One-Time Credit Card Import

This guide walks you through what happens when you would like credit card data that’s currently stored somewhere else to be stored in the Spreedly vault.

Your Customer Wants to Import Their Cards

It’s important to remember that you support your customer and we support you. While, for PCI reasons, we have to manage the actual transfer with your customer’s existing vault, it’s important to remember that they are still your customer. We need the initial request to come from you versus the end-user account. We need you to communicate the process to your customer and determine how you might want to handle any fees or other issues. We can never be sure what the current status of the customer’s account is with you so it’s important that you always lead.

Pricing

Spreedly does one complete vault import per customer for each third party vault they currently use. Should your customer ask for a second transfer from the same existing third party vault, we will charge you to perform the additional import. Please contact us to discuss the actual pricing of such imports.

Make sure that once your customer begins the export process from the third party vault, they do not add new customers (and therefore stored cards) requiring a second transfer. Any new customers should be added directly via your Spreedly integration otherwise they will not be included in the data import process. It is worth communicating this to your customer early in the process so that the customer does not prematurely request the vault transfer and incur additional unnecessary cost.

Data Format

Gateways typically provide a GPG-encrypted JSON or CSV file. The order in which the headers appear is flexible. If sending a CSV file, a header line of:

id, first_name, last_name, card_number, expiration_month, expiration_year would work.

You can add additional optional fields such as email, address1, address2, city, state, etc if you’d like.

Important: The id that you provide will map to our payment_method token so you know which Spreedly payment method maps to the payment method in the existing vault.

The Process

Spreedly generally processes imports within a week of receiving the required materials. In the case that an importer for the specific third-party vault/gateway has not yet been created, this timeline may be extended to account for the creation of the importer.

This process is a coordinated effort between you as the Spreedly customer, your merchant(s), and the third-party vault/gateway that is performing the export.

The steps are as follows:

  1. Contact the existing third-party vault/gateway to request an export of the payment method data.
    • If the third party vault requires information on Spreedly?s PCI compliance, you may provide them with our PCI page here.
  2. Email Spreedly with the environment key where data will be imported and include the public PGP key of the third-party vault/gateway.
    • The PGP key will be used to encrypt credentials to a Spreedly-created SFTP server for the exported payment methods.
    • S/MIME encryption uses an RSA key of at least 2048 bits (Our PGP key is located below.)
  3. We will work with the third party vault to manage the import process. Spreedly customers are responsible for managing communication with their merchant(s).
    • Make it clear to your merchant(s) that any subsequent imports will incur additional cost.
  4. Once Spreedly has received the data file and environment key, we will import the file to the designated environment and map the card data to new Spreedly tokens.

Once we complete the import, we will then notify all parties and provide the Spreedly customer with a JSON file of the mappings. It will look like this:

[
  {
    "external_id":"3397a8kI2ervRYgo2ExEhQc7r",
    "spreedly_token":"7I4Pe91tKQA1paBLd8Lm5YmYKcU"
  },
  {
    "external_id":"a127a9kI2eZvKYlo2CxBhQc7J",
    "spreedly_token":"ErHJlkd1GvJXOzYrEAIrDZwdv9r"
  }
]

external_id is the unique ID of the payment method in the third party system we’re importing from, and spreedly_token is the token of the payment method in the Spreedly vault.

Any non-sensitive data that was imported on a payment method can be looked up with our APIs. We cannot provide sensitive data back in a file as that compromises the security provided by tokenizing the payment methods.

PGP

To encrypt your communications with support@spreedly.com, you can use our PGP public key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.14 (GNU/Linux)

mQINBFTKucgBEADkg4fW09Ejcy22AqXcYDGwBaasKBvEA/ft9ZK2QQcjlxCD7e+q
MRjxQ0Kw72CVZSX8IDLuZ4falNjRlGifKXBZLX2yYhOXtud/fAnv9LjVcccM+yh3
LKLBcQnsMv73NWL4e8HS2y3N9gRXsnozBDuLQccznCXpFBkNN6wsUmOscB4DYFuu
xXPjGz6DvXfjBjnEolqg4PvG3VCdC4CsR3YV34WKwBkYkXfKc2eokELLj7cXbaaz
uyGxqZUNCEBxsfRgwwOY3D0kJgjS7ot2nX72qlXTMa1wAE64FHP1zoAT8GrbWaAL
7JxSwA58mO2XBRjDisw6Q5kiutPChSOYTw2YLZeuc07MPsx6USB+yS+NxP+ouuWw
4yM1STQ8ylNPi0gJCxxjPXod9G5PjjhRdU91lVa5jANjzSq29xEJvFrEVuGHE73c
Zbh/8TuXoQv9e2PnV50HryaZ7eym4GuhD0E1+UhWZOVzrlfp9wYCbIfQeudKJHYt
NhLNlhGQdgCg4mMQaA+I2Nb1udETi0cjIRuoBShBbL9FmG+Kse8Mi23H+63dytc/
SGVZ/jd/cxnBAMdGrrTeuMYmReBJMKPDN3zimB6yUQlmy1RS59P5gGhltLkyFyfa
bGTZn1tXNzgfPxHFfYdDXA//roZUvhOB10XnP8rUDUbsyWxf0K5LTeorcwARAQAB
tCdTcHJlZWRseSBTdXBwb3J0IDxzdXBwb3J0QHNwcmVlZGx5LmNvbT6JAjgEEwEC
ACIFAlTKucgCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEI75hJPWC6VX
HAUP/i9NiEX/dawe9ze86dA7yDWc5YVpC2XyFXArPz1pS3ezHQTi+5pxuaY0/k5c
08XoTBp0DfdC6MX/hKcWFz+LLlfSMwyLJ9HypuDa0PvSauVyW2d7tmQH+LjAt/ln
GEoJqPPAzO0iCrpWGKCwkW4sAYiVHnhY3hBMljc8XNxfZHjBgGh2l6W51UzmsJeS
1Gcv17Krg87dIV+1D0q1utvLMdNEXd9mpnifYH4MZ3LC3uEJ+tLkWEGVJXJhtA4N
qJGmXelcT4j7axHK653bq+kttEeYLZpQTl46UiEpsk1zwRqO+i2LuoZMPk/o7aeh
VyxvL5B3x1TnimqEztooX49baBo+ptUFYNltJ3meWw9Ei+UJsn3HWkEW0nqi33A+
1n+rtJNHAGB+6hlQBdqCiuHHoLlUXHx27OTx/e+JuMB3mQ+xOKAQ1r3hwtNV+ErV
kjaKRx7e/5tjUeyJ6ZFpj+V3RdEGVw4M62ScD2vbWPmm7S2y7L5VGNnRm5NT1Hx0
i9fwWGUm8t8v11Bz6LBRhKzbrZnz/kalcJBYmNjAKspO9xkWUSFnVtHTO2q57O6w
+8h28HBv+LhzD3STrnRraIeFIgh3orPCwmjscmxEmYypcl1PcBsf6C56HZgpgRq8
8OlfZn5SK0893mQvBANA3YY7VUS4qVrwUhpphJHCPQ0CwwacuQINBFTKucgBEADb
jwNCer/sbzSb42Vv/8WyYsGOVbB4rhZNELXP3n520ehlpdD/wgAm1iGFQhi48fWK
8XoNsQvlfZrpsvOu8Y72bZEiRGhZ2W+PZkswOsok3KX17SLYbz9hnzgxmTyDdeQe
MYsurlyoK1oboLzNzikFGREG1mGcXp5JG7wCwJNHGbMHy4JsglWaCxobTbLRsJu/
ZnvaQ7YjV1O2s76CC+uQQVljJeQFORgZd6Kj5hUTaiqKbMCxDxYqouLrgiE/PhAu
GDociIWTIAuf6gnT5ZfvSuRvFb1oS8gnGosxkY725uHQ01cJNricu2aqfhqLx5g2
ZH6U0YOsfUAzMEG6HkGBycmkfrQyCab7vI2tF00wfjXfq2okOzvsi87dFhqEs9OX
ZbPpS3bktVyN520xQi02Dop7dBHaetcz3qU8+Ot/J4/7Gy8BntX8pmr/X4b9v34k
C34to0G2lM+vCxxGCE8eeeI+xuR1O1VyW5rGmukonnT0rQPb0Dw9JbQqNrQQ7G7H
XXCMoC1f2g6U+czypcOE6HFtYk7ve0p6BM/Pf3tULJ35tWoHwjUbdY2UPgmLo9TU
XpCGxBf0CJXAO+7oZXt6zXbScfOo3csqtAolALe05+/j4d2H0tqFm0RVr8LBoFtZ
8JgVT0ojidB9MysiMy0+jMspVO2myMb7Fym1o23FQQARAQABiQIfBBgBAgAJBQJU
yrnIAhsMAAoJEI75hJPWC6VXHS4P/iRsNUuoZxXBUuvHWOgsrt5A8RawjEHlW3r8
IFGQZ2tI06jqqW2zHyMLlzpKoTgAQsh9N35LAOFUzujl0JJuzQVNpe38GZ1t9pLm
9muSKdeM5fAwkENY9Qc+kfPvavkSSsgkODujbU35tJF+0cU6KVHKmdL/9qUikUTD
xvakM4zd0P1n9kdef1iMg3DQNc7/XwGFfGxzny4NsBgFTCPu25R1oQu79Er2q059
Ct8CwGoKK4AVQQ5n3zod3jKEF0ZxPvF7M6Xc/f9hR7VuT/GLH+u4UAspCz5H2bNP
JPfEILe51pBXvt42tuUvnnXvkGtPG79mZwXzm84J8xoXsvqLqeG3T4R/UTDhNo+C
98DGpWRHgEnaTLakh5v4lEOlw4rleCRQaOIMs89PLzIMimvMpqXkN3PL3zdEc2Nw
HMfDTUTb0dX3aPQXHvpCgNk2YHLbYG6z0T3bmYdNBa/XWjdlgfgIahzhQ9RVxncO
rCjSOFAl79EoImpGrCXwu4/t2BxdfX4gkYDhr2U28sKf53v+uMElFZBrldt8csRj
W9VBGGVKDzQMvbjPypoPD2bOAaK3cdPaQwkodtdfZEi3JMIwWiga9FSJii2H6TVV
LpaH1Y6vtuVyq2nFz8ZzFRtLZceCWs/YOfl9hYXgH2m8IsJy6qEemqE2ouqVbVnL
ID0E/Ab9
=0eWU
-----END PGP PUBLIC KEY BLOCK-----