Credentials-On-File(Cards API)

Overview

Credentials-On-File, also known as Card-On-File or simply COF payments, include subsequent merchant-initiated (MIT) billing payment plans, such as subscriptions and membership fees, installments, or customer-initiated transactions (CIT) that are using an already saved payment information for the processing. The Credentials-On-File are often referred to as recurring payments.

In all instances where Credentials-On-File payments are set up, the cardholder must have given their explicit consent for the payment information storing and repeated rebilling.

Credentials-On-File payments are supported via the Paysafe Customer Vault API and Card Payments API. Merchants can use the Customer Vault API to create a customer profile and link a card or payment method to the profile. The Paysafe platform returns a payment token that can then be included in subsequent payment authorization and settlement requests, without requiring the merchant to collect card details again from the cardholder.

Supported Credentials-On-File payments

Paysafe supports the following Credentials-On-File payments:

Credentials-On-File flow	Description	Examples	Guides
Cardholder-Initiated Credentials-On-File (CIT COF)	Cardholder payment information is stored from a previous transaction, but the cardholders themselves are the ones who initiate the payment. Depending on the region or merchant preferences, the transaction is often authenticated with 3D Secure.	A customer that saved their card for subsequent one-click payments with an online store.	Server-To-Server processing Hosted Solutions processing
Merchant-Initiated Unscheduled Credentials-On-File (MIT UCOF)	Merchant-initiated payment that doesn’t occur on a predefined rebilling date.	Account top-up transaction	Server-To-Server processing Hosted Solutions processing
Merchant-Initiated Credentials-On-File (MIT COF), Recurring/Subscription	Merchant-initiated payment for fixed, regular rebilling date and predefined amount.	Utility payments, streaming service subscription	Server-To-Server processing Hosted Solutions processing
Installment Credentials-On-File payments	Merchant-financed installment payments, based on the stored credential framework. Note that no BNPL product or loan lending service is used in this type of installment plan.	Installment (deferred) transactions are applicable for a single purchase of goods or services that is paid by the cardholder via multiple transactions over a period of time.	Server-To-Server processing Hosted Solutions processing
Cardholder-Initiated Credentials-On-File combined with Merchant-Initiated Credentials-On-File (CIT COF combined with MIT)	Automatic rebilling payment plan combined with continuous ad hoc customer transactions performed with stored credentials.	Returning customer that has active subscription and also purchases standalone goods or services with saved payment method.	Server-To-Server processing Hosted Solutions processing

Which flow is suitable for my business?

If your business model is based on rebilling your customers on their behalf (without them being present at checkout) with transactions that are going to occur on fixed, regular intervals with predefined amount (Example: $15 rebilled on the first day of the month), you need to use the Merchant-Initiated Credentials-On-File (MIT COF) flow with type RECURRING in the storedCredential object of the authorization request and authentication purpose RECURRING_TRANSACTION in the authentication request.

If your business model is based on rebilling your customers on their behalf (without them being present at checkout) with transactions that are going to occur on an unknown date with variable amount, you need to use the Merchant-Initiated Unscheduled Credentials-On-File (MIT UCOF) flow with type TOPUP in the storedCredential object of the authorization request and authentication purpose PAYMENT_TRANSACTION in the authentication request.

If your business model is based on processing transactions from returning customers where the customer is initiating the payment via stored payment information, you need to use the Cardholder-Initiated Credentials-On-File (CIT COF) flow with type ADHOC in the storedCredential object of the authorization request and authentication purpose PAYMENT_TRANSACTION in the authentication request.

If your business model is based on processing multiple subsequent transactions that are related to the single purchase of goods or services, you need to use the Installment Credentials-On-File payments flow.

What is an Initial Transaction ID and why is it important?

An Initial Transaction ID is sent to you when you set up a recurring payment plan with a cardholder with their first successful payment. This is the ID you need to provide for all subsequent Merchant-Initiated Transaction (MIT) payments associated with this payment plan. Please note that different payment plans associated with an existing cardholder will have different Initial Transaction IDs.
In the Paysafe processing environment, the Initial Transaction ID is a Paysafe Transaction ID. The added security of an Initial Transaction ID provides a better customer and merchant experience, leads to increased transaction approval rate and revenue retention.

Is the Card Verification Value (CVV/CVV2/CVD) required?

Under PCI DSS requirements, the Card Verification Value (CVV/CVV2/CVD) cannot be stored on merchant or payment service provider premises. Depending on the type of transaction, you may need to obtain this value from the customer and include it in your authorization request. For example:

Regular/Cardholder-Initiated Credentials-On-File payment (e.g., customer returning to your website for an additional purchase) - You should obtain the CVV from the customer and include it together with the card details or the token obtained from the Customer Vault.
Transaction flagged as subsequent recurring payment – Regular or subscription payments can be flagged by including the storedCredential object and setting it to RECURRING or TOPUP type in your authorization request. If you set the occurrence value to INITIAL you may need to obtain the customer's CVV before processing the request. If the occurrence is SUBSEQUENT then you do not need to provide the CVV.

While providing the CVV value with the initial request to establish a payment plan may not always be necessary, including it can enhance the likelihood of the transaction being approved, especially if the business vertical is considered a high-risk one.

Is strong customer authentication (3D Secure) required?

If your customers are based in UK or EEA - regulations require that the customer-initiated transaction that establishes a payment plan must have successfully passed a 3D secure authentication.
If your customers are based in USA or Canada - Although strong customer authentication is not mandatory in USA and Canada, as it is in EU/UK, it's usage can improve the authorization rate of the subsequent merchant-initiated payments.

Paysafe advises the usage of 3D Secure authentication challenge, instead of frictionless authentication, as authentication challenges are linked to a higher transaction acceptance rate.

Is Address Verification Service (AVS) required?

While it may not necessarily be always required, performing address verification service (AVS) with a positive outcome on the customer-initiated transaction that establishes the payment plan has proven to be beneficial for the acceptance rate of the both customer-initiated transaction and the subsequent merchant-initiated rebilling transactions.

What are my obligations to my clients?

Clear communication with the cardholder is a key to decreasing checkout abandonment and reducing chargeback. The following steps must be performed in order to achieve customer satisfaction and maintain compliance:

Obtain written confirmation for storing the payment credentials from the cardholder.
Provide the cardholder with clear payment plan information:
- rebilling prices and dates;
- amount or rebilling frequency variation
- processing currency, agreement expiration date (if applicable)
- length of the trial period or any additional promotion offers, and notify the cardholder at least 7 days prior to their expiration
Provide the cardholder with payment plan establishment confirmation immediately after confirmation.
Provide receipts to the cardholder (if applicable).
Provide the cardholder with simple cancellation procedure (email, SMS/text message) and subscription management options.
Notify the cardholder before each subsequent rebilling payment. At a minimum, provide a notification when the rebilling occurs at intervals of six months or longer.
Retain all applicable payment plan information and be prepared to present it to the cardholder, PSP, card scheme or card issuing institution if requested.

Additional notes

It is important to remember that the subsequent transactions must always be processed with the same Merchant Account IDs that processed the initial transactions, otherwise the transaction will be declined.

Payment plans should never be established with non-reloadable prepaid cards (ex: gift card).

If the initial cardholder-initiated transaction fails, no payment plan was established and subsequent rebills cannot be done unless another successful cardholder-initiated transaction occurs.

If a subsequent merchant-initiated transaction fails multiple times, the merchant may need to establish a new payment plan with a new successful cardholder-initiated transaction.

For Recurring and Installment transactions, Paysafe recommends that the authorized amount matches the amount authenticated by the cardholder, to maximize the likelihood of successful subsequent authorizations. This recommendation does not apply to trial or discounted periods, or to delayed delivery scenarios, where authentication may be performed only for the immediate amount due.

The storedCredential type of the subsequent transaction must always match the type of the initial transaction.

A merchant cannot automatically subscribe a cardholder for a payment plan - the cardholder themselves are the ones that are subscribing to the payment plans. This means that RECURRING/TOPUP/INSTALLMENT INITIAL transactions are always CIT transactions. RECURRING/TOPUP/INSTALLMENT SUBSEQUENT are MIT transactions.

Visa Stop Payment Service (VSPS) is a Visa solution that is targeted at card-issuing institutions that process Visa-issued cards. If implemented, the issuers provide the cardholders with subscription management service in the online/web banking solution product. Transactions that are declined by VSPS may not be subject to retry. For more information, visit the Processor response codes and Visa Stop Payment Service codes section.

If returned by the external processing network, the Paysafe Merchant Advisory Codes provide information on how to navigate transaction decline. They’re a combination of the Visa Decline Code Categorization and Mastercard Merchant Advice Codes. Retrying transactions that are declined with ADVICE-01 may cause scheme fees to be issued and transferred to you.

Paysafe has developed the Payment Scheduler - a solution that allows you to integrate subscriptions, memberships, repeat services and more into your website, and then manage their recurring payment plans and customer subscriptions within Paysafe’s payment platform.

Was this page helpful?

On this Page

Overview
Supported Credentials-On-File payments
Which flow is suitable for my business?
What is an Initial Transaction ID and why is it important?
Is the Card Verification Value (CVV/CVV2/CVD) required?
Is strong customer authentication (3D Secure) required?
Is Address Verification Service (AVS) required?
What are my obligations to my clients?
Additional notes

Search Overlay

Credentials-On-File(Cards API)

Was this page helpful?

Thank you for your response!