Every platform or SaaS company that stores card credentials faces a question that gets more expensive the longer it goes unanswered: where do those card numbers actually live, who secures them, and what does that cost you every year?
Credit card vaulting is the infrastructure answer. It moves raw card data into an isolated, encrypted environment and replaces it with tokens that your systems use for everything else. The card number never leaves the vault. Your application, your database, and your logs only ever see the token.
The decision isn’t whether to vault. PCI DSS requires that stored PANs be rendered unreadable (Requirement 3), and raw card storage in your production database is an audit failure waiting to happen. The decision is whether you build and operate the vault yourself, or hand it to a provider whose entire business is keeping that data safe.
Key takeaways:
- Running your own vault costs $150K-$500K+ annually when you factor in infrastructure, compliance, engineering, and breach risk
- Outsourcing to a PCI Level 1 certified provider eliminates Requirement 3 and portions of several other PCI DSS requirements from your scope
- PSP-owned vaults create vendor lock-in; independent vaults or orchestration layers keep tokens portable across processors
- Network tokenization delivers a 6% approval-rate improvement and a 30% fraud reduction on top of vault-level security (Visa, 2024)
- The build-vs-buy threshold: build only if card data handling is a core differentiator and you have dedicated security engineering
What is credit card vaulting?
Credit card vaulting stores primary account numbers (PANs) and associated card data inside a dedicated, PCI-compliant encrypted environment, separate from your application infrastructure. When a customer submits their card, the vault ingests the raw data, encrypts it at rest, and returns a token: a non-sensitive reference that maps back to the stored card but is useless on its own.
Your application stores and transmits the token. When you need to charge the card, the token goes to the vault (or through an orchestration layer), which retrieves the real PAN and forwards it to the processor.
PCI DSS scope is determined by which systems store, process, or transmit cardholder data. Every system that handles the real PAN is in scope. Every system that only handles tokens is generally out of scope. The vault concentrates your cardholder data environment (CDE) into one controlled perimeter instead of spreading it across your entire stack. For recurring billing, saved-card checkout, and subscription platforms, vaulting is the mechanism that makes “remember my card” work without storing the actual card number in your own systems.
How card vaulting works: tokenization in practice
The mechanics are straightforward. The implementation details determine whether the vault actually reduces your risk or just moves it around.
- The customer enters card details in your checkout form, ideally a hosted field or iframe that sends data directly to the vault without touching your servers.
- The vault encrypts the raw PAN using AES-256 or equivalent and stores it in an isolated database with strict access controls.
- The vault returns a token, either format-preserving (looks like a card number) or opaque (a random string).
- For subsequent charges, your system sends the token to the vault or orchestration layer, which decrypts the real PAN and routes it to the processor.
- The processor authorizes the transaction. Your system never sees the real card number.
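The steps above, as an added illustration that is not code from the original article or from any vault provider: a minimal Go model of the vault boundary, in which PANs are encrypted with AES-256-GCM, callers receive only opaque random tokens, and decryption happens solely on the path to the processor. The caller-supplied key, the token format and the processor callback are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Vault is the isolated, PCI-scoped component: only it holds the key and the encrypted PANs.
type Vault struct {
	aead  cipher.AEAD
	store map[string][]byte // token -> nonce || ciphertext
}

// NewVault wraps a 32-byte key (AES-256); a real vault would fetch it from an HSM or KMS.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, store: map[string][]byte{}}, nil
}

// Tokenize encrypts the PAN with AES-256-GCM and returns a random, opaque token; the token is bound in as GCM additional data.
func (v *Vault) Tokenize(pan string) string {
	raw := make([]byte, 16+v.aead.NonceSize()) // token bytes followed by a fresh nonce
	rand.Read(raw)                              // crypto/rand.Read never returns an error (Go 1.24+)
	token := "tok_" + hex.EncodeToString(raw[:16])
	v.store[token] = v.aead.Seal(raw[16:], raw[16:], []byte(pan), []byte(token))
	return token
}

// Charge is the only path that decrypts; the PAN goes to the processor callback and the caller sees only the result.
func (v *Vault) Charge(token string, processor func(pan string) bool) (bool, error) {
	blob, ok := v.store[token]
	if !ok {
		return false, errors.New("unknown token")
	}
	ns := v.aead.NonceSize()
	pan, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(token))
	if err != nil {
		return false, err
	}
	return processor(string(pan)), nil
}
```

Because the token is authenticated as additional data, a ciphertext copied under a different token fails to decrypt rather than silently charging the wrong card.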
Two distinctions matter when evaluating vault architecture: whether the token references stored card data or is derived without storing it, and whether the token is issued by the vault or by the card network itself:
| Approach | How it works | Use cases | Limitations |
|---|---|---|---|
| Vaulted tokenization | Stores the original card data in a secure vault, with tokens referencing that stored data | Recurring billing, refunds, card-on-file, multi-processor routing | Requires vault infrastructure |
| Vaultless tokenization | Uses cryptographic algorithms to generate tokens without storing the original data | Lower infrastructure requirements | Can’t retrieve original PAN; limits recurring billing across PSPs |
| Network tokenization | Issued by card networks (Visa, Mastercard); replaces PAN at the scheme level | Auto-updated on card reissue, better auth rates | Network-dependent; supplements rather than replaces vault tokens |
Visa reported a 6% improvement in approval rates and 30% reduction in fraud from network tokenization in 2024, with 29% of all Visa transactions now using tokens.
These three approaches aren’t mutually exclusive. A well-architected payment system uses vault-level tokenization for internal storage, combined with network tokens for authorization improvement at the scheme level.
The real cost of running your own vault
Per-token storage fees from a third-party provider might be a few cents, which sounds trivial. But the cost of running your own vault extends far beyond the infrastructure bill.
| Cost category | What’s involved | Typical annual range |
|---|---|---|
| Infrastructure and hosting | Dedicated servers or isolated cloud VPC, HSMs for key management, encrypted storage, network segmentation | $30,000-$100,000+ |
| PCI DSS compliance | QSA assessments, penetration testing, vulnerability scanning, remediation | $50,000-$200,000 (large org) |
| Engineering staffing | At least one FTE dedicated to vault operations, plus fractional time from infrastructure and DevOps | 1+ FTE ongoing |
| Key management | Dual-control key management, regular key rotation, audit trails for all key access | Included in engineering time |
| Ongoing maintenance | Continuous validation under PCI DSS v4.0, ongoing monitoring beyond annual audit | Ongoing overhead |
| Breach liability | Average data breach costs $4.88M globally; $6.08M in financial sector; $183 per stolen record (IBM/Ponemon, 2024) | Risk-adjusted exposure |
Sources: SISA InfoSec/Centraleyes (2025), IBM Cost of a Data Breach (2024). Smaller businesses spend $5,000-$20,000/year on PCI compliance alone.
PCI DSS v4.0 shifted from point-in-time compliance to continuous validation, meaning your vault security posture needs ongoing monitoring, not just an annual audit pass. The Verizon 2024 Payment Security Report found that the PCI DSS compliance control gap widened to 4.5% in 2023 from 3.2% the prior year, indicating that maintaining compliance is getting harder, not easier.
Key point: PCI non-compliance fines escalate from $5,000-$10,000 per month initially to $100,000 per month after six months, and card networks can levy up to $500,000 per security incident (Clone Systems, 2025; Spreedly, 2023).
Add it up, and an in-house vault’s true annual cost for a mid-size platform is $150,000 to $500,000+ including engineering time, compliance overhead, and risk-adjusted breach exposure. That’s before the opportunity cost: every sprint your team spends on vault maintenance is a sprint not spent building the product your customers are paying for.
Build vs. buy: in-house vault vs. outsourced vault service
The build-vs-buy decision comes down to cost, control, and compliance burden:
| Factor | In-house vault | Third-party vault service |
|---|---|---|
| Upfront cost | $50K-$150K+ (infrastructure, HSMs, initial build) | Near-zero (API integration, typically days) |
| Annual compliance | $50K-$200K (QSA audits, pen testing, remediation) | Included in provider’s certification; your scope shrinks |
| Engineering effort | 1+ FTE ongoing, plus DevOps and security team time | Integration sprint, then minimal maintenance |
| Key management | You build and operate it; dual-control, rotation, audit trails | Provider handles it; covered under their PCI Level 1 certification |
| PCI DSS scope | Full Requirement 3 and portions of 2, 6, 7, 8, 9, 10, 11 | Stored cardholder data exits your environment; scope drops materially |
| Multi-processor support | You build the routing logic | Provider or orchestration layer routes tokens to any processor |
| Portability | You own the data but migration is your problem | Depends on provider; PSP-owned vaults lock you in |
| Customization | Full control over architecture and business logic | Constrained by provider’s API and feature set |
| Breach liability | Fully yours | Shared; provider bears liability for their environment |
Building your own vault makes sense only if card data handling is a core differentiator in your product, you have a dedicated security engineering team, and you’re processing at a scale where per-token fees become material. For most SaaS platforms, the economics favor outsourcing.
One nuance on portability: not all third-party vaults are equal. If your vault is owned by your payment processor (Stripe’s vault, Adyen’s tokenization), your tokens are locked to that processor. Switch providers, and you lose access to stored cards. An independent vault, or a payment orchestration layer that includes vault functionality, keeps tokens portable across any processor.
How vaulting reduces your PCI DSS 4.0 scope
PCI DSS v4.0 became mandatory on March 31, 2025, with future-dated requirements taking effect March 31, 2026. The update shifted from prescriptive, point-in-time compliance to a risk-based model with continuous validation. For companies running their own vaults, this means more monitoring and documentation on an ongoing basis, not just once a year.
PCI DSS has 12 high-level requirements. Requirement 3, “Protect Stored Account Data,” is the most directly affected by vaulting. It contains seven sub-sections covering data retention, access controls, key management, and encryption standards. If you store cardholder data, all of Requirement 3 applies, along with portions of Requirements 2, 6, 7, 8, 9, 10, and 11 for every system that touches that data.
Outsource the vault to a PCI Level 1 certified provider, and stored cardholder data leaves your environment entirely. Systems that only handle tokens are generally outside the CDE. This doesn’t make you fully PCI compliant (you still have obligations around your checkout integration, network security, and access controls), but it eliminates the most demanding requirements around stored data protection.
Instead of satisfying Requirement 3’s encryption, key management, and access control mandates for every system in your CDE, you’re validating that your token-handling systems are properly segmented and that your vault provider’s compliance is current.
For a practical reference on which PCI DSS requirements apply to your environment and which ones vaulting addresses, see this 12-point PCI requirements checklist.
The financial consequences of getting scope reduction wrong are real. Non-compliance fines start at $5,000-$10,000 per month and escalate to $100,000 per month (Clone Systems, 2025). A separate analysis of the cost of ignoring PCI compliance across international payment operations covers the fine schedules, breach liability, and reputational damage in detail.
What to look for in a vault provider
Not every vault service delivers the same value. When evaluating providers, these criteria separate a vault that reduces your costs from one that just moves the problem:
| Criterion | What to verify |
|---|---|
| PCI DSS Level 1 | Highest level of PCI compliance, validated by an external QSA. Ask for the current AOC, not a marketing claim. |
| Token portability | Can you use vaulted tokens with multiple processors? PSP-owned vaults create lock-in. An independent vault or orchestration layer lets you [route transactions across processors](https://orchestrasolutions.com/payment-routing-optimization/) without re-collecting card data. |
| Network token support | Visa reports [10B+ tokens issued globally](https://usa.visa.com/about-visa/newsroom/press-releases.releaseId.20701.html), generating $40B in incremental e-commerce revenue and $650M in fraud savings (Visa, 2024). 85% of online merchants now use tokenization (CoinLaw, 2025). |
| Multi-processor routing | If the vault integrates with a [payment orchestration layer](https://orchestrasolutions.com/payments-compliance-outsourcing/), tokens can route to any connected processor based on cost, performance, or availability. Enables [failover between processors](https://orchestrasolutions.com/payment-gateway-failover/) without customer friction. |
| Data residency | Where is encrypted card data physically stored? For cross-jurisdiction businesses, the provider should specify data center locations and comply with local data protection requirements. |
| Migration support | How do you import existing stored cards, and what happens if you need to leave? Easy import but difficult export is a lock-in risk. |
| Transparent pricing | Per-token storage, per-transaction decryption, or flat monthly fees. Understand how costs scale. At Orchestra’s standard rate of 5-10 cents per transaction, per-transaction vault cost is a fraction of in-house compliance overhead. |
The payment tokenization market is projected to reach $8.4 billion by 2034 (Market.us, 2025).
Frequently asked questions
How much does credit card vaulting cost?
Running your own PCI-compliant vault can cost $50,000 to $200,000+ annually including infrastructure, QSA audits, engineering, and key management (SISA InfoSec, Centraleyes, 2025). Third-party vault services charge per-token or per-transaction fees, typically a few cents each. The outsourced model eliminates the fixed compliance overhead entirely.
What is the difference between tokenization and vaulting?
Tokenization is the process of replacing sensitive card data with a non-reversible token. Vaulting is the secure storage of the original card data in an encrypted environment. They work together: the vault stores the real card number, and tokens are used everywhere else so the original PAN never leaves the vault. You can have tokenization without a vault (vaultless tokenization uses algorithms), but most recurring billing and multi-processor use cases require vaulted tokenization.
Does credit card vaulting make you PCI compliant?
No, but it removes the most expensive parts of PCI compliance from your plate. Outsourcing card storage to a PCI Level 1 certified provider eliminates stored cardholder data from your environment, which takes Requirement 3 and portions of several other requirements out of your scope. You still have PCI obligations around your checkout integration, network security, and access controls.
Can I use a third-party vault with multiple payment processors?
Yes, provided the vault is processor-independent. PSP-owned vaults (where your processor controls the tokens) lock you to that processor. An independent vault or a payment orchestration layer like Orchestra connects your vault tokens to multiple processors, so you can route transactions across PSPs without storing card data yourself or re-collecting it from customers.
What is the difference between vaulted and vaultless tokenization?
Vaulted tokenization stores original card data in a secure vault, with tokens referencing that stored data. Vaultless tokenization uses algorithms to generate tokens without storing the original data, which reduces infrastructure needs but limits some use cases. Recurring billing across multiple processors, for example, typically requires the ability to retrieve the original PAN, which vaultless tokenization cannot do.
What happens to vaulted cards when I switch payment processors?
It depends on who owns the vault. With a PSP-owned vault, you typically lose access to stored cards when switching providers, forcing customers to re-enter their details. With an independent third-party vault or payment orchestration layer, your tokens remain portable across any processor, and switching providers doesn’t affect stored card access.
