Card on File

What is a card on file transaction?

Card on file transactions are transactions where the card details are stored, i.e. kept on file, rather than being entered by the cardholder directly. There are two ways these transaction can be initiated:

By the cardholder, where their payment details have been stored for reuse at checkout.
By the merchant, where the cardholder has given the merchant permission to initiate payments using the card, typically for recurring payments such as subscriptions.

Card on file is often abbreviated to COF. The COF abbreviation can also refer to “Credentials on File”, which has the same meaning - stored payment credentials are used rather than being entered by the cardholder at checkout.

What requirements are there to be able to store card details?

Storing credit card details requires adhering to strict PCI DSS requirements. These requirements are mandated by the credit card schemes. There are various levels of certification that depend on the volume of transactions processed and whether credit card details are stored directly or by a third party.

The PCI DSS requirements are designed to ensure that sensitive card details are stored securely to protect them from malicious actors. As meeting these requirements is costly and requires annual audits, merchants typically outsource the storage of card details in a secure vault to a third party (e.g. IXOPAY). Most merchants opt for this option, as it significantly reduces their PCI DSS scope and associated costs, replacing the need for annual audits with a simple self assessment questionnaire (SAQ). However, if merchants meet all the requirements, have the necessary infrastructure in place and are willing to undergo annual audits, merchants can store credit card details in their own vault.

How are card on file transactions processed if the card details are not stored at the merchant?

To ensure that merchants can process card on file transactions without storing the credit card details locally, a security mechanism called tokenization is used. When the customer enters their credit card details for the first time, the encrypted details are sent directly to the vault provider for storage in encrypted form. A so-called token is then generated by the vault provider. This token consists of a series of random characters that cannot be reverse engineered to reveal the underlying credit card details. Merchants can store this token without any risk of exposing sensitive data and use the token to reference the card details stored in the vault.

When processing a card on file transaction, the merchant simply includes the token as part of the transaction, along with other information such as the amount to be charged. The token is then used to look up the associated credit card details in the secure vault. These raw card details are then forwarded directly to the payment service provider for processing.

How can merchants ensure that credit card data is stored securely?

The best way for merchants to ensure that credit card details are protected and stored securely is to use a third party vault. This removes the burden from the merchant to ensure that their infrastructure is up to standard and avoids the need for costly annual PCI DSS recertification. It also shifts liability from the merchant to the vault provider.

When using a third party to store credit card details, merchants should ensure that the details are never accessed or processed directly by the merchant. Encrypted card details should be sent directly to the vault provider from the checkout form.

What are the advantages of card on file transactions?

They streamline the checkout process for return customers, avoiding the need for cardholders to re-enter their information each time they make a purchase. Instead, customers can simply select from a previously used payment method they have stored. This speeds up the checkout process, eliminates the risk of entering incorrect information and typically leads to lower cart abandonment rates.
They allow for recurring billing where merchants charge the card at regular intervals, e.g. for subscriptions. The merchant simply charges the card whenever payment is due, with no involvement by the customer. However, merchants need to ensure that the credit card details are always up-to-date or face the risk of a payment failing if the card details have changed (e.g. if a new card is issued because the old one has expired).

How can merchants ensure that credit card data is up to date given that cards are regularly re-issued?

Merchants can either use an account updater, such as IXOPAY’s Account Updater, or rely on network tokens issued by the card schemes.

When using an account updater, credit card details are sent to the schemes on a regular basis to check whether the card details have changed. If so, the information stored in the vault is updated accordingly to ensure that payments can continue to be processed using the card.

Network tokens are tokens that are issued directly by the card schemes. The card schemes ensure that the associated card information is kept up to date. The network token retains its validity even if the underlying card details change, ensuring that the card can continue to be charged.

Partner	Name	Description	Duration
IXOPAY GmbH	cookiesConsent	Cookie Banner. Stores your cookie settings.	12 Months
IXOPAY GmbH	_fm	User centric security cookie to detect authentication abuses. Filters out computer/bot generated Website requests.	30 Minutes
Google Ireland Limited	reCAPTCHA	User centric security cookie to detect if a human being or a computer is making a specific entry in our contact or newsletter form.	6 Months
Cloudflare Inc.	cf_clearance	Used by Cloudflare (Website Security Network) to identify trusted web traffic, and protect our website against malicious activity (see Cloudflare's Cookie Informations).	30 minutes

Partner	Name	Description	Duration
Google Ireland Limited	_ga	Analytical cookie set by the service Google Analytics used to distinguish visitors. Collects data about number of visits and user journey.	2 years
Google Ireland Limited	_gid	Analytical cookie set by the service Google Analytics used to distinguish visitors. Collects data about number of visits and user journey.	24 h
Google Ireland Limited	_gat_ua-keynumber	Analytical cookie set by the service Google Analytics used to throttle the request rate, limiting the collection of data on Websites with high traffic.	Session
Google Ireland Limited	_ga_container-id	Cookie set by the service Google Analytics 4. The cookie is used to persist session state.	12 month
Microsoft Ireland Operations Limited	Clarity	Analytical service capturing your interactions on the Website such as how the page has rendered and what interactions you had on the Website (surfing behavior: mouse movements, clicks, scrolls). Microsoft collects or receives personal data from us to provide Microsoft Advertising (see Microsoft Privacy Statements). Sensitive content such as passwords, usernames, and user input are masked before sending to Microsoft.	12 months
Dealfront Group GmbH	_lfa	Analytical service that collects the visitor IP address to detect corporate visits and their geographic location. Leadfeeder only shows company visits, automatically filtering out all users visiting from residential IP addresses. All visit data is aggregated Dealfront Group GmbH / Analytical service that collects the visitor IP address to detect corporate visits and their geographic location. Dealfront only shows company visits, automatically filtering out all users visiting from residential IP addresses. All visitor data is aggregated on the company level (no reference to natural persons). Via a connection to Google Analytics, Dealfront shows company visitors' interactions on the Website (pages viewed, visitor source and duration of session). Dealfront also enriches that company data with contact data for individuals from publicly available data sources (eg. LinkedIn).	24 months

Partner	Name	Description	Duration
Google Ireland Limited	_gcl_au	Conversion-cookie set by the service Google Ads for assessing advertisement efficiency across our Websites and on websites of our marketing- & advertising partners.	3 months
Google Ireland Limited	_gac_gb_container-id	Cookie which connects Google Analytics und Google Ads. Google Ads website conversion tags will read this cookie.	90 days
Microsoft Ireland Operations Limited	Universal Event Tracking (UET)	Conversion-cookie set by the service Microsoft Advertising for assessing advertisement efficiency across our Websites and on websites of our marketing- & advertising partners. In general, the cookie in the relevant domain and your IP address are passed to Microsoft with every http request and not just via UET.	13 months

Glossary

Card on File