One-Time Credit Card Import

This guide describes how to import credit card data into your organization’s Spreedly environment. If you are integrating with an existing Spreedly customer that is a payment platform for this import, see our merchant of a platform migration guide.

Migration Scenarios

Importing cards from an existing gateway account (common)

Steps to import cards to Spreedly:

  1. Contact the existing third-party vault/gateway to request an export of the payment method data. Please also point them to our PCI compliance information. Here’s a good template to send to the gateway:

    Hello [Gateway] Support, I’d like to export all of my payment methods to Spreedly’s Level-1 PCI compliant payment vault. You can find their latest compliance documentation here:

    When the export is ready, please send the export to and reference my organization and merchant’s name. If you have any questions I’m happy to loop you in with Spreedly’s Support team and they will help move the process along. Here’s Spreedly’s public key, which you will use to encrypt the export:

  2. Review the gateway’s export documentation prior to migration to confirm the following:

    • The data will be a GPG-encrypted JSON or CSV file.
    • The data is similar to our suggested data format.
  3. Submit a request to Spreedly with the environment key where data will be imported.

  4. Data transfer depends on the gateway’s process and how they respond to the export.

    • If they prefer to setup the SFTP for the transfer, then they will need our PGP key to provide us credentials. (S/MIME encryption uses an RSA key of at least 2048 bits)
    • If a Spreedly SFTP is requested, we’ll need you to provide us the public PGP key of the third-party vault/gateway. The Gateway’s PGP key will be used to encrypt credentials to a Spreedly-created SFTP server where they will drop the exported payment methods for us to retrieve. Ideally, this key would be hosted on a public page.

If necessary, we will work directly with the third-party vault to manage the import process. Spreedly customers are responsible for managing communication with their merchant(s).

Information about customer subscriptions (amount, dates, etc.) should be obtained directly from the exporting entity. Spreedly will not extract this data from an encrypted data file.

Customer Database Migration (less common)

When bringing cards from your own database follow the same steps listed in the gateway migration above. The data should be PGP encrypted and transferred securely.

If the import source is a merchant of the Spreedly customer, we would treat the merchant like any other 3rd party importing to us and work with them to move the data. Afterwards, they should continue to go to their provider (the Spreedly customer) for support.

Spreedly to Spreedly Migrations

Moving from one Spreedly environment to another. The original payment methods will still be retained in the source environment and the payment method details will be copied onto a newly assigned token in the destination environment. We’ll provide a mapping file which includes the “old” Spreedly token and the corresponding “new” token.

In order to migrate payment methods from one Spreedly environment (or organization) to another, we need the following information:

Source Spreedly Account

  • Confirmation of request to export payment methods
  • Environment key where the payment methods are currently stored
  • A list of Spreedly Payment Method tokens to be exported (CSV)

Destination Spreedly Account

  • Confirmation of request to import payment methods
  • Environment key where the payment methods are to be imported

Managing Communications

It’s important to remember that you support your customer and we support you. While, for PCI reasons, we have to manage the actual transfer with your customer’s existing vault, it’s important to remember that they are still your customer. We need the initial request to come from you versus the merchant/end-user account. We need you to communicate the process to your customer and determine how you might want to handle any fees or other issues. We can never be sure what the current status of the customer’s account is with you so it’s important that you always lead.


Spreedly will complete one import per merchant account, per third party vault. Should the merchant require any additional transfers from the same third party vault, a fee will apply. Please contact Support with any questions.

Merchants should discuss a migration approach early. We recommend making sure new payment methods can be added to your Spreedly vault before requesting the import. This will help ensure you are fully migrated after one import, rather than having new cards added after the first import is complete, resulting in additional fees.

Data Format

Spreedly requires incoming data to be in CSV or JSON format. Any other data format, such as Microsoft Excel (.xlsx), may be assessed an additional fee.

The absolute minimum data required to import credit cards is an external ID and card number. However, we recommend the following information at a minimum. For data supplied as a CSV, the order in which the headers appear is flexible.

  • External ID
  • Full name
  • Card number
  • Expiration month
  • Expiration year

You can include optional fields such as email, address1, address2, city, state, etc. For a full list of acceptable data types, see our API reference.

If you are importing ACH payment methods, be sure to include all fields marked as required in our API reference:

  • First name
  • Last name
  • Bank routing number
  • Bank account number

Data should be GPG-encrypted and transferred securely, such as via SFTP.

Important: The id that you provide will map to our payment_method token so you know which Spreedly payment method maps to the payment method in the existing vault.

Data Validation

When communicating with Support, please provide the following information if possible to help prevent delays in processing:

  • Name of the external identifier to use
  • How many payment methods are expected to be included in the import (a ballpark figure is okay)
  • Known gaps in data, i.e. that names or expiration dates will not be included

We do not validate expiration dates when importing credit cards. Imported cards will be marked as eligible for Account Updater by default, but your organization must be opted in to Account Updater for cards to be updated.


Spreedly generally processes imports within 2 weeks of receiving the required materials. In the case that an importer for the specific third-party vault/gateway has not yet been created, this timeline may be extended to account for the creation of the importer.

This process is a coordinated effort between you as the Spreedly customer, your merchant(s), and the third-party vault/gateway that is performing the export.


Once we complete the import, we will then notify all parties and provide the Spreedly customer with a JSON file of the mappings. It will look like this:


external_id is the unique ID of the payment method in the third party system we’re importing from, and spreedly_token is the token of the payment method in the Spreedly vault. fingerprint is the fingerprint associated with the imported payment method (only applicable to credit cards).

Any non-sensitive data or that was imported on a payment method can be looked up with our APIs. Information about customer subscriptions (amount, dates, etc.) should be obtained directly from the exporting entity. Spreedly will not extract this data from an encrypted data file.

File Transfer

Spreedly accepts migration file transfer via SFTP with the following options:

  • Spreedly will create an SFTP for one time use. Spreedly will require the PGP key from the third party sending the file to encrypt the credentials for the SFTP.
  • The third party sending the import file prefers to create their own SFTP. If this is the case, it must be configured to the standard SFTP port (22). Credentials should be encrypted to Spreedly’s PGP public key. If the third party prefers for Spreedly to authenticate via SSH-RSA key instead of sending encrypted credentials, please use the key listed below.

Spreedly SSH-RSA Public Key



To migrate sensitive data to Spreedly, such as credit card information, it needs to be encrypted using our public key.

If you’re not familiar with PGP, visit GnuPG and start by importing a public key.

Spreedly Public Key

  • Key ID: D60BA557
  • Type: Public Key
  • Length: 4096
  • Algorithm: RSA
  • Fingerprint: 5813 E64C 851F 114D 1ABC  2FA9 8EF9 8493 D60B A557
  • User ID: Spreedly Support <>
Version: GnuPG v2.0.14 (GNU/Linux)