Card-on-File Done Right: How to Stay Compliant with the Stored Credential Mandate
Understanding CIT vs. MIT
Cardholder-Initiated Transactions (CIT)
CITs are transactions where the cardholder is actively involved in the payment process. These include:
- One-Time Purchases: The customer is directly involved when entering payment details, whether online or in a brick-and-mortar store.
- Repeat Purchases: Even if a saved payment method is used, if the customer is actively engaged in the transaction (for example, by confirming the payment on the checkout page), it qualifies as a CIT.
- Regulatory Impact: Under frameworks such as PSD2 in Europe, the initial CIT requires strong customer authentication (SCA) to mitigate fraud.
Merchant-Initiated Transactions (MIT)
MITs are transactions initiated by the merchant using stored payment credentials without the customer’s real-time input. These are typically seen in:
- Subscription-Based Services: Recurring billing where the initial payment (CIT) is authenticated, and subsequent payments (MIT) reference that initial authorization.
- Automated Billing: Examples include periodic charges for memberships or recurring services where the customer has previously consented.
Real-World Examples
Example 1: Subscription Merchant – StreamFlix
Imagine StreamFlix, a fictional video streaming service:
- Initial Signup (CIT): When a new subscriber signs up, they enter payment details on the website. This first transaction is strongly authenticated (per PSD2) and captures a Trace ID.
- Recurring Billing (MIT): Each month, StreamFlix charges the subscriber using the stored credential. The recurring transaction includes the same Trace ID, linking it to the original authenticated CIT.
- Compliance Implications: If the Trace ID isn’t properly stored or passed, recurring payments may become non-compliant—leading to data-integrity errors or lower authorization rates.
Example 2: Non-Subscription Merchant – ShopSmart
Consider ShopSmart, an online retailer that offers a “save my card” feature for faster checkout:
- One-Time Purchase (CIT): When a customer checks out using a saved card, the transaction is initiated in real time and qualifies as a CIT.
- Repeat Purchases: Even if the same card is reused, these remain CITs while the customer actively confirms payment.
- Potential Pitfalls: If ShopSmart automatically processes a reorder without direct confirmation and fails to reference the initial Trace ID, it becomes a mis-tagged MIT, creating compliance risks.
Compliance Requirements and Key Data Elements
There are two critical parts to ensuring compliance with the Stored Credentials Framework:
Data Element Configuration
Ensuring all the relevant Data Elements relating to tagging a transaction as a Customer initiated transaction or a Merchant initiated transaction should be properly set.
The first step is to audit all your transaction flows and correctly tag each as a Customer Initiated or Merchant Initiated Transaction. If the first transaction isn't tagged correctly, all the associated recurring transactions will create a chain of non-compliant transactions.
A simpler way to think about it: If a customer is actively participating in the transaction in real-time, that's a Customer Initiated Transaction. Even when using a saved card, if the customer is actively making the purchase, it's still considered a CIT.
Specific Data Elements Required for Visa and Mastercard
For Visa Transactions: Merchants must use appropriate data values in both authorization and clearing messages to properly identify initial and subsequent Stored Credential Transactions. The POS Entry Mode Code field should include a value of "10" for stored credential transactions.
For Initial Transactions (Both Visa and Mastercard):
1. Credential On File (COF) Indicator: Must be marked as "First" or Initial transaction.
2. Cardholder Authentication: For the first transaction, Strong Customer Authentication is typically required.
3. Consent Verification: Indication that customer consent has been obtained.
For Subsequent Transactions:
1. COF Indicator: Should be marked as "Subsequent" transaction.
2. Transaction Identifier:
a. For Visa: Network Transaction ID (NTI)
b. For Mastercard: Mastercard Trace ID
3. Transaction Type: Specify the type (recurring, installment, unscheduled)
The Mastercard Trace ID is a combination of the Mastercard Financial Network Code, Banknet Reference Number, and Banknet Settlement Date included in the authorization response from the initial transaction. It has a specific format: "MCCABC1XY0101" where "MCC" is the Financial Network Code, "ABC1XY" is the Banknet Reference Number, and "0101" is the Banknet Settlement Date.
Tracking Transaction IDs
For each CIT, merchants need to get the Trace ID or Network Transaction ID and must use it in the following Merchant Initiated Transaction.
Common challenges with Transaction IDs include:
a. Some processors may not have the capability to send the Trace ID, particularly in markets where the mandates aren't strictly enforced yet.
b. Merchants may fail to properly save the Trace ID from an initial transaction.
c. Some merchants may still be using static values as Trace ID, which are no longer acceptable under the mandate. Merchants must send the actual dynamic value.
Non-Compliance Risks and Fee Structures
Potential Costs of Non-Compliance
Merchants that fail to adhere to the mandate may face:
- Per-Transaction Surcharges:
Some networks levy a surcharge on each non-compliant transaction. Although fee amounts can vary—from a few cents to a small percentage of the transaction value—the costs can accumulate rapidly.
- Periodic Fines:
Persistent non-compliance might result in monthly or quarterly fines. The exact amounts depend on contractual agreements and the severity of the compliance issues.
- Impact on Approval Rates:
Non-compliant transactions may experience higher declines and lower authorization rates, further impacting revenue.
Understanding these fee structures is crucial. Merchants are advised to collaborate closely with their PSPs and acquirers to monitor compliance metrics and avoid unnecessary financial penalties.
Compliance Monitoring and Assessment by Networks
How Visa and Mastercard Evaluate Compliance
Card Network Monitoring Systems
Card networks employ sophisticated transaction monitoring systems to assess merchant compliance with the Stored Credential Framework. Mastercard specifically monitors transaction data submitted by acquirers (merchant processors) through their Data Integrity reporting system to ensure accuracy of all required data elements. This monitoring isn't random but systemic and comprehensive across their network.
ICA-Level Monitoring
Mastercard assigns each financial institution and processor a unique Interbank Card Association (ICA) number—a four to six-digit identifier that allows them to track transactions across their network. Compliance assessment happens at this ICA level, with processors responsible for ensuring their merchants' transactions include proper credential-on-file indicators and transaction identifiers.
Data Element Verification
For credential-on-file transactions, Mastercard requires specific POS Entry Mode values (value of 10 for authorization messages and value of 7 for clearing messages). Their systems may automatically flag transactions missing these required elements. This includes:
- Verification of proper Trace ID inclusion in subsequent transactions
- Validation of transaction coding (CIT vs MIT indicators)
- Correct flagging of transaction types (recurring, installment, unscheduled)
- Proper identification of initial versus subsequent transactions
Data Integrity Alerts
When non-compliant transactions are detected, Mastercard issues Data Integrity alerts to the acquirer, who then notifies the merchant. These alerts typically include a deadline for correcting the issue before financial penalties are applied. For example, recurring transactions missing credential-on-file indicators may trigger an "Edit 21, Recurring CoF Monitoring" failure alert.
Comprehensive Transaction Analysis
Rather than sampling, card networks may analyze transaction patterns across their entire network to identify:
- Merchants with recurring transaction patterns missing proper MIT indicators
- Inconsistencies between authorization and clearing message formats
- Missing or invalid transaction reference numbers in subsequent transactions
- Improper handling of initial cardholder authentication
Compliance Enforcement Mechanisms
Non-compliant transactions are flagged for data integrity issues and may incur escalating penalties. Initial violations typically result in warnings, but continued non-compliance leads to financial assessments. The penalties can include:
- Direct fines for non-compliance
- Increased interchange rates on improperly tagged transactions
- Liability shifts for disputed transactions
- Potential processing restrictions for serious violations
This systematic monitoring ensures that merchants across the payment ecosystem maintain the standards required by the Stored Credential Framework, protecting both consumers and the integrity of the payment system.
Conclusion
Understanding and implementing the Stored Payment Credential Mandate is essential for modern merchants—whether you operate a subscription service like StreamFlix or a retail platform like ShopSmart. By clearly distinguishing between CIT and MIT, capturing all required data elements, and building a resilient, scalable system, merchants can safeguard transactions, avoid hefty fines, and maintain high approval rates.
This guide aims to simplify complex regulatory requirements through practical examples and a detailed engineering framework, ensuring that your merchant operations remain secure, compliant, and scalable.
About the Author
Devang Gaur is a Senior Product Manager (Payments) at Adobe, focused on optimizing authorization performance and compliance across global markets.
About Adobe
Adobe is a global leader in creativity and digital experience solutions. Through its Creative Cloud, Document Cloud, and Experience Cloud offerings, Adobe empowers individuals and enterprises to design, create, and deliver exceptional digital experiences.
