Engage both your source and destination payment processors to understand their token portability or PAN export/import processes; note that raw PAN export is only available under strict PCI DSS controls
Request a token-to-PAN export from your source processor through their PCI-compliant data export service; ensure the export is encrypted and transferred via a secure channel to a PCI-DSS-compliant intermediate environment
In the intermediate PCI environment, re-tokenize each exported PAN against the destination processor's tokenization vault API, capturing the new token reference for each card
Build a mapping table from old tokens to new tokens in your application database; deploy a code change that queries the new token for any payment method older than the migration cutover date
Run a parallel period where both old and new tokens are valid; validate a sample of re-tokenized cards by running zero-dollar verification authorizations against the new processor
After validation, decommission the old token vault and remove the old token references from your database
Known gotchas
Raw PAN export is typically a one-time, heavily audited process; plan for significant lead time (weeks to months) to obtain processor and PCI assessor approval
Not all processors offer token portability; if the source processor uses proprietary tokens not backed by network tokenization, you may need to collect new card details from cardholders rather than migrating tokens
Zero-dollar verification authorizations may be declined by some issuers without triggering actual declines in live use; complement verification with a small sample of real low-value transactions before full cutover
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp