Skip to main content
🚧 Work in progress. This documentation section is being actively developed. 🚧

How to Securely Store Customer Payment Data

Which approach is right for your business?​

Securely storing customer payment data is essential for any SaaS business that handles recurring payments or wants to provide a seamless checkout experience. This guide will help you implement the right solution based on your specific business needs.

tip

Key Use Cases:

  • "I want to store just card numbers, not customer data" → Use Tokenization
  • "I need to store all customer data in one place" → Use Profiling
  • "I want to offer a 'save card for future purchases' feature" → Use Tokenization + the API
  • "I need to avoid PCI compliance requirements" → Use Client-Side Tokenization
Your SituationRecommended ApproachWhy This Works
You have your own customer databaseTokenizationYou keep control of customer data and only offload payment details
You work with legacy systems or don't have a customer databaseProfilingSimpler integration with fewer infrastructure requirements
You need flexibility in data queriesTokenizationYou maintain control over your data structure and queries
You want to minimize PCI scopeClient-Side TokenizationPayment data never touches your servers

Try our examples yourself: Run in Postman

What is Tokenization and How Does It Help?​

Tokenization is a secure way to handle payment data that replaces sensitive card or bank account numbers with a non-sensitive equivalent (a "token") that can be safely stored in your system. This approach significantly reduces your PCI DSS compliance requirements while still allowing you to process recurring payments or offer one-click checkout. For complete details on all API parameters, see the Tokenization API Reference.

info

Before Tokenization: You store actual card numbers in your database, requiring full PCI DSS compliance, regular security audits, and significant infrastructure investment.

info

After Tokenization: You store only tokens in your database. The actual card data is securely stored by the payment gateway. This dramatically reduces your PCI scope and security responsibilities.

The UniPay tokenization system offers two main approaches:

Tokenization​

This approach converts only the payment card or bank account number into a token, while you continue to store other customer information (name, address, etc.) in your own system. This is ideal when you already have a customer database and just need to add secure payment storage.

Profiling​

This approach stores both the payment information and associated customer data (name, address, etc.) in the payment gateway. This is ideal when you don't have your own customer database or prefer to offload all customer data management.

tip

Real-World Example:

SuperShop, an online store selling magazine subscriptions, needs to charge customers a monthly fee. Storing card numbers in their own database would require expensive PCI compliance. Instead, they use tokenization to securely store customer payment details while keeping other customer information in their existing database. They can now process recurring payments without handling sensitive card data.

Implementation Guide: Adding Secure Payment Storage​

Recipe: Adding a "Save card for future purchases" feature​

What you'll achieve: Allow customers to securely save their payment method for faster checkout on return visits.

Prerequisites:

  • Active UniPay merchant account with API credentials
  • Basic understanding of API integration
  • Front-end capability to collect card information
  • Familiarity with the Tokenization API Reference

Implementation steps:

  • Step 1: Choose the right tokenization approach Review the table above to determine whether basic tokenization or profiling is right for your needs.

  • Step 2: Set up your checkout form Add a checkbox that allows customers to opt in to saving their payment method.

  • Step 3: Implement tokenization When a customer checks the "save my card" box, make the tokenization API call along with the payment. See the Tokenization Request Parameters for details.

  • Step 4: Store the token in your database Associate the returned token with the customer's account in your system.

  • Step 5: Display saved payment methods Show masked card information (e.g., "Visa ending in 1234") on the checkout page for returning customers.

  • Step 6: Enable one-click checkout Allow customers to select a saved payment method and complete their purchase with minimal friction.

Try it yourself: Save Card Feature Collection

Recipe: Setting up secure payment storage without your own infrastructure​

What you'll achieve: Store customer payment data securely without maintaining your own customer database.

Prerequisites:

  • Active UniPay merchant account with API credentials
  • Basic understanding of API integration
  • Familiarity with the Get-Profile API Reference

Implementation steps:

  • Step 1: Enable profiling for your account Contact support to ensure profiling is activated for your merchant account.

  • Step 2: Collect customer and payment information Design forms to capture both customer details and payment information.

  • Step 3: Submit for profiling Make the tokenization API call with all customer data fields populated. Refer to the Billing Address Information API Reference for all available fields.

  • Step 4: Store only the token ID Save the returned token in your system as a reference to the complete customer profile.

  • Step 5: Retrieve profile data when needed Use the get-profile API call to fetch customer information when needed.

Try it yourself: Profiling Integration Collection

Technical Implementation​


Server-side tokenization involves collecting payment information on your server and then sending it to the payment gateway for tokenization. This approach is simple but requires your server to briefly handle sensitive payment data. See the Server-Side Tokenization API Reference for complete parameter details.

// Create a token for a payment card
String url = "https://secure.unipay.com/gates/xurl?";
String data = "requestType=tokenization" +
              "&userName=YOUR_USERNAME" +
              "&password=YOUR_PASSWORD" +
              "&accountId=YOUR_ACCOUNT_ID" +
              "&accountType=R" +
              "&accountNumber=4111111111111111" +
              "&accountAccessory=0525" +
              "&holderName=John Smith";

// Send request and get response
HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
conn.setRequestMethod("POST");
conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
conn.setDoOutput(true);
try (OutputStream os = conn.getOutputStream()) {
    os.write(data.getBytes());
}

// Parse response to get token
BufferedReader reader = new BufferedReader(new InputStreamReader(conn.getInputStream()));
String response = reader.lines().collect(Collectors.joining());
String token = extractTokenFromResponse(response);

// Save to your database (never store the actual card number!)
String customerId = "12345";
String sql = "UPDATE customers SET payment_token = ? WHERE id = ?";
preparedStatement.setString(1, token);
preparedStatement.setString(2, customerId);
preparedStatement.executeUpdate();

warning

Important Security Considerations:

  • When using server-side tokenization, your servers will briefly handle sensitive card data, which increases your PCI compliance requirements.
  • Consider using client-side tokenization instead to completely remove card data from your systems.
  • Never log or store raw card numbers, even temporarily.
  • See the Security Best Practices section in the API Reference.

Try the API: Server-Side Tokenization Collection

Problem-Solving Guide​

If you encounter an issue with tokenization​

info

Problem: Token not being created

Common causes:

  • Incorrect API credentials
  • Invalid card number format
  • Tokenization not enabled for your account

Solution:

  • Verify your API credentials
  • Check card number format and validation
  • Contact support to ensure tokenization is enabled
  • See the Response Codes Reference for detailed error handling
info

Problem: Authorization errors with client-side tokenization

Common causes:

  • Incorrect contextType parameter
  • Temporary password expired
  • CORS issues with API requests

Solution:

  • Ensure contextType is set to "proxynization"
  • Remember temporary passwords are valid for only 10 minutes
  • Verify your domain is whitelisted for CORS
info

Problem: Errors when using tokens for transactions

Common causes:

  • Missing or incorrect accountAccessory (expiration date/routing number)
  • Token has been deleted or is invalid
  • The token belongs to a different merchant account

Solution:

  • Always include the correct accountAccessory field with tokens
  • Verify the token exists and is correct
  • Ensure you're using the correct accountId for the token

Without Technical Knowledge​

If you don't have the technical resources to implement tokenization directly, consider these alternatives:

  • Pre-built plugins: Many popular e-commerce and CMS platforms have pre-built plugins for UniPay that include tokenization functionality.
  • Hosted Payment Pages: UniPay offers hosted payment pages that handle all the tokenization for you, with no coding required.
  • Integration partners: Contact one of our certified integration partners who can handle the implementation for you.

Advanced Tokenization Features​

Retokenization​

Some processors provide the ability to update token data when a customer's payment information changes (such as an updated expiration date). For this purpose, retokenization is used. For full parameter details, see the Retokenization API Reference.

// Update the expiration date for an existing token
Map<String, Object> retokenRequest = new HashMap<>();
retokenRequest.put("token", "tkn_1234567890abcdef");
retokenRequest.put("accountAccessory", "0628");  // Updated expiration date

Response response = api.retokenization(retokenRequest);

Try the API: Retokenization Collection

Untokenization​

Processors charge fees for every stored token. For this reason, it is not cost-effective to keep tokens associated with cards/accounts of customers who no longer perform transactions. The gateway provides the ability to remove unused tokens. For complete parameter details, see the Untokenization API Reference.

// Remove a token that is no longer needed
ApiClient api = new ApiClient();
Response response = api.untokenization("tkn_1234567890abcdef");

info

Note: For PCI compliance reasons, detokenization (retrieving the original card number from a token) typically requires contacting payment gateway support.

Try the API: Untokenization Collection

Business Benefits​

🔒 Enhanced Security Reduce your risk exposure by storing tokens instead of actual card data. Even in the event of a data breach, tokens are useless to attackers.

💰 Reduced Compliance Costs Significantly reduce your PCI DSS compliance scope and associated costs. With client-side tokenization, you can potentially qualify for the simplest SAQ A form.

🔄 Simplified Repeat Purchases Enable one-click checkout experiences that boost conversion rates. Customers with saved payment methods are more likely to complete purchases.

📈 Higher Retention Make it easier to implement subscription billing, reducing customer churn and creating predictable revenue streams.

Getting Started Checklist​

  • Review API Reference Familiarize yourself with all available endpoints and parameters in the Tokenization API Reference.

  • Ensure tokenization is enabled Contact support to confirm your account has tokenization functionality enabled.

  • Choose your approach Decide between basic tokenization and profiling based on your business needs.

  • Select implementation method Choose between server-side or client-side tokenization based on your PCI requirements.

  • Design database schema Create a database structure to securely store and associate tokens with customer records.

  • Implement and test Implement the API calls in your development environment and thoroughly test before deploying.

Implementation Timeline​

StageDurationPotential Delays
API account setup and verification1-2 daysApproval processes, incorrect documentation
Basic tokenization implementation2-5 daysTechnical issues, resources availability
Client-side tokenization setup3-7 daysFrontend integration complexities, CORS issues
Testing and bug fixing3-5 daysEdge cases, integration issues with existing systems
Production deployment1-2 daysDeployment window availability, unexpected issues
info

Need Technical Support? If you encounter issues during implementation, our Developer Support team is available to help. You can also visit our Developer Forum to connect with other integrators. For complete API specifications, refer to the Tokenization API Reference.