Storing payment credentials for future purchases


Follow these instructions when using Account Checks to store the customer’s payment credentials for future purchases.




To reduce fraud, Visa has mandated that all merchants with a Merchant Category Code (MCC) of 6012 send additional fields in AUTH and ACCOUNTCHECK requests.


Failure to submit these fields will result in a “60025” (Invalid request) error being returned in the response.



Mandate considerations

Process overview

A stored credential is information (including, but not limited to, an account number or payment token) that is stored in order to process future transactions.

The process of storing credentials for future use is known as Credentials on File (CoF).


Visa and Mastercard have mandated that you must obtain cardholder consent before storing card details for future use, and that you must flag the stored credentials at the time of the first authorisation by submitting the credentialsonfile field in your requests.

You must also flag any subsequent payments that are utilising previously-stored credentials, by including the credentialsonfile field in these requests.



Identifying transactions as using CoF provides the following advantages:




Drop-In View Controller

You can update your Drop-In View Controller to process an Account Check by passing the typeDescriptions list, as shown in the example below:

let dropInVC = ViewControllerFactory.shared.dropInViewController(
	jwt: jwt,
	// Request an Account Check as the only request type.
	typeDescriptions: [.accountCheck],
	payButtonTappedClosureBeforeTransaction: { (controller: DropInController) in },
	successfulPaymentCompletion: { (
			jwt: String,
			responses: [JWTResponseObject],
			successMessage: String,
			cardReference: TPCardReference?
	) in
		// Account Check succeeded; handle the response JWT here.
	},
	transactionFailure: { (
			jwt: String?,
			responses: [JWTResponseObject]?,
			errorMessage: String,
			error: NSError?
	) in
		// Account Check failed; do not store or reuse these card details.
	}
)

Because only an Account Check is being performed, no funds are reserved on the customer’s bank account as part of this request. They will not be charged.



Update the payload submitted within your JWT to include the additional field, credentialsonfile, with value set to “1”:

"credentialsonfile": "1"


If the credentialsonfile field has been submitted in the request and it is supported by the acquirer processing the transaction, it is returned in the response JWT.
If the parent response indicates an error occurred (errorcode is not “0”), the credential cannot be considered a stored credential, and you must not use these card details in any subsequent payments.
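One way to apply the two rules above on your server before recording a credential as stored, shown as an added example that is not part of the SDK or the original page. It assumes the response JWT is signed with HS256 using your shared secret and that the responses sit under payload.response; the function names and sample values are hypothetical.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verified_claims(token: str, secret: bytes) -> dict:
    """Return the JWT claims only if the HS256 signature is valid."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        raise ValueError("malformed JWT") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected JWT algorithm")  # rejects "none" and alg swaps
    signed = f"{header_b64}.{body_b64}".encode()
    expected = hmac.new(secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        raise ValueError("bad JWT signature")
    return json.loads(b64url_decode(body_b64))

def may_store_credential(token: str, secret: bytes) -> bool:
    """True only if no response reports an error and the CoF flag came back."""
    claims = verified_claims(token, secret)
    # Assumed layout: {"payload": {"response": [ {...}, ... ]}}
    responses = claims.get("payload", {}).get("response", [])
    if not responses or any(r.get("errorcode") != "0" for r in responses):
        return False  # errorcode other than "0": not a stored credential
    # Conservative choice for this example: require the echoed flag.
    return any(r.get("credentialsonfile") == "1" for r in responses)

def make_sample_token(responses: list, secret: bytes, alg: str = "HS256") -> str:
    """Build a constructed response JWT so the example runs offline."""
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps({"payload": {"response": responses}}).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    ok = make_sample_token([{"errorcode": "0", "credentialsonfile": "1"}], secret)
    failed = make_sample_token([{"errorcode": "60025"}], secret)
    print(may_store_credential(ok, secret), may_store_credential(failed, secret))
```

Because the flag is only echoed when the acquirer supports it, a False result with errorcode "0" means the credential was not confirmed as stored, not that the Account Check failed.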