Q. What’s happening?
A. Cardholders are increasingly storing their card details in apps with third parties and digital wallets. Visa and Mastercard are introducing new definitions and rules for these types of transactions, called ‘stored credentials’.
Worldpay is currently required to comply with these rules by 30 April 2019.
Q. What is a stored credential?
A. Stored credentials are a card number or tokenized card number that's been collected and stored for future use by a merchant, payment facilitator or digital wallet. There are two types of stored credential transactions:
- Cardholder initiated – where the cardholder actively completes a transaction using previously stored details
- Merchant initiated – where the merchant completes a transaction using previously stored details, e.g. a recurring payment. This is completed without the active participation of the cardholder
Q. What do I, as a merchant, need to do?
A. There are two specific things you will need to do:
- Obtain cardholder consent for initial storage of payment credentials
- Send indicators in your XML to identify initial storage and usage of stored payment credentials
Details for both of these requirements are available in our technical documentation.
Q. What are the new rules on processing stored credentials?
A. The new rules are complex, and cover three main areas:
1. The consent agreement – if merchants are storing credentials for cardholders, they must get the cardholder’s agreement to do so
2. Amending and cancelling consent – merchants must notify the cardholder in advance if they are changing a stored credential agreement, must not submit transactions beyond the duration of the agreement, and must stop submitting transactions if the cardholder cancels or they receive a decline
3. Submitting stored credentials – merchants must submit a new ‘stored credential identifier’ when sending transactions to Worldpay
Q. For card numbers stored before these changes came into effect, I will not have a scheme transaction ID. What do I do?
A. When submitting these details, flag the transaction for first-time storage, as if it were the start of the agreement.
Q. Where can I find more information on the rules?
A. We’ve prepared an operational guide that explains the rules in detail. You can find it here:
Q. Can Worldpay’s platforms support the stored credential identifier?
A. Yes, both Corporate Gateway and Business Gateway XML Direct integrations work with the stored credential identifier. A number of our products are compliant with this mandate, including Tokenisation, Pay as Order and Futurepay.
For details on submitting a stored credential on our Corporate Gateway, including for initial transactions, see the following guide:
Q. I don’t use Worldpay as my acquirer, do I have to comply with these rules?
A. Yes. Please speak to your Relationship Manager or Corporate Support Manager to discuss your specific acquirer and their requirements.
Q. I don’t use Worldpay as my PSP, do I have to comply with these rules?
A. Yes. Please contact your PSP to ensure they are ready to support your Worldpay acquirer accounts.
Q. I don’t have the resources to prepare for the change by 30 April 2019, what does this mean for my business?
A. Worldpay strongly recommends that all customers are ready for the change by 30 April 2019. Visa and Mastercard will monitor transactions after the deadline and merchants are at risk of non-compliance action.
Q. What is ‘non-compliance action’?
A. Visa and Mastercard can issue fines for non-compliance. Please contact your Relationship Manager or Corporate Support Manager for further information.
For further information regarding stored credentials, see the article Stored credentials transactions