Updated July 23rd, 2022

Overview

In October 2017, Visa and Mastercard issued new rules regarding the use of stored credentials. This mandate requires specific handling and transmission of stored credentials (in this case, tokens representing payment data). See the following documentation from Visa and Mastercard for detailed information:

We are currently in the process of certifying the CardPointe Gateway for compliance with this mandate. This document describes the changes in development for the CardPointe Gateway API, and the changes that you can plan to make to your integration to become compliant.

The changes described in this document are currently in development. This document will be updated as development completes.

Support for stored credential (also known as card on file, or COF) transactions is enabled in production for the following processors:

  • First Data North
  • First Data Omaha
  • First Data Rapid Connect
  • Chase Paymentech Salem
  • TSYS

Understanding Stored Credentials

A stored credential is information (including, but not limited to, an account number or payment token) that is stored by a merchant or its agent to process future transactions. 

If your application stores cardholder data (for example, using the CardPointe Gateway profile service to manage cardholder profiles or storing  tokens in your own database) for use in future one-time or recurring payments, you must do the following to become compliant with this mandate:

  • Disclose to cardholders how those credentials will be used.
  • Obtain cardholders’ consent to store the credentials.
  • Notify cardholders when any changes are made to the terms of use.
  • Inform the account issuer that payment credentials are now stored on file, either by processing an initial payment or a $0 account verification.
  • Identify the initiator (cardholder or merchant) and frequency (one-time or scheduled) of transactions with appropriate indicators when using stored credentials.
  • Provide proactive notification of future payment transactions and ability to cancel a subscription or recurring payment.

Additionally, merchants offering subscription services in Europe must send an electronic reminder notification (email or SMS/text message, if cardholder accepted future notification) and a link to online cancellation at least seven (7) days before initiating a recurring transaction if a trial period, introductory offer or promotional period has expired.

Identifying Cardholder and Merchant-Initiated Transactions

Payment applications must determine whether each applicable transaction is a Cardholder-Initiated Transaction (CIT), or a Merchant-Initiated Transaction (MIT). 

A Cardholder-Initiated Transaction is any transaction in which the cardholder is actively participating in the transaction (by phone, online, or in-person) using stored credential and payment details, for example:

  • A cardholder creating a standing order for a recurring, fixed-amount payment for goods or services (for example, a scheduled rent payment).
  • A cardholder authorizing a payment on an account over the phone. 

Cardholder-Initiated Transactions must be identified by including "cof":"c" in the authorization request to the CardPointe Gateway. 

A Merchant-Initiated Transaction is any transaction in which the cardholder is not available to participate:

  • A follow-up payment after an initial cardholder-initiated transaction.
  • A direct deposit agreement for the payment of goods or services (for example, a recurring bill payment for a streaming service subscription).

Merchant-Initiated Transactions must be identified by including "cof":"m" in the authorization request to the CardPointe Gateway. Periodic recurring transactions must also include "cofscheduled":"y"

The following table describes some sample scenarios using stored credentials:

For Cardholder-Initiated Transactions, cofscheduled is optional. This value should be omitted or N if included.


Scenariocofcofscheduled
A new customer makes a one-time purchase on your web store or app, and opts to create an account to store their billing and payment information.CN 
A patient calls your office to make a one-time payment over the phone. The customer provides their billing information to an associate, who enters it into your application. When asked, the customer agrees to store their billing information for future payments.CN
A patient calls your office to make a one-time payment over the phone, and their billing information is already stored for use in your application.CN
A new customer creates an account on your website for the purpose of making one-time purchases.
Your application processes the initial payment or a $0 authorization to verify the billing details.		C

N 

A new customer creates an account on your website and enrolls in a subscription service, which is billed monthly. Your application processes the initial payment or a $0 authorization to verify the billing details.

M

  • Y for an initial (non-$0) payment
  • N for a $0 authorization
A customer previously enrolled in your subscription service, and is automatically billed for the monthly amount using their saved billing details.MY
An existing customer purchased multiple items from your web store, and checked out with their stored profile; however, only some goods were in stock at the time of the order. 

The customer is charged twice for the split shipment, where:
  • The customer is initially charged for the in-stock goods at the time of the order.
CN
  • The customer is charged a second time for the remainder of their purchase once the goods are available.
MN

Integrated Payment Application Changes

If you or your merchants use an application that integrates the CardPointe Gateway API to accept and manage transactions, you must update your application to become compliant with this mandate.

The changes required to comply with this mandate affect merchants who:

  • Store and reuse payment tokens and customer information to process recurring payments through an E-commerce or ERP application.
  • Use the CardPointe Gateway's profile service to create and store customer profiles and process card-not-present payments using the associated profileid and accountid.

If your payment workflows use either of these methods to store and reuse customer data, you will need to update your integration to identify the initial and subsequent payments.

New Authorization Request Parameters

To support the requirements to identify stored credential transactions, the CardPointe Gateway API includes the following new parameters, which must be included in the authorization request for all E-commerce, telephone, and recurring payments using stored customer payment information.

FieldMax LengthTypeDescription
cof1AN

The cof parameter specifies whether the transaction is initiated by the customer or merchant.

  • C - Customer-Initiated Transaction (CIT)
  • M - Merchant-Initiated Transaction (MIT)
cofscheduled1AN

The cofscheduled parameter specifies whether the transaction is a one-time payment or a scheduled recurring payment.

Required for a Merchant-Initiated Transaction (MIT), and optional for a Customer-Initiated Transaction (CIT).

Specify one of the following values:

  • Y - The transaction is a scheduled (automated) payment.
  • N - The transaction is a one-time payment.
cofpermission1AN

For an authorization request with "profile":"y" to create a new profile, or for a profile create or update request, optionally include cofpermission to specify if the cardholder provided their permission to store and reuse their payment information.

This field is optional, and is only used for reporting purposes, via the get profile response.

Specify one of the following values:

  • Y - The cardholder provided their consent to store and reuse their payment details.
  • N - The cardholder did not provide their consent.

Defaults to N if not provided.

The following example illustrates the cof and cofscheduled fields used in an authorization request, where the merchant's billing system initiated a scheduled, automated payment:

Example Recurring Payment with COF Fields

{
  "merchid":"177203351990",
  "currency":"USD",
  "expiry":"0420",
  "orderid":"000246560010",
  "accttype":"Visa",
  "account":"4005562231212123",
  "amount":"210.03",
  "address":"1307 Broad Hollow Road",
  "postal":"11747",
  "capture":"Y",
  "cof":"M",
  "cofscheduled":"Y"
}

New Authorization Response Field

When a transaction is identified as a stored credential transaction, the CardPointe Gateway records the transaction as either an initial or subsequent transaction for card account and merchant ID. 

The cof field has been added to the CardPointe Gateway's authorization response. When the cof field is present in the request, it will also be returned in the response to help you track your stored credential transactions.

CardPointe Payment Application Changes

If you or your merchants use the CardPointe Virtual Terminal or CardPointe Mobile app to accept and manage payments, you may need to become familiar with minor changes to these applications to become compliant with this mandate.

See Handling Stored Profiles for more information on these in-app changes.

FAQs

When Can I Update and Test my Integration?

You should plan to update and test your integration as soon as possible. 

For First Data Rapid Connect, the UAT environment is configured to emulated the production environment and to echo the cof field and value from the request in the response.

For other First Data/Fiserv processors, the UAT  environment is currently configured to ignore the cof and cofscheduled  parameters, so your application can begin to send these values without encountering errors in testing.

What Will Happen if I Do Not Update My Application?

Compliance with this mandate is required to continue processing recurring payments. Recurring transactions that do not include the required COF parameters may be flagged for a data-integrity issue and may incur fines.

Do I Need to Update My Existing Recurring Transactions?

No, the CardPointe Gateway will identify the initial transaction using existing stored credentials once your application has been updated to include the required cof and cofscheduled fields in your recurring transactions.