Migrate sensitive payment data

This topic describes how to migrate sensitive payment data, such as Primary Account Numbers (PANs), which include full payment card account numbers.

  1. Review this plan with your Rebilly Customer Success Manager. Contact Rebilly and tell them which data you want to import. Rebilly will inform you of any additional information that may be required.
  2. Prepare your request and contact the third party that holds the payment data:
    1. Use our Draft email to prepare and explain your request. Send it to the third party.
    2. Contact the third party by phone and discuss your request.
  3. Submit a request to migrate sensitive payment data to Rebilly. Describe the format and structure of the data. For more information, see SFTP access.
  4. The third party exports the data and places it on their own SFTP server or on Rebilly's server. Upon export, the third party must notify the merchant or Rebilly.
  5. Rebilly imports the data. Rebilly may use scripts to check the quality of the data before the import, and will raise any concerns about the data.
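
A pre-import quality check of the kind step 5 mentions could look like the following. This Python example is added here and is not Rebilly's own script; the column names (`customer_id`, `pan`, `exp_month`, `exp_year`) and the sample rows, built from public test card numbers, are assumptions. It flags malformed, Luhn-failing, expired and duplicate rows, and reports only masked PANs so the report never contains a full card number.

```python
import csv
import io
from datetime import date

# Constructed sample export; the PANs are public test card numbers.
SAMPLE = """customer_id,pan,exp_month,exp_year
c-001,4111111111111111,12,2030
c-002,4111111111111112,11,2030
c-003,5555 5555 5555 4444,13,2030
c-001,4111111111111111,12,2030
c-004,41111111,01,2031
c-005,5555555555554444,03,2020
"""

def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def check_export(csv_text: str, today: date) -> list:
    """Return (line number, masked PAN, problem) for each flagged row."""
    problems, seen = [], set()
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        pan = (row["pan"] or "").replace(" ", "").replace("-", "")
        if not (pan.isascii() and pan.isdigit() and 12 <= len(pan) <= 19):
            problems.append((n, "(not shown)", "malformed PAN"))
            continue
        if not luhn_ok(pan):
            problems.append((n, mask(pan), "Luhn check failed"))
            continue
        try:
            month, year = int(row["exp_month"]), int(row["exp_year"])
        except (TypeError, ValueError):
            month, year = 0, 0
        if not 1 <= month <= 12:
            problems.append((n, mask(pan), "invalid expiry"))
        elif (year, month) < (today.year, today.month):
            problems.append((n, mask(pan), "expired"))
        if (row["customer_id"], pan) in seen:
            problems.append((n, mask(pan), "duplicate"))
        seen.add((row["customer_id"], pan))
    return problems
```
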

Draft email

Revise this email where appropriate.

To Whom It May Concern:

{Your Company Name} has contracted Rebilly as its payment orchestration platform. We would like to export all of our payment card data to Rebilly directly.

[Optional: We are going to continue using you as our payment processor.]

In order to complete the export, we need to know how you will export the data. Will you place it on an SFTP server that Rebilly can access? Or do you need Rebilly to set up an SFTP server for you to put the information on? If so, Rebilly will need the email address of the user placing the information, the SSH public key, and the IP address(es) that need access to the SFTP server. We also need to know what format and structure the data will be in when you export it (example: CSV file with these fields: x, y, z).

Rebilly expects the information to be encrypted. Their GPG key information is here:

We would like to complete the export by [insert date]. Thank you for your help and cooperation.


P.S. Here is a link to Rebilly's most recent PCI DSS attestation of compliance for your records:

SFTP access

If the third party intends to place data on Rebilly's SFTP server, Rebilly needs the following information. You, the merchant, must gather this from the third party.

  1. Email address.
  2. IP addresses.
  3. Public SSH key.

If the third party would like Rebilly to access an SFTP server, they must provide Rebilly with the username and password. This information must be encrypted.