Beginning October 14, 2017, Visa will be mandating a number of changes in the way that merchants handle “stored credential” card information for Visa cardholders. Stored credentials refer to the instances that customer card data is stored on a business’ servers in order to be charged later. Stored credential payments are divided into two categories: subscription and card-on-file.
Card-on-file refers to the storing of a cardholder’s information for them to later make payments that they initiate; an example would be an online shopping website that allows a card number to be stored on a user’s account for a faster checkout next time. A subscription is a pre-authorized, recurring payment that the merchant makes on a consumer’s card, such as a Netflix or Hulu plan that charges a set amount every month, on the same day. Beginning October 14, businesses must classify stored card information as either a subscription or a card-on-file.
According to a guidance document from Visa issued for merchants, the operational requirements for stored credentials will now include the following provisions:
Effective October 2017:
Merchants and their third-party agents, payment facilitators, or stored digital wallet operators that offer cardholders the opportunity to store their credentials on file must:
• Disclose to cardholders how those credentials will be used.
• Obtain cardholders’ consent to store the credentials.
• Inform the issuer via a transaction that payment credentials are now stored on file.
• Identify transactions with appropriate indicators when using stored credentials.
Visa’s document emphasizes that their new guidelines apply to all “card-absent transactions,” including those made with a payment token or primary account number, those that are initiated by the consumer themselves (stored-card transactions on online shopping portals, for example), and those that are initiated by the merchant. Merchant-initiated transactions include recurring subscription payments for services, as well as pre-authorized payments like paying for incidental expenses on a hotel reservation.
So what does this mean for consumers? The primary impact for consumers will be enhanced disclosure requirements. Visa outlines a number of rules for disclosure to cardholder and relating to cardholder consent, as well as rules having to do with the handling of storage of consumer card data. Among other rules, merchants must notify cardholders of: how the stored card will be used, cancellation and refund policies, any convenience fee or surcharge, and any change to the agreement.
The full Visa rules document, will a full list of required disclosures to consumers, may be found here.