
Overview

The Customer Vault enables merchants to securely store customer payment information in a Level 1 PCI certified data facility without maintaining cardholder data locally. This addresses Payment Card Industry (PCI) Data Security Standard requirements and shifts liability to the gateway provider.
Store payment data securely and initiate transactions using stored credentials without handling raw card data.

Benefits

  • PCI Compliance: Reduce PCI scope by not storing card data
  • Recurring Billing: Process automatic recurring payments
  • Quick Checkout: Enable one-click payments for returning customers
  • Multiple Payment Methods: Store cards, bank accounts, and digital wallets

API Endpoint

POST https://api.ionicfi.com/api/transact.php

Core Operations

Create a new customer record in the vault.
security_key=YOUR_API_KEY
customer_vault=add_customer
ccnumber=4111111111111111
ccexp=1225
cvv=999
first_name=John
last_name=Doe
address1=123 Main St
city=New York
state=NY
zip=10001
Response:
response=1&responsetext=SUCCESS&customer_vault_id=123456

Adding Payment Methods

Credit/Debit Cards

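<?php
$url = "https://api.ionicfi.com/api/transact.php";

// Request fields for adding a customer with a card to the vault.
$data = array(
    "security_key" => "YOUR_API_KEY",
    "customer_vault" => "add_customer",
    "ccnumber" => "4111111111111111",
    "ccexp" => "1225",
    "cvv" => "999",
    "first_name" => "John",
    "last_name" => "Doe",
    "address1" => "123 Main St",
    "city" => "New York",
    "state" => "NY",
    "zip" => "10001",
    "email" => "john.doe@example.com", // placeholder address
    "phone" => "555-1234"
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$response = curl_exec($ch);
if ($response === false) {
    // Transport or TLS failure: there is no gateway response to parse.
    $error = curl_error($ch);
    curl_close($ch);
    exit("cURL error: " . $error);
}
curl_close($ch);

// The gateway replies with a form-encoded string (response=1&responsetext=SUCCESS&...).
parse_str($response, $result);
if (($result['response'] ?? '') !== '1') {
    exit("Vault request failed: " . ($result['responsetext'] ?? 'unknown error'));
}
echo "Customer Vault ID: " . $result['customer_vault_id'];
?>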

ACH/Bank Accounts

security_key=YOUR_API_KEY
customer_vault=add_customer
checkname=John Doe
checkaba=123456789
checkaccount=987654321
account_type=checking
sec_code=WEB
first_name=John
last_name=Doe

With Collect.js Token

security_key=YOUR_API_KEY
customer_vault=add_customer
payment_token=TOKEN_FROM_COLLECTJS
first_name=John
last_name=Doe

With Digital Wallets

Apple Pay:
security_key=YOUR_API_KEY
customer_vault=add_customer
applepay_payment_data=ENCRYPTED_TOKEN
Google Pay:
security_key=YOUR_API_KEY
customer_vault=add_customer
googlepay_payment_data=ENCRYPTED_PAYLOAD

Auto-Generated IDs

If you don’t specify a customer_vault_id, the system will auto-generate one:
# Without ID - system generates
customer_vault=add_customer

# With custom ID
customer_vault=add_customer
customer_vault_id=CUSTOM_ID_123
Custom IDs must be unique across your merchant account. Use auto-generation for simplicity.

Transacting with Stored Credentials

Once payment information is stored, initiate transactions using the customer vault ID:

Sale Transaction

security_key=YOUR_API_KEY
type=sale
customer_vault_id=123456
amount=50.00

Authorization

security_key=YOUR_API_KEY
type=auth
customer_vault_id=123456
amount=50.00

Credit

security_key=YOUR_API_KEY
type=credit
customer_vault_id=123456
amount=25.00

Validation

security_key=YOUR_API_KEY
type=validate
customer_vault_id=123456

Stored Credential Compliance

When storing payment credentials, implement the Credential on File (CoF) framework:
1. Initial Transaction
   First transaction must include stored_credential_indicator: 'stored'
   stored_credential_indicator=stored
   initiated_by=customer

2. Store Transaction ID
   Save the transactionid from the gateway response

3. Subsequent Transactions
   Use stored_credential_indicator: 'used' with original transaction ID
   stored_credential_indicator=used
   initial_transaction_id=ORIGINAL_TXN_ID
   initiated_by=merchant

Initial Storage Example

security_key=YOUR_API_KEY
type=sale
amount=25.00
ccnumber=4111111111111111
ccexp=1225
cvv=999
customer_vault=add_customer
stored_credential_indicator=stored
initiated_by=customer

Subsequent Transaction Example

security_key=YOUR_API_KEY
type=sale
amount=30.00
customer_vault_id=123456
stored_credential_indicator=used
initial_transaction_id=987654321
initiated_by=merchant
Card brand matching is enforced between initial and subsequent transactions. You cannot use a Visa token to charge a Mastercard.
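
The three Credential on File steps above, as an added Python example that is not part of the original documentation: it builds the customer-initiated request, keeps only transactionid and customer_vault_id from the reply, and builds the merchant-initiated follow-up. The sample reply is constructed and the helper names are hypothetical; no network call is made.

```python
from urllib.parse import parse_qs, urlencode


def parse_reply(body: str) -> dict:
    """Parse the form-encoded gateway reply; fail closed unless response=1."""
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    if fields.get("response") != "1":
        raise RuntimeError("gateway error: " + fields.get("responsetext", "unknown"))
    return fields


def initial_request(api_key: str, amount: str, card: dict) -> dict:
    """Step 1: customer-initiated sale that also stores the card in the vault."""
    return {
        "security_key": api_key, "type": "sale", "amount": amount, **card,
        "customer_vault": "add_customer",
        "stored_credential_indicator": "stored",
        "initiated_by": "customer",
    }


def ids_to_store(reply: dict) -> dict:
    """Step 2: keep only the two identifiers, never the card fields."""
    missing = [k for k in ("transactionid", "customer_vault_id") if not reply.get(k)]
    if missing:
        raise ValueError("reply lacks " + ", ".join(missing))
    return {"transactionid": reply["transactionid"],
            "customer_vault_id": reply["customer_vault_id"]}


def subsequent_request(api_key: str, amount: str, stored: dict) -> dict:
    """Step 3: merchant-initiated sale that references the stored IDs only."""
    return {
        "security_key": api_key, "type": "sale", "amount": amount,
        "customer_vault_id": stored["customer_vault_id"],
        "stored_credential_indicator": "used",
        "initial_transaction_id": stored["transactionid"],
        "initiated_by": "merchant",
    }


def run_flow() -> tuple:
    card = {"ccnumber": "4111111111111111", "ccexp": "1225", "cvv": "999"}
    first = urlencode(initial_request("YOUR_API_KEY", "25.00", card))
    # Constructed sample reply for this example, not captured from the gateway.
    reply = parse_reply("response=1&responsetext=SUCCESS"
                        "&transactionid=987654321&customer_vault_id=123456")
    stored = ids_to_store(reply)
    return first, stored, urlencode(subsequent_request("YOUR_API_KEY", "30.00", stored))
```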

Customer Vault Variables

Required Fields

| Variable | Description |
|---|---|
| security_key | Your API security key |
| customer_vault | Action: add_customer, update_customer, delete_customer |

Payment Fields (Add/Update)

| Variable | Description | Format |
|---|---|---|
| ccnumber | Credit card number | Numeric |
| ccexp | Expiration date | MMYY |
| cvv | Security code | Numeric |
| checkname | Account holder name | String |
| checkaba | Routing number | Numeric |
| checkaccount | Account number | Numeric |
| account_type | checking or savings | String |
| payment_token | Collect.js token | String |

Billing Information

| Variable | Description |
|---|---|
| first_name | Customer first name |
| last_name | Customer last name |
| company | Company name |
| address1 | Street address line 1 |
| address2 | Street address line 2 |
| city | City |
| state | State/province code |
| zip | Postal code |
| country | Country code |
| phone | Phone number |
| email | Email address |

Shipping Information

Prefix all address fields with shipping_:
shipping_firstname=Jane
shipping_lastname=Smith
shipping_address1=456 Shipping St

Multiple Payment Methods

Store multiple payment methods per customer using billing IDs:
# Add primary payment method
customer_vault=add_customer
customer_vault_id=CUST123
ccnumber=4111111111111111
ccexp=1225

# Add second payment method
customer_vault=add_billing
customer_vault_id=CUST123
billing_id=BILLING2
ccnumber=5424000000000015
ccexp=1226

Update Operations

Update Payment Method

security_key=YOUR_API_KEY
customer_vault=update_customer
customer_vault_id=123456
ccexp=1227
cvv=123

Update Billing Information

security_key=YOUR_API_KEY
customer_vault=update_customer
customer_vault_id=123456
address1=789 New St
city=Los Angeles
state=CA
zip=90001

Security Best Practices

CVV values cannot be stored per PCI DSS. Only submit during add/update operations.
Attempting to store CVV long-term violates PCI compliance.
Always use HTTPS for API requests. Never transmit payment data over HTTP.
Restrict access to customer vault operations:
  • Separate API keys for vault operations
  • Log all vault access
  • Implement multi-factor authentication
Periodically review stored credentials:
  • Remove inactive customers
  • Update expired cards
  • Verify data integrity
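
One way to log vault access without writing cardholder data or the API key to the log, as an added Python example (not the gateway's own code). Which fields are dropped or masked, the audit record layout, and the function names are assumptions of this example.

```python
import json

# Secrets and sensitive authentication data: never logged in any form.
DROP = {"security_key", "cvv", "payment_token",
        "applepay_payment_data", "googlepay_payment_data"}
# Account numbers: keep the last four digits so support can correlate records.
MASK_LAST4 = {"ccnumber", "checkaccount"}


def mask_last4(value: str) -> str:
    digits = "".join(c for c in str(value) if c.isdigit())
    if len(digits) < 8:  # too short to reveal four digits safely
        return "[REDACTED]"
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(params: dict) -> dict:
    """Return a copy of the request fields that is safe to write to a log."""
    safe = {}
    for key, value in params.items():
        if key in DROP:
            safe[key] = "[REDACTED]"
        elif key in MASK_LAST4:
            safe[key] = mask_last4(value)
        else:
            safe[key] = value
    return safe


def audit_record(actor: str, timestamp: str, params: dict) -> str:
    """One JSON line per vault call: who did what to which customer, and when."""
    return json.dumps({
        "ts": timestamp,
        "actor": actor,
        "action": params.get("customer_vault") or params.get("type"),
        "customer_vault_id": params.get("customer_vault_id"),
        "fields": redact(params),
    }, sort_keys=True)


# Constructed request, using the sample values from this page.
SAMPLE = {"security_key": "YOUR_API_KEY", "customer_vault": "update_customer",
          "customer_vault_id": "123456", "ccnumber": "4111111111111111",
          "ccexp": "1227", "cvv": "123"}

if __name__ == "__main__":
    print(audit_record("billing-service", "2024-01-01T00:00:00Z", SAMPLE))
```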

Error Handling

Common customer vault errors:
| Error | Description | Resolution |
|---|---|---|
| Invalid customer vault id | ID doesn’t exist | Verify ID or create new customer |
| Duplicate customer vault id | ID already exists | Use different ID or update existing |
| Invalid card number | Card number validation failed | Verify card number format |
| Card expired | Expiration date in past | Update with valid expiration |
