Menu

Developer Resources

  • All Files

Complying with the Stored Credential Framework

The number of transactions where a merchant or its agent, a payment facilitator (PF), or a staged digital wallet operator (SDWO) uses cardholders’ payment credentials (i.e., account details) that they previously stored for future purchases has increased. In response, Visa has announced requirements for its Stored Credential Transaction framework to identify the initial storage and usage of stored payment credentials for use in differentiated processing.

ClosedWhat are the Benefits?

Identifying the stored credential transactions specifically allows for differentiated treatment through the authorization approval process. The results are:

  • Greater visibility of transaction risk levels for issuers.
  • Results in higher authorization approval rates and completed sales.
  • Fewer customer complaints and improved cardholder experience.
  • Allows participation in Real Time Visa Account Updater Service, which enables real-time updates as part of the standard purchase authorization process.
ClosedWhat is a stored credential?

A stored credential is information (including, but not limited to, a credit/debit account number or payment token) that is stored by a merchant or its agent, PF, or SDWO to process future purchases for a cardholder.

Payment credentials received by merchants from third parties including pass-through digital wallets that are not stored by the merchant, its agent, or PF are not considered stored credentials.

For example: A payment credential received by a merchant on a purchase from Visa Checkout and not stored by that merchant, its agent, or PF is not considered a stored credential.

A credential is also not considered a stored credential when the merchant or its agent, PF, or SDWO stores the credential to complete a single transaction or a single purchase for a cardholder (including multiple authorizations related to that particular transaction).

For example: When a cardholder provides a payment credential to a hotel to cover future reservations and charges as part of the cardholder’s membership profile, it is considered a stored credential. However, when the cardholder provides the payment credential to a hotel to cover charges related to a specific reservation only, it is not.

ClosedWhat are Visa's requirements?

Merchants and their third-party agents, PF, or SDWO that offer cardholders the opportunity to store their credentials on file must meet the following requirements:

  • When capturing a stored credential for the first time, a merchant or its agent, a PF, or SDWO must:
    • Follow all cardholder disclosure and consent requirements specified in the Visa Rules:
      • Disclose to cardholders how those credentials will be used.
      • Obtain cardholders’ consent to store the credentials.
      • Notify cardholders when any changes are made to the terms of use.
    • Submit a transaction (authorization/full financial) to Visa if an amount is due at the time credentials are stored. If no amount is due at the time credentials are stored, the merchant or its agent, a PF, or an SDWO must submit an Account Verification authorization.

    Note: This requirement already exists for recurring and installment transactions in the Europe region.

    • Identify in the transaction or Account Verification authorization that the credential is being stored:
      • If the credential is being stored for cardholder-initiated, stored credential transactions (CIT) or for Unscheduled Credential-on-File (UCOF) transactions, the merchant or its agent, a PF, or an SDWO must submit the value “C” in the POS Environment field.
      • If the credential is being stored for a recurring or installment relationship, the merchant or its agent, a PF, or an SDWO must submit the transaction with the existing value of “R” or “I,” respectively in the POS Environment field.

    Note: If either the first payment transaction or the Account Verification authorization is declined, the credential cannot be considered a stored credential, and the merchant must not use the credential for any subsequent transactions.

  • When initiating a transaction using a stored credential, the merchant or its agent, a PF, or an SDWO must submit the payment transaction with a value “10” in the POS Entry Mode Code field. Value “10” indicates the credential presented is a stored credential.
    This applies to card-absent transactions using stored credentials, including transactions that are:
    • Performed with credit/debit card numbers or payment tokens.
    • Initiated by a cardholder for purchases of goods or services with payment credentials already stored by the merchant or its agent, a PF, or an SDWO.
    • Initiated by the merchant without active participation of the cardholder:
      • Based on standing instructions with the cardholder (i.e., recurring, installment and UCOF transactions). Standing instruction transactions for recurring, installment or UCOF transactions must be submitted with an “R,” “I,” or “C,” respectively, in the POS Environment field.

      OR

      • For industry-specific business practice Merchant-Initiated Transactions (MIT), such as incremental payments, no shows, delayed charges, reauthorization, or resubmission where the credentials were previously stored for future purchases (and not to complete that specific transaction only).

    Note: Subsequent merchant-initiated recurring, installment, or UCOF standing-instruction transactions must always be submitted with a POS Entry Mode Code of “10.” Standing-instruction transactions are only permitted when credentials are stored on file.

ClosedWhat should the cardholder consent disclosure include?

Prior to storing credentials for future use, the merchant or its agent, the PF, or the SDWO must establish an agreement with the cardholder with the following requirements met:

  • Truncated version of the stored credentials (i.e., last four digits of credit/debit card number),
  • How the cardholder will be notified of any changes to the consent agreement,
  • The expiration date of the consent agreement (if applicable), and
  • How the stored credential will be used.

If the cardholder is providing consent to the merchant or its agent, a PF, or a SDWO to initiate transactions using stored credentials, the following additional requirements must be met:

  • Cancellation and refund policies,
  • Location of merchant,
  • Transaction amount or how it will be calculated,
  • Convenience fee or surcharge (if permitted and applicable),
  • The frequency (Recurring) or event (Unscheduled) that will prompt the transaction, and
  • For installment payments, the total purchase price and terms of future payments, including the dates, amounts, and currency.

Note: Retroactive identification and cardholder consent and disclosure agreement are not required for credentials stored prior to 14 October 2017. However, effective 14 October 2017, a merchant or its agent, a PF, or an SDWO must submit all stored credential transactions with a value of “10” in the POS Entry Mode Code field, including transactions for credentials stored prior to this date.

ClosedWhat are the handling and storage requirements?

When storing credentials for future use, the merchant or its agent, the PF, or the SDWO must meet the following requirements:

  • Notify the cardholder in the event of a change to the agreement,
  • Retain the agreement for duration of the consent; provide it to the issuer upon request, and
  • Where required by applicable laws or regulations, provide to the cardholder a record of the consent.

Do not complete a transaction:

  • Beyond the duration expressly agreed by the cardholder, or
  • If the cardholder requests that the merchant or its agent, a PF, or a SDWO change the payment method, or
  • If the cardholder cancels according to the agreed cancellation policy, or
  • If the merchant or its agent, a PF, or a SDWO receives a decline response.
ClosedAre there any other requirements to follow?
Authentication:

For a transaction using a stored credential initiated by the cardholder, the merchant or its agent must validate the cardholder’s identity before processing. Local regulations and laws must be followed as appropriate.

Receipts:

Receipts must be provided for installments; if the cardholder cancels the installment within the terms of the cancellation policy, within three business days the merchant or its agent, a payment facilitator, or a staged digital wallet operator must provide cancellation or refund confirmation in writing and credit transaction receipt for the amount specified in the cancellation policy.

Merchant-Initiated Transactions (MIT) in Europe:

Provide notification for recurring transactions (seven business days) and for Unscheduled Credential On File transactions (two business days) before any of the following:

  • End of trial period, or
  • More than six months have elapsed since the previous transaction in the series, or
  • Any change to the agreement including date, amount, or how it is calculated.
Card Verification Value Requirements:

An issuer must not decline a transaction based solely on a missing CVV2, if the authorization request is for the subsequent transaction after the credential is stored. This rule previously applied only to recurring transactions and is now applicable to:

  • Recurring,
  • Installment,
  • Unscheduled Credential On File (UCOF), and
  • Transactions initiated by the cardholder using a stored credential.
ClosedWhat are some possible implications of non-compliance?

Merchants and their third-party agents, PF, or SDWO that do not implement the Stored Credentials Framework requirements may experience the following:

  • Merchant/acquirer will be non-compliant with Visa’s rules and risk Non-Compliance Assessments, or
  • Merchant will not benefit from an improved authorization rate that is expected with the adoption of the framework, or
  • Increased customer complaints and poor cardholder experience, or
  • Not able to participate in Real Time Visa Account Updater service.