Stored credentials transactions

Payment systems are evolving, and more cardholders are storing their card details with apps, third-parties and digital wallets.

To make sure merchants use their customers' details responsibly, Visa and Mastercard are introducing new definitions for these 'stored credentials', and new rules for stored credential and merchant initiated transactions.

If you process stored credential transactions, you will need to make changes to comply with these rules.

What is a stored credential?

The rules apply to transactions where you store a card number or token for future purchases, or where you use stored information for future purchases. These rules apply to:

  • Merchants or their agents
  • Payment Facilitators (PFs)
  • Staged Digital Wallet Operators (SDWO)

For simplicity, this article will refer to all of the above as 'you' - even when the entity making the transaction is a third party operating on your behalf.

There are two types of stored credential transactions:

Cardholder initiated
A Cardholder Initiated Transaction (CIT) is where the cardholder actively selects the card to use, and completes the transaction using previously stored details.
Cardholder Initiated Transactions are limited to sale, pre-authorisation, and account verifications.

Merchant initiated
A Merchant Initiated Transaction (MIT) is where is where you submit a transaction using previously stored detail without the cardholder's participation. For example, a recurring payment.

How this affects you

Whenever you process a stored credential transaction (either an MIT or CIT), you must follow Visa and Mastercard rules.

The consent agreement

If you allow cardholders the opportunity to store credentials, you must get their consent to do so.

This consent agreement must contain:

  • A truncated card number (i.e. the last four digits) 
  • Details of how you will notify your cardholder of any changes to the consent agreement
  • The expiry date of the agreement 
  • Details of how you will use the stored card details 

If you are going to use the stored details to initiate transactions (MITs), you must also include:

  • Your cancellation and refund policy 
  • Your full postal address, including country and telephone number
  • The amount, or details of how you will calculate this 
  • Any permitted additional fees or surcharges 
  • The transaction frequency (for recurring transactions) 
  • The total purchase amount, and the terms of future payments (for instalment transactions) 
  • For a non-scheduled MIT (i.e. not a recurring or instalment transaction), the event that will initiate the transaction 

You must store the cardholder's consent in compliance with the Payment Card Industry Data Security Standard, and keep this consent for the duration of the agreement. You must provide a copy to the cardholder and, in the event of a dispute, provide a copy to the card issuer.