The Visa & Mastercard Mandate for Subscription Transactions

Table of Contents

1. What Are the New Rules for Stored Payment Credentials?
2. What Are the New Rules for Subscriptions?
3. What Kinds of Transactions Are Covered by the Subscription Mandate?
4. What Are the Full Requirements for Stored Credential Transactions?
5. When Did the Subscription Mandates Take Effect?
6. Why Did Visa and Mastercard Change the Rules for Subscriptions?
7. Do I Have to Comply With the Subscription Mandate?
8. How Do I Comply With the New Subscription Rules?
9. Why Is it Important to Comply With Card Network Mandates?
10. What Is a Mastercard MIP?
11. What Is a Card-on-File Transaction?
12. Is it Legal to Keep Credit Card Details on File?

Offering to remember a customer's payment credentials is something that's become almost universal in modern e-commerce. Stored payment information streamlines the checkout process for future purchases and provides a necessary foundation for things like one-click checkout and invisible payments.

There's also one scenario in which storing a customer's payment credentials is a necessity: subscriptions. Merchants who use recurring billing must store payment information in order to process these future transactions, but the rules for storing credentials and processing recurring transactions have become somewhat more complicated in recent years.

Visa and Mastercard have each issued multiple mandates that create additional requirements for subscription merchants. What are the new rules for recurring billing, and what do merchants need to do to make sure they comply with them?

The short version is that the agreement to allow the merchant to store payment information must include the last four digits of a credit card, an explanation of how the stored information will be used, and how the customer will be notified of any changes to the agreement.

In addition, merchants are required to include the appropriate indicators to inform the bank of recurring transactions made using stored payment credentials.

Full coverage of this mandate can be found here, but here are the key points:

• Merchants must provide a digital receipt when a customer enrolls that includes the terms of the agreement and the timeline and amounts for future payments.
• Customers must be able to cancel their subscriptions online, even if they didn't enroll online.
• The billing descriptor for recurring charges must clearly indicate the merchant and what the charge is for.
• The customer must be notified by email or text message at least 7 days before the end of a free trial period, and this notification must include a link to the cancellation page.

Mastercard created changes to its rules with largely similar requirements. The last of these changes, which implements the rule about informing new customers about the timeline and amount of future payments, goes into effect on June 9th, 2022.

Before processing the initial transaction, the merchant must obtain the cardholder's express, informed consent to an agreement, which must be retained by the merchant for as long as it remains in effect and must be provided to the issuing bank upon request. The agreement must contain the following:

The transaction amount, including all taxes, fees, and other included charges. If the exact amount is unavailable at the time the agreement is made, the agreement must contain an explanation of how the transaction amount will be calculated.

• The type of currency used in the transaction
• Acknowledgment of any permissible surcharges
• Cancellation and refund policies
• The merchant outlet location

Each subsequent transaction made as part of the agreement must be authorized, and if the authorization is declined, the merchant has at least 14 days to resubmit the authorization, if the reason code provided for the decline allows it.

The merchant also has to provide their customers with a simple way to cancel the agreement and cannot process further transactions if the cardholder makes use of the cancellation procedure.

The merchant is also prohibited from processing additional transactions if the end date of the agreement has passed or if the cardholder requests a change to their method of payment.

Here's a more detailed dive into some of the technical aspects of the new requirements:

• All the requirements outlined by the mandate must be displayed, separate from the merchant's own general purchase terms and conditions, at the time the cardholder enters into a purchase agreement with the merchant. Some local laws or regulations may also require the merchant to provide the cardholder with a record of their consent to the agreement if requested.
• When card information is being stored for future transactions, but no simultaneous purchase is being made, the merchant should submit an Account Verification Request (a $0.00 transaction) instead. If either an initial payment or the Account Verification request is declined, the payment credentials must not be stored.

If your e-commerce business keeps customer card information on file, you need to make sure you're in compliance with these requirements. Fortunately, compliance shouldn't be too difficult, and the end result should result in more authorizations, fewer chargebacks from confused customers, and better outcomes for everyone involved in the process.

There have been numerous cases of abuse of this process, most famously negative option billing, which essentially signed customers up for a subscription without their consent.

While the most underhanded forms of this practice have been banned in the U.S., similar schemes have popped up to replace it. Some of the more common ones are as follows:

• Hiding a subscription agreement in the terms and conditions that most customers never read.
• Making a subscription opt-out instead of opt-in, with little to no information on the page indicating a subscription is involved at all.
• Including a checkbox with a vague label that customers must click to checkout, and hiding information indicating that clicking the checkbox means agreeing to recurring payments in fine print elsewhere on the page.

Visa and Mastercard issued this mandate to fight back against these dishonest practices and make sure customers are fully informed anytime their payment credentials are being stored for future automatic transactions.

Non-compliance may result in the following consequences for merchants:

• A greater number of declined transactions
• The inability to take advantage of improved authorization rates
• The inability to successfully fight chargebacks on applicable transactions
• Potential fines for non-compliance from card networks, payment processors, or banks.

For the most part, compliance is currently being encouraged by the benefits merchants will see by following the new requirements – namely, more transaction authorizations and fewer chargebacks.

In most cases, all that is required to obtain customer consent for stored credentials is a simple checkbox on the page where payment information is entered.

For one thing, your business could run the risk of increased chargebacks. When following mandates, you can document the cardholder's agreement to payments and services in real time, which means that should they dispute a transaction later, you can protect yourself. You will also earn cardholder trust.

By playing by the rules and providing clear compliance and support for cardholders, you show them you are here to supply a service or product, not steal their money or pull a fast one on them.

Compliance can also protect you from fraudsters that are looking to take advantage of merchants. If you are compliant with all card network mandates, you close some of the loopholes fraudsters can take advantage of.

Making big changes to comply with new rules handed down by the major card networks can be a hassle, but when the outcome is more authorizations and fewer chargebacks, it is well worth the effort.

FAQ

Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions, or requests for advice to: win@chargebackgurus.com