Priority Vault (Tokenization)
Protect sensitive card data with secure, PCI-compliant tokenization.
Priority Vaulting allows you to securely store customer card details in tokenized form for future transactions. While Checkout handles active payments, the Priority Vault is a consumer-facing hosted widget purely dedicated to securely tokenizing (saving) card information. It keeps your site out of PCI scope, but it is specifically optimized for capturing a card for the first time. Its features include:
- Secure Storage: It securely tokenizes the card data and obtains authorization from the user, utilizing consumer-facing consent language such as, "By clicking Save, you authorize the merchant to securely store this card and charge it for future transactions".
- Flexible Payment Types: In addition to credit cards, the Vault widget can be configured to let customers add other payment methods.
- Address Verification: It can be configured to require full billing address details to verify the customer when saving a new method.
- Saved Cards Management: The Vault interface can also be configured to display the customer's existing saved cards so they can manage them.
How Vaulting works
The vaulting process focuses on secure data tokenization and obtaining proper customer consent:
- Widget Initialization: Similar to the checkout widget, your backend generates a secure token, and your frontend loads the Vault widget into your application's UI.
- Data Entry: The customer enters their credit or debit card details. If configured (optional), they will also be required to enter their full billing address. Billing address collection is controlled by merchant-level settings. If this feature needs to be enabled or modified, please contact the PCE Account Management team.
- Customer Disclosure: Before submitting, the widget displays a consumer-facing consent message (e.g., "By clicking Save, you authorize the merchant to securely store this card and charge it for future transactions"). This message is presented for transparency and regulatory disclosure purposes. The widget does not collect a separate or explicit consent action beyond this.
- Tokenization: Once the customer submits their card details, the widget encrypts the data and sends it directly to Priority. The sensitive card or bank details never touch the merchant's servers. Priority securely stores the method and returns a safe **token** that your business can use to charge the customer in the future.
Before you begin
Ensure you have the following prerequisites in place before starting your integration:
| Item | Description |
|---|---|
| Customer ID | Your `customerId`, which uniquely identifies the customer within your system and is required for customer-level operations such as tokenization. Contact the PCE Account Management team if you need assistance. |
Security and Compliance
Maintaining a secure environment is a shared responsibility. While the widget significantly reduces your compliance burden by keeping sensitive data out of your environment, these five pillars ensure the integrity of every transaction.
- Generate Client Secrets only from your backend: Never expose your secret API key in frontend code or public repositories. The Client Secret API must be called exclusively from your server.
- Use HTTPS in Production: Ensure your application is served over HTTPS so that communication between your page and the widget remains secure.
- Use one Client Secret per Session: Create a new client secret for every vaulting session. Do not reuse secrets that are expired or already consumed.
- Restrict allowed origins (if supported): Configure `security.allowedOrigin` with your frontend origin (e.g., https://yourdomain.com) to restrict which domains can interact with the widget.
- Handle errors securely: Within `onError`, log only the necessary details for troubleshooting. Avoid exposing sensitive or internal error information to end users.