September 12, 2017
By Karisse Hendrick, Editor-at-Large, CardNotPresent.com
Beginning Oct. 14, 2017, Visa will unveil a new set of requirements for any business that stores cardholder payment information to enable faster future online checkout. Merchants that store payment information or tokens for a future purchase—whether for a recurring charge, a future single purchase, a delayed charge or to top up an account—will be directly impacted, and the time to prepare is now.
A “stored credential” is defined by Visa as “information (including, but not limited to, an account number or payment token) that is stored by a merchant or its agent, payment facilitator, or staged digital wallet provider to process future purchases for a cardholder.”
Overview of the New Requirements
Some stored-credential purchases are always initiated by a customer (e.g., when a CNP merchant stores a card so it can autofill personal and payment information for a customer making purchases on subsequent visits). Visa separates these into two categories: “Industry Practice”—including incremental purchases, the resubmission of a charge, a reauthorization, delayed charges and no shows (primarily for hotels and other travel-related transactions)—and “Standing Instruction,” which refers to instances in which the customer provides authorization for future purchases in specific instances. This includes installments, recurring charges and “unscheduled on file” charges (i.e., when a cardholder gives permission to a merchant to recharge their card in a specific instance, like topping up a digital wallet when it falls below a certain dollar threshold).
The new requirements for stored credentials will include process changes and possible updates to the text of a checkout page to ensure cardholders provide consent to storing payment credentials with the merchant at the time of their first purchase. The new program also requires technical updates enabling the addition of new data fields notifying the issuer of the initial transaction with a stored card, or that the purchase was made with a stored credential, implying less risk. Visa is setting these new requirements because digital commerce stakeholders are continually innovating in an attempt to find new ways to integrate new business models that rely on charging stored credentials.
The intended benefits include ensuring cardholders understand their cards have been stored and may be charged in the future, and reducing issuer declines on transactions in which the cardholder has expressed consent to future purchases, depending on the business model. Another benefit may be a reduction in chargebacks, as cardholders will be better informed on the intended use of their card on file for future purchases.
Understand the Details
Beginning Oct. 14, 2017, all customers entering a credential that will be stored for the first time must provide consent, typically through a check box on the checkout page prior to the storage of their card. Additionally, merchants and any other customer-facing platforms must disclose how the card-on-file will be used. How a stored card will be utilized varies based on business model and can be disclosed on the checkout page or in the terms of service, in a designated paragraph regarding stored credentials. Additionally, after this change, merchants are required to notify a cardholder whenever the terms of service have been updated. Retroactive consent and disclosure to cardholders are not required for any new stored cards entered prior to the Oct. 14 effective date.
When a cardholder initiates a purchase and consents to having a payment credential stored for future customer-initiated charges, or if future transactions will be unscheduled, the merchant, payment facilitator or digital wallet provider must submit the value of “C” in the POS Field environment. If the credential is being stored for recurring or installment charges, the POS field will need to be filled with an “R” or “I,” respectively.
If the cardholder is storing a card for future charges but is not making a simultaneous purchase, the entity must submit an Account Verification authorization. This requirement already exists for recurring and installment transactions in Europe, but is expanding worldwide starting on the effective date. If either the first payment or the Account Verification authorization is declined, the credential cannot be considered a stored credential, and the merchant must not use the credential for any subsequent transactions.
When initiating a payment transaction utilizing a stored credential, the entity must submit the payment transaction with a value “10” in the POS Entry Mode Code field. Value “10” indicates the credential presented is a stored credential. These requirements apply to card-not-present transactions. Additional requirements for stored credential purchases in card-present environments or multi-channel environments with a mix of CNP and CP purchases can be found on the Visa website.
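The field rules above, sketched as an added example (not code from Visa, the article or any gateway). The dictionary keys `pos_environment`, `pos_entry_mode` and `message_type`, the `Credential` class and the sample token are hypothetical names chosen here; a real integration uses the field names your processor specifies.

```python
from dataclasses import dataclass
from typing import Optional

# First-transaction indicator values as quoted in the article.
INITIAL_INDICATOR = {
    "customer_initiated": "C",
    "unscheduled": "C",
    "recurring": "R",
    "installment": "I",
}

@dataclass
class Credential:
    token: str             # constructed sample token, never a real PAN
    use: str               # one of the INITIAL_INDICATOR keys
    consent: bool = False  # cardholder agreed to storage at checkout
    stored: bool = False   # becomes True only after an approved first auth

def initial_request(cred: Credential, amount_cents: Optional[int]) -> dict:
    """Build the first authorization for a credential that is about to be stored."""
    if not cred.consent:
        raise PermissionError("cardholder consent is required before storing")
    if cred.use not in INITIAL_INDICATOR:
        raise ValueError(f"unknown stored-credential use: {cred.use!r}")
    # No simultaneous purchase means an Account Verification authorization.
    kind = "purchase" if amount_cents else "account_verification"
    return {"token": cred.token, "message_type": kind, "amount_cents": amount_cents,
            "pos_environment": INITIAL_INDICATOR[cred.use]}

def record_initial_result(cred: Credential, approved: bool) -> bool:
    """A declined first payment or verification means the credential is not stored."""
    cred.stored = approved
    return cred.stored

def subsequent_request(cred: Credential, amount_cents: int) -> dict:
    """Build a later charge; refuse if the credential was never established."""
    if not cred.stored:
        raise PermissionError("credential is not a stored credential; do not charge it")
    return {"token": cred.token, "message_type": "purchase",
            "amount_cents": amount_cents, "pos_entry_mode": "10"}
```

Keeping the approved-first-authorization flag next to the token lets the charging path enforce the "declined means not stored" rule instead of relying on each caller to remember it.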
How You Need to Be Ready
To comply with the first set of requirements, merchants must make changes to the checkout page and possibly terms and conditions. Ensuring the proper data fields are being filled in the correct instances will most likely be a team effort between your development team, gateway and merchant processing partner. The specific criteria for all of these referenced requirements can be found on Visa’s website. Your merchant processor and/or gateway should be able to provide specific guidance on the configurations needed for their systems and how to integrate to send the proper data fields.
Although these requirements will be in force fairly soon, Visa does not plan to levy fines for non-compliance (though they have not ruled it out). Because the anticipated result is more authorized transactions and a possibility of fewer chargebacks, however, the incentive to comply should be clear.
Overall, these new requirements for stored credentials provide transparency between all of the players in a transaction. Cardholders will understand at the time they store their payment information what future charges they might incur and whether all future charges will be customer-initiated or initiated by the merchant. The merchant provides transparency to their merchant processor, the card brand and the issuer by utilizing the correct descriptor in the “POS field environment” data field. When the issuer is provided additional information that tells them more about the purchase, the overall result is additional authorizations and sales, benefiting all players in the transaction ecosystem.