Card brand rules require merchants to identify initial storage and usage of stored payment credentials. A stored credential is payment information that will be used to process future transactions for a cardholder. This can be a credit or debit account number or a payment token. Merchants must be able to demonstrate that they have cardholder consent to store the payment information.
Credential/Card on File (CoF) transactions are categorized in two ways: initial and subsequent. Initial CoF transactions are requests that put the credential to be stored into the system, whereas subsequent CoF transactions are requests that use the previously stored credential.
CoF transactions are initiated either by the cardholder or by the merchant.
- Cardholder-initiated transactions are authorizations initiated by a cardholder in person, on a phone, or on a web site. These transactions typically include CVV2/CVC2 data or a wallet-generated cryptogram to prove the cardholder’s participation.
- Merchant-initiated transactions are authorizations initiated by the merchant when the cardholder is not present, for example, recurring payments.
CoF processing is supported with the Exchange, GSAP-NA, and GSAP-AP authorization platforms.
- For merchants using an external card on file system, an update should be made to pass in the Credential on File data block with the appropriate data for all transaction requests.
- For merchants using Portico's PayPlan card on file system, no changes are needed for schedule processing; PayPlan automatically populates the appropriate fields. For one-time charges via PayPlan, the appropriate CardOnFile indicator should be included in the transaction request.
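The categories above can be checked mechanically before requests leave an external card on file system. The following is an added example, not Portico or Global Payments code: the `Txn` record, its field names and the sample log are constructed for illustration, and the CVV2/CVC2 check on merchant-initiated requests comes from PCI DSS rather than from this page.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Txn:
    # Hypothetical record layout for this example; not Portico's request schema.
    id: str
    token: str                          # stored credential (account number or payment token)
    stage: Optional[str] = None         # "initial" | "subsequent"; None = no CoF data block
    initiator: Optional[str] = None     # "cardholder" | "merchant"
    consent_ref: Optional[str] = None   # pointer to the cardholder-consent evidence
    has_cvv: bool = False
    has_cryptogram: bool = False

def audit(txns):
    """Return {txn id: [findings]} for requests that break a rule from the text."""
    consented = set()  # credentials with a consented initial CoF transaction
    report = {}
    for t in txns:
        f = []
        if t.stage is None or t.initiator is None:
            f.append("missing CoF data block")
        else:
            if t.stage == "initial":
                if t.consent_ref:
                    consented.add(t.token)
                else:
                    f.append("initial storage without consent record")
            elif t.token not in consented:
                f.append("subsequent use without a consented initial transaction")
            if t.initiator == "cardholder" and not (t.has_cvv or t.has_cryptogram):
                f.append("cardholder-initiated without CVV2/CVC2 or cryptogram")
            # PCI DSS forbids keeping CVV2/CVC2 after authorization, so a
            # merchant-initiated request that carries one suggests it was stored.
            if t.initiator == "merchant" and t.has_cvv:
                f.append("merchant-initiated request carries CVV2/CVC2")
        if f:
            report[t.id] = f
    return report

# Constructed sample log.
SAMPLE = [
    Txn("t1", "tokA", "initial", "cardholder", "consent-1", has_cvv=True),
    Txn("t2", "tokA", "subsequent", "merchant"),
    Txn("t3", "tokB", "subsequent", "merchant"),
    Txn("t4", "tokC", "initial", "cardholder", None, has_cvv=True),
    Txn("t5", "tokA"),
    Txn("t6", "tokA", "subsequent", "merchant", has_cvv=True),
    Txn("t7", "tokA", "subsequent", "cardholder"),
]
```

Calling `audit(SAMPLE)` returns findings for `t3` through `t7` and nothing for `t1` and `t2`. Because the text says cardholder-initiated transactions only "typically" carry CVV2/CVC2 or a cryptogram, treat that finding as a prompt for review, not a hard failure.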