Card-on-file transactions lie at the heart of several types of business models, from digital subscriptions to retail, and can enable seamless customer experiences. When done right, card on file can lead to higher performance, better risk management, and new cross-channel experiences for cardholders.
What is card-on-file?
Card-on-file is when a business, with the cardholder’s consent, stores the debit or credit card details. The cardholder can then reuse the details for future payments and faster checkouts.
It’s important to know that payment data storage comes along with PCI-DSS considerations. Businesses that want to leverage card-on-file need to be compliant and audited.
What’s the difference between card-on-file and tokenisation?
Tokenisation is when sensitive card information is replaced with a piece of non-sensitive information called a token. Tokenisation and card-on-file tend to go hand in hand. Once a debit or credit card is stored on file, it’s usual to swap out the stored card's sensitive information for a token to maximise security.
Use cases for card-on-file transactions
Card-on-file payments are a popular choice across many different industries, from subscriptions to mobility. Emerging industries like autonomous stores also use card-on-file to take checkout experiences to the next level.
Subscriptions
Subscriptions are standard card-on-file use cases where the cardholder provides consent to the business to bill their card periodically for a subscription. For example, if a consumer signs up for a streaming service like Disney+ or Netflix, card-on-file enables the service to bill their stored card regularly. The user doesn't have to keep re-entering their card details, which makes the service convenient and seamless to use.
The debit or credit card on file can also be used for additional purchases on top of the cardholder’s usual subscription package, such as transactions initiated by the cardholder.
Mobility
Mobility and micromobility transactions are usually initiated by the mobility provider’s app. The cardholder's payment details are kept on file to avoid having them re-enter their card details for every taxi, scooter, or bike ride.
Similar to mobility, food delivery apps also use card-on-file to provide cardholders with tailored customer experiences.
Travel and hospitality
In the travel and hospitality sector, card details are usually stored on file during bookings for pre-check-in costs such as no-show charges or partial charges following conditions of the accommodation. At check-in, the merchant also stores the guest's debit or credit card on file to enable incidental charges, such as those from restaurant visits or damages.
Autonomous stores
The core premise of an autonomous store is the absence of a checkout. AI-driven store solutions detect the shoppers’ interactions and charge the total amounts when they walk out of the store. Card-on-file payments are then used to complete the payment during the walk-out phase.
Unified commerce retail
Businesses leveraging unified commerce can collect card details in one channel and use stored cards in another to complete payments and make refunds.
Buy Now, Pay Later providers
Buy Now, Pay Later (BNPL) providers can offer their customers the option to pay off their installments using a card on file that is charged periodically by the BNPL provider.
How does card-on-file work?
Leveraging card on file involves different processes starting with storing the card on file, then making cardholder-initiated card-on-file payments or merchant-initiated card-on-file payments, updating the card on file, and possibly removing it.
Storing the card on file
Storing a card on file requires the cardholder's consent and can be done by:
Making a purchase and agreeing to store the card on file for future transactions
Verifying the account through a zero-amount transaction
Completing an in-person payment – this is more commonly used in unified commerce, where a card stored on file in a physical store can be used for online purchases
At Adyen, we take responsibility for confirming to the issuing bank that the shopper has consented to storing a card on file for future purchases.
FAQ: What needs to be included in the card-on-file storage agreement that the cardholder must consent to?
Information about the transaction, including a description of the goods and the total amount that will be billed
Information about the business, including its location and contact details
A shortened version of the stored credential (such as the last four digits of a credit card)
Information on how the stored card details will be used and the expiry date of the agreement if applicable
Instructions on how the cardholder can cancel the agreement
FAQ: Can the business store the card on file themselves? Or do they need to use a payment provider for this?
Payment card data storage comes along with PCI-DSS security requirements. If the business wants to store the data, it needs to be compliant and audited. Adyen is fully PCI level 1 compliant and can store payment card data securely on behalf of businesses that we work with.
FAQ: Can the CVV/CVC code be stored?
Due to PCI regulations, neither the business nor the acquirer can store the CVV/CVC code on file.
Cardholder-initiated card-on-file payments
A cardholder-initiated card-on-file transaction is when the customer selects the previously stored card data to pay for goods or services without having to enter their card details again. It’s commonly used in one-click card-on-file transactions and often needs to be authenticated with 3D Secure technology.
Merchant-initiated card-on-file payments
A merchant-initiated transaction is when the cardholder consents to the merchant taking the money from their account. These transactions are linked to the cardholder-initiated transaction where the agreement was initially set up.
Merchant-initiated transactions include:
Subscriptions
Recurring transactions at scheduled intervals using a card on file
Commonly used for streaming service subscriptions or recurring utility payments
Unscheduled card-on-file transactions
Transactions that don’t occur at a scheduled or recurring date, but are triggered by an event
Commonly used for account top up transactions
Installments
When a single purchase of goods or services is split up into several transactions scheduled at pre-agreed dates
Industry specific merchant-initiated transactions
No-shows: Commonly charged by hotels in case a guest fails to show up to a reservation
Delayed charges: Transactions used to process supplementary charges after the original services have been delivered; these are delayed as the charges aren’t evident at the point when the original transaction is processed
Resubmissions: Used when the original authorisation was declined due to insufficient funds
FAQ: Does the customer need to be verified to use their card-on-file details?
During a cardholder-initiated card-on-file transaction the business needs to verify the identity of the cardholder. In some regions it’s required to use 3D Secure for strong customer authentication (SCA) when the purchase amount is above a certain threshold.
Alternatively, the merchant can collect the 3-digit CVC/CVV code from the cardholder as an additional verification during the checkout.
For merchant-initiated card-on-file transactions, there is no need to verify the cardholder’s identity.
FAQ: Can stored credentials be used across different sales channels?
It all depends on the agreement between the merchant and the cardholder. If the card on file is to be used over different channels, it needs to be part of the agreement. If the card on file was stored following an in-store payment and the agreement states that the details can be used for future subscription charges or for future ecommerce one-click charges, then it’s possible to use them across channels.
Updating a card on file
Card-on-file information will probably need to be updated at some point as cards expire or changes are made to the PAN. This results in a lot of friction as transactions are declined and cardholders are asked to update the information.
With Adyen, any update to the card is automatically picked up, leading to reduced declines and seamless cardholder experiences.
FAQ: What happens when a customer wants to upgrade their subscription from a standard to a premium plan? Does the business need to verify the customer’s identity again?
Changes to the card-on-file agreement need to have the cardholder's consent. Therefore, the cardholder needs to be verified again.
Removing a card on file
Storing a debit or credit card on file requires establishing the terms of the agreement, including cancellation and refund policies. If the time period specified in the agreement ends or the cardholder wants to cancel the agreement, the card on file can’t be used to process the transaction and the details need to be removed.
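The lifecycle described above (store with consent, pay as cardholder or merchant, remove when the agreement ends) can be modelled in a few lines. This is an added illustration, not Adyen's code or API: the Vault and Agreement classes, the channel names, the reference "CIT-0001" style and the result strings are all hypothetical.

```python
import secrets
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Agreement:
    last4: str               # shortened credential shown to the cardholder
    channels: frozenset      # sales channels covered by the consent
    expires: Optional[date]  # agreement expiry, if applicable
    initial_cit: str         # cardholder-initiated payment that set it up

class Vault:
    """Hypothetical in-memory stand-in for a PCI DSS-scoped token vault."""

    def __init__(self):
        self._pans = {}       # token -> PAN, the only place the PAN is kept
        self.agreements = {}  # token -> Agreement

    def store(self, pan, cvc, consent, channels, expires, initial_cit):
        if not consent:
            raise PermissionError("cardholder consent required")
        # cvc would go out with the initial authorisation only; it is
        # deliberately never written to any attribute of the vault.
        token = secrets.token_urlsafe(16)  # random, not derived from the PAN
        self._pans[token] = pan
        self.agreements[token] = Agreement(
            pan[-4:], frozenset(channels), expires, initial_cit)
        return token

    def remove(self, token):
        self._pans.pop(token, None)
        self.agreements.pop(token, None)

    def authorise(self, token, initiator, channel, today, verified=False):
        ag = self.agreements.get(token)
        if ag is None:
            return "refused: no agreement"
        if ag.expires is not None and today > ag.expires:
            self.remove(token)  # ended agreement: details must be removed
            return "refused: agreement expired"
        if channel not in ag.channels:
            return "refused: channel not in agreement"
        if initiator == "merchant":  # no cardholder verification needed
            return "ok: MIT linked to " + ag.initial_cit
        if not verified:  # cardholder-initiated: 3D Secure or CVC check
            return "refused: cardholder verification required"
        return "ok: CIT"
```

The merchant only ever holds the token and the last four digits; any initiator value other than "merchant" falls through to the cardholder path, so an unrecognised caller is still required to verify.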
Card-on-file with Adyen
There are many things businesses need to be aware of when processing card-on-file transactions. Using a payment service provider for support can be beneficial for businesses that want to create a seamless customer experience and optimise their performance.
Adyen is fully PCI level 1 compliant and can store payment account data on behalf of businesses, allowing them to repeat purchases without storing sensitive information. Through specific transaction indicators, we inform card issuers about the pre-existing relationship between the business and the cardholder. These indicators are managed to optimise for higher authorisation rates, boost cardholder satisfaction, and reduce overhead on customer service teams.