Card-On-File (CoF)

Updated
  • Updated on Jul 10, 2025
  • Published on May 13, 2025
  • 4 minute(s) read
Prev Next

This document provides comprehensive implementation guidelines for partners and merchants using Payrix Pro for Card-On-File transactions.

This guide outlines how Merchants can save customer payment methods and process Card-On-File (COF) transactions using Payrix Pro. A COF transaction, sometimes called credential-on-file, uses a cardholder’s previously tokenized and stored primary account number (PAN).

Card-on-File Use Cases

Understanding when to use card-on-file can significantly enhance the customer checkout experience. Recognizing the scenarios in which this payment method is applicable and those in which it is not is essential for setting accurate consumer expectations.

Cardholders can securely store their card for:

  • Recurring Payments

    • Subscription Payments: Examples include gym memberships and streaming services.

    • Bill Payments: Examples include utility bills, monthly car insurance, and mobile phone bills.

  • Future Purchases

    • Cardholder-Initiated Payments: Examples include lawn care or snow removal services, and transit card top-ups.

  • Installment Payments

    • Installment Payments: Examples include furniture or large technology purchases.

See the Card-on-File Transaction Type Examples table below for a more comprehensive list of use cases.

Note

COF does not support tokenizing one-time use credentials, such as hotel incidentals or flight reservations, or digital wallet solutions where the card isn’t stored with the Merchant’s platform, like Apple Pay or Google Pay.

Cardholder Disclosure Requirements

A Merchant who stores and later uses Card-on-File information for future transactions must comply with the following display and disclosure requirements:

First-Time Card Capture Disclosures

When capturing the PAN for the first time, it is essential to provide the cardholder with a dedicated page, such as a link to the cardholder agreement, that distinctly outlines the following information separate from the general terms and conditions of the platform:

  • A truncated version of the PAN, such as the last four digits, will be securely stored.

  • How the Credential Will Be Used

  • Expiration Date of the Agreement (If Applicable)

  • How the cardholder will be notified if there are any changes to the agreement

Stored Card-on-File Usage Disclosures

Before using stored credentials, Merchants must first establish a clear agreement with the cardholder that explicitly outlines the following details:

  • Merchant Name

  • Merchant address or location (if applicable)

  • Transaction Amount and Currency

  • Taxes, surcharges (which require card brand registration), or any additional fees that may apply.

  • Cancellation and Refund Policies

  • Transaction frequency or threshold (e.g., maintaining a minimum balance)

Note

All agreements must be readily accessible to cardholders or issuers upon request.

Authorization Requirements

Once disclosure requirements are met for cardholders and issuers, a first-time card authorization must be completed to securely store the Primary Account Number (PAN) and other card information. When a card-on-file is stored, it must follow authorization rules for failed transactions, including whether the card can be used after consecutive authorization failures.

First-Time Card Authorization Requirements

A Primary Account Number (PAN) can only be stored after receiving valid authorization.

This requirement does not extend to token transfers between processors. If no transaction amount is due when storing the credentials, a “$0 Auth” (an authorization transaction with an amount of $0.00) must be approved before storing the credentials.

Note

PANs cannot be stored if the transaction is declined.

Subsequent Authorization Requirements

A stored credential can be used up to four additional times within 16 days of initial authorization failure.

If no valid authorization can be obtained, the credential should no longer be used (in other words, platforms should stop using a credential after a set number of consecutive authorization failures).

Card-on-File Transaction Type Examples

The table below provides a comprehensive overview of the use cases available and unavailable for Card-on-File within the Payrix Pro system. It also considers the regulations established by card brand networks and essential compliance requirements within the payments industry.

Transaction Type

Card-on-File (Credential-on-File)

Notes

Apple Pay, Google Pay, Samsung Pay, contactless, in-app or e-commerce website

No

Pass-through or digital wallets, like Apple Pay, Google Pay, and Samsung Pay, are not classified as Card-on-File (COF) transactions through Payrix Pro, regardless of whether they are used for contactless payments or through a Merchant's website or app.

Visa Click to Pay (formally Visa Checkout) or Mastercard Masterpass

No

Guest Checkout

No

A Staged Digital Wallet Operator (SDWO) where the Merchant offers a distinctive digital wallet service tailored to their needs.

Options:

  • Unscheduled COF

  • Recurring

  • Installment

  • Cardholder Initiated

  • Full or partial prepayment

This Merchant-hosted digital wallet enhances user flexibility for transactions across retail platforms, secures payment credentials, and ensures safe, seamless consecutive purchases when needed.

Simplified customer checkout

COF (Cardholder-Initiated)

For example, online retailers often store cardholder information securely to facilitate smoother transactions and enhance customer convenience.

Transit: Wallet replenishment initiated by the Merchant when the cardholder’s transit wallet balance goes below the agreed amount.

Unscheduled COF

Hotel: The cardholder has a hotel chain membership profile and provides a card number for future reservations.

COF (Cardholder-Initiated)

Hotel: The cardholder provides a specific hotel location along with payment details to cover charges, including incidentals, that pertain solely to that reservation.

No

Drug Store/Pharmacy: Offers in-person sales using QR codes to link consumers directly to their profiles with the pharmacy Merchant (and subsequently their payment methods).

COF (Cardholder-Initiated)

Automated Fuel Dispensers (AFD): Mobile in-app purchases

Possible COF

This is acceptable when a Merchant allows customers to top-up a fuel card from within an app offered by the Merchant.

Recurring, Installment, Unscheduled COF

Always COF

Merchant or their agent uses a payment credential for either a single transaction or a one-time purchase.

No

These single-use transactions include:

  • A No-Show Transaction

  • An amended amount or a delayed charge

  • Incremental Authorization

  • Reauthorization Auth Type

    • Merchants, such as those involved in e-commerce with split shipments, are permitted to submit an Authorization Request for the same transaction.

  • Resubmission Auth Type

    • A transaction that has received a specific authorization decline response can be resubmitted for approval, as allowed by Visa regulations.

For more advanced COF setups, see Card-on-File Payments on the Worldpay Developer Hub.

References

Below are additional external materials related to card-on-file information.

Related articles