Card Vaulting Guide
Securely tokenize and store payment cards for future charges, subscriptions, and recurring billing. Card data never touches your servers or EPD — it is tokenized directly by EPD Gateway's Collect.js.
Card vaulting is currently handled through EPD Gateway. A native EPD vaulting API is on our roadmap.
Prerequisites
Before you begin, make sure you have:
- An EPD Gateway account with API credentials (security key)
- A Collect.js tokenization key from your EPD Gateway merchant portal
- An EPD API key (epd_live_sk_... or epd_test_sk_...)
Integration Flow
1. Collect card details (Client-side): Customer enters card information into Collect.js hosted fields on your checkout page.
2. Tokenize (Client-side → EPD Gateway): Collect.js sends the card data directly to EPD Gateway and returns a payment_token.
3. Create vault (Server-side → EPD Gateway): Your backend creates an EPD Gateway customer vault using the token by POSTing to https://secure.easypaydirectgateway.com/api/transact.php with customer_vault=add_customer and the payment_token. EPD Gateway returns a customer_vault_id.
4. Add card to vault (Server-side → EPD Gateway): Your backend adds the tokenized card to the vault by POSTing to the same EPD Gateway URL with customer_vault=add_billing, the customer_vault_id, and the payment_token. EPD Gateway returns a billing_id.
5. Link to EPD (Server-side → EPD): Create or update an EPD customer with the epd_gateway_customer_vault_id (see Create Customer).
6. Payment method created (Automatic): EPD validates the vault, extracts card details (brand, last4, expiry), and creates a payment_method record.
The payment_token from Collect.js expires after approximately 15 minutes. Complete steps 3–5 promptly after tokenization.
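An added example (not EPD's own code) of the server-side requests in steps 3 and 4, in Python: it rejects tokens past the 15-minute lifetime, redacts secrets before anything is logged, and parses the gateway reply. The security_key field name, the URL-encoded response=1 reply format, and the injected transport callable are assumptions not stated on this page.

```python
import time
from urllib.parse import urlencode, parse_qs

GATEWAY_URL = "https://secure.easypaydirectgateway.com/api/transact.php"
TOKEN_TTL_SECONDS = 15 * 60  # the page gives ~15 minutes; treat it as a hard limit
SECRET_FIELDS = {"security_key", "payment_token"}  # must never reach a log line


def build_vault_request(action, security_key, payment_token, token_issued_at,
                        customer_vault_id=None, now=None):
    """Form fields for step 3 (add_customer) or step 4 (add_billing)."""
    now = time.time() if now is None else now
    if now - token_issued_at >= TOKEN_TTL_SECONDS:
        raise ValueError("payment_token is too old; re-tokenize with Collect.js")
    if action not in ("add_customer", "add_billing"):
        raise ValueError("unsupported customer_vault action")
    fields = {"security_key": security_key,  # assumed field name
              "customer_vault": action,
              "payment_token": payment_token}
    if action == "add_billing":
        if not customer_vault_id:
            raise ValueError("add_billing requires customer_vault_id")
        fields["customer_vault_id"] = customer_vault_id
    return fields


def redact(fields):
    """Copy of the request that is safe to log."""
    return {k: "[REDACTED]" if k in SECRET_FIELDS else v for k, v in fields.items()}


def parse_gateway_response(body):
    """Assumed reply format: URL-encoded pairs, response=1 meaning success."""
    parsed = {k: v[0] for k, v in parse_qs(body).items()}
    if parsed.get("response") != "1":
        raise RuntimeError("gateway error: " + parsed.get("responsetext", "unknown"))
    return parsed


def send(fields, transport):
    """transport(url, body) -> reply text; pass your HTTPS client in production."""
    return parse_gateway_response(transport(GATEWAY_URL, urlencode(fields)))


if __name__ == "__main__":
    # Constructed values and a constructed gateway reply, so this runs offline.
    fake = lambda url, body: "response=1&responsetext=Customer+Added&customer_vault_id=1234567890"
    req = build_vault_request("add_customer", "sk-constructed", "tok-constructed", time.time())
    print("sending", redact(req))
    print("vault id:", send(req, fake)["customer_vault_id"])
```

Log only the output of redact(), and record token_issued_at when your backend receives the token from the browser so the age check has a trustworthy starting point.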
Key Identifiers
| Identifier | Source | Lifetime | Description |
|---|---|---|---|
| payment_token | Collect.js | ~15 minutes | One-time use token representing raw card data |
| customer_vault_id | EPD Gateway | Permanent | Identifies the customer's card vault in EPD Gateway |
| billing_id | EPD Gateway | Permanent | Identifies a specific card within a vault |
| payment_method_id (UUID) | EPD | Permanent | EPD payment method ID (auto-created on vault association) |
After Vaulting
Once the card is stored, you can use the payment_method for:
- One-time charges — pass payment_method_id when creating an order
- Recurring billing — pass payment_method_id when creating a subscription
- Default payment method — update the customer to change their default card
- Adding more cards — use Add Payment Method with a new billing_id
Security
Never log, store, or transmit raw card numbers. Always use Collect.js for client-side tokenization.
- Keep EPD Gateway API keys server-side only — never expose them to the browser
- Use HTTPS for all API calls to both EPD Gateway and EPD
- Rotate EPD Gateway API keys periodically through your EPD Gateway merchant portal