Tokenisation reduces PCI scope by replacing sensitive card data with a non-sensitive VaultId (a GUID token) that can be used for future transactions.

▶️ Test in Postman

View WSDL Specification ›

📘
Only credit card data is supported for tokenisation at this time.

Available Vault Request Types

Request Type	Description
`CardVaultRequest`	Create a token for a new card
`LookUpVaultRequest`	Retrieve the masked card details using a Vault ID
`DeleteVaultRequest`	Permanently delete a token from the vault

CardVaultRequest

Create a PayVault token for a credit card.

Request sample:

<SingleVaultRequest>
  <CardVaultRequest>
    <Account>
      <PayGateId>10011072130</PayGateId>
      <Password>test</Password>
    </Account>
    <CardNumber>5200000000000015</CardNumber>
    <CardExpiryDate>112030</CardExpiryDate>
  </CardVaultRequest>
</SingleVaultRequest>

Response sample:

<SingleVaultResponse>
  <CardVaultResponse>
    <Status>
      <StatusName>Completed</StatusName>
      <VaultId>6eb998d9-b4e8-46b8-9772-90ecb644ab54</VaultId>
    </Status>
  </CardVaultResponse>
</SingleVaultResponse>

Field	Description
`StatusName`	Indicates the outcome (`Completed`, `Failed`, etc.)
`VaultId`	The PayVault token used for future token-based transactions

LookUpVaultRequest

Retrieve the masked card number and expiry for an existing token.

Request sample:

<SingleVaultRequest>
  <LookUpVaultRequest>
    <Account>
      <PayGateId>10011013800</PayGateId>
      <Password>test</Password>
    </Account>
    <VaultId>c36a13e8-65a0-49fd-a12f-05fe78bf9eaa</VaultId>
  </LookUpVaultRequest>
</SingleVaultRequest>

Response sample:

<SingleVaultResponse>
  <LookUpVaultResponse>
    <Status>
      <StatusName>Completed</StatusName>
      <CardNumber>520000xxxxxx0015</CardNumber>
      <CardExpiryDate>112030</CardExpiryDate>
    </Status>
  </LookUpVaultResponse>
</SingleVaultResponse>

Field	Description
`CardNumber`	Masked card number (first 6 & last 4 digits)
`CardExpiryDate`	Format: MMYYYY
`StatusName`	Status of the request

DeleteVaultRequest

Remove a token from PayVault when it’s no longer needed.

Request sample

<SingleVaultRequest>
  <DeleteVaultRequest>
    <Account>
      <PayGateId>10011072130</PayGateId>
      <Password>test</Password>
    </Account>
    <VaultId>5c633bfa-5359-482e-b144-2949aa332c74</VaultId>
  </DeleteVaultRequest>
</SingleVaultRequest>

Response sample

<SingleVaultResponse>
  <DeleteVaultResponse>
    <Status>
      <StatusName>Completed</StatusName>
    </Status>
  </DeleteVaultResponse>
</SingleVaultResponse>

Field	Description
`StatusName`	Indicates whether the deletion was successful

Notes & Best Practices

Always store VaultId securely in your system — it replaces the card number.
For 3D Secure or Host-to-Host flows, you can pass the VaultId instead of card details.
To avoid storing sensitive card data, you may use Vault: true in your CardPaymentRequest.

Vault & Reuse Lifecycle

flowchart TD
  A[Customer enters card details on Merchant site] --> B[Merchant sends CardVaultRequest to PayGate]
  B --> C[PayGate securely stores card & returns VaultId]
  C --> D[Merchant stores VaultId & maps to customer profile]
  D --> E[Merchant initiates future payments using VaultId]
  E --> F[Merchant sends CardPaymentRequest or WebPaymentRequest with VaultId]
  F --> G[PayGate retrieves card details & processes payment]
  G --> H[Transaction response returned to merchant]
  H --> I{Card no longer needed?}
  I -- Yes --> J[Merchant sends DeleteVaultRequest]
  J --> K[PayGate deletes VaultId mapping]
  I -- No --> E

  style C fill:#fdf6e3,stroke:#b58900,stroke-width:2px
  style E fill:#dfe8f7,stroke:#268bd2,stroke-width:2px
  style J fill:#ffe6e6,stroke:#dc322f,stroke-width:2px