Tokenization

Card on File Tokenization: How to Protect Card Data in Recurring Payments

January 15, 2025 | 6 min read | PCI Proxy EU

Card on file tokenization is the method by which a customer's card data is replaced with a reusable token for future charges, without the real PAN ever being stored in the merchant's systems. For anyone managing subscriptions, recurring plans or authorisation-on-file payments, this technology is not optional: it is the way to stay PCI DSS compliant without building an internal vault. The risks of directly storing card data are too high and the compliance burden too onerous to justify any alternative.


What "card on file" means and why it is risky

A card data record is defined as "card on file" when it is stored with the intention of being reused for future transactions without the cardholder needing to re-enter their data. This scenario is typical of subscription services, SaaS platforms, e-commerce with fast checkout options, and marketplaces that bill on a recurring basis. From a PCI DSS perspective, storing a PAN even for a single second after authorisation turns the system into a CDE component subject to all security requirements.

Direct storage carries two concrete risks: the technical risk of a breach that exposes thousands or millions of card numbers, and the compliance risk that translates into fines, forensics costs, and possible loss of payment processing capability. No operational advantage justifies keeping PANs in your own databases when safe, certified alternatives exist.

How tokenization works for recurring payments

In the card on file tokenization model, the flow works as follows: the customer enters card data just once through a secure form or a PCI DSS certified hosted page. That data is sent directly to the tokenization provider's vault, which returns a unique, persistent token to the merchant. From that point on, the merchant uses only the token to request future charges: the vault retrieves the real PAN, sends it to the network, and returns only the authorisation response.

The token can be configured to be valid for a specific period, bound to a single merchant, or bound to a single maximum amount. This granularity allows the building of flexible recurring payment architectures without ever exposing card data in your own systems. PCI Proxy EU's vault manages this logic with standard APIs, compatible with the leading European PSPs.
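The flow and token constraints described above, as an added simulation that is not PCI Proxy EU's code or API: a toy vault issues a random token bound to one merchant, a validity period and a maximum amount, and a merchant that stores only the token charges through it. The PAN, merchant ids and customer id are constructed sample values.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class TokenRecord:
    pan: str               # the real PAN: exists only inside the vault
    merchant_id: str       # token bound to a single merchant
    expires_at: datetime   # token validity period
    max_amount: int        # per-charge ceiling, in minor units (cents)

class Vault:
    """Toy vault: issues random tokens and enforces their bindings on each charge."""
    def __init__(self):
        self._store = {}   # token -> TokenRecord; the only place a PAN is kept

    def tokenize(self, pan, merchant_id, valid_days=365, max_amount=50_000):
        # A random token has no mathematical relationship to the PAN, so an
        # intercepted token reveals nothing (unlike ciphertext once the key leaks).
        token = "tok_" + secrets.token_urlsafe(16)
        expires = datetime.now(timezone.utc) + timedelta(days=valid_days)
        self._store[token] = TokenRecord(pan, merchant_id, expires, max_amount)
        return token

    def charge(self, token, merchant_id, amount, now=None):
        """Check the token's bindings, then use the PAN towards the network.
        Only an authorisation response goes back; the PAN never leaves the vault."""
        now = now or datetime.now(timezone.utc)
        rec = self._store.get(token)
        if rec is None:
            return {"approved": False, "reason": "unknown_token"}
        if rec.merchant_id != merchant_id:
            return {"approved": False, "reason": "merchant_mismatch"}
        if now >= rec.expires_at:
            return {"approved": False, "reason": "token_expired"}
        if amount > rec.max_amount:
            return {"approved": False, "reason": "amount_exceeds_limit"}
        # Stand-in for the acquirer/network call that would receive rec.pan.
        auth_code = "A" + secrets.token_hex(3).upper()
        return {"approved": True, "auth_code": auth_code, "last4": rec.pan[-4:]}

class Merchant:
    """Merchant side: stores one token per customer and never handles the PAN."""
    def __init__(self, merchant_id, vault):
        self.merchant_id, self.vault, self.cards_on_file = merchant_id, vault, {}

    def save_card(self, customer_id, pan):
        # PAN arrives from the hosted form and goes straight to the vault.
        self.cards_on_file[customer_id] = self.vault.tokenize(pan, self.merchant_id)

    def bill(self, customer_id, amount, now=None):
        return self.vault.charge(self.cards_on_file[customer_id], self.merchant_id, amount, now)
```

Every rejected charge above (wrong merchant, expired token, amount over the ceiling) is decided inside the vault; the merchant's database holds nothing that could be turned back into a PAN.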

PCI DSS obligations for those who store card data

Anyone who stores PANs must satisfy all 12 PCI DSS requirements across their full perimeter. This includes encryption of data at rest with separately managed keys, granular access control, complete logging of every operation on card data, quarterly vulnerability scanning, and annual penetration testing of the entire CDE. For an SME, this translates into compliance costs that can exceed €30,000 per year.

With card on file tokenization, the merchant exits the PAN storage perimeter. Only the systems that transmit tokens and receive authorisation responses remain in scope, and those are far less critical from a PCI DSS perspective. The result is a reduced perimeter, a simpler SAQ, and significantly lower compliance costs.

Frequently asked questions

Is card on file tokenization different from encryption?

Yes. Encryption transforms the PAN into ciphertext that can be decrypted with the correct key, so the risk remains in the system that manages the keys. Tokenization replaces the PAN with a random value that has no mathematical relationship to the original data: even if the token is intercepted, it is impossible to recover the PAN without accessing the vault.

With tokens, can I still charge the customer in the future?

Yes. The token is persistent and reusable for all future authorised charges. The merchant sends the vault the token along with the amount and charging instructions; the vault executes the transaction with the real PAN and returns only the authorisation response. The customer does not need to re-enter card data for any charge after the first.

What happens if my PSP fails or I change provider?

With PCI Proxy EU, the vault is independent of the PSP: tokens are portable and can be used with any supported acquirer. If you change payment provider, you do not need to ask customers to re-enter their card data. This is one of the key advantages of an agnostic vault over the proprietary tokens of individual PSPs.

Managing subscriptions or recurring payments and want to eliminate PANs from your infrastructure? Discover PCI Proxy EU.

PCI Proxy EU Team

RoxPay, PCI DSS tokenization in Europe

Content reviewed by payment and PCI DSS compliance experts.
