Card Storage and Tokenisation

Paythru offer secure storage of your customers' debit and credit card details, resulting in a faster checkout experience and enabling repeat card payments to be made when the customer is offline.


One of the key benefits of using Paythru is our card storage and tokenisation service. Whenever a customer's card is accepted by Paythru, the card details may be stored for future use. A reference or 'token' for the card may also be returned to the merchant for storage, providing them with the ability to conduct further payments and faster checkout experiences, with much reduced PCI DSS compliance obligations.

PCI DSS Compliance

Companies who wish to store payment card details are obliged to conform to the Data Security Standard defined by the Payment Card Industry Security Standards Council. Paythru exceed the highest level of compliance available and are independently audited annually to attest and certify that these standards are maintained.

Why store card details?

Storage of your customers' payment card details introduces a number of benefits to both you and your customers. Customers returning to your website to make further purchases will benefit from a faster checkout experience as they will not be required to re-enter their card details. It is not only the time taken to enter the card details that is saved, but also the time it may take them to locate the card in the first place.

Payments with stored cards are not just faster but also more convenient. Mobile card payment interfaces delivered by Paythru allow customers to make impulsive purchases in situations when their card may not be to hand, such as when watching television.

Card payments may also be initiated in a number of different ways when the customer is not online. For example, Paythru support a car parking payment service in partnership with Parkeon known as SwishPark. The service charges customers for their parking session by recognising the number plate of their vehicle when they exit the car park. This service would simply not be possible without card storage. Other examples include accepting payments within IVR services or by sending an SMS text message.

Provided that the customer has granted the merchant permission, known as a Continuous Payment Authority (CPA), the merchant may also initiate payments using the customer's stored card. This may include subscription services where the payment is taken on a regular basis (such as monthly), or on an ad hoc basis such as when a pre-ordered item is despatched.

Faster checkouts

Stored payment cards ensure a slicker checkout experience for your customers. Returning customers must authenticate themselves before Paythru will present their previously used card as a payment option. Customers using Paythru's Hosted Payment Pages may authenticate themselves either with Paythru, or with the merchant as described below.

Merchant authenticated

If the merchant's application is such that the customer has already authenticated before proceeding to payment, the merchant may pass a unique ID of the customer in the API request to Paythru. Paythru will then automatically store and retrieve the customer's card details without any further authentication.

Paythru authenticated

If the payment pages are configured to use Paythru Authentication, the customer will be given the option to store their payment card details at the end of their first payment by nominating a username and a password. When they return, they may enter their username and password into Paythru's payment pages to retrieve their stored details.

Device authenticated

For certain low transaction value applications, Paythru can offer a device authenticated payment model. Returning customers using the same device as before are not required to enter any authentication credentials at all, but must enter the security code of their card with each transaction.

Offline payments

Payments initiated by the Enterprise API return a unique transaction ID. With the customer's consent, this ID may be used to conduct further payments using the same card by means of the API's 'repeat' method. This method may be used by merchants wishing to process subscription fees and other payments triggered by scheduled or ad hoc events.