Using our PCI DSS Level 1 compliant Vault you can securely tokenise payment methods. This means that we will give you a non-sensitive value (WhenThen vault token), in place of sensitive payment method details.

When you're ready to process a payment, you can use a WhenThen vault token with any of your connected payment processors using our single unified Payments API , all while minimizing your PCI scope and remaining compliant.

info icon

FYI, our Checkout SDK uses our Vault directly. Only use our Vault SDK if you are using Vault standalone or if you are building a custom checkout experience.


Integration Options

When it comes to tokenising payment methods there are a number of ways you can integrate with WhenThen's Vault. Choose the right integration path based on your requirements below for you.

Tokenisation and PCI Compliance Comparison

HeadlessSAQ A / SAQ A-EPSAQ ASee below

Checkout SDK

The Checkout SDK integrates directly with WhenThen Vault for you and allows you to get up and running with minimal development effort. It keeps you as the minimal level of PCI Compliance (SAQ A).

Vault SDK

The Vault SDK can be used if you are building your own customised checkout experience and cannot use our Checkout SDK. It helps to keep you as the minimal level of PCI Compliance. Please note on Web because you are not using an iFrame you will fall under (SAQ A-EP).

Vault API

The Vault API is similar to the Vault SDK except you call our API directly. You can use the Vault API directly from your frontend using a client token. Please note on Web because you are not using an iFrame you will fall under (SAQ A-EP). You can also use the Vault API on your backend. Please note this will mean you will fll under the highest level of PCI compliance (SAQ D).


Using WhenThen Headless we manage the complexity of storing sensitive data, and integrating with network tokens and your payment processor to tokenise cards. You can use our API to request a network token or a payment processor token and process payments from your own system in a secure manner. When using Headless you will still use one of the options above to tokenise the payment method. After the payment method is tokenised you can use our Headless APIs You PCI compliance level is depending on the option you choose. Checkout the table above for details