Credentials-On-File (Payments API)

Overview

Credentials‑On‑File (COF), also known as Card‑On‑File or simply COF payments, include subsequent merchant‑initiated transactions (MITs), such as subscription or membership billing plans, as well as customer‑initiated transactions (CITs) that use previously stored payment information for processing. Credentials‑On‑File payments are often referred to as recurring payments.

In all cases where Credentials‑On‑File payments are set up, the cardholder must provide explicit consent for the storage of their payment information and for repeated rebilling.

Credentials‑On‑File payments are supported via the Paysafe Payments API, which uses tokenization mechanisms to securely store and use the cardholder’s payment information, enabling a seamless experience regardless of the payment type.

Supported Credentials-On-File payments

Paysafe supports the following Credentials-On-File payments:

Credentials-On-File flow	Description	Examples	Guides
Cardholder-Initiated Credentials-On-File (CIT COF)	Cardholder payment information is stored from a previous transaction, and the cardholder initiates the payment. Depending on region or merchant preference, the transaction may be authenticated with 3D Secure.	Customer saving their card for subsequent one-click payments with an online store.	Server-To-Server processing Hosted Solutions processing
Merchant-Initiated Unscheduled Credentials-On-File (MIT UCOF)	Merchant-initiated payment that does not occur on a predefined rebilling date or for a predefined amount.	Account top-up transaction	Server-To-Server processing Hosted Solutions processing
Merchant-Initiated Credentials-On-File (MIT COF)	Merchant-initiated payment for a fixed, regular rebilling date and predefined amount.	Utility payments, streaming service subscriptions	Server-To-Server processing Hosted Solutions processing
Installment Credentials-On-File payments	Merchant-financed installment payments based on the stored credential framework. Note: No BNPL product or loan lending service is used in this type of installment plan.	Installment (deferred) transactions for a single purchase of goods or services, paid by the cardholder over multiple transactions.	Server-To-Server processing Hosted Solutions processing
CIT COF combined with MIT	Automatic rebilling payment plan combined with continuous ad hoc Customer-Initiated COF transactions.	Returning customer with an active subscription who also purchases standalone goods using saved payment details.	Server-To-Server processing Hosted Solutions processing

Which flow is suitable for my business?

If your business model is based on rebilling your customers on their behalf (without them being present at checkout), with transactions that are going to occur at fixed, regular intervals with predefined amount (For example, $15 rebilled on the first day of the month), you need to use the Merchant-Initiated Credentials-On-File (MIT COF) flow with type RECURRING in the storedCredential object of the payment request and authentication purpose RECURRING_TRANSACTION in the payment handle creation request.

If your business model is based on rebilling your customers on their behalf (without them being present at checkout), with transactions that are going to occur on an unknown date with variable amount (but not higher than the amount originally authenticated by the cardholder), you need to use the Merchant-Initiated Unscheduled Credentials-On-File (MIT UCOF) flow with type TOPUP in the storedCredential object of the payment request and authentication purpose PAYMENT_TRANSACTION in the payment handle creation request.

If your business model is based on processing transactions from returning customers where the customer is initiating the payment via stored payment information, you need to use the Cardholder-Initiated Credentials-On-File (CIT COF) flow with type ADHOC in the storedCredential object of the payment request and authentication purpose PAYMENT_TRANSACTION in the payment handle creation request.

If your business model is based on processing multiple subsequent transactions that are related to the single purchase of goods or services, you need to use the Installment Credentials-On-File payments flow.

What is an Initial Transaction ID and why is it important?

An initial transaction ID is sent to you when you set up a recurring payment plan with a cardholder with their first successful payment. This is the ID you need to provide for all subsequent Merchant-Initiated Transaction (MIT) payments associated with this payment plan. Note that different payment plans associated with an existing cardholder will have different Initial Transaction IDs. In the Paysafe processing environment, the initial transaction ID is the Paysafe transaction ID. The added security of an initial transaction ID provides a better customer and merchant experience, leads to increased transaction approval rate and revenue retention.

Is the Card Verification Value (CVV/CVV2/CVD) required?

Under PCI DSS requirements, the card verification value (CVV/CVV2/CVD) cannot be stored on merchant or payment service provider premises. Depending on the type of transaction, you may need to obtain this value from the customer and include it in your authorization request.

For example:

Regular/Cardholder-Initiated Credentials-On-File payment (for example, customer returning to your website for an additional purchase) - You should obtain the CVV from the customer and include it together with the card details or the token obtained from the customer vault.
Transaction flagged as subsequent recurring payment – Regular or subscription payments can be flagged by including the storedCredential object and setting it to RECURRING or TOPUP type in your authorization request. If you set the occurrence value to INITIAL you may need to obtain the customer's CVV before processing the request. If the occurrence is SUBSEQUENT then you do not need to provide the CVV.

While providing the CVV value with the initial request to establish a payment plan may not always be necessary, including it can enhance the likelihood of the transaction being approved, especially if the business vertical is considered a high-risk one.

Is Strong Customer Authentication (3D Secure) required?

If your customers are based in the UK or the EEA - regulations require that the customer-initiated transaction that establishes a payment plan must have successfully passed a 3D Secure authentication.
If your customers are based in the US or Canada - although strong customer authentication is not mandatory as it is in the EU/UK, its usage can improve the authorization rate of subsequent merchant-initiated payments.

Paysafe advises the usage of 3D Secure authentication challenge, instead of frictionless authentication, as the authentication challenge is linked to a higher acceptance rate.

Is Address Verification Service (AVS) required?

While it may not always be required, performing Address Verification Service (AVS) with a positive outcome on the customer-initiated transaction that establishes the payment plan has proven to be beneficial for the acceptance rate of both customer-initiated transaction and the subsequent merchant-initiated rebilling transactions.

What are my obligations to my clients?

Clear communication with the cardholder is key to decreasing checkout abandonment and reducing chargebacks. The following steps must be performed in order to achieve customer satisfaction and maintain compliance:

Obtain written confirmation for storing the payment credentials from the cardholder.
Provide the cardholder with clear payment plan information:
- Rebilling prices and dates;
- Amount or rebilling frequency variation
- Processing currency, agreement expiration date (if applicable)
- Length of the trial period or any additional promotional offers, and notify the cardholder at least 7 days prior to their expiration
Provide confirmation of the payment plan immediately after setup.
Provide the cardholder with receipts (if applicable).
Provide the cardholder with a simple cancellation procedure (email, SMS/text message) and subscription management options.
Notify the cardholder before each subsequent rebilling payment. At a minimum, provide a notification when the rebilling occurs at intervals of six months or longer.
Retain all applicable payment plan information and be prepared to present it to the cardholder, PSP, card scheme or card issuing institution if requested.

Additional notes

It is important to remember that subsequent transactions must always be processed with the same Merchant Account IDs that processed the initial transactions, otherwise the transaction will be declined.

Payment plans should never be established with non-reloadable prepaid cards (for example, gift cards).

If the initial cardholder-initiated transaction fails, no payment plan was established, and subsequent rebills cannot be processed unless another successful cardholder-initiated transaction occurs. If a subsequent merchant-initiated transaction fails repeatedly, the merchant may need to establish a new payment plan with a new successful cardholder-initiated transaction.

For Recurring and Installment transactions, Paysafe recommends that the authorized amount matches the amount authenticated by the cardholder, to maximize the likelihood of successful subsequent authorizations. This recommendation does not apply to trial or discounted periods, or to delayed delivery scenarios, where authentication may be performed only for the immediate amount due.

A merchant cannot auto-subscribe a cardholder for a payment plan - cardholders must subscribe themselves to the payment plans.

RECURRING/TOPUP/INSTALLMENT INITIAL transactions are always CIT transactions.
RECURRING/TOPUP/INSTALLMENT SUBSEQUENT are MIT transactions.

Visa Stop Payment Service (VSPS) is a Visa solution that is targeted at card-issuing institutions that process Visa-issued cards. If implemented, the issuers provide the cardholders with subscription management service in the online/web banking solution product. Transactions that are declined by VSPS may not be subject to retry. For more information, please visit the Processor response codes and Visa Stop Payment Service codes section.

If returned by the external processing network, the Paysafe Merchant Advisory Codes provide information on how to navigate transaction decline. They’re a combination of the Visa Decline Code Categorization and Mastercard Merchant Advice Codes. Retrying transactions that are declined with ADVICE-01 may cause scheme fees to be issued and transferred to you.

The storedCredential type of the subsequent transaction must always match the type of the initial transaction.

Paysafe has developed the Payment Scheduler - a solution that allows you to integrate subscriptions, memberships, repeat services and more into your website, and then manage their recurring payment plans and customer subscriptions within Paysafe’s payment platform.

Was this page helpful?

On this Page

Overview
Supported Credentials-On-File payments
Which flow is suitable for my business?
What is an Initial Transaction ID and why is it important?
Is the Card Verification Value (CVV/CVV2/CVD) required?
Is Strong Customer Authentication (3D Secure) required?
Is Address Verification Service (AVS) required?
What are my obligations to my clients?
Additional notes

Search Overlay

Credentials-On-File (Payments API)

Was this page helpful?

Thank you for your response!