A cloud-based card vault is the foundation of any modern payment architecture that aims to reduce data breach risk and shrink the PCI DSS scope. The vault is the component that receives, encrypts and stores payment card data and hands back an opaque token in its place. Understanding how it works technically, which certifications it requires, and why building one in-house is almost always the wrong choice helps you make more robust architectural decisions.
What a card vault is and how it works technically
A card vault is a hardened system for storing PANs (Primary Account Numbers) and the other sensitive data associated with payment cards. The basic flow: the card number is sent directly to the vault over a TLS-protected HTTPS API, encrypted under keys that are generated and held in an HSM (Hardware Security Module), and replaced by a token that is returned to the caller. The token is a random surrogate value, typically with the same length and format as a PAN (often keeping the last four digits for display), but it is not derived from the card number, carries no real card data, and cannot be used for a transaction without going through the vault.
Internally, the vault keeps the token-to-PAN mapping in an encrypted database to which access is tightly restricted. Every detokenisation request, that is, every retrieval of the original PAN, is logged with a timestamp, source IP and caller identity. The audit trail is mandatory under PCI DSS (Requirement 10) and must be tamper-evident and protected against modification and deletion: no operator, even one with administrative privileges, should be able to alter or remove records of vault operations.
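To make the flow in the two paragraphs above concrete, here is an added example written for this page; it is not PCI Proxy EU's code nor any real vault's implementation. Assumptions: a `SoftwareHsm` class stands in for the hardware module (the key is created inside it and never leaves; HMAC-SHA256 in counter mode with an encrypt-then-MAC tag replaces the AES-GCM a real HSM would run, because the Python standard library has no AES); tokens keep the PAN's length and last four digits, are otherwise random, and are forced to fail the Luhn check so they can never be mistaken for a live card number; the audit log is an in-memory hash chain; the sample PAN is the well-known Visa test number, a constructed input.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed input: the well-known Visa test PAN, not a live card number.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum. Real PANs pass it; this demo makes tokens fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class SoftwareHsm:
    """Stand-in for the HSM (assumption for this demo). The key is created
    here and never returned; callers only ever see ciphertext. HMAC-SHA256
    in counter mode plus an encrypt-then-MAC tag replaces the AES-GCM a
    real module would run, since the standard library has no AES."""

    def __init__(self) -> None:
        root = secrets.token_bytes(32)
        self._enc_key = hmac.new(root, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(root, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        blocks, counter = [], 0
        while sum(len(b) for b in blocks) < length:
            blocks.append(hmac.new(self._enc_key, nonce + counter.to_bytes(4, "big"),
                                   hashlib.sha256).digest())
            counter += 1
        return b"".join(blocks)[:length]

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def decrypt(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed; stored record was altered")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


class CardVault:
    """Token-to-ciphertext store plus a hash-chained detokenisation log."""

    def __init__(self, hsm: SoftwareHsm) -> None:
        self._hsm = hsm
        self._store = {}  # token -> encrypted PAN; plaintext is never stored
        self._audit = []  # append-only; each entry commits to its predecessor

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        while True:
            # Same length as the PAN; last four kept for display, the rest
            # random, so the token reveals nothing about the card number.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Force a Luhn failure so a token can never pass for a live PAN,
            # and retry on the (unlikely) collision with an existing token.
            if not luhn_valid(token) and token not in self._store:
                break
        self._store[token] = self._hsm.encrypt(pan.encode())
        return token

    def detokenize(self, token: str, caller: str, source_ip: str) -> str:
        blob = self._store.get(token)
        # Log before returning anything, including lookups that fail.
        self._append_audit({"op": "detokenize", "token": token, "caller": caller,
                            "source_ip": source_ip, "found": blob is not None})
        if blob is None:
            raise KeyError("unknown token")
        return self._hsm.decrypt(blob).decode()

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append_audit(self, event: dict) -> None:
        prev = self._audit[-1]["hash"] if self._audit else "0" * 64
        entry = {"ts": time.time(), "prev": prev, **event}
        entry["hash"] = self._digest(entry)
        self._audit.append(entry)

    def audit_log(self) -> list:
        return self._audit

    def audit_chain_valid(self) -> bool:
        """True unless some entry was edited, removed from the middle or reordered."""
        prev = "0" * 64
        for entry in self._audit:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


if __name__ == "__main__":
    vault = CardVault(SoftwareHsm())
    token = vault.tokenize(SAMPLE_PAN)
    print("token:", token, "luhn-valid:", luhn_valid(token))
    print("detokenised:", vault.detokenize(token, "checkout-service", "10.0.0.5"))
    print("audit chain intact:", vault.audit_chain_valid())
```

Two points the code makes that the prose only states: the store holds ciphertext and a random token, so a dump of the database without the HSM yields nothing usable, and the audit log is verified as a chain rather than trusted as a list. The chain detects edits and removals in the middle but not truncation of the newest entries; a production vault anchors the latest hash outside the vault's own write path (an append-only or WORM log store) so that truncation is detectable too.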
Required certifications: PCI DSS Level 1, HSM, FIPS 140-2
A production-ready vault must be validated as a PCI DSS Level 1 service provider, the highest validation level (the levels are set by the card brands by transaction volume). Level 1 requires an annual on-site assessment by an independent QSA, documented in a Report on Compliance, plus ongoing testing: quarterly external vulnerability scans by an Approved Scanning Vendor, penetration testing at least annually, and, for service providers, segmentation testing at least every six months. Level 1 validation is not obtained by filling in a self-assessment questionnaire: it requires a thorough review of all technical and organisational controls, from cryptographic key management to physical data centre security.
Cryptographic keys must be generated and held in HSMs validated to FIPS 140-2 Level 3 or higher (or FIPS 140-3, which has superseded 140-2 for new validations). At Level 3, keys never leave the module in cleartext: they can be exported only wrapped under another key or under split-knowledge procedures, so a compromise of the application software yields ciphertext and an API to call, not key material. FIPS 140 validation means the module has been tested by a laboratory accredited under NIST's Cryptographic Module Validation Program to resist physical and logical attacks. PCI DSS itself (Requirement 3) mandates strong key management rather than a particular device, but a validated HSM is the accepted way to meet that requirement, and a vault without one should not expect to pass a Level 1 assessment.
In-house vault vs vault-as-a-service: the real comparison
Building an in-house card vault requires an initial investment that rarely falls below €200,000–€500,000 once HSM hardware, redundant infrastructure, development of the tokenisation system, the initial audit and team training are counted. To this must be added an annual operating cost of €50,000–€150,000 for maintaining the validation, penetration tests, key management and dedicated personnel. For a merchant with typical volumes, this investment practically never pays back.
A vault-as-a-service like PCI Proxy EU's transfers these costs and responsibilities to the provider. The merchant pays according to transaction volume, immediately inherits coverage of the provider's PCI DSS Level 1 validation (its own PCI DSS obligations shrink to the reduced scope that remains on its side), and does not need to run infrastructure or employ specialist staff. Because the tokens are processor-agnostic, switching PSP later does not require re-collecting card data from your users.
Frequently asked questions
Is a cloud card vault as secure as an on-premise one?
If the cloud provider has the correct certifications (PCI DSS Level 1, ISO 27001, SOC 2 Type II), the level of security is equivalent to or higher than an internally managed on-premise vault. Most companies do not have the resources to maintain the physical controls, redundancy and specialist staff that cloud providers dedicate to infrastructure security.
Does my current PSP offer a portable vault?
Most PSPs offer a proprietary vault whose tokens are valid only on their own platform. This creates vendor lock-in: if you want to change PSP, you have to re-collect card data from all your customers. A processor-agnostic vault like PCI Proxy EU's generates tokens usable with any PSP, eliminating this constraint.
How much does it cost to build an in-house card vault?
Implementation costs start at around €200,000 for a minimal certifiable infrastructure, with annual operating costs between €50,000 and €150,000. To these must be added the costs of specialist staff, QSA audits, penetration tests and certification maintenance. For most companies, vault-as-a-service is economically advantageous from the very first year.
Want a PCI DSS Level 1 certified card vault without managing infrastructure and without PSP lock-in? Discover PCI Proxy EU.