One-Time Credit Card Import

This guide describes how to import credit card data into the Spreedly vault.

Migration Scenarios

Importing cards from an existing gateway account (common)

Steps to import cards to Spreedly:

  1. Contact the existing third-party vault/gateway to request an export of the payment method data. Please also point them to our PCI compliance information. Here’s a good template to send to the gateway:

    Hello [Gateway] Support, I’d like to export all of my payment methods to Spreedly’s Level-1 PCI compliant payment vault. You can find their latest compliance documentation here: https://spreedly.com/pci

    When the export is ready, please send the export to support@spreedly.com and reference my organization and merchant’s name. If you have any questions I’m happy to loop you in with Spreedly’s Support team and they will help move the process along. Here’s Spreedly’s public key, which you will use to encrypt the export: https://docs.spreedly.com/guides/migrating/one-time/#pgp

  2. Review the gateway’s export documentation prior to migration to confirm the following:

    • The data will be a GPG-encrypted JSON or CSV file.
    • The data is similar to our suggested data format.
  3. Email Spreedly with the environment key where data will be imported.

  4. Data transfer depends on the gateway’s process and how they respond to the export.

    • If they prefer to setup the SFTP for the transfer, then they will need our PGP key to provide us credentials. (S/MIME encryption uses an RSA key of at least 2048 bits)
    • If a Spreedly SFTP is requested, we’ll need you to provide us the public PGP key of the third-party vault/gateway. The Gateway’s PGP key will be used to encrypt credentials to a Spreedly-created SFTP server where they will drop the exported payment methods for us to retrieve. Ideally, this key would be hosted on a public page.

If necessary, we will work directly with the third-party vault to manage the import process. Spreedly customers are responsible for managing communication with their merchant(s).

Customer Database Migration (less common)

When bringing cards from your own database follow the same steps listed in the gateway migration above. The data should be PGP encrypted and transferred securely.

If the import source is a merchant of the Spreedly customer, we would treat the merchant like any other 3rd party importing to us and work with them to move the data. Afterwards, they should continue to go to their provider (the Spreedly customer) for support.

Spreedly to Spreedly Migrations

In order to migrate payment methods from one Spreedly environment (or organization) to another, we need the following information:

Source Spreedly Account

  • Confirmation of request to export payment methods
  • Environment key where the payment methods are currently stored
  • A list of Spreedly Payment Method tokens to be exported (CSV)

Destination Spreedly Account

  • Confirmation of request to import payment methods
  • Environment key where the payment methods are to be imported

Managing Communications

It’s important to remember that you support your customer and we support you. While, for PCI reasons, we have to manage the actual transfer with your customer’s existing vault, it’s important to remember that they are still your customer. We need the initial request to come from you versus the merchant/end-user account. We need you to communicate the process to your customer and determine how you might want to handle any fees or other issues. We can never be sure what the current status of the customer’s account is with you so it’s important that you always lead.

Pricing

“Spreedly will complete one import per merchant account, per third party vault. Should the merchant require any additional transfers from the same third party vault, a fee will apply. Please contact Support with any questions.

Merchants should discuss a migration approach early. We recommend making sure new payment methods can be added to your Spreedly vault before requesting the import. This will help ensure you are fully migrated after one import, rather than having new cards added after the first import is complete, resulting in additional fees.

Data Format

Gateways typically provide a GPG-encrypted JSON or CSV file. The order in which the headers appear is flexible. If sending a CSV file, you can include a header line of:

id, first_name, last_name, card_number, expiration_month, expiration_year

You can include optional fields such as email, address1, address2, city, state, etc.

Important: The id that you provide will map to our payment_method token so you know which Spreedly payment method maps to the payment method in the existing vault.

Timing

Spreedly generally processes imports within a week of receiving the required materials. In the case that an importer for the specific third-party vault/gateway has not yet been created, this timeline may be extended to account for the creation of the importer.

This process is a coordinated effort between you as the Spreedly customer, your merchant(s), and the third-party vault/gateway that is performing the export.

Results

Once we complete the import, we will then notify all parties and provide the Spreedly customer with a JSON file of the mappings. It will look like this:

[
  {
    "external_id":"3397a8kI2ervRYgo2ExEhQc7r",
    "spreedly_token":"7I4Pe91tKQA1paBLd8Lm5YmYKcU"
  },
  {
    "external_id":"a127a9kI2eZvKYlo2CxBhQc7J",
    "spreedly_token":"ErHJlkd1GvJXOzYrEAIrDZwdv9r"
  }
]

external_id is the unique ID of the payment method in the third party system we’re importing from, and spreedly_token is the token of the payment method in the Spreedly vault.

Any non-sensitive data or that was imported on a payment method can be looked up with our APIs. Information about customer subscriptions (amount, dates, etc.) should be obtained directly from the exporting entity. Spreedly will not extract this data from an encrypted data file.

PGP

To migrate sensitive data to Spreedly, such as credit card information, it needs to be encrypted using our public key.

If you’re not familiar with PGP, visit GnuPG and start by importing a public key.

Spreedly Public Key

  • Key ID: D60BA557
  • Type: Public Key
  • Length: 4096
  • Algorithm: RSA
  • Fingerprint: 5813 E64C 851F 114D 1ABC  2FA9 8EF9 8493 D60B A557
  • User ID: Spreedly Support <support@spreedly.com>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.14 (GNU/Linux)

mQINBFTKucgBEADkg4fW09Ejcy22AqXcYDGwBaasKBvEA/ft9ZK2QQcjlxCD7e+q
MRjxQ0Kw72CVZSX8IDLuZ4falNjRlGifKXBZLX2yYhOXtud/fAnv9LjVcccM+yh3
LKLBcQnsMv73NWL4e8HS2y3N9gRXsnozBDuLQccznCXpFBkNN6wsUmOscB4DYFuu
xXPjGz6DvXfjBjnEolqg4PvG3VCdC4CsR3YV34WKwBkYkXfKc2eokELLj7cXbaaz
uyGxqZUNCEBxsfRgwwOY3D0kJgjS7ot2nX72qlXTMa1wAE64FHP1zoAT8GrbWaAL
7JxSwA58mO2XBRjDisw6Q5kiutPChSOYTw2YLZeuc07MPsx6USB+yS+NxP+ouuWw
4yM1STQ8ylNPi0gJCxxjPXod9G5PjjhRdU91lVa5jANjzSq29xEJvFrEVuGHE73c
Zbh/8TuXoQv9e2PnV50HryaZ7eym4GuhD0E1+UhWZOVzrlfp9wYCbIfQeudKJHYt
NhLNlhGQdgCg4mMQaA+I2Nb1udETi0cjIRuoBShBbL9FmG+Kse8Mi23H+63dytc/
SGVZ/jd/cxnBAMdGrrTeuMYmReBJMKPDN3zimB6yUQlmy1RS59P5gGhltLkyFyfa
bGTZn1tXNzgfPxHFfYdDXA//roZUvhOB10XnP8rUDUbsyWxf0K5LTeorcwARAQAB
tCdTcHJlZWRseSBTdXBwb3J0IDxzdXBwb3J0QHNwcmVlZGx5LmNvbT6JAjgEEwEC
ACIFAlTKucgCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEI75hJPWC6VX
HAUP/i9NiEX/dawe9ze86dA7yDWc5YVpC2XyFXArPz1pS3ezHQTi+5pxuaY0/k5c
08XoTBp0DfdC6MX/hKcWFz+LLlfSMwyLJ9HypuDa0PvSauVyW2d7tmQH+LjAt/ln
GEoJqPPAzO0iCrpWGKCwkW4sAYiVHnhY3hBMljc8XNxfZHjBgGh2l6W51UzmsJeS
1Gcv17Krg87dIV+1D0q1utvLMdNEXd9mpnifYH4MZ3LC3uEJ+tLkWEGVJXJhtA4N
qJGmXelcT4j7axHK653bq+kttEeYLZpQTl46UiEpsk1zwRqO+i2LuoZMPk/o7aeh
VyxvL5B3x1TnimqEztooX49baBo+ptUFYNltJ3meWw9Ei+UJsn3HWkEW0nqi33A+
1n+rtJNHAGB+6hlQBdqCiuHHoLlUXHx27OTx/e+JuMB3mQ+xOKAQ1r3hwtNV+ErV
kjaKRx7e/5tjUeyJ6ZFpj+V3RdEGVw4M62ScD2vbWPmm7S2y7L5VGNnRm5NT1Hx0
i9fwWGUm8t8v11Bz6LBRhKzbrZnz/kalcJBYmNjAKspO9xkWUSFnVtHTO2q57O6w
+8h28HBv+LhzD3STrnRraIeFIgh3orPCwmjscmxEmYypcl1PcBsf6C56HZgpgRq8
8OlfZn5SK0893mQvBANA3YY7VUS4qVrwUhpphJHCPQ0CwwacuQINBFTKucgBEADb
jwNCer/sbzSb42Vv/8WyYsGOVbB4rhZNELXP3n520ehlpdD/wgAm1iGFQhi48fWK
8XoNsQvlfZrpsvOu8Y72bZEiRGhZ2W+PZkswOsok3KX17SLYbz9hnzgxmTyDdeQe
MYsurlyoK1oboLzNzikFGREG1mGcXp5JG7wCwJNHGbMHy4JsglWaCxobTbLRsJu/
ZnvaQ7YjV1O2s76CC+uQQVljJeQFORgZd6Kj5hUTaiqKbMCxDxYqouLrgiE/PhAu
GDociIWTIAuf6gnT5ZfvSuRvFb1oS8gnGosxkY725uHQ01cJNricu2aqfhqLx5g2
ZH6U0YOsfUAzMEG6HkGBycmkfrQyCab7vI2tF00wfjXfq2okOzvsi87dFhqEs9OX
ZbPpS3bktVyN520xQi02Dop7dBHaetcz3qU8+Ot/J4/7Gy8BntX8pmr/X4b9v34k
C34to0G2lM+vCxxGCE8eeeI+xuR1O1VyW5rGmukonnT0rQPb0Dw9JbQqNrQQ7G7H
XXCMoC1f2g6U+czypcOE6HFtYk7ve0p6BM/Pf3tULJ35tWoHwjUbdY2UPgmLo9TU
XpCGxBf0CJXAO+7oZXt6zXbScfOo3csqtAolALe05+/j4d2H0tqFm0RVr8LBoFtZ
8JgVT0ojidB9MysiMy0+jMspVO2myMb7Fym1o23FQQARAQABiQIfBBgBAgAJBQJU
yrnIAhsMAAoJEI75hJPWC6VXHS4P/iRsNUuoZxXBUuvHWOgsrt5A8RawjEHlW3r8
IFGQZ2tI06jqqW2zHyMLlzpKoTgAQsh9N35LAOFUzujl0JJuzQVNpe38GZ1t9pLm
9muSKdeM5fAwkENY9Qc+kfPvavkSSsgkODujbU35tJF+0cU6KVHKmdL/9qUikUTD
xvakM4zd0P1n9kdef1iMg3DQNc7/XwGFfGxzny4NsBgFTCPu25R1oQu79Er2q059
Ct8CwGoKK4AVQQ5n3zod3jKEF0ZxPvF7M6Xc/f9hR7VuT/GLH+u4UAspCz5H2bNP
JPfEILe51pBXvt42tuUvnnXvkGtPG79mZwXzm84J8xoXsvqLqeG3T4R/UTDhNo+C
98DGpWRHgEnaTLakh5v4lEOlw4rleCRQaOIMs89PLzIMimvMpqXkN3PL3zdEc2Nw
HMfDTUTb0dX3aPQXHvpCgNk2YHLbYG6z0T3bmYdNBa/XWjdlgfgIahzhQ9RVxncO
rCjSOFAl79EoImpGrCXwu4/t2BxdfX4gkYDhr2U28sKf53v+uMElFZBrldt8csRj
W9VBGGVKDzQMvbjPypoPD2bOAaK3cdPaQwkodtdfZEi3JMIwWiga9FSJii2H6TVV
LpaH1Y6vtuVyq2nFz8ZzFRtLZceCWs/YOfl9hYXgH2m8IsJy6qEemqE2ouqVbVnL
ID0E/Ab9
=0eWU
-----END PGP PUBLIC KEY BLOCK-----