What Is a Token Vault? Definition and How It Works

Definition

A token vault is a secure, encrypted data store that maintains the mapping between payment tokens and the original card data they represent, enabling merchants to process transactions using tokens without storing raw card numbers.

How it works

The token vault sits at the core of any tokenisation system. When a card is tokenised, the vault encrypts and stores the primary account number (PAN) and returns a token to the merchant; the token is an opaque reference that carries no card data of its own. Every subsequent transaction that uses that token triggers a vault lookup: the token is presented, the vault retrieves and decrypts the PAN, and the original card data is passed to the acquirer for authorisation. The merchant's own systems only ever handle the token.

Token vaults are typically operated by payment providers, though large enterprise merchants sometimes operate their own. The vault must meet PCI DSS requirements for storing cardholder data: the environment where encrypted PANs reside is in PCI DSS scope regardless of the tokenisation approach used, because encryption reduces risk but does not take stored PAN out of scope for the entity holding the keys.

Token portability is the defining commercial characteristic of a vault. A portable vault allows the merchant to use the same tokens across different acquirers and to migrate tokens to a new payment provider without losing stored card relationships. A non-portable vault locks token storage to a single provider: if the merchant switches, the stored tokens become unusable and every cardholder has to re-enter their card.

Vault architecture also determines cross-channel token reuse: a merchant with a single token vault can use the same token across web, mobile, in-store, and phone channels, enabling a unified customer payment profile without requiring the cardholder to register their card multiple times.

Why it matters

Token portability is the most overlooked vault requirement: merchants who store thousands of active tokens in a provider-specific vault face significant switching costs if they need to change providers. Migrating encrypted PANs requires cooperation between the old and new provider, and for network tokens it may require the card network's involvement as well.

Vault reliability directly affects authorisation rates: if the vault has downtime, stored-credential transactions fail. Vault availability SLAs should be evaluated alongside gateway and acquirer SLAs when assessing payment infrastructure resilience.

Multi-acquirer merchants need vault-level token routing: when the same token is used across multiple acquirer connections, the vault must support presenting the right credential to each acquirer. This is a non-trivial architectural requirement that not all vault implementations handle correctly.

Vault scope affects PCI audit complexity: the vault environment, wherever encrypted PANs reside, is in PCI scope. Merchants using a third-party vault provider shift that scope to the provider, but must verify that the provider's PCI DSS Level 1 service provider Attestation of Compliance (AOC) actually covers the vault service, not just unrelated parts of the provider's platform.

With PXP

PXP operates a secure token vault that stores encrypted card data and supports both gateway tokens and network tokens across all acquirer connections on the platform. Merchant tokens are portable within the PXP ecosystem, and PXP supports token migration engagements for merchants moving existing stored credentials to the platform.

Frequently asked questions

What data does a token vault actually store?

A token vault stores the mapping between each token and the encrypted version of the original card data, typically the primary account number (PAN), expiry date, and sometimes the cardholder name. The PAN is rendered unreadable at rest with strong cryptography under managed keys, as PCI DSS requires for stored PAN. The vault never stores the CVV/CVC: it is sensitive authentication data, which PCI DSS does not permit to be retained after authorisation, even encrypted.

What's the difference between a token vault and a token service provider?

A token service provider (TSP) is an entity authorised by the card networks to issue and manage network tokens. A token vault is the secure storage infrastructure where token-to-PAN mappings are held. A TSP operates a token vault, but not all token vaults are operated by TSPs: payment providers may run their own vaults for gateway tokens without TSP registration.

How do merchants migrate tokens when switching payment providers?

Token migration requires both the outgoing and incoming provider to cooperate. For gateway tokens, the outgoing provider must decrypt the PANs and re-encrypt them under keys supplied by the incoming provider, so that the export never exists in the clear outside either party's PCI-scoped environment; both parties must be PCI DSS compliant and agree on the transfer process, and the incoming provider normally issues new tokens and returns an old-to-new token mapping for the merchant to apply to its records. For network tokens, the card network must be involved to transfer the token-to-PAN mapping. Not all providers support migration.
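The lookup path from the "How it works" section and the gateway-token migration described in this answer, as one added example in Go (not PXP's code and not any real vault implementation). It assumes a single AES-GCM data key per vault, random 128-bit tokens, a PAN length check in place of the card network's own validation rules, and two in-process vaults standing in for the outgoing and incoming providers; a real migration moves an encrypted export between two PCI-scoped environments rather than calling one vault from the other.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"sync"
)

// Card is the cardholder data a merchant submits for tokenisation. There is
// deliberately no CVV field: the vault never accepts it, so it cannot store it.
type Card struct {
	PAN    string `json:"pan"`
	Expiry string `json:"expiry"` // MMYY
}

// Vault maps opaque tokens to AES-GCM ciphertexts of the Card JSON. The data
// key would come from an HSM or KMS in production; here it is a parameter.
type Vault struct {
	mu   sync.RWMutex
	aead cipher.AEAD
	data map[string][]byte // token -> nonce || ciphertext
}

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, data: make(map[string][]byte)}, nil
}

// Tokenize encrypts the card under the vault key and returns a random 128-bit
// token. The token is not derived from the PAN, so a stolen token table on its
// own reveals nothing about the cards behind it.
func (v *Vault) Tokenize(c Card) (string, error) {
	if n := len(c.PAN); n < 12 || n > 19 { // assumed check; real vaults validate further
		return "", errors.New("invalid PAN length")
	}
	plain, _ := json.Marshal(c)
	ns := v.aead.NonceSize()
	buf := make([]byte, ns+16) // fresh nonce followed by the token bytes
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	nonce, tok := buf[:ns:ns], "tok_"+hex.EncodeToString(buf[ns:])
	v.mu.Lock()
	v.data[tok] = v.aead.Seal(nonce, nonce, plain, nil) // stored as nonce || ct
	v.mu.Unlock()
	return tok, nil
}

// decrypt reverses Seal; a wrong key or a tampered record fails here.
func (v *Vault) decrypt(ct []byte) (Card, error) {
	n := v.aead.NonceSize()
	plain, err := v.aead.Open(nil, ct[:n], ct[n:], nil)
	if err != nil {
		return Card{}, err
	}
	var c Card
	return c, json.Unmarshal(plain, &c)
}

// Detokenize is the per-transaction lookup: token in, PAN out to the acquirer.
// It is the only path back to the PAN, so a real vault authenticates, rate-limits
// and audits every call to it.
func (v *Vault) Detokenize(tok string) (Card, error) {
	v.mu.RLock()
	ct, ok := v.data[tok]
	v.mu.RUnlock()
	if !ok {
		return Card{}, errors.New("unknown token")
	}
	return v.decrypt(ct)
}

// Migrate is the gateway-token migration path: each card is decrypted under the
// outgoing vault's key and re-tokenised under the incoming vault's key. Tokens are
// reissued, so the caller gets an old -> new map to rewrite its stored records.
func (v *Vault) Migrate(dst *Vault) (map[string]string, error) {
	v.mu.RLock()
	defer v.mu.RUnlock()
	remap := make(map[string]string, len(v.data))
	for old, ct := range v.data {
		c, err := v.decrypt(ct)
		if err != nil {
			return nil, err
		}
		if remap[old], err = dst.Tokenize(c); err != nil {
			return nil, err
		}
	}
	return remap, nil
}
```

Two design points carry over to real systems: the token is random rather than a hash of the PAN, so the token table cannot be reversed by guessing card numbers, and migration produces a token remapping because the incoming provider issues its own tokens. The old tokens stop resolving anywhere once the outgoing vault is decommissioned.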

Can a single token vault serve multiple sales channels?

Yes, and this is one of the main architectural benefits of centralising token storage. A single vault can serve web, mobile app, call centre, and in-store channels using the same token for the same cardholder card. This enables a unified payment profile without requiring cardholders to re-register across channels, which is particularly valuable for omnichannel merchants.