scitech talk

Stored credential best practices

Abdullah Al-Shamim

15 March, 2021 12:00 AM

The recent surge in digital commerce, together with new business models emerging almost daily, has increased the number of transactions in which a payment agency (a retailer, its agent, or a payment facilitator (PF)) uses payment credentials (i.e., account details) that the cardholder previously stored for future use.

This has also increased the risk attached to such transactions. Those risks can be greatly reduced by following correct transaction processing protocols and procedures, which is why best practices were developed so that stakeholders can take full advantage of the Stored Credential Transaction framework.

Stored credential transactions fall into two types: cardholder-initiated transactions (CIT) and merchant-initiated transactions (MIT). A cardholder-initiated transaction is a card-absent transaction in which the cardholder does not need to enter their card details, because the merchant or its agent submits the transaction using the payment credential the cardholder previously stored.

A merchant-initiated transaction is one the merchant performs without the cardholder's active participation, either as a follow-up to an earlier cardholder-initiated transaction or to fulfil a pre-agreed standing instruction for the supply of goods or services. Storing a credential only to complete a single transaction or purchase does not make it a stored credential transaction.

Before storing a credential for future use, the payment agency must first obtain the cardholder's agreement, setting out how the stored credential will be handled and all other relevant terms. The cardholder should be shown only a truncated form of the credential (i.e., the first few digits and the last four digits of the PAN), never the full account number.
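The truncation rule above is the one piece of the article a developer has to implement directly, and getting it wrong leaks full card numbers into receipts, emails and logs. The following is an added example, not code from the article or from Kona Software Lab: it validates a PAN (length and Luhn check) before masking it, and caps the visible digits at the first six and last four, which is the maximum PCI DSS permits on a display. The function names and the sample card number 4111 1111 1111 1111 (a well-known Luhn-valid test number, not a real account) are my own choices.

```python
# Added example: masking a stored PAN for display to the cardholder.
# Not from the article or from Kona Software Lab; helper names are my own.
# PCI DSS requirement 3.3 allows at most the first six and the last four
# digits of a PAN to be shown, so those are the hard caps used below.
import re

MAX_LEAD = 6    # PCI DSS display cap on leading digits
MAX_TRAIL = 4   # PCI DSS display cap on trailing digits


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Used here only as a sanity check that what we are about to store or
    display is at least well-formed; it is not a fraud control.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise_pan(pan: str) -> str:
    """Strip spaces/dashes and reject anything that is not a plausible PAN."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    if not luhn_valid(digits):
        raise ValueError("PAN fails Luhn check")
    return digits


def mask_pan(pan: str, lead: int = 6, trail: int = 4) -> str:
    """Return the PAN with only `lead` leading and `trail` trailing digits visible.

    The caller may ask for fewer visible digits (e.g. lead=4 on a receipt)
    but never for more than the PCI DSS caps.
    """
    digits = normalise_pan(pan)
    lead = max(0, min(lead, MAX_LEAD))
    trail = max(0, min(trail, MAX_TRAIL))
    hidden = len(digits) - lead - trail
    if hidden <= 0:             # unreachable for 13+ digit PANs, kept as a guard
        raise ValueError("nothing left to mask")
    return digits[:lead] + "*" * hidden + digits[-trail:]


if __name__ == "__main__":
    # Constructed sample: a well-known Luhn-valid test number, not a real card.
    sample = "4111 1111 1111 1111"
    print(mask_pan(sample))            # 411111******1111
    print(mask_pan(sample, lead=4))    # 4111********1111
```

Store the masked string alongside the token or reference you keep for the credential, and render only that string in confirmations and in any log line; the full PAN should never reach either place.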

The cardholder should also be told how any modifications will be communicated, when the consent agreement expires, and how the stored credential will be used. In addition, cardholders should be informed in advance of the cancellation and refund policies, the merchant's location, the transaction amount or how it will be calculated, any convenience fee or surcharge (where permitted and applicable), the transaction frequency (recurring) or triggering event (unscheduled), and, for installment payments, the total purchase price and the terms of future payments.

If the agreement is modified, the cardholder must be notified of the change. The consent agreement should be retained for the duration of the consent period, and its relevant details provided to the issuer on request. Where applicable laws or regulations require it, a record of the consent should also be given to the cardholder.

The merchant or its agent must authenticate the cardholder before processing a cardholder-initiated transaction with a stored credential. For installments, receipts must be provided; if the cardholder cancels the installment plan under the terms of the termination policy, the payment agency must provide written cancellation or refund confirmation, together with a credit transaction receipt for the amount specified in the cancellation policy, within three business days. Local laws and regulations must be adhered to as required.

Kona Software Lab Limited, the Bangladesh branch of Kona I Co., Ltd., a South Korean smartcard and security industry pioneer, has been working on a secure payment platform and a range of security solutions for its local and international clients.

Accordingly, these best practices, in line with global standards, are applied throughout its solutions to ensure smart, secure and uninterrupted services and to improve their quality.


Abdullah Al-Shamim is Senior Manager, Research and Development at Kona Software Lab Limited