Credential on File (COF) is a way of identifying stored card transactions. The location of the stored card details doesn't matter—the details could be held within Global Payments card storage or stored securely by the merchant or by a third party for merchant use.
COF mandate explained
The purpose of the COF mandate from the card brands, such as Visa or Mastercard, is to help reduce fraud by requiring merchants to include certain fields in the authorization message when using a customer’s stored credentials for payments. These COF fields indicate to Issuers and Acquirers that the merchant has a prior arrangement with the customer to store their card details and potentially to make subsequent payments on their behalf. This benefits the merchant and cardholder by identifying a more trusted transaction, which can enable scenarios like one-click checkout or recurring transactions.
Use cases
Transactions using stored card details may be customer-initiated or merchant-initiated.
In a customer-initiated transaction (CIT), the customer actively participates in a payment transaction with the merchant, where their card details have previously been stored. This could be the initial transaction before a sequence of recurring payments or where the customer makes a subsequent payment using their merchant-stored card details (one-click checkout).
In a merchant-initiated transaction (MIT), the merchant uses stored card details to raise a payment for which the customer has previously given consent, e.g. a monthly gym membership or subscription. No involvement from the cardholder is required for an MIT. For more information on MITs, see our Merchant-Initiated Transactions article.
The following table describes the required COF fields.
| Required COF Field | Description |
|---|---|
|
Type |
The relationship type the customer agreed to with the merchant and the category of transaction being processed. Allowed values:
recurring - Payment with no fixed duration that continues until the customer cancels. |
| Initiator | The initiator of the transaction. Allowed values:
cardholder |
| Sequence | Indicates the stage of card storage. Allowed values:
first |
| Scheme Reference Data (SRD) | Unique identifier provided by a card scheme, such as Visa or Mastercard, that links to the payment history between the customer and merchant. Also referred to as Transaction ID or Trace ID, depending on the card scheme. This will appear in the response message of an initial transaction. |
These fields can be used together in the following ways:
| Example | Customer Signup | Online Retail: One-Click Checkout | Gym Membership | Car Payments | Account Auto Top-up |
|---|---|---|---|---|---|
| Scenario | CIT: Customer agrees to store a card for the first time | CIT: Unscheduled payments triggered by the cardholder | MIT: Subscription or variable amount billing agreement | MIT: Regular payments for a fixed term | MIT: Unscheduled payments triggered by the merchant |
| Type | oneoff | oneoff | recurring | installment | oneoff |
| Initiator | cardholder | cardholder | merchant | merchant | merchant |
| Sequence | first* | subsequent | subsequent | subsequent | subsequent |
| SRD | not required | not required | required | required | required |
| *The cardholder must successfully complete a challenge on all COF initial (Initiator:cardholder Sequence:first) transactions to confirm the merchant has authority to process subsequent MITs. To ensure this happens, set the “Challenge Mandated” flag (see Initiate Authentication in our 3D Secure article) when going through 3D Secure for all CIT First authentications. | |||||
In the following sections, we provide information on flagging COF transactions whether you’re using direct API calls or our Hosted Payment Page (HPP) and whether you’re using the Global Payments Card Storage solution or a third-party card storage.
API and our card storage
When using Global Payments Card Storage solution for one-off and recurring transactions, if you don’t flag the transaction, we’ll automatically populate the required fields for you.
For any payment type and any card storage method you choose, you can still manage all of the messaging yourself, as outlined above.
Flag a COF
First payment - CIT
Use the flags below for a CIT first payment. In this example the customer and card have already been stored, and we use a receipt-in request as the CIT first, taking a payment from the stored card. It is also possible to store the card and process a receipt-in-OTB as the CIT first, or to carry out a CIT first authorization or OTB just before storing the card with a card-new request, as outlined in our Merchant-Initiated Transactions article.
- 3D Secure flags to indicate that SCA was performed:
- ECI
- Directory server transaction ID
- Authentication value
- Message version
- Stored credential information:
- Type - set to oneoff
- Initiator - set to cardholder
- Sequence - set to first
Sample request
<request type="receipt-in" timestamp="20200614095601">
<merchantid>MerchantId</merchantid>
<account>internet</account>
<channel>ECOM</channel>
<orderid>AiCibJ5UR7utURy_slxhJw</orderid>
<amount currency="EUR">1001</amount>
<autosettle flag="1" />
<payerref>03e28f0e-492e-80bd-20ec318e9334</payerref>
<paymentmethod>3c4af936-483e-a393-f558bec2fb2a</paymentmethod>
<paymentdata>
<cvn>
<number>123</number>
</cvn>
</paymentdata>
<storedcredential>
<type>oneoff</type>
<initiator>cardholder</initiator>
<sequence>first</sequence>
</storedcredential>
<mpi>
<eci>5</eci>
<ds_trans_id>c272b04f-6e7b-43a2-bb78-90f4fb94aa25</ds_trans_id>
<authentication_value>ODQzNjgwNjU0ZjM3N2JmYTg0NTM=</authentication_value>
<message_version>2.1.0</message_version>
</mpi>
<sha1hash>f0b45f1d7aed21e7476c11c22c124f5a44a9c59a</sha1hash>
</request>
Subsequent payment - MIT Example
For a receipt-in request, use the flags below for an MIT recurring subsequent payment. Other types of MITs are also possible within the scenarios outlined in the Use Cases section above.
- 3D Secure flags to indicate that SCA was performed:
- Not applicable. The request is merchant initiated and out of scope for SCA.
- Stored credential information:
- Type - must be set to recurring
- Initiator - must be set to merchant
- Sequence - must be set to subsequent
- Scheme reference data (SRD) - the SRD provided by card scheme in the initial CIT payment response must be included in a subsequent MIT. If a successful authorization has already taken place on the stored card, the SRD from that transaction will have been stored against the card by Global Payments. In that case you can omit this field as that stored SRD will automatically be added during transaction processing.
Sample request
<request type="receipt-in" timestamp="20200614095601">
<merchantid>MerchantId</merchantid>
<account>internet</account>
<channel>ECOM</channel>
<orderid>AiCibJ5UR7utURy_slxhJw</orderid>
<amount currency="EUR">1001</amount>
<autosettle flag="1" />
<payerref>03e28f0e-492e-80bd-20ec318e9334</payerref>
<paymentmethod>3c4af936-483e-a393-f558bec2fb2a</paymentmethod>
<paymentdata>
<cvn>
<number>123</number>
</cvn>
</paymentdata>
<storedcredential>
<type>recurring</type>
<initiator>merchant</initiator>
<sequence>subsequent</sequence>
<srd>MMC0F00YE4000000715</srd>
</storedcredential>
<sha1hash>f0b45f1d7aed21e7476c11c22c124f5a44a9c59a</sha1hash>
</request>
HPP and our card storage
When using the Hosted Payment Page (HPP) with Global Payments Card Storage solution for one-off and recurring transactions, we automatically populate the required fields for you.
Regardless of payment types or if you’re using our Card Storage solution, you can still manage all of the messaging yourself. For a complete guide on how to do this for the HPP, see Card Storage.
Flag a COF
As mentioned above, the HPP automatically handles COF flagging for you, but you can override the default HPP flag settings if necessary.
First payment - CIT
When a customer is making a first payment and storing their card, the HPP sets the CoF flags by default to:
- Sequence = first
- Type = oneoff
- Initiator = cardholder
Subsequent payment - CIT
When a customer is making a subsequent payment and storing their card, the HPP sets the CoF flags by default to:
- Sequence = subsequent
- Type = oneoff
- Initiator = cardholder
You can override the default and use what’s applicable instead within the scenarios defined under the "Use cases" section, using this format:
<input type="hidden" name="HPP_STORED_CREDENTIAL_SEQUENCE" value="subsequent">
<input type="hidden" name="HPP_STORED_CREDENTIAL_TYPE" value="oneoff">
<input type="hidden" name="HPP_STORED_CREDENTIAL_INITIATOR" value="cardholder">
API and third-party card storage
When using third-party card storage for one-off and recurring transactions, you must populate all COF values, as we don’t have access to the appropriate values.
Flag a COF
First payment - CIT
Use the flags below to correctly flag a CIT first payment.
- 3D Secure flags to indicate that SCA was performed:
- ECI
- Directory server transaction ID
- Authentication value
- Message version
- Stored credential information:
- Type - oneoff
- Initiator - must be set to cardholder
- Sequence - must be set to first
Sample request
<request type="auth" timestamp="20200613141207">
<merchantid>MerchantId</merchantid>
<account>internet</account>
<channel>ECOM</channel>
<orderid>N6qsk4kYRZihmPrTXWYS6g</orderid>
<amount currency="EUR">1001</amount>
<card>
<number>4263970000005262</number>
<expdate>0425</expdate>
<chname>James Mason</chname>
<type>VISA</type>
<cvn>
<number>123</number>
<presind>1</presind>
</cvn>
</card>
<autosettle flag="1" />
<storedcredential>
<type>oneoff</type>
<initiator>cardholder</initiator>
<sequence>first</sequence>
</storedcredential>
<mpi>
<eci>5</eci>
<ds_trans_id>c272b04f-6e7b-43a2-bb78-90f4fb94aa25</ds_trans_id>
<authentication_value>ODQzNjgwNjU0ZjM3N2JmYTg0NTM=</authentication_value>
<message_version>2.1.0</message_version>
</mpi>
<sha1hash>87707637a34ba651b6185718c863abc64b673f20</sha1hash>
</request>
Subsequent payment - MIT
Use the flags below for an MIT recurring subsequent payment MIT. Other types of MITs are also possible within the scenarios outlined in the "Use cases" section.
- 3D Secure flags to indicate that SCA was performed:
- Not applicable. The request is merchant initiated and out of scope for SCA.
- Stored credential information:
- Type - must be set to recurring
- Initiator - must be set to merchant
- Sequence - must be set to subsequent
- Scheme reference data (SRD) - include the SRD provided in the response of the initial CIT payment
Sample request
<request type="auth" timestamp="20200717131101">
<merchantid>MerchantId</merchantid>
<account>internet</account>
<channel>ECOM</channel>
<orderid>N6qsk4kYRZihmPrTXWYS6g</orderid>
<amount currency="EUR">1001</amount>
<card>
<number>4263970000005262</number>
<expdate>0425</expdate>
<chname>James Mason</chname>
<type>VISA</type>
<cvn>
<number>123</number>
<presind>1</presind>
</cvn>
</card>
<autosettle flag="1" />
<storedcredential>
<type>recurring</type>
<initiator>merchant</initiator>
<sequence>subsequent</sequence>
<srd>5RRH9LmrvUVbRI6l</srd>
</storedcredential>
<sha1hash>72823f0924b0e9e2ad4fa486cb00907b5a92b660</sha1hash>
</request>