If you're moving to Xendit from a previous payments provider and want to migrate your customers' saved card data, we offer a secure and PCI-DSS-compliant way to do this through our Card Token Migration service. This guide walks you through the process, including how to prepare the data, transfer it to Xendit, and understand the results.
Overview
What is card token migration?
Card token migration allows you to import your customers’ card data from your previous provider into Xendit's Cards & Payments API system. This means your customers don’t need to re-enter their card details — making for a smoother transition.
Who is this for?
Merchants migrating from other PSPs (payment service providers), especially those with recurring billing or saved card functionality.
How to migrate
1. Key exchange
You can find the PGP public key at the end of this document. You’ll use this to encrypt the card file before sending it to us. This keeps the data secure during transmission.
2. Prepare your file
We’ll share a sample file template that outlines which fields to include and the format we expect.
You may need to request this data from your previous provider. Once your file is ready, encrypt it using the PGP key provided in Step 1.
3. Transfer the file
You can send us the encrypted file using one of the following methods:
Option 1: SFTP Upload
Share your SSH public key and IP address with us
We’ll provision access for secure SFTP upload
Option 2: Pre-Signed S3 Upload
We’ll provide a secure, time-limited URL
Upload your encrypted file using this one-time link
4. Start the migration
Once the file is uploaded, Xendit will:
Validate the file structure
Begin processing the migration in the background
If the file is malformed or corrupted, we will notify you and stop the process.
5. Track progress
Xendit will monitor the migration and track:
Total number of rows processed
Errors encountered (if any)
Migration job status
You will be notified in case any action is required from your end.
6. Get your result
Once processing is complete, you will receive:
A file containing successfully migrated card tokens
A file containing any failed rows, with reasons
You will receive an email with links to download the result files
Input file format
Each row represents one customer’s card.
Field | Required? | Description |
---|---|---|
| Yes | Your Xendit Business ID. Required to support subaccounts. |
| Yes | Full card number. Will be encrypted during processing. |
| Yes | Two-digit format, e.g. |
| Yes | Four-digit format, e.g. |
| No | Optional. Helps improve success rate of future charges. |
| Yes | A unique identifier for the card. Must not be duplicated. |
| No | Optional cardholder information |
| No | |
| No | |
| No | |
| No | Optional billing details |
| No | |
| No | |
| No |
Important: reference_id must be unique for each entry. Duplicate IDs will result in errors.
Output files
After the migration is complete, you will receive two CSV files:
1. Successful migrations
Field | Description |
---|---|
| Your Xendit Business ID |
| Masked version of the card number (e.g. |
| Expiration month |
| Expiration year |
| Your original reference for this card |
| Token generated in Xendit's Cards API |
| Token generated in Xendit's Payments API |
| Should be |
2. Failed migrations
Only rows that failed to migrate will appear in this file.
Field | Description |
---|---|
Same fields as the success file | |
|
|
| System-generated error code |
| Human-readable explanation of the issue |
Possible failure reasons
Error message | Description |
---|---|
| Incorrect card number (Luhn check) or expiry. We do not check if the card is expired, but we do check if the expiry is valid (e.g. month cannot be 13). |
| Thrown when there are duplicate reference IDs, either in the same file or on existing tokens used under 1 account. |
| When a row is missing required data (required fields):
|
| When |
| General catch-all error for anything not covered above. This should not happen; contact support to resolve the issue if it does. |
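A pre-flight check you can run on the plaintext file before encrypting it, covering the failure reasons listed above. This is an added example, not Xendit's code; every column name except reference_id is an assumption, so substitute the names from the sample file template.

```python
import csv
import io

# Column names are assumed for this example (only reference_id is named on the
# page); take the real ones from Xendit's sample template.
REQUIRED = ("business_id", "card_number", "expiry_month", "expiry_year", "reference_id")

# Constructed sample using a well-known test card number, not real card data.
SAMPLE = """business_id,card_number,expiry_month,expiry_year,reference_id
biz-1,4111111111111111,12,2020,ref-001
biz-1,4111111111111112,05,2030,ref-002
biz-1,4111111111111111,13,2030,ref-003
biz-1,4111111111111111,01,2031,ref-001
biz-1,,01,2031,ref-005
"""

def _digits(s: str, length: int = 0) -> bool:
    """ASCII digits only, optionally of an exact length."""
    return s.isascii() and s.isdigit() and (not length or len(s) == length)

def luhn_ok(pan: str) -> bool:
    if not _digits(pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def expiry_ok(month: str, year: str) -> bool:
    """Format validity only (month 01-12, four-digit year); expired cards pass."""
    return _digits(month, 2) and 1 <= int(month) <= 12 and _digits(year, 4)

def preflight(csv_text: str) -> list[tuple[int, str]]:
    """Return (data_row_number, reason) pairs; reasons never contain card data."""
    problems, seen = [], set()
    for n, raw in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        row = {k: (v or "").strip() for k, v in raw.items() if k is not None}
        missing = [f for f in REQUIRED if not row.get(f)]
        if missing:
            problems.append((n, "missing required: " + ",".join(missing)))
            continue
        if row["reference_id"] in seen:  # in-file duplicates only
            problems.append((n, "duplicate reference_id"))
        seen.add(row["reference_id"])
        if not (luhn_ok(row["card_number"]) and expiry_ok(row["expiry_month"], row["expiry_year"])):
            problems.append((n, "invalid card number or expiry"))
    return problems
```

Duplicates against tokens that already exist on the account can only be detected by Xendit during the migration itself.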
Security and compliance
All files must be encrypted using the PGP public key provided by Xendit
Your data is never stored in plaintext
The process complies with PCI-DSS standards from end to end
Public PGP Key:
Need help?
Our Account Management and Customer Success teams are available to:
Assist with formatting your file
Clarify field requirements
Guide you through the upload and migration process
Help resolve any errors