Card-on-file transactions lie at the heart of several types of business models, from digital subscriptions to retail, and can enable seamless customer experiences. When done right, card-on-file can lead to higher performance, better risk management, and new cross-channel experiences for cardholders.
Card-on-file is when a business, with the cardholder’s consent, stores the payment card data. The cardholder can then reuse the details for future payments and faster checkouts.
Tokenization is when sensitive card information is replaced with a piece of nonsensitive information called a token. Tokenization and card-on-file tend to go hand in hand. Once a card is stored it’s usual to swap out the sensitive information for a token to maximize security.
Card-on-file payments are a popular choice across many different industries, from subscriptions to mobility. Emerging industries like autonomous stores also use card-on-file to take checkout experiences to the next level.
Subscriptions are standard card-on-file use cases where the cardholder provides consent to the business to bill their card periodically for a subscription. Card-on-file can also be used for additional purchases on top of the cardholder’s usual subscription package, such as transactions initiated by the cardholder.
Mobility and micromobility transactions are usually initiated by the mobility provider’s app. The cardholder's payment details are kept on file to avoid having them re-enter their card details for every taxi, scooter, or bike ride.
Similar to mobility, food delivery apps also use card-on-file to provide cardholders with tailored customer experiences.
In the travel and hospitality sector, card details are usually stored on-file during booking for pre check-in costs such as no-show charges or partial charges following conditions of the accommodation. At check-in, the merchant also stores the card-on-file to enable incidental charges, such as those from restaurant visits or damages.
The core premise in an autonomous store is the absence of a checkout. AI-driven store solutions detect the shoppers’ interactions and charge the total amounts when they walk out of the store. Card-on-file payments are then used to complete the payment during the walk out phase.
Buy Now, Pay Later (BNPL) providers can offer their customers the option to pay off their installments using a card-on-file that is charged periodically by the BNPL provider.
Leveraging card-on-file involves different processes starting with storing the card-on-file, then making cardholder-initiated card-on-file payments or merchant-initiated card-on-file payments, updating the card-on-file, and possibly removing it.
Storing a card-on-file requires the cardholder's consent and can be done by:
At Adyen, we take responsibility for confirming to the issuing bank the shopper's consent to storing a card-on-file for future purchases.
FAQ: What needs to be included in the card-on-file storage agreement that the cardholder must consent to?
FAQ: Can the business store the card-on-file themselves? Or do they need to use a payment provider for this?
Payment card data storage comes with PCI-DSS security requirements. If the business wants to store the data, it needs to be compliant and audited. Adyen is fully PCI level 1 compliant and can store payment card data securely on behalf of merchants.
FAQ: Can the CVV/CVC code be stored?
A cardholder-initiated card-on-file transaction is when the customer selects the previously stored card data to pay for goods or services without having to enter their card details again. It’s commonly used in a one-click card-on-file transaction and often needs to be authenticated with 3D Secure technology.
A merchant-initiated transaction is when the cardholder consents to the merchant taking the money from their account. These transactions are linked to the cardholder-initiated transaction where the agreement was initially set up.
Unscheduled card-on-file transactions
Industry specific merchant-initiated transactions
FAQ: Does the customer need to be verified to use their card-on-file details?
During a cardholder-initiated card-on-file transaction the business needs to verify the identity of the cardholder. In some regions it’s required to use 3D Secure for strong customer authentication (SCA) when the purchase amount is above a certain threshold.
For merchant-initiated card-on-file transactions there is no need to verify the cardholder’s identity.
FAQ: Can stored credentials be used across different sales channels?
It all depends on the agreement between the merchant and the cardholder. If the card-on-file is to be used over different channels, it needs to be part of the agreement. If the card-on-file was stored following an in-store payment and the agreement states that the details can be used for future subscription charges or for future ecommerce one-click charges, then it’s possible to use them across channels.
Card-on-file information will probably need to be updated at some point as cards expire or changes are made to the PAN. This results in a lot of friction as transactions are declined and cardholders are asked to update the information.
FAQ: What happens when a customer wants to upgrade their subscription from a standard to a premium plan? Does the business need to verify the customer’s identity again?
Changes to the card-on-file agreement need to have the cardholder's consent. Therefore, the cardholder needs to be verified again.
Storing a card-on-file requires establishing the terms of the agreement, including cancellation and refund policies. If the time-period specified in the agreement ends or the cardholder wants to cancel the agreement, the card-on-file can’t be used to process the transaction and the details need to be removed.
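The rules above (agreement scope and lifetime, cardholder-initiated versus merchant-initiated payments, re-verification on changes) can be enforced as a single server-side check before any stored card is charged. The following is an added example, not Adyen's code or API: the `Agreement` record, `evaluate_charge`, the token, the reference and the threshold value are all hypothetical and constructed for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import date

Decision = namedtuple("Decision", "allowed verify_cardholder require_3ds reason")

@dataclass
class Agreement:
    """Hypothetical record of what the cardholder consented to at storage time."""
    token: str            # token standing in for the card data, never the PAN
    channels: frozenset   # sales channels the agreement covers
    valid_until: date     # end of the agreed time period
    initial_cit_ref: str  # reference of the cardholder-initiated setup payment
    cancelled: bool = False

def evaluate_charge(agr, initiator, channel, amount_minor, today,
                    sca_threshold_minor=None, terms_changed=False):
    """Decide whether a stored card may be charged and what verification applies."""
    if agr.cancelled or today > agr.valid_until:
        return Decision(False, False, False, "agreement ended: remove stored details")
    if channel not in agr.channels:
        return Decision(False, False, False, "channel not covered by agreement")
    if initiator == "merchant":
        if terms_changed:
            # New terms need the cardholder's consent, which needs the cardholder present.
            return Decision(False, False, False, "changed terms need cardholder consent")
        if not agr.initial_cit_ref:
            return Decision(False, False, False, "no initial cardholder-initiated payment")
        return Decision(True, False, False, "merchant-initiated, linked to setup payment")
    if initiator == "cardholder":
        # Identity is always verified; 3D Secure is forced only above the regional
        # threshold, which the caller supplies (None means no such rule applies).
        need_3ds = sca_threshold_minor is not None and amount_minor > sca_threshold_minor
        return Decision(True, True, need_3ds, "cardholder-initiated")
    return Decision(False, False, False, "unknown initiator")

# Constructed sample data: token, reference, dates and threshold are illustrative.
SAMPLE = Agreement("tok_example_0001", frozenset({"ecommerce", "subscription"}),
                   date(2025, 12, 31), "cit_ref_example")

if __name__ == "__main__":
    day = date(2025, 6, 1)
    for args in [("merchant", "subscription", 999), ("cardholder", "ecommerce", 12000),
                 ("cardholder", "in_store", 500)]:
        print(args, evaluate_charge(SAMPLE, *args, day, sca_threshold_minor=5000))
```

Logging each denied `Decision` with its reason gives an audit trail for charges attempted outside the consented scope.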
There are many things businesses need to be aware of when processing card-on-file transactions. Using a payment service provider for support can be beneficial for businesses that want to create a seamless customer experience and optimize their performance.
Adyen is fully PCI level 1 compliant and can store payment account data on behalf of businesses, allowing them to repeat purchases without storing sensitive information. Through specific transaction indicators, we inform card issuers about the pre-existing relationship between the merchant and the cardholder. These indicators are managed to optimize for higher authorization rates, improved cardholder satisfaction and reduced overhead on merchant customer service teams.