March 10th 2020

CoF Payments: New requirements for online payments with stored data

Cashless Payments

Credential-on-File Payments, or CoF for short, refers to payment methods in e-commerce where customers' credit card details are stored for future transactions.

The major credit card brands Mastercard and Visa have now issued new guidelines for CoF payments. Concardis expert Dragan Nojic answers the most important questions about paying with stored card data and the new requirements.

What are CoF payments exactly?

One CoF payment method that most people are familiar with is One-Click-Shopping: The customer stores their credit card information during the initial purchase in the online store and can then complete the checkout process and pay for the goods with just one click on future purchases. Since the customer initiates the payment here, it is also referred to as a consumer-initiated transaction (CIT).

Furthermore, there are also online transactions that are initiated solely by the merchant, known as merchant-initiated transactions (MIT). This includes handling subscriptions (recurring payments) or installment payments: Once the card details are stored, the merchant automatically debits the due amount at regular intervals from the customer's credit card, eliminating the need for the customer to take any further action. An example of this is subscription services for streaming platforms.

Payments initiated by the merchant at irregular intervals can also be easily processed in this manner. These payments are referred to as Unscheduled Credential-on-File Payments (UCoF), which means irregular payments using stored card data. This includes, for example, automatically topping up a mobile phone card with a certain amount when the balance falls below a specified threshold. Another example of a UCoF payment is billing for the use of rental bicycles. What these payment examples have in common is that they are triggered for agreed services by the merchant alone and without the involvement of the customer.

Why are new requirements for CoF payments necessary?

Until now, Visa and Mastercard only had guidelines for processing subscriptions and installment payments. However, with the growth of digital commerce and the development of new business models, UCoF payments are also becoming increasingly relevant. In addition, the legal requirements of the PSD2 directive place new demands on customer authentication when initiating electronic payments. For this reason, the major credit card organizations have also defined parameters for UCoF payments as part of the new requirements. From now on, UCoF payments must be clearly marked as such. This way, the card issuer knows that the payment was initiated solely by the merchant and without the active participation of the cardholder.

When does the new regulation come into effect?

The new mandatory requirements for merchants apply to Visa starting from April 30, 2018, and to Mastercard starting from June 12, 2018.

What exactly do online retailers need to do?

All online merchants who initiate subsequent bookings in the form of CoF payments and store their customers' card data for this purpose must obtain the express consent of the cardholder. This consent must contain the following elements:

  • Confirmation of the stored card number (PCI-compliant, e.g. by specifying the last four digits of the card number)
  • The purpose for which the card data is used and the duration of the agreement
  • The merchant's confirmation that any changes will be communicated to the cardholder through an agreed-upon communication channel.

Of course, the storage of card data must only occur in a secure, PCI-certified environment, and payments must be initiated solely for the purposes mentioned in the consent declaration. Importantly, all merchants who already initiate CoF payments with existing customers today do not need to obtain subsequent confirmation from the cardholder. This regulation only applies to the handling of new customers.

Furthermore, merchants must ensure that CoF payments can be processed smoothly on the technical side. In most webshops, the Payment Service Provider (PSP) hosting the payment page is responsible for this; they should be notified early if CoF payments are to be offered in the shop. At Concardis, we ensure that payments labeled as CoF are processed smoothly and securely. Customers using our new Multichannel platform, Payengine, will be informed about technical adjustments in the near future. Online retailers who use their own solution should get in touch with the responsible contacts to make the necessary settings.

For further inquiries on this topic or any other concerns, please feel free to contact us by phone. We are here to assist you. We look forward to hearing from you!
