Stored Credentials and SCA requirements
A lot of confusion surrounds recent regulations, all of which share the objective of strengthening SCA (Strong Customer Authentication) and minimizing fraud. As card-not-present transactions keep growing, both online and offline, the need for added transaction security is rising again. According to the European Central Bank, Card Not Present (CNP) fraud was recorded at 1.32 billion euros in 2016 and, unlike ATM- and POS-related fraud, it was the only category on the rise compared with the previous year's data (an increase of 2%). A study from Juniper Research estimates a loss for merchants of $130 between 2018 and 2023 resulting from CNP fraud. Card-not-present fraud gives merchants a hard time both because it increases chargebacks and because it affects shoppers' behavior, drawing them away from CNP shopping and ultimately reducing merchants' potential revenue.
What are Stored-Credentials (Card-on-File)?
A stored credential is information such as a payment token or account number, which is stored by a payment provider/facilitator, merchant, or SDWO (Staged Digital Wallet Operators), and is saved for future purchases/payments.
What is not considered a stored credential?
Credentials received by third parties are not considered stored credentials, since they are not saved by the merchant. Another exception is when credentials are stored for the purpose of completing a single transaction/purchase, for example when a user provides credentials to cover charges related to multiple payments connected to a single reservation.
Consumer Vs. Merchant Initiated Transactions
There are two categories of transactions relevant to our topic: a Consumer-Initiated Transaction (CIT) and a Merchant-Initiated Transaction (MIT). An MIT stems from a CIT and relies on the original authentication of the latter. This also allows the MIT to be excluded from SCA requirements. Both types of transactions need to be addressed by merchants.
A CIT occurs when a consumer is actively entering a payment process (transaction). This can happen when either an in-store or an online transaction is taking place. A CIT contains proof that the cardholder was involved in the transaction and that he voluntarily entered his credentials.
An MIT is a transaction that stems from the original CIT but is conducted without the consumer present and without additional actions performed on his side. This can happen for a variety of transactions; the best examples are a recurring payment (e.g. a subscription) or an account top-up.
What do you need to do to store credentials?
In order to store credentials, merchants are required to obtain consent from the cardholder. The consent needs to include the cardholder’s approval for the merchant to store his card’s information (last 4 digits). Additionally, the consent needs to include complete information about the future use of the credentials and the merchant’s obligations to the user if anything changes. (For a complete list of requirements, please refer to the Visa website.)
When storing customers' card information for use in authorization, charge or credit requests, or when the information is stored for future transactions, the major card brands now require merchants to send the appropriate transaction indicators* (recurring, Merchant Initiated, etc.).
*Please check our documentation for more information.
Benefits of Transactions with Stored Credentials
Transactions identified as those with stored credentials are treated differently through the authorization approval process, resulting in:
• Greater visibility of transaction risk levels for issuers
• Higher transaction approval rates
• Improved customer experience thanks to a seamless, fluid checkout process
• Exclusion from SCA requirements (for MITs that were originally authenticated)
The ability to store credentials benefits both merchants and consumers and creates a more fluid and safe marketplace with a reduced fraud risk.
If you are interested in learning more about how to reuse card information, make sure to check our documentation.