Account Updater Services Explained: VAU vs ABU vs Amex Cardrefresher (and When You Still Need Network Tokens)

Written by Tyler DurbinMay 27, 2026
Merchant Alternatives is reader-supported. When you make purchases through links on our site, we may earn a commission. This is always at no additional cost to you and helps us continue to provide accurate, transparent and up-to-date information on the things that matter most to your business, for free.

If you run subscriptions, memberships, or any kind of card-on-file billing, expired and replaced cards are a quiet revenue killer. Account updater services fix that by refreshing stored card credentials when an issuer changes the number or expiration date.

In plain terms: an account updater is a network-backed way to reduce declines caused by stale credentials. It can improve authorization rates and reduce involuntary churn. But it is not the same thing as network tokenization, and it is not a cure-all for every decline or fraud problem.

Below is a merchant-focused guide to the three big programs, how enrollment actually works, what data you can and cannot store, and a practical implementation checklist.

What is an "account updater" service for merchants?

An account updater is a card network service that sends updated card credentials to merchants (usually through an acquirer or payment provider) when a card is reissued, replaced, upgraded, or expires.

Longer answer: Networks maintain a secure repository of account changes reported by issuers. Participating merchants submit lists of their stored credentials (or the provider submits on their behalf). The network responds with updates such as a new PAN, new expiration date, or a message that the account is closed and you should contact the cardholder.

This is most relevant for:

  • Subscription and SaaS billing
  • Memberships
  • Utilities and insurance
  • "One-click" saved cards
  • Installment plans and recurring donations

How do Visa VAU, Mastercard ABU, and Amex Cardrefresher compare?

They all aim to keep credentials on file current, but the access model and operational details differ.

Program Network What gets updated How merchants typically access it Typical cadence
Visa Account Updater (VAU) Visa PAN updates, expiration updates, closed account and "contact cardholder" responses Via your acquirer, gateway, or vault provider that supports VAU Batch inquiries before billing, plus ongoing update files depending on your provider
Mastercard Automatic Billing Updater (ABU) Mastercard Updated credentials (card number and expiration date) for credential-on-file and recurring payments Via acquirer/provider; also available as APIs and batch inquiry for enrolled customers Pull inquiries, batch, and (for some implementations) push subscription model
American Express Cardrefresher American Express New card number, new expiration date, or account closure for Amex cards Often via a file exchange process or via certain Amex merchant products/providers Daily update files after initial enrollment

If you only remember one thing: these services are usually not "a button" inside your admin panel. In most cases, your processor, gateway, or vault provider is the one enrolling and handling the network connection.

When should a merchant use account updater instead of network tokens?

Short answer: you should prefer network tokens when you can, and use account updater as a backstop.

Network tokenization can automatically manage credential lifecycle for many cards without passing new PANs through your systems. That is a big win for security and PCI scope. Account updater, by contrast, can involve receiving updated PANs and expiration dates, which your vault and processes must protect.

Where account updater still matters:

  • You are not tokenized for a portion of your stored cards (by issuer, region, or card type)
  • You store cards through a legacy gateway token vault that is not using network tokens
  • You need a fallback for edge cases where token lifecycle does not update in time
  • You are migrating processors and want to reduce churn during the change

If you want a deeper primer on token types and what "network tokenization" really means, see our guide: https://merchantalternatives.com/network-tokenization-vs-gateway-tokenization-merchant-guide/

What lifecycle events can trigger updates?

Short answer: most programs cover common reissue events, not just expiration.

Common triggers include:

  • Card expiration and renewal
  • Lost or stolen replacement
  • Product upgrades or portfolio conversions
  • Account closures

Visa describes VAU as exchanging updated account info between merchants and issuers when account information changes, including expiration, loss/theft replacement, account closure, and other changes. Mastercard describes ABU as communicating account changes for credential-on-file and recurring payments to merchants. Amex describes Cardrefresher as delivering updated card account information including new card numbers issued as a result of replacement or card upgrade, new expiration date, or account closure.

Does account updater fix all declines?

Short answer: no. It mainly addresses "stale credential" declines.

Account updater helps when the issuer has changed the credential. It does not fix:

  • Insufficient funds
  • Do not honor / generic issuer declines
  • Suspected fraud declines
  • Velocity controls
  • AVS/CVV mismatches (depending on how you run recurring billing)

Practical tip: if your top decline reason is "expired card" (or a similar code), you are a strong candidate for account updater. If your top decline reason is fraud-related, you should look at fraud tooling, SCA/3DS strategy, and descriptor/customer support flow first.

How do merchants actually enroll in VAU or ABU?

Short answer: usually through your acquirer or payment provider, not directly.

Visa states that qualified merchants are enrolled in VAU through participating acquirers. Mastercard ABU has both batch processes and developer APIs, but Mastercard also notes that merchants and acquirers must be enrolled/registered and that terms are set in an ABU reference guide accessed through Mastercard Connect.

What this means in practice:

  1. Ask your processor/gateway/vault provider: "Do you support VAU and ABU for our MID?"
  2. Confirm whether updates happen automatically for stored cards or if you must submit batch inquiry files.
  3. Confirm fees. Many providers pass through per-update fees.
  4. Confirm how "closed account" or "contact cardholder" responses are handled.

If your provider cannot support these services, consider moving your vault or using an orchestration layer that supports updater plus network tokens.

What data do you need to send, and what do you get back?

Short answer: you send stored credential identifiers; you get back updated credentials or status messages.

Exact fields vary by program and your provider. The general pattern:

  • You submit: PAN (or token reference if your provider abstracts it), expiration date, and account identifiers used by your vault
  • You receive: updated PAN, updated expiration date, closed account advice, or a message to contact the cardholder

Security note: treat updater outputs like full cardholder data. Your vault should ingest updates without exposing PANs to your application logs, support tools, or BI pipelines.

What are the security and compliance implications?

Short answer: updater can reduce churn, but you must handle updated credentials safely.

Account updater does not eliminate PCI obligations by itself. If you store PANs, you are in PCI DSS scope and need a compliant storage and access model.

If you are using network tokens stored in a PCI-compliant vault, you can often reduce your exposure because the token is not the PAN. But even with tokens, you still need to follow your provider and network rules for credential-on-file transactions.

Recommended controls for merchants implementing updater:

  • Ensure card data is stored only in a PCI-compliant vault (gateway vault, PSP vault, or your own compliant vault)
  • Disable PAN access for non-production staff
  • Ensure updates are applied server-side with no manual handling
  • Monitor updater logs for unusual volumes (could indicate data quality issues or a compromised list)

What does implementation look like for subscriptions?

Short answer: run updater before your retry cycle, then tune retries around decline codes.

A practical workflow for subscription billing:

  1. Store credentials using a vault that supports network tokens where possible.
  2. Enable account updater as a scheduled job (often monthly, plus ad hoc checks after specific declines).
  3. Before running your monthly billing, refresh cards expiring this month.
  4. If a charge fails with an "expired" or "invalid account" reason, trigger an immediate updater check (if your provider supports it).
  5. If updater returns "closed" or "contact cardholder," stop retries and trigger an email/SMS to update payment method.

Example: decline handling map

Use a simple ruleset that matches how issuers behave:

  • Expired card: run updater, then retry
  • Suspected fraud: do not hammer retries; consider step-up auth (3DS) on next attempt
  • Insufficient funds: retry on a schedule (for example, 3, 7, 14 days)

The point is to avoid wasting retries on a credential that will never succeed.

How much does account updater cost?

Short answer: pricing is usually per update and varies by provider.

Networks charge fees to participants, and providers typically pass them through. Some processors bundle updater inside their subscription billing tooling; others charge per update event or per inquiry file.

When you evaluate cost, compare it to:

  • The margin on a retained subscriber
  • Customer support cost for failed payments
  • The cost of payment recovery emails and dunning

In many subscription models, saving even a small fraction of involuntary churn pays for updater quickly.

What are common pitfalls merchants run into?

Short answer: unclear ownership of the vault, bad data hygiene, and assuming it runs automatically.

Common issues:

  • Your gateway vault is separate from your subscription platform, so updates never reach the billing system.
  • You have duplicate customer profiles, so an updated card is applied to one record but not others.
  • You store cards in multiple places (for example, app plus CRM), creating drift.
  • Your provider only runs batch updates monthly, but you need more frequent checks.

Fix these by mapping where the "source of truth" token lives, and making every billing attempt pull from that vault.

How do account updater and chargeback risk relate?

Short answer: updater can reduce chargebacks caused by confusion, but it can also keep billing going after a customer forgets about a subscription.

If you use updater to keep charging a card that has been replaced, you should be extra careful about:

  • Clear descriptors
  • Cancellation UX
  • Pre-billing notifications for annual plans
  • Fast refunds when a customer complains

This ties directly into chargeback management programs. If you are already close to network monitoring thresholds, preventing "friendly fraud" disputes matters. If you want background on chargeback monitoring thresholds, see our guide: https://merchantalternatives.com/mastercard-excessive-chargeback-program-ecm-hecm-guide/

FAQ

Is account updater the same as Visa tokens or network tokenization?

No. Account updater typically refreshes PAN/expiration data based on issuer lifecycle events, while network tokenization uses network-issued tokens with lifecycle management that can update behind the scenes.

Will account updater work for debit cards?

Sometimes. Eligibility depends on issuer participation, card product, region, and whether the credential is enrolled through your provider's updater connection.

Do I need customer consent to use account updater?

You still need proper consent to store and reuse credentials (credential-on-file rules), and your agreements and checkout language should match how you bill. In practice, most updater participation is tied to ongoing merchant relationships like subscriptions or saved cards.

What should I do when I get a "closed account" response?

Stop retries and ask the customer for a new payment method. A closed account response is a strong signal that continued attempts are wasted and can increase fraud risk.

Can high-risk merchants use account updater?

Sometimes, but it depends on the provider and the risk category. Some providers restrict features for certain MCCs. If you are high-risk and struggling with recurring billing stability, prioritize a processor that can support credential-on-file best practices.

Next steps: get the right merchant account for recurring billing

You can apply for a merchant account through Easy Pay Direct or another processor that fits your model. Other options worth a look:

  • https://merchantalternatives.com/go/easy-pay-direct/
  • https://merchantalternatives.com/go/paymentcloud/
  • https://merchantalternatives.com/go/soar-payments/
Written by 

Tyler Durbin