Visa’s Stored Credentials Program

The Visa Stored Credentials Program comes into effect on October 14, 2017. This new program is designed to improve transaction processing for both merchants and customers. All merchants who store payment credentials on file will be impacted by this new program.
Recurring billing, subscription services, and m-commerce are on the rise: these are all transactions that can benefit from this update. The Visa Stored Credentials Program supports better storage and tracking of such transactions, making it easier to stop transactions that are likely to result in chargebacks.
Consumers want the ease-of-use and simplicity that comes with storing their data on file. The consumer drive is for faster payment authorizations and simpler checkout interfaces. This consumer demand, along with forecasted sales numbers, has stimulated change in how stored credentials are managed and processed.
The Visa Stored Credentials Program
This new program impacts merchants, acquirers, payment facilitators (PF), and staged digital wallet operators (SDWO) who process stored cardholder credentials. Merchants who support recurring billing, subscription purchases, e-commerce, or m-commerce transactions will be most impacted by the Visa Stored Credentials Program.
When stored credential transactions are easily identifiable, authorization and processing will be improved. According to Visa, this will result in:

  • Greater visibility of transaction risk levels for issuers
  • Results in higher authorization approval rates and completed sales
  • Fewer customer complaints and improved cardholder experience
  • Allowing participation in Real Time Visa Account Updater Service

The Visa Stored Credentials Program should allow merchants and payment solutions to track how and where sales are originating and to reduce the number of fraudulent transactions. 
What Are Stored Credentials?
Visa defines a stored credential as “information (including, but not limited to, an account number or payment token) that is stored by a merchant or its agent, PF, or SDWO to process future purchases for a cardholder.”
These stored credentials are used in cardholder initiated transactions or merchant initiated transactions.

  • Cardholder initiated transaction. The cardholder is an active participant in the transaction.
  • Merchant initiated transaction. The merchant has received consent from the cardholder to store payment credentials for subsequent use. The cardholder does not need to give approval for these future charges.

Typically, merchant initiated transactions are used in subscription services, recurring billing agreements, or in instances where the cardholder has agreed to additional charges based on usage. For example: magazine subscriptions, pay-per-view television charges, or additional charges for use of a mini-bar in a hotel room.
Visa Stored Credentials Program Requirements
Merchants should review and fully understand the complete requirements of the Visa Stored Credentials Program, as detailed in the Improving Authorization Management for Transactions with Stored Credentials guide.
Merchants should ensure that by October 14, 2017 they have updated their authorization and checkout pages to comply with the new stored credentials program.

  • Cardholder consent for credential storage is required.
  • Tell cardholders how this data is stored and used.
  • Update consenting cardholders on any changes to the merchant’s terms of use for this data.
  • Merchants must comply with the new Store Credentials indicators to identify the initial storage and usage of stored payment credentials. Review the Stored Credential Transaction Framework for details on these indicators.

It’s important for merchants to understand that this consent is required for all new transactions, as of October 14, 2017. Merchants are not required to obtain retroactive consent from cardholders for whom this data is already being stored and used.
The proper identification of these stored credentials, including how they are used, is critical in complying with the Visa Stored Credentials Program. Merchants must fully understand these requirements and ensure that their payment solution supports these labelling and processing changes. (Read the sections titled Global Stored Credential Transaction Framework Mandates and Use and Definition of Value “C” in the POS Environment Field for clear details on labelling.)
Getting Cardholder Consent for Stored Credentials
Merchants should clearly communicate to cardholders how and why their data is being collected and stored. Remind cardholders that this storage improves security by eliminating the risk of stolen data, and that this stored data improves transaction processing speeds.
Merchants must comply with specific consent requirements for these stored credentials, including:

  • Only storing a truncated version of the cardholder data
  • Informing the cardholder of specifically how this data will be used
  • Providing details on the consent agreement expiration data and how the cardholder is to be notified of any changes to the agreement

Additionally, merchants should follow standard recommended best business practices of providing clear refund policies, the complete schedule for recurring/subscription charges, details on surcharges, and how to contact the merchant for questions.
Getting Ready for October 14, 2017
The details of the Visa Stored Credentials Program were first made available to merchants in the October 2016 and again in April 2017 Visa Global Technical Letter and Implementation Guide and Visa Rules. Visa recommends you refer to these two guides for full details on compliance with the new program.
Please contact us for more information about the new program requirements and how they impact you. Our team of payments solutions experts are happy to answer any questions to ensure your solutions comply with the Visa Stored Credentials Program.