The Visa & Mastercard Mandate for Subscription Transactions

Table of Contents

  1. What Are the New Rules for Stored Payment Credentials?
  2. What Are the New Rules for Subscriptions?
  3. What Kinds of Transactions Are Covered by the Subscription Mandate?
  4. What Are the Full Requirements for Stored Credential Transactions?
  5. When Did the Subscription Mandates Take Effect?
  6. Why Did Visa and Mastercard Change the Rules for Subscriptions?
  7. Do I Have to Comply With the Subscription Mandate?
  8. How Do I Comply With the New Subscription Rules?
  9. Why Is it Important to Comply With Card Network Mandates?
  10. What Is a Mastercard MIP?
  11. What Is a Card-on-File Transaction?
  12. Is it Legal to Keep Credit Card Details on File?

Offering to remember a customer's payment credentials is something that's become almost universal in modern e-commerce. Stored payment information streamlines the checkout process for future purchases and provides a necessary foundation for things like one-click checkout and invisible payments.

There's also one scenario in which storing a customer's payment credentials is a necessity: subscriptions. Merchants who use recurring billing must store payment information in order to process these future transactions, but the rules for storing credentials and processing recurring transactions have become somewhat more complicated in recent years.

Visa and Mastercard have each issued multiple mandates that create additional requirements for subscription merchants. What are the new rules for recurring billing, and what do merchants need to do to make sure they comply with them?

What Are the New Rules for Stored Payment Credentials?

Visa and Mastercard now require that merchants obtain consent from customers to store their payment information, and that this consent be separate from the merchant's ordinary terms and conditions.

The short version is that the agreement to allow the merchant to store payment information must include the last four digits of a credit card, an explanation of how the stored information will be used, and how the customer will be notified of any changes to the agreement.

In addition, merchants are required to include the appropriate indicators to inform the bank of recurring transactions made using stored payment credentials.

What Are the New Rules for Subscriptions?

In 2020, a new Visa mandate went into effect that changed the rules for subscriptions. Merchants must now allow customers to cancel online, notify them before each payment is processed, and link to the cancellation page in these notifications.

The key points of this mandate are:

  • Merchants must provide a digital receipt when a customer enrolls that includes the terms of the agreement and the timeline and amounts for future payments.
  • Customers must be able to cancel their subscriptions online, even if they didn't enroll online.
  • The billing descriptor for recurring charges must clearly indicate the merchant and what the charge is for.
  • The customer must be notified by email or text message at least 7 days before the end of a free trial period, and this notification must include a link to the cancellation page.

Mastercard made changes to its rules with largely similar requirements. The last of these changes, which implements the rule about informing new customers of the timeline and amount of future payments, goes into effect on June 9th, 2022.

What Kinds of Transactions Are Covered by the Subscription Mandate?

The specific types of credential-on-file transactions covered by the mandate are:

  • Recurring Payments
  • Installment Payments
  • Unscheduled Merchant-Initiated Payments (products automatically shipped when certain conditions are met, accounts that automatically add funds when reaching a certain balance, etc.)
  • Unscheduled Customer-Initiated Payments (one-click shopping)

What Are the Full Requirements for Stored Credential Transactions?

When storing payment credentials for the first time, the merchant must establish an agreement with the cardholder that contains all of the following:

  • A truncated version of the stored credential (for example, the last four digits of a credit card).
  • The method by which the cardholder will receive notice of any changes to the payment agreement.
  • How the stored credential will be used.
  • The expiration date of the agreement, if applicable.

Before processing the initial transaction, the merchant must obtain the cardholder's express, informed consent to an agreement, which must be retained by the merchant for as long as it remains in effect and must be provided to the issuing bank upon request. The agreement must contain the following:

  • The transaction amount, including all taxes, fees, and other included charges. If the exact amount is unavailable at the time the agreement is made, the agreement must contain an explanation of how the transaction amount will be calculated.
  • The type of currency used in the transaction
  • Acknowledgment of any permissible surcharges
  • Cancellation and refund policies
  • The merchant outlet location

Each subsequent transaction made as part of the agreement must be authorized, and if the authorization is declined, the merchant has at least 14 days to resubmit the authorization, if the reason code provided for the decline allows it.

The merchant also has to provide their customers with a simple way to cancel the agreement and cannot process further transactions if the cardholder makes use of the cancellation procedure.

The merchant is also prohibited from processing additional transactions if the end date of the agreement has passed or if the cardholder requests a change to their method of payment.

Here's a more detailed dive into some of the technical aspects of the new requirements:

  • All the requirements outlined by the mandate must be displayed, separate from the merchant's own general purchase terms and conditions, at the time the cardholder enters into a purchase agreement with the merchant. Some local laws or regulations may also require the merchant to provide the cardholder with a record of their consent to the agreement if requested.
  • When card information is being stored for future transactions, but no simultaneous purchase is being made, the merchant should submit an Account Verification Request (a $0.00 transaction) instead. If either an initial payment or the Account Verification request is declined, the payment credentials must not be stored.
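The rules above (the mandated contents of the agreement, and the conditions under which a subsequent transaction may or may not be submitted, including the 14-day resubmission window after a decline) can be encoded as a pre-submission check. The following is an added example written for this article, not code from the article or from either card network; the field names, the `Agreement` model and the treatment of 14 days as the retry limit are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed example (not the article's code): a minimal model of a stored-credential
# agreement plus the checks a merchant would run before submitting a subsequent
# merchant-initiated transaction. Field names and constants are assumptions.
RESUBMIT_WINDOW_DAYS = 14  # article: "at least 14 days" to resubmit; used here as a conservative limit

@dataclass
class Agreement:
    card_last4: str                  # truncated credential shown to the cardholder
    usage: str                       # how the stored credential will be used
    change_notice_method: str        # how the cardholder is told about changes
    consent_obtained: bool           # express, informed consent recorded
    end_date: Optional[date] = None  # expiry of the agreement, if any
    cancelled: bool = False          # cardholder used the cancellation procedure
    payment_change_requested: bool = False

def missing_agreement_fields(a: Agreement) -> list:
    """Return the mandated elements missing from the agreement (empty list = complete)."""
    missing = []
    if not (a.card_last4.isdigit() and len(a.card_last4) == 4):
        missing.append("truncated credential")
    if not a.usage:
        missing.append("usage description")
    if not a.change_notice_method:
        missing.append("change notice method")
    if not a.consent_obtained:
        missing.append("express consent")
    return missing

def may_submit_transaction(a, today, last_decline_on=None, decline_retryable=True):
    """Decide whether a subsequent transaction under the agreement may be submitted."""
    if missing_agreement_fields(a):
        return False, "agreement incomplete"
    if a.cancelled:
        return False, "cardholder cancelled"
    if a.end_date is not None and today > a.end_date:
        return False, "agreement end date passed"
    if a.payment_change_requested:
        return False, "payment method change requested"
    if last_decline_on is not None:
        if not decline_retryable:
            return False, "decline reason code does not allow resubmission"
        if today - last_decline_on > timedelta(days=RESUBMIT_WINDOW_DAYS):
            return False, "resubmission window expired"
    return True, "ok"
```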

When Did the Subscription Mandates Take Effect?

The stored credentials mandate went into effect for both Visa and Mastercard in October 2018, with the subsequent Visa mandate taking effect in April 2020. Mastercard's other changes were rolled out in December 2021, with the last update scheduled for June 2022.

If your e-commerce business keeps customer card information on file, you need to make sure you're in compliance with these requirements. Fortunately, compliance shouldn't be too difficult, and the result should be more authorizations, fewer chargebacks from confused customers, and better outcomes for everyone involved in the process.

Why Did Visa and Mastercard Change the Rules for Subscriptions?

One of the central concerns around these types of payments is that they are recurring, which calls for the merchant to store payment information and process future payments without obtaining further approval from the customer at the time of the transaction.

There have been numerous cases of abuse of this process, most famously negative option billing, which essentially signed customers up for a subscription without their consent.

While the most underhanded forms of this practice have been banned in the U.S., similar schemes have popped up to replace it. Some of the more common ones are as follows:

  • Hiding a subscription agreement in the terms and conditions that most customers never read.
  • Making a subscription opt-out instead of opt-in, with little to no information on the page indicating a subscription is involved at all.
  • Including a checkbox with a vague label that customers must click to check out, and hiding the information that clicking the checkbox means agreeing to recurring payments in fine print elsewhere on the page.

Visa and Mastercard issued this mandate to fight back against these dishonest practices and make sure customers are fully informed anytime their payment credentials are being stored for future automatic transactions.

Do I Have to Comply With the Subscription Mandate?

In short: yes. Not only is complying with the mandates of any card network you operate on good practice in general, but failure to comply with this mandate could also damage your ability to process transactions and fight chargebacks.

Non-compliance may result in the following consequences for merchants:

  • A greater number of declined transactions
  • The inability to take advantage of improved authorization rates
  • The inability to successfully fight chargebacks on applicable transactions
  • Potential fines for non-compliance from card networks, payment processors, or banks.

For the most part, compliance is currently being encouraged by the benefits merchants will see by following the new requirements – namely, more transaction authorizations and fewer chargebacks.

How Do I Comply With the New Subscription Rules?

To bring their procedures into compliance with the requirements outlined by the new mandate, merchants may need to make changes to their checkout pages, terms and conditions, and any other pages or forms that capture payment information or communicate purchase policies to their customers.

In most cases, all that is required to obtain customer consent for stored credentials is a simple checkbox on the page where payment information is entered.

Why Is it Important to Comply With Card Network Mandates?

There are several reasons why merchants comply with mandates like these; the penalties they may face from card networks are the least of them. Most of the potential consequences aren't directly tied to the card network at all.

For one thing, a non-compliant business runs the risk of increased chargebacks. When following the mandates, you can document the cardholder's agreement to payments and services in real time, which means that should they dispute a transaction later, you can protect yourself. You will also earn cardholder trust.

By playing by the rules and providing clear compliance and support for cardholders, you show them you are here to supply a service or product, not steal their money or pull a fast one on them.

Compliance can also protect you from fraudsters that are looking to take advantage of merchants. If you are compliant with all card network mandates, you close some of the loopholes fraudsters can take advantage of.

Making big changes to comply with new rules handed down by the major card networks can be a hassle, but when the outcome is more authorizations and fewer chargebacks, it is well worth the effort.

What Is a Mastercard MIP?

The Mastercard Interface Processor (MIP) is processing software that interfaces with Mastercard's Global Payment System.

What Is a Card-on-File Transaction?

Card-on-file transactions are where a cardholder authorizes a merchant to store payment information to process transactions later (like subscriptions).

Is it Legal to Keep Credit Card Details on File?

The PCI DSS allows merchants to store this information for legitimate business reasons, including subscription payment processing.

Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions, or requests for advice to: