Imagine you’re on a shopping spree and ready to snag that trendy new sweater you’ve been eyeing. Instead of typing in your lengthy card number and expiration date for the umpteenth time, you clicked a button that says “Save my card details” the very first time you shopped on the site!
From then on, all you need to do is enter your CVV and OTP, or just swipe, to place the order for your favorite trendy new sweater.
That, my friend, is the magic of a Card-on-File (CoF) transaction.
CoF securely stores your payment card (credit or debit) information with a merchant for future purchases. When you make a purchase, you identify yourself (name, email, etc.) and the stored payment information automatically takes care of the payment.
Various categories of CoF transactions exist, each fulfilling distinct purposes. These categories encompass:
· Recurring payments
· Reauthorized payments
· Incremental payments
· Resubmitted payments
· No-show payments
· Instalments, etc
Some of the real-time use cases of CoF transactions are:
Businesses that offer subscription services such as
· Streaming services (E.g.: Netflix, Amazon Prime, etc)
· Software-as-a-Service (SaaS) providers (E.g.: Adobe, Microsoft, etc)
· Subscription boxes (E.g.: BarkBox, Fabfitfun, etc)
Ola, Uber, etc
Food Delivery Apps
Swiggy, Zomato, etc
Travel and Hospitality
Booking.com, Airbnb etc
Amazon, Flipkart, etc
PhonePe, Google Pay wallets, etc
CoF is not restricted to the above examples; it is also used in many other scenarios.
Initiation of CoF transaction
Two types of CoF transactions exist. Both require a prior purchase where the merchant securely stores the card details. However, before processing further charges, the merchant must obtain explicit authorization. With proper authorization, either the customer or the merchant can initiate the transaction.
i) Merchant Initiated (MIT)
Merchant-Initiated Card-on-File Transactions (MITs) are initiated by the merchant rather than the cardholder. These transactions are contingent upon the cardholder having previously initiated a transaction with the merchant and having granted consent for future use. MITs are typically categorized as either one-time or recurring transactions. These transactions serve various purposes like club memberships, donations, etc.
To enable MITs, the cardholder must not only store their card information but also grant explicit authorization for the merchant to initiate payments without requiring their direct participation.
ii) Cardholder Initiated (CIT)
When a cardholder engages in a purchase on a merchant’s platform, they input their card details into the payment gateway. The gateway then processes the payment and transfers the funds into the merchant’s account. This entire process is initiated and completed by the cardholder, requiring no action from the merchant. This is known as Cardholder-Initiated Card-on-File Transactions (CITs).
In CITs, the cardholder is actively present during the sale, providing their payment credentials. The term “present” does not strictly imply physical presence; a CIT can occur through an in-store terminal or online via a checkout experience. The crucial aspect is that the cardholder takes the initiative by choosing to pay with the card information previously stored on file with the merchant.
Pros and Cons of CoF
Pros
1. Preferred Payment
· Enables cardholders to use their preferred payment method consistently.
· For Merchants, it enhances customer retention by simplifying the payment process.
2. Faster Transactions
· Significantly speeds up transactions by eliminating the need to re-enter payment details.
· Reduces checkout time.
3. Single-Click Billing
· Facilitates one-click billing, streamlining the payment process.
· Enhances speed and convenience for both customers and businesses.
4. Flexible Billing Options
· Provides a simple solution for debt repayment, installment plans, and recurring billing.
· Offers businesses flexibility in managing billing cycles.
5. Easy Card Updates
· Effortlessly allows customers to update their card details when needed.
· Ensures seamless service continuation without disruptions.
Cons
1. Security Concerns
· Security risks associated with storing card information online.
· Some websites may be susceptible to malicious activities like spyware or keylogging, leading to potential card information theft.
· Cautious customers may hesitate to engage in CoF transactions due to these security concerns.
2. High Transaction Costs
· Card networks often charge high fees for CoF transactions.
3. Card Changes and Failures
· Merchants/Cardholders may encounter issues when cardholders change their cards (due to expiration, loss, or theft).
While the benefits of CoF are numerous, concerns about security risks, high transaction costs, and potential payment failures when cards change are potential drawbacks.
The convenience of storing customer card information for streamlined checkout comes at a significant cost: inherent security risks.
PCI DSS regulations mandate the secure storage and protection of cardholder data from unauthorized access and breaches. This is where Card-on-File Tokenization (CoFT) emerges as a robust security solution.
The Reserve Bank of India (RBI) has also extended tokenization to CoF transactions: the framework introduced in January 2019 and August 2021 for device-based tokenization also encompasses CoF transactions.
Card issuers can act as token service providers, requiring explicit customer consent and an additional factor of authentication. This extension also includes consumer devices like laptops, desktops, wearables, and IoT devices. The circular reinforces card transaction security without compromising convenience.
Card on File Tokenization (CoFT)
Card-on-file tokenization operates through a simple yet ingenious mechanism. Sensitive card data elements like the PAN (Primary Account Number), CVV (Card Verification Value), and expiry date are replaced with unique, randomly generated alphanumeric identifiers called “tokens.”
These tokens function as secure surrogates for the actual card information, enabling merchants to process payments without ever possessing the sensitive details themselves.
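The token flow described above, as an added example rather than code from the article or from any payment network: `TokenServiceProvider`, `Merchant`, the merchant id and the test card number are constructed for illustration, and binding a token to the requesting merchant is an assumption of this sketch.

```python
import secrets

class TokenServiceProvider:
    """Toy vault: the only party that can map a token back to card data."""

    def __init__(self):
        self._vault = {}  # token -> (pan, expiry, merchant_id)

    def tokenize(self, pan, expiry, merchant_id, consent, afa_passed):
        # Per the article, a token is issued only with explicit customer
        # consent and an additional factor of authentication (AFA).
        if not (consent and afa_passed):
            raise PermissionError("consent and AFA required")
        token = secrets.token_hex(8)  # random: reveals nothing about the PAN
        self._vault[token] = (pan, expiry, merchant_id)
        return token

    def authorize(self, token, merchant_id, amount):
        # Assumption: a token is bound to the merchant that requested it,
        # so a token leaked from one merchant is rejected everywhere else.
        record = self._vault.get(token)
        if record is None or record[2] != merchant_id:
            return {"approved": False, "reason": "unknown token or wrong merchant"}
        pan, _expiry, _ = record  # real card data is used only on this side
        return {"approved": True, "amount": amount, "card_ending": pan[-4:]}


class Merchant:
    """Keeps only tokens on file; card data is handed to the TSP at enrolment."""

    def __init__(self, merchant_id, tsp):
        self.merchant_id = merchant_id
        self.tsp = tsp
        self.cards_on_file = {}  # customer -> token

    def save_card(self, customer, pan, expiry, consent, afa_passed):
        self.cards_on_file[customer] = self.tsp.tokenize(
            pan, expiry, self.merchant_id, consent, afa_passed)

    def charge(self, customer, amount):
        # Only the token leaves the merchant; the TSP resolves the card.
        return self.tsp.authorize(self.cards_on_file[customer], self.merchant_id, amount)


if __name__ == "__main__":
    tsp = TokenServiceProvider()
    shop = Merchant("shop-01", tsp)  # constructed merchant id
    shop.save_card("alice", "4111111111111111", "12/30", True, True)  # test PAN
    print(shop.cards_on_file, shop.charge("alice", 499))
```

A breach of the merchant's `cards_on_file` store exposes only tokens, which fail authorization when presented under any other merchant id.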
In essence, Card-on-File (CoF) transactions mark a transformative leap in payment dynamics, offering unparalleled convenience in the digital era. While their efficiency is undeniable, a responsible approach to security is imperative. The adoption of secure technologies like CoF Tokenization (CoFT) emerges as the linchpin, fostering a harmonious balance between seamless transactions and safeguarding sensitive data.