
What’s a Vault token and why does the audit care?

A Vault token (also called a "payment method token" or "card token") is an opaque reference string the payment gateway gives you in exchange for the customer’s real card number. The real card data lives in the gateway’s PCI-validated vault — you only ever see or store the token.

Example flow (Stripe):

  1. Customer enters card on checkout via Stripe Elements (JS SDK).
  2. Stripe.js sends the PAN directly to Stripe’s servers — it never touches your DOM, your nginx, your PHP.
  3. Stripe returns a token like pm_1NqAbcXyZ.
  4. Magento stores pm_1NqAbcXyZ in sales_order_payment.additional_information (never cc_number).
  5. Future charges use the token: POST /charges {"payment_method": "pm_1NqAbcXyZ"}.

The audit’s q13 checks that no raw PAN ever touches your DB. The check looks at:

  • Whether any extension stores cc_number, cc_cid, cc_exp_year in cleartext (legacy COD-style payment methods are notorious for this).
  • Whether your saved-cards feature uses gateway tokens (Stripe Vault, Braintree Vault, Adyen RecurringDetail) or a custom DB column.
  • Whether refunds + retries route through the gateway by token, not by re-asking for the PAN.
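One way to run the cleartext-PAN part of this check over exported sales_order_payment rows, as an added example that is not part of the original page or of Magento itself: the rows are constructed sample data, and the detection rule (a Luhn-valid run of 13 to 19 digits counts as a raw PAN, masked last-four values pass, a stored CVV/CID always fails) is an assumption of this example.

```python
import re

# Constructed sample rows modelled on Magento's sales_order_payment columns
# (not real order data). Rows 1 and 4 are token-based; rows 2 and 3 fail q13.
SAMPLE_ROWS = [
    {"entity_id": 1, "method": "stripe_payments", "cc_number": None, "cc_cid": None,
     "cc_exp_year": None, "additional_information": '{"payment_method": "pm_1NqAbcXyZ"}'},
    {"entity_id": 2, "method": "legacy_cc_save", "cc_number": "4242424242424242",
     "cc_cid": "123", "cc_exp_year": "2027", "additional_information": "{}"},
    {"entity_id": 3, "method": "custom_saved_cards", "cc_number": None, "cc_cid": None,
     "cc_exp_year": None, "additional_information": '{"card": "5555 5555 5555 4444"}'},
    {"entity_id": 4, "method": "braintree", "cc_number": "XXXX-XXXX-XXXX-4444",
     "cc_cid": None, "cc_exp_year": "2028", "additional_information": '{"token": "tok_abc"}'},
]

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
# The Luhn check below weeds out most non-card digit runs (timestamps, order ids).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid 13-19 digit sequences found in text (separators stripped)."""
    return [re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text or "")
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]


def audit_rows(rows):
    """Return (entity_id, column, issue) triples for rows that fail the cleartext check."""
    findings = []
    for row in rows:
        eid = row["entity_id"]
        pans = find_pans(row["cc_number"])
        if pans:
            findings.append((eid, "cc_number", "raw PAN stored"))
        if row["cc_cid"]:
            findings.append((eid, "cc_cid", "CVV/CID stored (never permitted)"))
        if row["cc_exp_year"] and pans:  # expiry beside a masked PAN or token is allowed
            findings.append((eid, "cc_exp_year", "expiry stored beside raw PAN"))
        if find_pans(row["additional_information"]):
            findings.append((eid, "additional_information", "raw PAN inside JSON blob"))
    return findings


if __name__ == "__main__":
    for eid, col, issue in audit_rows(SAMPLE_ROWS):
        print(f"entity_id={eid} {col}: {issue}")
```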

A breach where raw PANs are leaked has a 6-figure cost minimum in card-brand fines + customer remediation. Tokenization eliminates the worst case — the gateway carries the liability.
