Credentials on File (Payment Pages)


stored credential is information (including, but not limited to, an account number or payment token) that is stored in order to process future transactions.

The process of storing credentials for future use is known as Credentials on File (CoF).


Visa and Mastercard have mandated that you must obtain cardholder consent before storing card details for future use, and that these must be flagged at the time of the first authorisation, by including the credentialsonfile field in your POST to Trust Payments.

You must also flag any subsequent payments that are utilising previously-stored credentials, by including the credentialsonfile field in these requests.


Examples of situations where the CoF mandate applies:


This mandate came into effect on 30th April 2018.

Requests processed before the cut-off are not affected, but new requests after the cut-off must include the credentialsonfile field.

While this is only mandated by Visa and Mastercard, you can still submit these values in all your requests, and we will ignore them for other payment types.




Identifying transactions as using CoF provides the following advantages:



Initial payment request including CoF

For customers processing a transaction for the first time on your site, you will need to include credentialsonfile=1 in the POST to Payment Pages, as shown in the following example:

It is imperative that the credentialsonfile field is also included in the string used to generate your request site security hash. Failure to do so will result in the customer being shown an “Invalid details” error message.


<form method="POST" action="<DOMAIN>/process/payments/choice">
<input type="hidden" name="sitereference" value="test_site12345">
<input type="hidden" name="currencyiso3a" value="USD">
<input type="hidden" name="mainamount" value="100.00">
<input type="hidden" name="version" value="2">
<input type="hidden" name="stprofile" value="default">
<input type="hidden" name="credentialsonfile" value="1">
<input type="submit" value="Pay">

Replace <DOMAIN> with a supported domain. Click here for a full list.


If an error occurs (errorcode is not “0”), the credential cannot be considered a stored credential, and you must not use these card details in any subsequent payments.
Returning customers


If you are processing a new payment using previously-stored credentials, you will need to include credentialsonfile=2 in the new request.




Processing Merchant Initiated Transactions

Transactions processed by the merchant are called Merchant Initiated Transactions (MIT).

Visa mandate that you must provide a reason for processing MIT.


This does not apply to Customer Initiated Transactions (CIT).
Refer to the following resources to learn more: