info@3dsecurempi.com
+44.(0).870.490.8278

Recurring Transactions, Merchant Initiated Transactions and Stored Credentials

Posted On: Thursday, June 23rd, 2022

The subscription model has gained in popularity but as anyone with experience with these type of payments knows, the model can lead to disputes through lack of clarity, misuse or poor management.

Recurring Transactions and Merchant Initiated transacting require that the card number is stored by the merchant. But it’s also common for merchants to store card number for convenience at the point of checkout. Stored Credentials used for Cardholder Initiated Transactions are therefore also mentioned in this document and specific rules for storing the card and sending it for processing must be followed; Cardholder initiated transactions are still regular eCommerce transactions and are not exempt from PSD2 regulations within the EEA and are still required to used 3DSecure when processing.

Visa updates for transaction type

Through consultations with Issuing banks who receive these disputes, Visa has been able to outline a set of rules designed to improve customer experience, allow cardholders and issuing banks to identity subscriptions transactions more easily, and establish clearer and more specific guidelines for claims related to subscription transactions.

Through the implementation of these rules, cardholders should benefit from more opportunities to be reminded of their subscription agreement, have easier cancellation processes and better notification of future transactions.

In September 2019 Visa and MasterCard introduced a new ‘initial transaction id’ value which is provided for original transactions initiated by a cardholder. This ID should be sent in all subsequent merchant initiated transactions (MIT) that follows the original transaction (for example in subscription payments, automated billing events and more) This ensures that every merchant initiated transaction references the original transaction in which the cardholder was properly authenticated including the application of strong-customer-authentication (SCA).

To enable easier implementation by merchants at the time, Visa and MasterCard allowed older transactions, made before September 2019, to be exempt from this requirement, and the merchant-initiated transaction was allowed to be sent with a generic value instead of the actual ID.

However, as of 1 April 2022, Visa planned to remove this exemption and requires that any merchant-initiated transaction have a proper ‘initial transaction id’ value that is sent with every subsequent transaction. This is applicable for any transaction that is included in the SCA scope. The new date for this mandate is now 01 October 2022. Merchants affected by this mandated are advised to make the necessary preparations to avoid fines or declined transactions.

So what are these new requirements for subscriptions and merchant initiated transactions?

Express Consent:

When Customer enrolls in a subscription for the first time, merchants must obtain their express consent to entering into ongoing recurring payments for the subscription service. Express consent means that an SCA must be carried out for the initial transaction.

Enhanced Notification:

Upon Enrolment, the merchant must provide the customer with copy of the terms and conditions of the subscription. This is required even if no payment is due on enrollment. This information can be provided via email, text or some other method agreed to by the customer

Terms and Conditions must include

  • Confirmation that the cardholder has agreed to a subscription unless they cancel it
  • The date the subscription starts
  • Details about the goods or services included in the subscription
  • The recurring transaction amount
  • The billing frequency or due dates
  • A hyperlink or some other simple way for the cardholder to easily cancel the subscription and any recurring transactions

If a trial, introductory, or promotional period is about to end, or if the terms of the subscription agreement are changing, merchants must send a reminder notification with a link to their subscription cancellation page. This must be done at least seven days before initiating a recurring transaction.

Explicit Transaction Receipts:

Certain information will now be required on all merchant receipts for subscription transactions

  • The length of any trial, introductory or promotional offer, along with a clear statement that the cardholder will be charged after the offer ends unless they take action to cancel their subscriptions
  • The amount and date of the initial transaction, even if no payment is due yet, and for any recurring transactions to follow: A link or some other simple method through which the cardholder can cancel their subscription and any future transactions.

Statement Descriptor:

Merchants must add a descriptor that indicates a transaction related to a trial offer to the first transaction processed after the trial offer ends. This descriptor should be added to the merchant Name field of the clearing Record and should include language like ‘trial’, ‘trial period’’, ‘free trial, and the like. This will then appear on bank statements, banking apps, and text alerts that the cardholder sees

Easier Cancellation: Regardless of how the customer enrolled (online, in person, over the phone, at a kiosk), the merchant must provide an easy way to cancel the subscription online.

Expanded Dispute Rights: The dispute condition ‘Misrepresentation” can now include transactions where the good purchases either through a trial; offer or as a singular purchase and the cardholder was not clearly advised that further billings would occur after the initial purchase date,

Merchants who believe they have received an unfair or erroneous ”Misrepresentation’ chargeback for a recurring billing should represent the charge with both of the following pieces of evidence:

  • Documented proof that the cardholder expressly agreed to future transactions at the time of the initial transaction.
  • Records showing that the merchant sent a notification to the cardholder, according to the notification method the cardholder specified, at least seven days before processing the first transaction after the end of the trial period,

What about MasterCard?

MasterCard created changes to its rules with largely similar requirements. The last of these changes, which implements the rule about informing new customers about the timeline and amount of future payments, went into effect on June 9th, 2022.

What Kinds of Transactions Are Covered by the Subscription Mandate?

The specific types of credential on file transactions covered by the mandate are:

  • Recurring Payments
  • Installment Payments
  • Unscheduled Merchant-Initiated Payments (products automatically shipped when certain conditions are met, accounts that automatically add funds when reaching a certain balance, etc.)
  • Unscheduled Customer-Initiated Payments (one-click shopping)

What Are the New Rules for Stored Payment Credentials?

While recurring transactions clearly require stored payment credentials, cards can be stored solely for convenience so that the cardholder can check out without entering his card number.

Visa and MasterCard now require that merchants obtain consent from customers to store their payment information, and that this consent is separate from the merchant’s ordinary terms and conditions. Consent also means that a 3DS SCA must be carried out when storing the card details.

The short version is that the agreement to allow the merchant to store payment information must include:

  • the last four digits of a credit card
  • an explanation of how the stored information will be used
  • how the customer will be notified of any changes to the agreement
  • The method by which the cardholder will receive notice of any changes to the payment agreement
  • How the stored credential will be used
  • The expiration date of the agreement, if applicable

In addition, merchants are required to include the appropriate indicators to inform the bank of recurring transactions made using stored payment credentials. These indicators are set at the time of the Authorization the transaction and will be specific to the payment provider and Acquiring platform.

Before processing the initial transaction, the merchant must obtain the cardholder’s express, informed consent to an agreement, which must be retained by the merchant for as long as it remains in effect and must be provided to the issuing bank upon request. The agreement must contain the following:

  • The transaction amount, including all taxes, fees, and other included charges. If the exact amount is unavailable at the time the agreement is made, the agreement must contain an explanation of how the transaction amount will be calculated
  • The type of currency used in the transaction
  • Acknowledgment of any permissible surcharges
  • Cancellation and refund policies
  • The merchant outlet location

Each subsequent transaction made as part of the agreement must be authorized, and if the authorization is declined, the merchant has at least 14 days to resubmit the authorization, if the reason code provided for the decline allows it.

The merchant also has to provide their customers with a simple way to cancel the agreement and cannot process further transactions if the cardholder makes use of the cancellation procedure.

The merchant is also prohibited from processing additional transactions if the end date of the agreement has passed or if the cardholder requests a change to their method of payment.

Here’s a more detailed dive into some of the technical aspects of the new requirements:

  • All the requirements outlined by the mandate must be displayed, separate from the merchant’s own general purchase terms and conditions, at the time the cardholder enters into a purchase agreement with the merchant. Some local laws or regulations may also require the merchant to provide the cardholder with a record of their consent to the agreement if requested.
  • When card information is being stored for future transactions, but no simultaneous purchase is being made, the merchant should submit an Account Verification Request (a $0.00 transaction) instead. If either an initial payment or the Account Verification request is declined, the payment credentials must not be stored.

When Did the Subscription Mandates Take Effect?

The stored credentials mandate went into effect for both Visa and MasterCard in October 2018, with the subsequent Visa mandate taking effect in April 2020. MasterCard’s other changes were rolled out in December 2021, with the last update scheduled for June 2022.

If your e-commerce business keeps customer card information on file, you need to make sure you’re in compliance with these requirements.

Full support for major card brands and banks

Making eCommerce Safe

Be in the know

Industry news, events and major releases.

Getting ready for 2.2
Posted on: Saturday 19th November, 2022

Now that version 1 has been decommissioned and Version 2.3 specification has been released, focus is shifting to moving from version 2.1 to 2.2 and eventually decommissioning version 2.1 completely.

Meet us at Money2020
Posted on: Wednesday 19th October, 2022

Once again we will be at Money2020 in Vegas.

Visa guidelines for mandatory rolling out of EMV 3DSecure for Asia Pacific
Posted on: Wednesday 4th May, 2022

Visa has issued guidelines for rolling out of EMV 3DS for the Asia Pacific Region. Countries covered: Australia, Cambodia, Hong Kong, India, Indonesia, Macau, Malaysia, New Zealand, Philippines, Singapore, Hong Kong, South Korea, Taiwan, Thailand and Vietnam.

Here to help

Questions? We've got answers.

Kindly note that we do not support cardholders wanting to activate 3D Secure on their card. Please contact your bank directly using the phone number provided on the back of your card.