Working with Tokenization

From WHMCS Documentation

Tokenization is a process in which sensitive payment details are stored remotely by a payment gateway processor. This is intended to reduce the security burden and limit the liability on you as a business. Examples of payment gateways that support tokenization include, Stripe, Quantum Gateway, etc...

When a tokenization payment gateway is in use, the details for a Pay Method are stored remotely by a given payment gateway and therefore the Pay Method is restricted for use only by the given payment gateway.

In such scenarios, the ability to use a given Pay Method with other payment gateways will be restricted. This will become apparent during checkout when switching between payment methods (also referred to as payment gateways) and the list of available Pay Methods changing. For example, a Stripe Pay Method cannot be used to pay an invoice assigned to and vice-versa.

Tokenization Migration

If you have previously used a Payment Gateway that stores credit cards locally and wish to switch to a Tokenized Payment Gateway solution, the following considerations apply:

  1. Activating a Tokenization Payment Gateway module in addition to a non-tokenized Merchant Gateway module will still allow credit cards to be stored locally by both Admin and Client Users.
  2. Activating a Tokenization Payment Gateway does not remove existing locally stored credit cards from the database. To do this, please refer to the Related Settings above.
  3. To enforce use of a tokenization Payment Gateway for Clients, please see the Enforcing Tokenization section below.
  4. In many cases, WHMCS can convert locally stored credit cards to tokenized cards upon the next automated recurring payment attempt automatically. With some tokenized Payment Gateways this may not be possible due to technical restrictions imposed by the Payment Gateway. Please refer to the documentation for your specific Payment Gateway for further information.

Enforcing Tokenization

To enforce the use of a Tokenization Payment Gateway and prevent new credit cards from being stored locally, you simply need to hide all non-tokenization Payment Gateways from the order form.

To do this, go to the appropriate location for your version of WHMCS:

  • For WHMCS 8.6 and later, go to Configuration () > System Settings > Payment Gateways.
  • For WHMCS 8.0 through WHMCS 8.5, go to Configuration () > System Settings > Payment Gateways and choose Manage Existing Gateways.
  • For WHMCS 7.10 and earlier, go to Setup > Products/Services > Payment Gateways and choose Manage Existing Gateways.

Then, ensure the Show on Order Form checkbox is deselected for all non-tokenization Merchant Gateway Modules.

Note that doing this does not delete existing credit cards stored locally in the database. If you wish to do this, an option is available in the Security tab at Configuration () > System Settings > General Settings or, prior to WHMCS 8.0, Setup > General Settings. Please refer to the Related Settings for more information.