Payment Method Vault
As part of Ezypay's stringent security practices to protect you and your customers, all payment methods - such as credit cards, debit cards or bank accounts - are securely encrypted and stored in the Ezypay Vault. The Vault adheres to PCI Compliance requirements and ensures the protection of your customer's sensitive payment data.
Payment information stored in the Ezypay Vault is replaced with a token to represent it for all operations across the Ezypay platform. This token contains metadata only, instead of using the actual payment method data, thus preventing any exposure of customer payment data. Ezypay employees will not have any knowledge or information about actual payment method details, as all that information is held privately in the Vault.
Tokenisation and Detokenisation Process
Tokenisation substitutes a customer's personal account information with a digital token. This token only contains metadata and does not expose actual payment method details when used across Ezypay, ensuring the protection of a customer's payment information. After creating the token, the merchant will create a payment method, which links the token to a customer. All subsequent subscriptions and billing will interact with that token, which can be reused indefinitely for multiple transactions.
When a customer is scheduled to be billed, Ezypay will generate the necessary invoices and transactions. Billing information and the payment method token are sent to the Ezypay Vault, where the token is detokenised and replaced with the actual payment method information. The payment provider receives full payment method information to process the payment. Actual payment details are only revealed to the payment provider and Ezypay Vault.
Ezypay Security Standards
The Payment Card Industry Data Security Standard - PCI DSS(https://www.pcisecuritystandards.org/) is a set of security standards created in collaboration with major credit card payment brands (such as Visa, MasterCard, American Express, Discover and JCB) to ensure that all companies accept, process, store or transmit credit card information maintain a secure environment. PCI compliance applies to any merchant that accepts credit card payments regardless of whether they use in-house or third-party software to process, store or transmit cardholder data.
To ensure PCI Compliance, Ezypay adheres to the following requirements:
|PCI Compliance Requirement||Ezypay Implementation|
|Ezypay as a subscription payment platform only works with tokens and payment method metadata||- Ezypay does not store payment method details and only identifies payment methods with a token.|
- Ezypay fully relies on the Ezypay Vault to detokenise and handle all interactions requiring the actual payment method details.
- The token only contains metadata: cardholder name, card first 6 digits, Card last 4 digits, Bank last 4 digits.
|Ezypay Vault holds the full bank account and card details||- The Ezypay Vault stores payment method details and works with all Ezypay related processes that require it to use actual payment method details (such as billing and settlement runs).|
- The Ezypay Vault will be the main interface to the Payment Service Providers (PSPs), dealing with the detokenisation of payment methods prior to sending the payment requests through.
|All UI that captures payment methods are hosted in the Vault environment||Ezypay Hosted Pages will receive input for payment methods and they will be hosted as part of the Ezypay Vault solution.|
|Quarterly inactive card data disposal process||Ezypay will automatically remove payment methods flagged as invalid for 13 months.|
|Deletion of card data based on customer request||When Remove a payment method (API)(https://developer.ezypay.com/reference#delete_payment_method) is called, Ezypay will delete the payment method permanently from the Ezypay Vault.|
|No users are allowed to access full payment method details||Payment method tokens only contain metadata and are used across all Ezypay operations. The true payment account information is never exposed outside of the Ezypay Vault.|
PCI Compliance Scope Reduction
Ezypay offers various integration options to reduce your application's PCI Compliance footprint:
Embedded Payment Page: Embed an iFrame into your web application that will allow you to collect payment method information from your customers, store them in the Ezypay Vault and receive a token in return. Because your app does not directly handle any sensitive payment information, your PCI scope is dramatically reduced.
API Integration: Fully integrate with Ezypay APIs to utilise our existing PCI Compliant implementations to create your own customised in-app payment experience. However, when cardholder data passes through your hosting environment, even if you are not storing it, your systems fall within PCI compliance scope. You are responsible to ensure you do not store or log any of the credit card information on your site/app at any point in time.
As the payment method details are collected by Ezypay, your PCI compliance requirements are reduced.
Updated almost 4 years ago