Better CX with Card on File

Being able to store customer’s card details offer merchants and consumers a range of benefits. For consumers, reusing stored payment information streamlines the checkout process. They no longer need to re-enter their details for every purchase - a process which can be error prone and inconvenient. As an upside for merchants, reducing these barriers for consumers at checkout increases the chances of consumers following through with the purchase. Another significant advantage of storing payment details is the ability to handle recurring billing, which is particularly important for subscription-based offerings. Merchants can simply bill the customer at regular intervals without the consumer being involved in the process at all.

What is “Card on File”?

Card transactions where card details for the transaction are retrieved from storage, rather than entered manually by the cardholder, are referred to as “card on file” transactions, i.e. transactions where the card details are kept “on file”. “Card on file” is often abbreviated to COF. An alternative term with the same meaning is “credentials on file”.

However, handling card on file payments is not as easy as simply storing card details and accessing them whenever needed. Storing card details is governed by PCI DSS, which lays out strict requirements for how credit card details must be stored securely to safeguard this sensitive information.

Mandated by the credit card schemes, there are 4 levels of PCI DSS certification. What level a merchant falls into depends on both the volume of transactions they process and whether or not card details are stored locally. Organizations that store card details in their own systems need to comply with far stricter requirements. These cover how credit card details are stored in encrypted form, as well as the requirement for annual audits by a third party to ensure that the infrastructure meets all PCI DSS requirements.

Fulfilling these requirements comes with significant costs. These include costs for the secure infrastructure used to store credit card information, wages for the well-educated IT staff that maintain this infrastructure and costs for annual audits. Merchants therefore typically outsource the storage of card details to a secure third party vault. This significantly reduces the merchant’s PCI DSS scope and costs, while shifting liability from the merchant to the third party provider. But doing so raises another issue: how can merchants process card on file transactions if the card details are not stored locally?

How Tokenization Enables COF

The answer is tokenization. When a customer enters their credit card details for the first time, the encrypted details are sent directly to the vault provider and stored in the vault in encrypted form. A so-called token is then generated by the vault provider. This token consists of a series of random characters that cannot be reverse engineered to reveal the underlying credit card details. Merchants can store this token without any risk of exposing sensitive data and use the token to reference the card details stored in the secure vault.

To process a card on file transaction, the merchant simply includes the token as part of the transaction along with other transaction details, such as the amount to be charged. The token is then used to look up the credit card details in the secure vault. These card details are then forwarded directly to the payment service provider for processing. This ensures that card details are never presented directly to the merchant.

Ensuring Card Details are Up-to-Date

Another challenge merchants face is that cards are regularly reissued, e.g. when they expire or due to loss or theft. If the card details change, any charges made to the old card by merchants will be declined. Merchants have a few options available to ensure that stored credit card details are always up-to-date:

By using an account updater, which requests updated card details from the card schemes at regular intervals. Any changes to the card details are updated in the secure vault to ensure that payments can continue to be processed.
Using network tokens, which are issued directly by the card schemes (Visa, Mastercard etc.). The card schemes ensure that the card information associated with the token is kept up to date. The network token retains its validity even if the underlying card details change, ensuring that the card can continue to be charged using the same token.

Both of these options are available when storing payment details in IXOPAY’s secure vault.

Card on File in IXOPAY

IXOPAY provides a PCI DSS Level 1-certified vault for storing credit card details securely. These are encrypted by IXOPAY and a token is generated that merchants can store locally and use to reference the credit card details. These tokens generated by IXOPAY have a significant advantage over PSP-specific tokens: they can be used to process card transactions with any payment provider integrated via IXOPAY. This is in contrast to tokens generated by PSPs, that can only be used to process credit card transactions with that PSP.

Being able to process card on file transactions with any payment provider means that merchants can take full advantage of IXOPAY’s cascading options - if a provider is unavailable or the transaction is declined as a result of the PSP’s own risk assessment, the transaction can be retried with an alternative provider. This can potentially recover the sale without requiring the consumer to re-enter their credit card details. Furthermore, it allows merchants to switch out payment providers without impacting their ability to process card on file transactions and thus avoiding any issues with vendor lock-in.

IXOPAY also supports network tokens issued by the credit card schemes themselves. Changes to the card’s data, such as when a card is re-issued, do not invalidate the token stored by merchants and used to process transactions.

Who Benefits from Card on File?

Card on file transactions benefit any merchant who needs to process transactions without the consumer entering their credit card details. This includes subscription services, online stores with return customers or services that involve automatic charges upon reaching certain thresholds, e.g. topping up mobile credit or buying cryptocurrencies if the value falls below a certain threshold. Some examples include:

Telecommunications: Monthly invoicing and automatic top-ups of mobile credit
E-commerce platforms: 1-click checkout and subscription services (e.g. Amazon Prime)
Hospitality: Hotels and booking sites use card on file transactions for reservations, incidental charges and recurring services
Exchanges: Buy limit orders

Streamlining these payments not only benefits merchants, but also consumers. Simplifying the checkout process for return customers reduces cart abandonment, increasing conversion and retention rates. Processing subscription payments without involving the customer avoids the risks of late or non-payment, ensuring the consumer continues to have access to these services without additional overheads.

If you would like to learn more about how IXOPAY can help improve your global payment processes, get in touch!

Contact IXOPAY

About IXOPAY

IXOPAY is a best-of-breed payment orchestration platform offering flexible and independent global payment processing options. Fully PCI-DSS Level 1 certified and highly scalable, IXOPAY caters to the needs of enterprise merchants and white label clients, including payment service providers (PSPs), acquirers and independent sales organizations (ISOs). Built upon modern, easily extendable architecture, IXOPAY provides smart transaction routing with cascading, state-of-the-art risk and fraud management, fully automated reconciliation and settlements processing, comprehensive reporting and access to hundreds of acquirers, payment service providers and alternative payment methods.

IXOPAY is trusted by national and international enterprises and has offices in Austria and the USA. The owner-led and financed company has grown from 2 to nearly 100 employees by delivering innovative eCommerce solutions.

For more information, visit: https://www.ixopay.com

Partner	Name	Description	Duration
IXOPAY GmbH	cookiesConsent	Cookie Banner. Stores your cookie settings.	12 Months
IXOPAY GmbH	_fm	User centric security cookie to detect authentication abuses. Filters out computer/bot generated Website requests.	30 Minutes
Google Ireland Limited	reCAPTCHA	User centric security cookie to detect if a human being or a computer is making a specific entry in our contact or newsletter form.	6 Months
Cloudflare Inc.	cf_clearance	Used by Cloudflare (Website Security Network) to identify trusted web traffic, and protect our website against malicious activity (see Cloudflare's Cookie Informations).	30 minutes

Partner	Name	Description	Duration
Google Ireland Limited	_ga	Analytical cookie set by the service Google Analytics used to distinguish visitors. Collects data about number of visits and user journey.	2 years
Google Ireland Limited	_gid	Analytical cookie set by the service Google Analytics used to distinguish visitors. Collects data about number of visits and user journey.	24 h
Google Ireland Limited	_gat_ua-keynumber	Analytical cookie set by the service Google Analytics used to throttle the request rate, limiting the collection of data on Websites with high traffic.	Session
Google Ireland Limited	_ga_container-id	Cookie set by the service Google Analytics 4. The cookie is used to persist session state.	12 month
Microsoft Ireland Operations Limited	Clarity	Analytical service capturing your interactions on the Website such as how the page has rendered and what interactions you had on the Website (surfing behavior: mouse movements, clicks, scrolls). Microsoft collects or receives personal data from us to provide Microsoft Advertising (see Microsoft Privacy Statements). Sensitive content such as passwords, usernames, and user input are masked before sending to Microsoft.	12 months
Dealfront Group GmbH	_lfa	Analytical service that collects the visitor IP address to detect corporate visits and their geographic location. Leadfeeder only shows company visits, automatically filtering out all users visiting from residential IP addresses. All visit data is aggregated Dealfront Group GmbH / Analytical service that collects the visitor IP address to detect corporate visits and their geographic location. Dealfront only shows company visits, automatically filtering out all users visiting from residential IP addresses. All visitor data is aggregated on the company level (no reference to natural persons). Via a connection to Google Analytics, Dealfront shows company visitors' interactions on the Website (pages viewed, visitor source and duration of session). Dealfront also enriches that company data with contact data for individuals from publicly available data sources (eg. LinkedIn).	24 months

Partner	Name	Description	Duration
Google Ireland Limited	_gcl_au	Conversion-cookie set by the service Google Ads for assessing advertisement efficiency across our Websites and on websites of our marketing- & advertising partners.	3 months
Google Ireland Limited	_gac_gb_container-id	Cookie which connects Google Analytics und Google Ads. Google Ads website conversion tags will read this cookie.	90 days
Microsoft Ireland Operations Limited	Universal Event Tracking (UET)	Conversion-cookie set by the service Microsoft Advertising for assessing advertisement efficiency across our Websites and on websites of our marketing- & advertising partners. In general, the cookie in the relevant domain and your IP address are passed to Microsoft with every http request and not just via UET.	13 months