PayMaya Payment Vault Overview
Drafted by Diwa del Mundo, Abby Alcantara • Tuesday November 08, 2016 09:13 AM






Payment Vault enables your web or mobile application to accept credit and debit card payments. It is easy to use, secure, and follows RESTful standards.



Payment Vault supports custom payment workflows depending on your business needs. It also supports most modern programming languages and app platforms.



Customer information is never compromised. Data transmission is encrypted using industry-standard Secure Sockets Layer / Transport Layer Security (SSL / TLS).


Reduced PCI DSS Compliance Scope

Payment Vault handles the security of your customers' card data via tokenization. All you need to do is pass the token before executing a payment transaction.


3-D Secure Support (MasterCard SecureCode / Verified by Visa)

Customer identity can be verified before payment processing to ensure security and prevent fraudulent transactions.



Payment Vault supports real-time notification on the status of your customers’ payment transactions.


Card Tokenization

Payment Vault gives merchants the ability to store their customers' card details and charge for payments on demand. It can provide a superior user experience while reducing the merchant's PCI-DSS scope by providing a multi-use “card token” as a reference to the customer’s card details.


With the use of this service, the Payment Vault provides the following payment services:

  • One-time Tokenized Payments
  • Card Vault as a Service (CVAS)
  • Subscriptions


Payment Services

One-time Tokenized Payments


Key Advantage: Custom Payment Form

PCI-DSS Self-Assessment: SAQ A, SAQ A-EP


Payment Vault accepts tokenized payments from your customers. As a merchant, you do not need to worry about securing your customer's credit or debit card data such as card number, cardholder name, and CVC / CVV / CSC. You just need to pass that data to us and we will return a payment token that you can use when you are ready to charge your customer for payment. The payment token is essentially a secured or encrypted version of your customer's payment information.


Card Vault as a Service (CVAS)


Key Advantage: On-demand Payments

PCI-DSS Self-Assessment: SAQ A-EP


Payment Vault lets you manage your customers' information through the Customer APIs. Aside from the usual customer information, such as personal information and billing addresses, you can also save your customers' credit and debit card data. You can manage your customers' card details through the Card APIs. Vaulting credit or debit card data gives you customer card tokens, which you use for on-demand or recurring payments.




Subscriptions


Key Advantage: Recurring Payments

PCI-DSS Self-Assessment: SAQ A-EP


Payment Vault also supports subscriptions on customers' verified cards for charging recurring payments. The merchant sets the charging schedule for a subscription during registration, with intervals ranging from days to a year.


Payment Flow

Tokenized Payment

  1. The merchant's application submits the customer's card data to PayMaya Payment Vault using a public API key.
  2. PayMaya Payment Vault returns a payment token, which will be used for charging the customer.
  3. The merchant's application submits the payment request with the payment token to the merchant's server.
  4. The customer verifies his or her identity via 3D Secure Authentication.
  5. The merchant's server requests PayMaya Payment Vault to process the payment using its secret API key.
  6. For 3DS-enabled merchants, PayMaya Payment Vault notifies the merchant's server of the payment result by calling the merchant's registered webhook.
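The key separation in the six steps above, modelled in memory as an added example; this is not PayMaya's code or API. `ToyVault`, `MerchantServer`, the key formats, the status strings and the single-use random token are all assumptions made for illustration, and the card is constructed test data.

```python
import secrets

class ToyVault:
    """In-memory stand-in for a payment vault; hypothetical, not PayMaya's API."""
    def __init__(self):
        self.public_key = "pk-" + secrets.token_hex(8)  # embedded in the client app
        self.secret_key = "sk-" + secrets.token_hex(8)  # held only by the merchant server
        self._cards = {}      # payment token -> card data; never leaves the vault
        self.webhook = None   # merchant callback used in step 6

    def create_token(self, api_key, card):
        # Steps 1-2: the public key can only trade card data for a token.
        if api_key != self.public_key:
            raise PermissionError("tokenization requires the public key")
        token = secrets.token_urlsafe(16)  # assumption: opaque random reference
        self._cards[token] = dict(card)
        return token

    def charge(self, api_key, token, amount, verified_3ds):
        # Step 5: only the secret key can turn a token into a charge.
        if api_key != self.secret_key:
            raise PermissionError("charging requires the secret key")
        card = self._cards.pop(token, None)  # assumption: token is single-use
        if card is None:
            result = {"status": "UNKNOWN_TOKEN", "amount": amount}
        elif not verified_3ds:               # step 4 outcome
            result = {"status": "AUTH_FAILED", "amount": amount}
        else:
            result = {"status": "SUCCESS", "amount": amount, "last4": card["number"][-4:]}
        if self.webhook:
            self.webhook(result)             # step 6: notify the merchant server
        return result

class MerchantServer:
    def __init__(self, vault, secret_key):
        self.vault, self.secret_key = vault, secret_key
        self.received, self.events = [], []  # what the server saw; webhook calls
        vault.webhook = self.events.append

    def pay(self, token, amount, verified_3ds=True):
        self.received.append(token)          # step 3: only the token arrives here
        return self.vault.charge(self.secret_key, token, amount, verified_3ds)

def run_flow():
    vault = ToyVault()
    server = MerchantServer(vault, vault.secret_key)
    card = {"number": "4111111111111111", "name": "Test Holder", "cvc": "123"}  # constructed
    token = vault.create_token(vault.public_key, card)  # client side, steps 1-2
    first = server.pay(token, 100)                      # steps 3-5
    replay = server.pay(token, 100)                     # reused token is rejected
    return vault, server, card, token, first, replay
```

The merchant server's `received` list holds only tokens, which is what keeps the card number out of the merchant's environment; a leaked public key can create tokens but cannot charge them.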


Payment via Card Vault

  1. The merchant registers the customer's details. Payment Vault will return a Customer ID.
  2. The merchant's application submits the customer's card data for Card Vaulting. Payment Vault will return a card token and verification link.
  3. The customer verifies his or her identity via a 3D Secure transaction.
  4. The verified card will be vaulted.
  5. The merchant can use the vaulted card for on-demand payments or subscriptions without asking the customer for their card details again.



Subscriptions

  1. The merchant registers a subscription for a customer's verified card.
  2. Subscriptions are charged based on the schedule indicated during registration.
  3. PayMaya Payment Vault notifies the merchant's server of each subscription payment by calling the merchant's registered webhook.




Figure 1 - Tokenized Payment Flow from Client to Server


How To Integrate


There are 3 steps to integrate PayMaya Payment Vault into your web or mobile application: integration with the sandbox environment, testing, and promotion to production.


1. Integration to the Payment Vault sandbox environment


Integration involves programming your application to communicate with the Payment Vault for the payment service that you need. Sample API requests and API specifications are available here.


2. Testing


Test your integration by creating transactions using test cards and API keys available here. You can also contact us and request your own set of API keys.


3. Promotion to Production


Once you have fully tested your integration, you can contact us for assistance with your production deployment. Your integration will undergo a certification process. Once certified, you will be given a new set of API keys provisioned in production, which you can use to process live payments.



If you have other inquiries or need clarification, you can visit our FAQs page or contact us.