Migrate sensitive payment data

If you want to migrate sensitive payment data (such as PANs -- full payment card account numbers), follow this process.

  1. Review plan with Rebilly account manager
  2. Prepare request information
  3. Submit request to 3rd party
  4. Submit request to Rebilly
  5. 3rd party exports the data
  6. Rebilly imports the data

Step 1: Review this plan with your Rebilly account manager

Talk to us and let us know what you want to import. We'll let you know if we need any extra information compared to what this page recommends.

Step 2: Prepare request information

Here is a draft email. Revise it as appropriate.

To Whom It May Concern:

{Your Company Name} has contracted Rebilly as its payment orchestration platform. We would like to export all of our payment card data to Rebilly directly.

[Optional: We are going to continue using you as our payment processor.]

In order to complete the export, we need to know if you will export the data will you place it on an SFTP server that Rebilly can gain access to? Or, do you need Rebilly to set up an SFTP server for you to put the information? If so, Rebilly will need the email address of the user placing the information, the SSH public key, and the IP address(es) that need access to the SFTP server. We also need to know what format and structure the data will be in when you export it (e.g. csv file with these fields: x, y, z).

Rebilly expects the information to be encrypted. Their GPG key information is here:


We would like to complete the export by [insert date]. Thank you for your help and cooperation.


P.S. Here is a link to Rebilly's most recent PCI DSS attestation of compliance for your records: https://www.rebilly.com/docs/content/concepts-and-features/concept/pci-compliance.

Step 3: Submit request to 3rd party

After editing the draft email, submit it to your 3rd party provider. It may be appropriate to first do a phone call with the provider to give them additional context and awareness for the request.

Step 4: Submit request to Rebilly

This will be contingent on the data you collect from the 3rd party.

Rebilly needs to know the format and structure of the data exported.

SFTP access

If they plan to place data on to Rebilly's SFTP server we need this information for the user who will access the server (you'll need to gather it from the 3rd party):

  1. Email address
  2. IP address(es)
  3. Public SSH key

If they plan to have Rebilly access the SFTP server, they may supply Rebilly with the username/password (it should be encrypted).

Step 5: 3rd party exports the data

The 3rd party exports the data and either places it on their own SFTP server or on Rebilly's server. Upon export, the 3rd party should notify our mutual client (or us).

Step 6: Rebilly imports the data

Rebilly may have scripts that check the quality of the data prior to import. We may raise any concerns we have about the data at that time.