July 4, 2023
Streamlining data portability in a multi-PSP environment
In today’s ever-changing payment landscape, the security and management of sensitive card data has become a top priority for businesses and consumers alike. With the increasing number of data breaches and cyber attacks, it is crucial for organizations to implement robust security measures to protect their card data, but often this results in vendor lock-in with the retailer’s primary payment service provider (PSP).
Storing card data with a single PSP can severely limit the portability of that data for a retailer. True data portability ensures that a retailer has the ability to transfer data from one service provider to another without any loss of functionality or security. In the context of card data storage, this means that businesses can easily switch between different PSPs without having to worry about the migration of sensitive card data. This is particularly important for businesses that want to maintain flexibility and adapt to changing market conditions.
So, how can merchants ensure maximum data portability across their card data when working with multiple PSPs?
1) Always store your card data in an independent external cloud vault
Storing card data in an independent external vault is the most essential step in ensuring maximum data portability for a retailer. Any retailer storing card data only with their primary PSP will inevitably encounter significant hurdles every time a new payment service is introduced.
By keeping card data in an independent cloud vault, a retailer can ensure that the same card data can instantly be used to process with any PSP, without any migration. This cloud vault can store card data securely while ensuring maximum PCI compliance. The data from the vault can then be used to process on the fly with any PSP, routing card data on demand to the preferred processors based on cost, preference, location, availability, or any other factor.
When evaluating a vault, it’s important to ensure that the vault is truly agnostic. A truly agnostic vault should be external to any PSP while also keeping all the data needed to process payments through any route. This means the vault should not just keep the card data secure but should also store any associated data needed to properly process payments, including necessary scheme data and customer data.
Additionally, it’s important to consider the infrastructure behind a PCI vault. Cloud-based vaults with true data segregation, full multi-region redundancy, and linear scalability are going to be more secure, more scalable, and more powerful than traditional on-prem and Software-as-a-Service (SaaS) solutions. A truly independent, external, cloud-based, PSP agnostic vault will not just reduce cost through easier migration, but it will also enable any retailer to seize the opportunity of newer payment routes and experiment with new PSPs before committing to a full switch.
2) Make the most of your vault with network tokens
Network tokens are an exciting new innovation in the world of card data security. They are unique, digital identifiers that replace sensitive card data during transactions, making it more difficult for fraudsters to access and use the information. Additionally, network tokens provide improvements in authorization rates and cost, depending on the scheme and PSP used. For example, Visa’s Token Service 2020 report shows an uplift of 3.2% in authorization rates.
One of the main benefits of network tokens is that they can be used across multiple PSPs, providing retailers with greater flexibility and control over their payment processing. Additionally, network tokens can be easily updated or replaced if they become compromised, ensuring that card data remains secure at all times. When evaluating a cloud vault, a retailer should consider built-in network token functionality. The ability to provision and de-provision network tokens allows for maximum portability and will future-proof any retailer’s payment stack.
One caveat to consider is that not all network tokens are created equal. When a network token is generated, it’s associated with the business that requested the token. This association is essential to the security of network tokens, but it does mean that network tokens generated by some services are associated with those services and not the merchant retailer, limiting the network token’s usage with other PSPs. It’s essential to ensure that network tokens are generated and associated with the retailer, not the service, for exactly this reason.
3) Ensure your vault is always kept fresh
Keeping card data fresh is essential for ensuring future payments can be processed without any issues. Stale or outdated card data can lead to declined transactions, increased chargebacks, and a poor customer experience. By storing card data in a cloud vault, retailers have a variety of options to ensure that their customers’ data is always up-to-date and accurate.
One way to keep card data fresh is to use an account updater built into the cloud vault. A built-in account updater can automatically fetch the new primary account number and expiry date for an expired or replaced card and store these directly in the vault. This ensures the retailer remains out of PCI scope for these updates, and removes the need to re-request card data from consumers.
A new alternative approach to keeping data fresh is to utilize network tokens. Because network tokens replace the original card data they do not require updating when the actual card is replaced. Additionally, network tokens can be extended beyond their original expiry date, providing similar benefits to an account updater.
4) Owning the data in your vault is non-negotiable
The final thing to consider when ensuring maximum data portability is that a retailer’s card data should always remain fully owned by them. Although most payment services promise the ability to export raw card data on request, these processes can be far from frictionless and fast. Additionally, depending on the PSP used, the card data might not actually belong to the retailer. For example, any network tokens may belong to the PSP, and if the payment service also acts as a merchant-of-record then even the card data may be off limits for the retailer.
To maximize data portability, a cloud vault should provide multiple export options for the payments data, both on-demand and for full migrations. The ability to directly request network tokens and PSP tokens from the vault is a good start, but for full flexibility, a vault should allow card data to be pushed to any PCI endpoint, as well as a full export of all data on request.
If you’re a merchant looking to securely store card data, learn more about the Gr4vy Cloud Vault.