Anyone running a subscription business knows that card-on-file tokenization is not an option but a necessity. SaaS models, digital subscriptions and streaming services store card data by definition: without a stored card number, there is no automatic renewal. This automatically places any subscription business within the PCI DSS perimeter, with specific obligations that many businesses underestimate.
The subscription model and PCI DSS: you are automatically in scope
A company offering subscriptions and automatically charging the customer's card on each renewal is storing or has access to card data. Even if the data is held by the PSP, the merchant is involved in the flow and remains in PCI DSS scope for the system components that orchestrate recurring billing, manage payment failures, send renewal notifications or update card information. Simply using a PSP token is not sufficient to exit the perimeter if the merchant's billing system interacts with that token.
PCI DSS requirements for subscription businesses include in particular Requirement 3 (protection of stored card data), Requirement 6 (security of systems and applications), and Requirement 8 (identification and authentication of access). Token management, recurring transaction logs and failed payment retry systems must be designed with these requirements in mind.
How card-on-file tokenization protects your recurring billing
With card-on-file tokenization, the customer's PAN is replaced by a token the first time the card is registered. All subsequent renewals use the token: the merchant's billing system never sees a card number in cleartext, and the external vault handles de-tokenization at the point of authorisation with the PSP. The merchant's PCI perimeter is reduced to just the systems handling tokens, which by definition contain no cardholder data.
Another practical advantage is card update management. When a customer receives a new card (due to expiry or replacement), the vault can update the mapping automatically via the account updater services offered by the card networks (Visa Account Updater, Mastercard Automatic Billing Updater). The token remains unchanged in the merchant's system, but is internally mapped to the new PAN. This reduces failed payments from expired cards without requiring any user interaction.
Upgrades, downgrades and cancellations: token lifecycle in subscriptions
The lifecycle of a subscription is more complex than a single transaction: plan upgrades, downgrades, pauses, cancellations with partial refunds and reactivations after unsubscription are all scenarios that the billing system must handle. With tokenization, all these events operate on the token, not the PAN. The token remains valid for the entire duration of the customer relationship, regardless of changes in plan or commercial terms.
In the event of cancellation, the token must be rendered inactive in the vault but not necessarily deleted: PCI DSS and accounting data retention requirements may require maintaining a record of the original transaction for a minimum period. Correct management of the token lifecycle, from creation to deactivation, is an integral part of a PCI compliance programme for subscription businesses.
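The renewal flow and the token lifecycle described above (tokenize, charge by token, account updater remap, deactivate on cancellation while retaining the record) as an added example model, not code from PCI Proxy or any real vault; the `Vault`, `BillingSystem` and `VaultRecord` names, the simulated PSP authorisation and the test PAN are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class VaultRecord:
    pan: str            # the PAN only ever lives inside the vault
    active: bool = True  # False after the subscription is cancelled


class Vault:
    """External token vault: the only component that holds PANs."""

    def __init__(self):
        self._records = {}  # token -> VaultRecord

    def tokenize(self, pan: str) -> str:
        # Random token: it carries no information derived from the PAN
        token = "tok_" + secrets.token_hex(8)
        self._records[token] = VaultRecord(pan=pan)
        return token

    def authorize(self, token: str, amount_cents: int) -> dict:
        rec = self._records.get(token)
        if rec is None or not rec.active:
            return {"approved": False, "reason": "inactive_token"}
        # Simulated PSP call: the PAN is used here and never returned
        return {"approved": True, "amount_cents": amount_cents, "last4": rec.pan[-4:]}

    def account_updater(self, token: str, new_pan: str) -> None:
        # Network account updater: the token stays, only the mapping changes
        self._records[token].pan = new_pan

    def deactivate(self, token: str) -> None:
        # Cancellation: no further charges, but the record is retained
        self._records[token].active = False

    def is_retained(self, token: str) -> bool:
        return token in self._records


class BillingSystem:
    """Merchant side: stores only tokens, never a PAN."""

    def __init__(self, vault: Vault):
        self.vault = vault
        self.customers = {}  # customer_id -> token

    def register_card(self, customer_id: str, pan: str) -> str:
        self.customers[customer_id] = self.vault.tokenize(pan)
        return self.customers[customer_id]

    def renew(self, customer_id: str, amount_cents: int) -> dict:
        return self.vault.authorize(self.customers[customer_id], amount_cents)

    def cancel(self, customer_id: str) -> None:
        self.vault.deactivate(self.customers[customer_id])
```

Because `register_card` hands the PAN straight to the vault and stores only the returned token, the billing system's own data store holds nothing that would place it in scope for Requirement 3.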
Frequently asked questions
How do I manage automatic renewal with a PCI token?
The billing system sends the vault a charge request using the token associated with the customer. The vault retrieves the corresponding PAN, transmits it to the PSP for authorisation and returns the outcome. The merchant receives only the authorisation confirmation, without ever seeing the PAN. The process is identical to any other recurring transaction, but card data never passes through the merchant's systems.
What happens to the token if the customer changes their card?
With network account updater services, the vault automatically updates the token-PAN mapping when a card is renewed or replaced. The token in the merchant's system remains unchanged. Alternatively, when the customer manually enters the new card, a new token is generated that replaces the previous one in the customer profile.
Does a SEPA mandate replace card-on-file for recurring payments?
A SEPA Direct Debit mandate is a valid alternative for recurring payments in euros, but it operates on the IBAN, not on card data, and therefore does not fall within the PCI DSS perimeter. For merchants accepting both cards and SEPA, card-on-file tokenization remains necessary for the card channel, while SEPA payments follow a separate path outside the PCI perimeter.
Running a subscription business and want PCI DSS-compliant recurring billing without friction for your customers? Discover PCI Proxy EU.