Visa Credential on File Updates
Visa announced updates to their requirements for the stored credential transaction framework, including mandates to identify initial storage and subsequent usage of payment credentials. These updates are in response to growth in digital commerce, providing visibility into transaction processing while enabling all parties greater visibility into transaction level risk. Participation results in higher authorization approval rates and improved cardholder experience.
What is a Stored Credential?
A stored credential is information (including, but not limited to, an account number or payment token) that is stored by a merchant or its agent, a payment facilitator, or a staged digital wallet operator (SDWO) to process future transactions.
How is a Stored Credential used?
There are two ways in which a stored credential can be used – by use of a cardholder initiated or merchant initiated transaction.
- Cardholder Initiated transaction (CIT) – any transaction where a cardholder is actively participating in the transaction, whether through an instore or online checkout experience.
- Merchant Initiated transaction (MIT) – any transaction where the cardholder has given prior consent for the merchant to store payment credentials for future use without active engagement from the cardholder.
Merchants may commonly use an MIT to:
- Perform a transaction as a follow-up to a cardholder-initiated transaction (CIT)
- Perform a pre-agreed standing instruction from the cardholder for the provision of goods or services
- Examples of MITs include:
- A hotel charge for mini-bar expenses tallied after the guest has checked out and closed the folio
- A subsequent recurring payment for a magazine subscription
- Other MIT transaction examples may include the following:
- Industry Practice – delayed charges, no show, reauthorization, resubmission and incremental
- Standing Instruction – installments, recurring billing, unscheduled account top ups etc.
Summary of Requirements
- Merchants must obtain cardholder consent for the initial storage of credentials
- Merchant must perform an account verification authorization request during the initial credential setup when there is no initial transaction.
- Merchants must use the appropriate data values in both the authorization and clearing messages to properly identify an initial Stored Credential Transaction and a subsequent Stored Credential Transaction
Merchants and their third-party agents, payment facilitators, or stored digital wallet operators that offer cardholders the opportunity to store their credentials on file must:
- Disclose to cardholders how those credentials will be used.
- Obtain cardholders’ consent to store the credentials.
- Notify cardholders when any changes are made to the terms of use.
- Inform the card issuer via a transaction that payment credentials are now stored on file.
- Identify transactions with appropriate indicators when using stored credentials.
In those scenarios where the consumer wishes to setup a stored credential in the absence of a cardholder initiated transaction, the merchant or its agent, a PF, or an SDWO must submit an account verification request to the card issuer. If the account verification authorization is declined the credential cannot be stored and the merchant must not use the credential. Likewise if the authorization request for the initial first payment is declined the credential cannot be stored and the merchant must not use the credential for any subsequent transactions.
Initial and subsequent transactions must be properly identified in the card present and card not present environments with a POS Environment code of C, R or I as appropriate (refer to link below for additional details regarding the proper use of the C,R,I).
C = credential stored for unscheduled subsequent MIT’s or for subsequent CIT’s
R = credential stored for subsequent recurring MIT’s
I = credential stored for subsequent installment MIT’s
Retroactive identification and cardholder consent and disclosure agreement is not required for credentials stored prior to October 14, 2017. However, effective October 14, 2017, a merchant or its agent, a PF, or an SDWO must submit all stored credential transactions with a value of “10” in the POS Entry Mode Code field, including transactions with credentials stored prior to this date.
Please refer to the publicly available Visa document located here containing additional detailed level information regarding these requirements in support of the mandate for updating merchant systems and processes.
This mandate imposes considerable updates to the TSYS gateways. We are working to support this mandate and encourage our merchants/partners to review their processes and product capabilities to ensure compliance. TSYS is working closely with Visa to ensure seamless processing for our clients. Additional updates will be communicated as further information is made available.