How Visa and Mastercard's new mandates for Stored-Credential transactions affect ecommerce merchants, and what you need to do to ensure compliance.
These days, more ecommerce businesses are storing their customers' credit card numbers and other payment credentials to make it easier to process automated or recurring charges for things like subscriptions and one-click shopping. Visa and Mastercard are introducing new guidelines this year for how merchants should handle stored payment credentials.
The purpose of storing payment credentials is to make online shopping faster and more convenient for consumers, but any time a payment is processed without the consumer's direct involvement and awareness, there's a chance for confusion or fraud to occur. Visa and Mastercard's guidelines are intended to make consumers more aware of when their card information is being stored, and how and when it can be used.
The new guidelines have already gone into effect. Visa and Mastercard will start monitoring merchants' compliance starting in October 2018. If your company keeps customers' payment credentials on file, you're going to want to make sure you are prepared to comply with this new mandate. The good news is that it should be easy to follow the new guidelines, and hopefully the outcome will be smoother transactions and fewer erroneous chargebacks.
What types of transactions are affected?
Lots of different types of transactions are covered under the new guidelines, and various steps must be followed at each point in the payment process to comply.
For all transaction types:
- Before the first transaction in a series of recurring payments is processed, the merchant must obtain the cardholder's consent to have their payment credentials stored for use in future transactions.
- All the requirements specified by the new guidelines must be displayed, separate from the merchant's own general purchase terms and conditions, when the cardholder enters into a purchase agreement with the merchant. In some places, local laws and regulations may require the merchant to provide the cardholder with a record of their consent to the agreement upon request.
- When payment credentials are being stored for future transactions but not charged for a transaction immediately, for example with a short-term free trial, the merchant should submit an Account Verification Request (a transaction for $0.00). When an initial payment or Account Verification Request is declined, the payment credentials must not be stored.
The following Stored-Credential transactions are covered under the new guidelines:
- Recurring payments such as subscriptions or automatic billings
- Installment payments
- Unscheduled merchant-initiated payments, like goods that are automatically ordered when certain conditions are met, or accounts that automatically get refilled when the balance falls to a certain threshold
- Unscheduled customer-initiated payments, like one-click shopping features
There are some variations in the rules specified for each of these types of transactions, but most of the new rules are applicable in all cases.
Rules for stored-credential transactions
When a merchant stores a customer's payment credentials for the first time, they must establish an agreement that covers all the following:
- A truncated version of the stored credential, like the last four digits of a credit card
- The method by which the cardholder will be notified of any changes to the agreement
- How and under what conditions the stored credential will be used
- The expiration date of the agreement (when applicable)
The merchant must obtain the cardholder's express, informed consent to the agreement before the initial transaction is processed. This agreement must be retained by the merchant for as long as it remains in effect, and a copy must be provided to the issuing bank upon request.
This agreement should contain the following:
- The transaction amount, including all taxes, fees, and other included charges. If the exact amount is unknown at the time the agreement is entered into, it must instead contain an explanation of how the transaction amount will be calculated
- The type of currency used in the transaction
- Acknowledgement of any permissible surcharges
- Cancellation and refund policies
Each subsequent transaction made under the agreement must be authorized. If the charge is declined, the merchant has at least 14 days to resubmit it, if allowed under the reason code provided for the declined transaction.
Customers must also be provided with a straightforward way to cancel the agreement. The merchant cannot process any further transactions if the customer utilizes the cancellation process, if the expiration date of the agreement has passed, or if the cardholder requests that their payment method be changed.
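The rules above follow a clear order: consent first, then an approved initial authorization (or a $0.00 Account Verification Request when nothing is charged yet) before anything is stored, and no further merchant-initiated charges once the agreement is cancelled or expired. The following Python model is an added illustration written for this article; it is not code from Visa, Mastercard or any payment gateway, and the `Agreement` class, `store_credential`, `may_charge` and `retry_allowed` names are assumed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional

# Constructed, illustrative model of the stored-credential agreement lifecycle.
# None of these names come from Visa, Mastercard or any payment gateway API.


@dataclass
class Agreement:
    last4: str                      # truncated credential shown to the cardholder
    consent_given: bool             # express consent captured before the first transaction
    currency: str
    amount_terms: str               # fixed amount, or how the amount will be calculated
    expires: Optional[date] = None  # agreement expiry date, when applicable
    cancelled: bool = False
    credential_stored: bool = False


def store_credential(ag: Agreement, first_amount: float,
                     authorize: Callable[[float], bool]) -> bool:
    """Store the credential only after consent and an approved initial authorization.

    When nothing is charged up front (e.g. a free trial), first_amount is 0.00 and the
    authorization call plays the role of the Account Verification Request. A decline
    means the credential must not be stored.
    """
    if not ag.consent_given:
        return False                # never store without express consent
    ag.credential_stored = authorize(first_amount)
    return ag.credential_stored


def may_charge(ag: Agreement, today: date) -> bool:
    """Merchant-initiated charges stop once the agreement is cancelled or has expired."""
    if not ag.credential_stored or ag.cancelled:
        return False
    return ag.expires is None or today <= ag.expires


def retry_allowed(declined_on: date, today: date, reason_permits_retry: bool) -> bool:
    """A declined charge may be resubmitted if the decline reason code permits it.

    The article states a minimum window of 14 days; this model uses exactly that.
    """
    return reason_permits_retry and (today - declined_on) <= timedelta(days=14)
```

The `authorize` callable stands in for the gateway call, so the same checks can be exercised against an approving and a declining stub without touching a live processor.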
What are the consequences of non-compliance?
Currently, the consequences for failing to comply with the new guidelines have not been provided. While Visa and Mastercard are expected to allow merchants a generous amount of time to get in compliance, it is possible that fines or penalties for non-compliance may be imposed at some future date. As it stands, failure to comply may result in lower authorization rates and an increase in declined transactions.
Presently, the primary motivation for compliance is the benefits merchants may realize by following the new guidelines—higher levels of consumer trust, more transaction authorizations, and fewer chargebacks.
How do I get in compliance?
To make their policies and procedures comply with the card networks' new mandate, merchants may need to update their checkout pages, terms and conditions, and any other pages or forms on their websites that capture payment information or inform customers of their policies.
Usually, a simple checkbox on the page where payment information is entered is sufficient to obtain customers' consent to store credentials.
Revamping your website to comply with the new rules might take a bit of time and effort, but it's worth the trouble when the result could be fewer chargebacks and more authorized transactions.