This document provides comprehensive implementation guidelines for partners and merchants using Payrix Pro for Card-On-File transactions.
This guide outlines how Merchants can save customer payment methods and process Card-On-File (COF) transactions using Payrix Pro. A COF transaction, sometimes called credential-on-file, uses a cardholder’s previously tokenized and stored primary account number (PAN).
Card-on-File Use Cases
Understanding when to use card-on-file can significantly enhance the customer checkout experience. Recognizing the scenarios in which this payment method is applicable and those in which it is not is essential for setting accurate consumer expectations.
Cardholders can securely store their card for:
Recurring Payments
Subscription Payments: Examples include gym memberships and streaming services.
Bill Payments: Examples include utility bills, monthly car insurance, and mobile phone bills.
Future Purchases
Cardholder-Initiated Payments: Examples include lawn care or snow removal services, and transit card top-ups.
Installment Payments
Installment Payments: Examples include furniture or large technology purchases.
See the Card-on-File Transaction Type Examples table below for a more comprehensive list of use cases.
Note
COF does not support tokenizing one-time use credentials, such as hotel incidentals or flight reservations, or digital wallet solutions where the card isn’t stored with the Merchant’s platform, like Apple Pay or Google Pay.
Cardholder Disclosure Requirements
A Merchant who stores and later uses Card-on-File information for future transactions must comply with the following display and disclosure requirements:
First-Time Card Capture Disclosures
When capturing the PAN for the first time, it is essential to provide the cardholder with a dedicated page, such as a link to the cardholder agreement, that distinctly outlines the following information separate from the general terms and conditions of the platform:
A truncated version of the PAN, such as the last four digits, will be securely stored.
How the Credential Will Be Used
Expiration Date of the Agreement (If Applicable)
How the cardholder will be notified if there are any changes to the agreement
Stored Card-on-File Usage Disclosures
Before using stored credentials, Merchants must first establish a clear agreement with the cardholder that explicitly outlines the following details:
Merchant Name
Merchant address or location (if applicable)
Transaction Amount and Currency
Taxes, surcharges (which require card brand registration), or any additional fees that may apply.
Cancellation and Refund Policies
Transaction frequency or threshold (e.g., maintaining a minimum balance)
Note
All agreements must be readily accessible to cardholders or issuers upon request.
Authorization Requirements
Once disclosure requirements are met for cardholders and issuers, a first-time card authorization must be completed to securely store the Primary Account Number (PAN) and other card information. After a card is stored on file, its use must follow the authorization rules for failed transactions, including whether the card can be used after consecutive authorization failures.
First-Time Card Authorization Requirements
A Primary Account Number (PAN) can only be stored after receiving valid authorization.
This requirement does not extend to token transfers between processors. If no transaction amount is due when storing the credentials, a “$0 Auth” (an authorization transaction with an amount of $0.00) must be approved before storing the credentials.
Note
PANs cannot be stored if the transaction is declined.
Subsequent Authorization Requirements
A stored credential can be used up to four additional times within 16 days of initial authorization failure.
If no valid authorization can be obtained, the credential should no longer be used (in other words, platforms should stop using a credential after a set number of consecutive authorization failures).
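The retry rule above can be enforced as a gate in front of every stored-credential charge. The following is an added example, not Payrix Pro code and not a call into its API: the `Attempt` record and `retry_decision` function are hypothetical names, and it assumes that an approval ends a run of consecutive failures and that day 16 itself still counts as within the window.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Limits stated on this page: four additional uses, within 16 days of the
# initial authorization failure.
MAX_ADDITIONAL_ATTEMPTS = 4
RETRY_WINDOW = timedelta(days=16)


@dataclass
class Attempt:
    """One authorization attempt against a stored credential (hypothetical record)."""
    at: datetime
    approved: bool


def retry_decision(history: list[Attempt], now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason) for submitting the stored credential at `now`."""
    # Keep only the current run of consecutive failures. Assumption: an
    # approval ends the run, so the next failure starts a new 16-day window.
    streak: list[Attempt] = []
    for attempt in sorted(history, key=lambda a: a.at):
        streak = [] if attempt.approved else streak + [attempt]
    if not streak:
        return True, "no outstanding failure"

    initial_failure = streak[0].at
    additional_used = len(streak) - 1  # the initial failure is not a retry
    if now - initial_failure > RETRY_WINDOW:
        return False, "window after initial failure has elapsed"
    if additional_used >= MAX_ADDITIONAL_ATTEMPTS:
        return False, "additional attempts exhausted"
    remaining = MAX_ADDITIONAL_ATTEMPTS - additional_used
    return True, f"{remaining} additional attempt(s) left"


if __name__ == "__main__":
    # Constructed sample history: an initial decline followed by two retries.
    t0 = datetime(2024, 1, 1, 9, 0)
    sample = [Attempt(t0 + timedelta(days=d), False) for d in (0, 3, 6)]
    print(retry_decision(sample, t0 + timedelta(days=9)))
    print(retry_decision(sample, t0 + timedelta(days=20)))
```

A `False` result means the platform should stop using the credential rather than queue another attempt.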
Card-on-File Transaction Type Examples
The table below provides a comprehensive overview of the use cases available and unavailable for Card-on-File within the Payrix Pro system. It also considers the regulations established by card brand networks and essential compliance requirements within the payments industry.
Transaction Type | Card-on-File (Credential-on-File) | Notes |
---|---|---|
Apple Pay, Google Pay, Samsung Pay, contactless, in-app or e-commerce website | No | Pass-through or digital wallets, like Apple Pay, Google Pay, and Samsung Pay, are not classified as Card-on-File (COF) transactions through Payrix Pro, regardless of whether they are used for contactless payments or through a Merchant's website or app. |
Visa Click to Pay (formerly Visa Checkout) or Mastercard Masterpass | No | |
Guest Checkout | No | |
A Staged Digital Wallet Operator (SDWO) where the Merchant offers a distinctive digital wallet service tailored to their needs. | Options:
| This Merchant-hosted digital wallet enhances user flexibility for transactions across retail platforms, secures payment credentials, and ensures safe, seamless consecutive purchases when needed. |
Simplified customer checkout | COF (Cardholder-Initiated) | For example, online retailers often store cardholder information securely to facilitate smoother transactions and enhance customer convenience. |
Transit: Wallet replenishment initiated by the Merchant when the cardholder’s transit wallet balance goes below the agreed amount. | Unscheduled COF | |
Hotel: The cardholder has a hotel chain membership profile and provides a card number for future reservations. | COF (Cardholder-Initiated) | |
Hotel: The cardholder provides a specific hotel location along with payment details to cover charges, including incidentals, that pertain solely to that reservation. | No | |
Drug Store/Pharmacy: Offers in-person sales using QR codes to link consumers directly to their profiles with the pharmacy Merchant (and subsequently their payment methods). | COF (Cardholder-Initiated) | |
Automated Fuel Dispensers (AFD): Mobile in-app purchases | Possible COF | This is acceptable when a Merchant allows customers to top-up a fuel card from within an app offered by the Merchant. |
Recurring, Installment, Unscheduled COF | Always COF | |
Merchant or their agent uses a payment credential for either a single transaction or a one-time purchase. | No | These single-use transactions include:
|
For more advanced COF setups, see Card-on-File Payments on the Worldpay Developer Hub.
References
Below are additional external materials related to card-on-file information.