Rules on stored credentials are changing: as a business owner here’s what you need to know

They might not be the most exciting part of running a business, but payment industry rules and regulations can’t be ignored. That’s why we’re notifying all Worldpay customers about key changes to Visa and Mastercard requirements regarding stored credential transactions. As these are becoming an increasingly popular way for cardholders to pay for items, the card companies have updated their rules. Merchants should take account of these changes as soon as possible to avoid non-compliance fines.

What are stored credentials?

Stored card numbers or related tokens are popular among consumers as they enable a faster payment experience at the till. They’re also good for businesses, who will welcome new technology that makes payment quicker and easier for customers. Of course, the entity storing these credentials might not be the merchant itself. It could be an agent, payment facilitator or even a staged digital wallet operator (SDWO).

Either way, there are two types of stored credential transaction to think about. When cardholders proactively select a card and complete a transaction using stored details, this is known as a Cardholder Initiated Transaction (CIT). These are limited to sale, pre-authorisation, and account verifications. However, when the merchant or third-party submits a transaction using previously stored details without any cardholder input, it’s a Merchant Initiated Transaction (MIT). These could include reauthorisations, delayed payments, recurring payments and instalments.

So how will the new rules affect your business?

Playing by the rules

Every time you or a third-party completes a CIT or MIT you/they will need to follow the card companies’ rules. These cover everything from the first time you accept stored details to submitting the transaction itself.

The initial consent agreement presented to cardholders when they come to store their details must contain several elements. These include a truncated card number — typically the last four digits; details on how you’ll notify them of any changes to the agreement; details on agreement expiry date; and how you’ll use the stored details. If you also want consent to store details for future MITs, you need to include extra detail such as: cancellation and refund policy; your full postal address and phone number; any additional fees/surcharges; and the amount. If the MIT relates to recurring transactions you’ll need to include details on the frequency, and if it’s instalments then information on the total amount and future payments are required. For non-scheduled MITs, include the event that will initiate the transaction.

This consent must be stored in accordance with Payment Card Industry Data Security Standard (PCI DSS) rules for the duration of the agreement, with one copy sent to the cardholder. Another may be needed to send to the issuer in the event of a dispute.

Cardholders must be told of any changes to the agreement. This must happen within seven working days (for recurring transactions), and within two working days (for unscheduled MITs). It covers changes such as the end of a trial period, or if more than six months has passed since the last transaction. It goes without saying that you can no longer submit transactions after the consent period has ended and you must also stop if a cardholder cancels or you receive a decline response. 

Submitting transactions

Additional information must be sent to Worldpay when you or a third-party submit the stored credential transaction to our gateways. This is where it could get a bit complicated, which is why Worldpay has created a detailed technical guide [i] for you. In short, the details will vary depending on whether it’s an initial transaction or a subsequent transaction. If the latter, merchants or third-parties must submit a “cardholder initiated indicator” if it’s a CIT, or a “merchant initiated indicator” and a specific transaction reason code if it’s a MIT.

This can be a lot to take in, but the reasoning behind the changes is sound: to ensure merchants use customer card details responsibly and issuers have proper visibility into this emerging category of transactions. Visa and Mastercard will be monitoring transaction activity and it makes sense to make the necessary changes as soon as you can. The deadline is 1 October 2018. More information can also be found in our Customer Operating Guide [ii].