Mastercard’s Stored Payment Credential Mandate Explained


Table of Contents

  1. Details Of The Stored Payment Credential Mandate
  2. What are Stored Credentials?
  3. Conclusion
  4. Frequently Asked Questions

Mastercard is in the process of rolling out a new mandate that will change the way merchants and payment processors handle transactions and chargebacks. There are several phases to this rollout, which is scheduled to be completed in 2020, each of which may address different aspects of the credit card payments ecosystem.

One important component is the Stored Payment Credential Mandate, which dictates how merchants should handle and process payments made with credit card information that's saved on their servers.

Mastercard is introducing this mandate for several reasons: to improve and streamline processes for all stakeholders (e.g. banks, consumers, and merchants), to adapt to the ever-evolving methods used by fraudsters and cybercriminals, and to keep pace with the rest of the industry (Visa has already launched its own policy and procedural updates).


While adapting to these changes may be a challenge for merchants with limited resources, the ultimate goal is to protect their revenues by reducing fraud and chargebacks. In an effort to ease the transition, we've put together a concise guide to the Stored Payment Credential Mandates.

What are Stored Credentials?

Stored credentials are customer information kept by a merchant for future purchases. Merchants store details such as account information, payment tokens, or verification information so that when the customer makes another purchase, the merchant can use that information to speed up checkout.

Why would merchants even want to store credentials? For starters, merchants providing recurring payments can use stored credentials to streamline repeat billing. This includes subscription services or regular payments made in installments.

Secondly, merchants may want to have payment information on file for non-recurring future payments, like any service that involves customers opting in and out of transactions on a regular basis. 

Details Of The Stored Payment Credential Mandate

“Stored payment credentials” refers to credit card information that a customer has opted to save to a merchant's web server in order to make future purchases more convenient. Data commonly includes billing name, billing address, card account number, and card expiration date. 

It follows, then, that a “stored credential transaction” is any transaction the merchant initiates against that stored credit card information. These transactions may be merchant-initiated, as in the case of automatic billing for subscription services, or customer-initiated, i.e. when a customer makes a new purchase using their stored credentials. Mastercard also refers to this as a “credential-on-file transaction.”

Mastercard’s new Stored Payment Credential Mandate covers both types of stored payment transactions. It sets the rules and requirements for how merchants are allowed to store these credentials and process subsequent transactions.

The mandate, which went into effect on October 12, 2018, requires merchants, their third-party agents, payment facilitators, and digital wallet operators to do the following any time they are offering cardholders the option of saving their payment credentials:

  1. Via transaction, inform the issuing bank that the customer’s payment credentials are now being stored.
  2. Use appropriate indicators to identify transactions that are made with stored credentials.

The purpose of these “appropriate indicators” is to convey to the issuing bank, as part of the transaction process, that the merchant and the cardholder have a pre-existing relationship and an agreement to use stored payment credentials. This makes it easier for issuing banks to identify legitimate transactions, which, in turn, should increase approval rates for credential-on-file transactions.

These obligations come on top of the traditional requirements for storing payment credentials, which include transparent disclosures on how card information is used, proactive notifications of future transactions, notification of any changes in your TOS, and other requirements.


While it's daunting to hear that a major credit card network is changing the rules, merchants should keep in mind that these changes are intended to reduce their workload and increase approval rates. It's also important to note that the card networks tend to provide a good bit of time for those impacted by the changes to learn about and prepare for them.

When merchants are uncertain about how best to comply with new mandates, or about the consequences of failing to do so, companies like Chargeback Gurus can be an excellent source of expert guidance grounded in years of experience in the payments industry. With a little knowledge, preparedness, and help, every merchant can take advantage of the potential benefits they offer.


What is the CIT MIT?

MIT is a framework for merchants to link to and store information from the cardholder-merchant’s initial interaction, required for any merchant that accepts tokens.


What is the VISA mandate?

The Visa stored credentials mandate is similar to the Mastercard mandate, with items to protect consumers with stored credentials.


What is a Credential on File transaction?

When the cardholder authorizes the merchant to store credentials for future transactions.

