What are the New Rules for Stored Payment Credentials?

Storing payment information for later use, which can include both a card number or payment token, streamlines the checkout process for future payments and enables one-click checkout and automatic and recurring payments. Customer expectations are higher than ever. From the ability to use specific payment types to an overall payment experience that is simplified, consistent, and as frictionless as possible, customers are looking for maximum convenience. Due to the increased use of stored payments, both Visa and MasterCard have issued additional stored payment credentials requirements.

Stored payment credentials provide convenience for customers, but businesses must adhere to specific stored payment guidelines. A payment orchestration partner can help companies simplify an ever-changing landscape of compliance mandates and ensure that they adhere to all applicable guidelines.

What are the new guidelines for stored payment credentials?
Stored payment credential guidelines include obtaining cardholder consent for the initial storage of payment credentials and using appropriate data value to identify the initial storage of the credential and the subsequent usage of stored payment credentials.

What are Stored Payment Credentials?

Stored payment credentials refer to customer credit card information, payment tokens, or verification information a business keeps. This is payment information that a customer has opted to save to make future purchases quicker and more convenient. This information commonly includes the billing name, address, card account number, and card expiration date.

Aside from improving convenience, businesses may also store payment credentials to streamline repeat billing for subscription services or payments made over installments. Stored payments are also beneficial for any service involving customers regularly opting in and out of transactions.

What are the Stored Payment Guidelines Businesses Must Follow?

Security should be a top priority for anyone storing payment information. Businesses need to be confident that they can secure and protect cardholder data and personally identifiable information when storing customer data in the payment system. Companies that fail to safeguard cardholder data not only lose their customers’ confidence but can also face fines and other costs associated with a data breach.

As the use of stored payments increases, both Visa and Mastercard have issued additional requirements for businesses to protect cardholders. Stored payment guidelines impact any company that holds payment data for future payments. These guidelines that businesses must follow include:

• Obtain cardholder consent – Businesses are required to obtain cardholder consent for the initial storage of payment credentials. The agreement must include the last four digits of a credit card, an explanation of how to use the stored information, how to notify the customer of any changes to the agreement, and the agreement’s expiration date. This consent from customers must be separate from the merchant’s standard terms and conditions.
• Utilize appropriate data values – Businesses must use appropriate data values, i.e., Stored Credential indicators as per the Stored Credential Transaction Framework, to identify the initial storage of the credential and the subsequent usage of stored payment credentials. The purpose of the appropriate data value indicators is to convey that the business and the cardholder agree to use stored payment credentials, making it easier for issuing banks to identify legitimate transactions.

Stored Payment Guidelines for Subscriptions

This is a primary concern for stored payments centers around subscriptions or recurring payments. These payments call for a business to not only store payment information but also process future payments without obtaining further approval from the customer at the time of the transaction. They are also susceptible to abuse, and additional guidelines are an effort to protect cardholders.

Both MasterCard and Visa have issued mandates that change the rules of subscriptions. Both companies have similar requirements, which include the following:

• Online cancellation – Customers must be able to cancel their subscriptions online, even if they didn’t enroll online initially.
• Terms of subscription agreement – Businesses must provide customers with a digital receipt when they enroll in the subscription that includes the terms of the agreement and the timeline and amounts for future payments.
• Payment notification – Businesses must notify customers before each payment is processed. The billing descriptor must indicate the business and what the charge is for.
• Notification of free trial period ending – Businesses must notify customers at least seven days before a free trial period ends by email or text message. This notification must include a link to the cancellation page.

Payment Orchestration From OLS Helps Businesses Simplify Adherence to Compliance Mandates

Many businesses struggle to stay current with compliance mandates amidst an ever-changing landscape of payment types, laws, and requirements. The OLS platform gives businesses an omnichannel payments solution that expands their payment capabilities while also shifting the management of payment complexity. The OLS platform can significantly lower operational and compliance costs and fully comply with PCI DSS and PA-DSS requirements.

Key Takeaways

• Customers are looking for maximum convenience, including an overall payment experience that is simplified, consistent, and as frictionless as possible.
• Stored payment credentials provide convenience for customers as they enable one-click checkout and automatic and recurring payments.
• Stored payment credential guidelines include obtaining cardholder consent and using appropriate data value.
• Payment orchestration from OLS can help businesses simplify adherence to compliance mandates and significantly lower operational and compliance costs.