Stored credentials - FAQs

Q. What’s happening?
A. Cardholders are increasingly storing their card details in apps with third parties and digital wallets. Visa and Mastercard have introduced new definitions and rules for these types of transactions, called ‘stored credentials’.

Q. What is a stored credential?
A. A stored credential is a card number or tokenized card number that has been collected and stored for future use by a merchant, payment facilitator or digital wallet. There are two types of stored credential transactions:
  • Cardholder initiated – where the cardholder actively completes a transaction using previously stored details
  • Merchant initiated – where the merchant completes a transaction using previously stored details, e.g. a recurring payment. This is completed without the active participation of the cardholder

Q. What do I, as a merchant, need to do?
A. There are two specific things you will need to do:
  • Obtain cardholder consent for initial storage of payment credentials
  • Send indicators in your XML to identify initial storage usage of stored payment credentials
Details for both of these requirements are available in Worldpay developers.

Q. What are the new rules on processing stored credentials?
A. The new rules are complex, and cover three main areas:
    1. The consent agreement – if merchants are storing credentials for cardholders, they must get the cardholder’s agreement to do so
    2. Amending and cancelling consent – merchants must notify the cardholder in advance if they are changing a stored credential agreement, must not submit transactions beyond the duration of the agreement, and must stop submitting transactions if the cardholder cancels or they receive a decline
    3. Submitting stored credentials – merchants must submit a new ‘stored credential identifier’ when sending transactions to Worldpay

Q. For card numbers stored before these changes came into effect, I will not have a scheme transaction ID. What do I do?
A. When submitting these details, flag the transaction for first-time storage, as if it were the start of the agreement.

Q. Where can I find more information on the rules?
A. We’ve prepared an operational guide that explains the rules in detail.

Q. Can Worldpay’s platforms support the stored credential identifier?
A. Yes, both Corporate Gateway and Business Gateway XML Direct integrations work with the stored credential identifier. A number of our products are compliant with this mandate, including Tokenization, Pay as Order and Futurepay. See our Stored Credentials guide for details.

Q. I don’t use Worldpay as my acquirer, do I have to comply with these rules?
A. Yes. For questions about your acquirer and their compatibility with Worldpay, please contact your Worldpay Relationship Manager or Corporate Support Manager to discuss your specific acquirer and their requirements.

Q. What is ‘non-compliance action’?
A. Visa and Mastercard can issue fines for non-compliance. Please contact your Relationship Manager or Corporate Support Manager for further information.

For further information regarding stored credentials, see the article Stored credentials transactions.