No Revenue Interruptions - Tokenization Credit Card Updater Services

No Revenue Interruptions - Tokenization Credit Card Updater Services

Right, wrong, or indifferent, companies want to store payment card information – or tokens that represent payment card information – to facilitate business and growth.  While the days of storing the Primary Account Number as the primary key in a database are hopefully past, there is still a great use case for leveraging the uniqueness of payment card information, (PAN, security token, network token, whatever everyone is calling it in their corner of the world), to support business processes and functions.  Entire empires have been developed in the Loyalty space because of the importance of knowing how people are interacting with your company and your products and services.  Because of this, Card Brands like Visa, MasterCard, and American Express have developed “Account Updater” services that allow merchants and service providers to update payment card information as expiration dates or card changes occur with their customer base.

For example, say you are a merchant with recurring billing capability – or you’re a Charity-based organization with a recurring donor option.  When the customer or donor payment card expires, recurring payments and donations will cease unless you either, 1)  contact the customer or donor to manually update their card information, or 2)  subscribe to a card updater service from an acquirer.  The reason merchants and service providers opt for subscribing to an updater service is because contacting the customer or donor can disrupt their payments or donations.  Additionally, recurring payments and recurring donations are designed as a convenience, and if merchants and service providers are contacting their customers and donors regularly to update payment card information it becomes inconvenient.  Payment Card Account Updater services features aim to maintain this convenience for both parties.

How it Works

How these services work at a technical level is pretty simple.  When you sign up with an acquirer, (normally the acquirer that supports your payment gateway or the one you’re working directly with today), they will give you a standard file format to use to request updates for your stored payment cards.  Once you populate the account updater file, you will likely be required to encrypt it with a public key to ensure its’ security.  Then, you will transmit (often via SFTP) the file directly to the acquirer. From there, the acquirer decrypts the file and generates a response file that provides status of the supplied card data, along with with any updates for PAN and/or expiration date. The response file can then be used to update your stored data. Overall, this process is quick, and once implemented, you can run it at regular intervals to keep cards in your environment up-to-date.

Cloud Tokenization = No Impact on Business Processes

So, what happens if you’ve done the right thing and tokenized your environment, thereby reducing risk and compliance burden by not storing payment card information?  Some believe that the tokenization will add a degree of complexity. However, —and this surprises many– the complexity for you as a merchant or service provider does not change at all when you use TokenEx.  In fact, the only change you will see in your environment is the endpoint where you send and receive the Account Updater file.  You will populate the file just as you do today, only with tokens instead of payment card numbers.  You will encrypt it with the TokenEx public key, and send the file to TokenEx instead of your acquirer.  Literally, the only changes you make are the destination and source of file transmissions, and the encryption key you’ll be using. Once TokenEx receives the file, we decrypt it, replace the tokens with payment card numbers, and send it to the acquirer on your behalf.  We, of course, still encrypt with the acquirer public key and send via SFTP, but they will receive the file as if you had sent it to them.

Let TokenEx Handle Toxic Payment Card Data

On the return trip, TokenEx will collect the response file from the acquirer.  We will decrypt the file, replace all payment card numbers with tokens, and send it back to you in the same format  you have been receiving  all along from the acquirer.  Using TokenEx, you see, you will never interact with payment card information – only tokens from your TokenEx vault.  This allows you to maintain your business processes as they are designed today; it allows your Information Security and Compliance Teams to maintain their security and compliance objectives.  Further, this service— using TokenEx— allows you to provide a convenient service for your customers or donors.

TokenEx is the industry leader in cloud tokenization and encryption. For more information on supporting account updater services for your customers or donors, contact us at

Topic(s): payments , PCI DSS , tokenization

Keep Up With Our PCI & Privacy Blog