
A Guide to Safe and Secure Card-on-File Transactions


According to a completely informal, unscientific, and made-up survey, the coolest way to pay for a purchase is to casually say “add it to my tab” or “bill it to my room.” The circumstances where you can actually do this are relatively few and far between, but that may be changing.

Increasing demand for fast, frictionless, contactless payments is motivating some merchants to offer card-on-file payments that can be authorized without any interaction with a payment terminal. What are the benefits—and risks—of card-on-file transactions, and what do merchants need to know about making this payment option available to their customers?

Card-on-file payments are nothing new. They’ve long been widely used by subscription services, club memberships, and other recurring billing schemes. These payments are also a frequent practice in e-commerce, where customers can store payment credentials to their user account so they don’t have to re-enter their credit card information every time they want to make a purchase. They also serve as an indispensable facilitator for funding digital wallets and making top-up payments.

What’s new is seeing increased use of card-on-file payments in brick-and-mortar retail environments.

The COVID-19 pandemic has caused a surge in demand for touch-free payments, but even contactless payment cards and digital wallets sometimes require some physical interaction with a payment terminal. Card-on-file payments don't.

Some retailers have started offering to store payment credentials so customers can make card-on-file payments that don’t require them to go anywhere near a payment terminal. This can be a very convenient and user-friendly solution, but storing payment credentials comes with certain risks and obligations.

What Is a Card-On-File Transaction?

From a technical standpoint, all you really need to process a card transaction is the account number. If you want it properly authorized—and you should always properly authorize every card transaction—you’ll also want the expiration date, the billing address, and, for the initial transaction, the security code. The security code is the one element that must never be stored: card-on-file transactions after the first are authorized without it. The elements of data necessary to place an authorized card transaction are known as payment credentials.

Customers can give merchants permission to store their payment credentials for later use, and purchases charged to those stored payment credentials are called card-on-file transactions.

Payment credentials can be captured and stored at any time: when the card is used at a terminal for a card-present transaction, when a merchant keys in a card number over the phone for a card-not-present purchase, or when a cardholder provides their payment credentials on a written or electronic form. Cardholders may be able to initiate payments verbally or electronically, or according to an agreed-upon schedule or set of conditions.

Gyms, streaming services, and other recurring billing services use card-on-file transactions for automatic monthly payments. Digital wallets and transit cards often use irregular, unscheduled card-on-file transactions to top up their funds when they dip below a preset threshold.

In retail spaces, card-on-file transactions are often paired with loyalty programs. At Starbucks, for example, the app that tracks your reward points also lets you use stored payment credentials to make purchases. 

Why Use Stored Payment Credentials for Card-On-File Transactions?

The main advantage of card-on-file transactions is that they’re convenient, frictionless, and fast. Customers don’t need to get out their wallet, wait for the EMV reader, enter a PIN, or sign anything—all they need to do is confirm their intent to authorize the purchase.

The benefit of using card-on-file transactions for subscriptions, installment payments, and other recurring billings should be self-evident, but for one-off retail purchases the slight uptick in convenience was offset by the added work of managing and securing stored payment credentials.

However, once COVID-19 came along, the equation changed. Suddenly contactless payments were of paramount importance, and card-on-file transactions became a way to enable customers to make safer, socially-distant payments even if they didn’t have a contactless card or digital wallet.

Having lived under a pandemic for more than a year, consumers are getting more and more accustomed to making digital, card-not-present payments in various forms. There are good reasons for brick-and-mortar merchants to consider giving their customers the option to pay for a purchase simply by saying “charge my card on file,” but merchants need to know how to follow the card network rules governing these transactions.

What Are the Risks of Card-On-File Transactions?

The greatest danger with stored payment credentials is that you will suffer a data breach that allows cybercriminals to steal your customers’ data. This has been a serious ongoing problem for e-commerce merchants. When a company gets hacked, thousands of sets of their customers’ payment credentials can end up on the dark web for sale to the highest bidder.

Even when their card accounts are locked down before any actual fraud can occur, customers tend to hold merchants responsible for these breaches, resulting in a loss of trust and significant damage to their reputation.

The card networks issued updated regulations for handling stored payment credentials a few years back, and legal frameworks like the Revised Payment Services Directive address the issue as well. Merchants should familiarize themselves with the rules that apply to them, but Visa’s rules provide a good outline for what is generally required:

  • Obtain consent from the cardholder before initially storing payment credentials.
  • Disclose to the cardholder exactly how and when their stored payment credentials will be used.
  • Notify the cardholder of any changes to the terms of use.
  • Flag the transaction that first stores the credential, and every later transaction that uses it, with the proper stored-credential indicators, including whether the transaction was initiated by the cardholder or by the merchant (recurring, installment, or unscheduled).

In order to meet PCI DSS requirements, merchants must also render any stored account number unreadable (strong encryption, truncation, tokenization, or a keyed one-way hash) and must never retain the security code, full magnetic-stripe data, or PIN after authorization, even in encrypted form. Most merchants avoid handling the account number at all by having their processor or gateway tokenize it and storing only the returned token, the last four digits, and the expiration date.
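The following is an added example, not code from Chargeback Gurus or from any card network, showing what a stored-credential record should and should not contain and how a later card-on-file authorization is tagged. The in-memory vault stands in for the processor’s tokenization service, the fingerprint key is a placeholder (in production it lives in an HSM or key management service), and the authorization request field names are hypothetical; your acquirer’s API defines the real ones.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Placeholder key for the keyed PAN fingerprint (assumption: a real deployment
# fetches this from an HSM/KMS). A keyed hash is required because the PAN
# space is small enough that an unkeyed SHA-256 of a PAN can be brute-forced.
FINGERPRINT_KEY = b"placeholder-key-do-not-use-in-production"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check (catches typos, not fraud)."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class StoredCredential:
    """What the merchant keeps. Note there is no field for the security code."""
    token: str        # random reference to the PAN held by the vault
    last4: str        # truncated PAN, allowed in the clear under PCI DSS
    exp_month: int
    exp_year: int
    fingerprint: str  # keyed hash of the PAN, used only to detect duplicate cards


class CredentialVault:
    """Stand-in for the tokenization service (normally your processor or gateway)."""

    def __init__(self) -> None:
        self._pan_by_token = {}

    def store(self, pan: str, exp_month: int, exp_year: int,
              cvv: Optional[str] = None) -> StoredCredential:
        if not luhn_valid(pan):
            raise ValueError("account number fails Luhn check")
        # The security code may accompany the initial authorization but must never
        # be persisted; it is accepted here only so the drop is explicit.
        del cvv
        token = secrets.token_urlsafe(24)
        self._pan_by_token[token] = pan
        fingerprint = hmac.new(FINGERPRINT_KEY, pan.encode(), hashlib.sha256).hexdigest()
        return StoredCredential(token, pan[-4:], exp_month, exp_year, fingerprint)

    def resolve(self, token: str) -> str:
        """Only the vault (i.e. the processor) ever sees the PAN again."""
        return self._pan_by_token[token]


def build_authorization(cred: StoredCredential, amount_cents: int, initiator: str,
                        reason: str, original_trace_id: Optional[str] = None) -> dict:
    """Assemble a card-on-file authorization tagged with stored-credential indicators.

    Hypothetical field names. A merchant-initiated transaction (recurring,
    installment, unscheduled) must reference the initial cardholder-initiated one.
    """
    if initiator not in ("cardholder", "merchant"):
        raise ValueError("initiator must be 'cardholder' or 'merchant'")
    if reason not in ("recurring", "installment", "unscheduled"):
        raise ValueError("unknown stored-credential reason")
    if initiator == "merchant" and original_trace_id is None:
        raise ValueError("merchant-initiated transactions must carry the original trace id")
    return {
        "token": cred.token,
        "amount_cents": amount_cents,
        "exp": f"{cred.exp_month:02d}/{cred.exp_year % 100:02d}",
        "stored_credential": True,
        "initiator": initiator,
        "reason": reason,
        "original_trace_id": original_trace_id,
    }


if __name__ == "__main__":
    # Constructed sample: a well-known Luhn-valid test number, not a real card.
    vault = CredentialVault()
    cred = vault.store("4111111111111111", 12, 2027, cvv="123")
    first = build_authorization(cred, 499, "cardholder", "unscheduled")
    later = build_authorization(cred, 499, "merchant", "unscheduled", original_trace_id="trace-0001")
    print(cred)
    print(first)
    print(later)
```

The record the merchant retains never contains the security code or the full account number; only the vault can turn the token back into a PAN, and the keyed fingerprint lets you recognise a returning card without being able to recover it from the stored value.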

Conclusion

While they may be terra incognita for card-present retailers, card-on-file transactions are a necessity for many merchants, not an option. That means there’s plenty of good advice and best practices established for safely storing and using customers’ payment credentials.

Just keep in mind that card-on-file transactions will impact your chargeback exposure. When stored payment credential transactions are carried out improperly, the cardholder may have the right to demand an authorization-related chargeback.

If you start offering this payment option to your customers, make sure you carefully monitor your chargeback data in the days that follow so you can quickly determine whether your chargeback rate is going up, and if so, take immediate steps to address it.


Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to: win@chargebackgurus.com.