Ever more numerous digital payments and better management tools are helping transform the venerable stored-credential transaction.
As ubiquitous as card-on-file transactions have been, the expectation is that this payment method is poised to grow in volume and importance in coming years, especially as more commerce moves online and consumer comfort with the transaction type increases.
As an example, 36% of U.S. adults, as of January, had used a ride-hailing service. That requires storing payment card credentials in the app or using a wallet that does so, such as Apple Pay or Google Pay. That’s up from 15% in 2015, says the Pew Research Center.
Apps are just one avenue for exploiting the convenience of card-on-file transactions, but it’s one that has a potentially significant growth outlook. Though Javelin Strategy & Research is working on its projections for card-on-file transactions for 2020 through 2023, early data show that 45% of customers made a mobile purchase within a 30-day period, and 63% made a browser-based purchase in the same time frame, says Krista Tedder, director, payments, at the Pleasanton, Calif.-based firm.
Card brands and other payments providers are making it easier for merchants to store a consumer’s payment credentials without the challenges of just a few years ago.
“Merchants have access to a number of encryption technologies which enable them to safely store personally identifiable information,” Tedder says. “The technology generally resides at their payments processor or payment service provider.”
Some methods, such as Apple Pay, Google Pay, Samsung Pay, and Amazon Pay, offer additional security because they create tokens for the cards that are stored in the digital wallets, she says.
Using tokens in lieu of actual card data is safer and makes updating stored data easier when the original card is replaced through expiration, loss, or inclusion in a breach.
Changing Expectations
One major reason for the surge in interest in card-on-file payments (Visa calls it credential-on-file) is that consumer expectations are changing. “They expect frictionless payment experiences,” says Ansar Ansari, Visa senior vice president of digital products. “Therefore, not having to go back and re-enter credit card information after losing your card becomes increasingly important to the consumer.”
Subscription payments are one manifestation of the usefulness of card-on-file transactions, says Julie Conroy, research director for Aite Group’s fraud and anti-money laundering practice. She says these transactions also are essential to e-commerce, which continues to grow. It now accounts for 10.7% of U.S. retail sales according to the U.S. Census Bureau.
More and more merchants want less friction in the checkout process to make a purchase as easy as one click, she says. “The more clicks you can reduce for the customer the more likely they are to fulfill the transaction,” Conroy says.
One of the early standard-bearers for pushing payments to the background is Uber Technologies Inc., the ride-share service. Now, delivery services for groceries and restaurant meals reliably take advantage of this payment method.
Visa’s vested interest in ensuring the integrity and ease of making card-on-file transactions is evident. One way it does that is with the Visa Token Service (other card brands offer similar services), which replaces the actual personal account number throughout the transaction flow, Ansari says. Using the service can result in a 3% improvement in authorization rates and a 67% reduction in fraud chargebacks, he says.
While early tokenization services provided value—especially for security and PCI compliance by reducing the amount of actual card data stored in merchant databases—they did not address problems surrounding reissued cards, says Alisa Ellis, vice president of digital and emerging products at Discover Network.
“[A] problem merchants faced was when card re-issuance or expiration caused their stored card information to become inaccurate and transactions to fail,” Ellis says. “Customers needed to visit each merchant that had stored their card information and manually provide the new card information.”
That’s why account updater tools were created. They enable merchants to submit the stored cards to a network and receive updated information before the customer attempts the next transaction, she says.
Current tokenization services, which Ellis dubs tokenization 2.0, attempts to solve the issue of safely storing card data and eliminating customer inconvenience. “In the new world, EMV-grade network tokens come with a built-in account-update functionality that enables transactions to continue in the case where a primary account number may get outdated, such as when a card is lost, replaced, or expired,” Ellis says.
Discover, she says, is working on additional services for merchants that use card-on-file transactions.
“For instance, some merchants may prefer to keep primary account numbers for continuity of loyalty programs or other reasons,” she says. “For those merchants, we’re improving our account-update solution so that instead of a merchant having to submit their stored cards, we can actually deliver the update within a transaction using the old primary account number, so the very first transaction will succeed and the account will be updated at the same time.”
Discover expects to introduce this capability early next year, Ellis says.
Javelin’s Tedder says account updater tools provide a valuable service to consumers. “Visa and Mastercard require U.S. issuers to participate, which enables the merchants to take advantage of the service at scale,” she says. “With the number of card reissuances due to data-breach events, the EMV migration, and now the move to contactless, consumers are receiving a lot of new cards.”
“We’ve seen a steady increase of merchant card-on-file transactions in the last five years,” Ansari says.
For merchants, such services can be key differentiators, says Aite’s Conroy. “The more you can do to make it super easy to shop on your site … that will increase the throughput through your funnel,” she says, referring to a common e-commerce descriptor for transaction flow.
Risky Business
But there are some issues with card-on-file transactions that must be addressed, experts say. They include: data retention; timeframes for how long merchants can store credentials when a consumer is no longer active; participation in security protocols; and how to incorporate biometrics, Tedder says.
Card-not-present fraud, account takeover (when a criminal masquerades as a legitimate online consumer), and new account fraud will continue to be the challenge, Tedder says.
Though he doesn’t cite data, Ansari says merchant credential-on-file transactions typically have a lower risk of fraud. “Fraud is actually much more likely to happen on a single, independent transaction,” he says. “One of the main benefits of Visa tokenized transactions is that they facilitate more information passed to the issuer, which helps with issuer decisioning.”
That will become more important as EMV 3-D Secure 2.0 enters the market over the coming months. This online fraud-prevention technology sends scores of transaction data to an issuer, which aids their ability to decide on approving or declining a transaction.
“The addition of multifactor authentication, specifically the 3DS 2.0 protocols, which balance security with consumer experience, are promising,” Tedder says.
Other fraud-prevention tools, such as device fingerprinting, can make card-on-file transactions less risky for merchants, Conroy says. “Device fingerprinting is something that a lot of merchants use,” she says. It is a technique to uniquely identify online devices and computers by their distinct characteristics with a reasonable degree of certainty, according to NS8 Inc., an online fraud-prevention provider.
‘A Dramatic Increase’
Another tool card-on-file merchants can use is transactional analytics, which may use machine learning, to evaluate patterns of transactions, Conroy says. Technology that can interrogate an email address for its reputation also may help, she adds. This technology can look at how old the address is and see if it’s been used on other sites. A new email with limited use online may indicate potential fraudulent activity.
Despite the challenges, the prospects for card-on-file transaction growth is very positive.
“Tokens will see a dramatic increase in adoption in the years to come,” Discover’s Ellis says. “With innovation in the payment space, we will see an increase in engagement and commerce via emerging experiences such as connected cards, connected/smart homes, augmented and virtual reality, gaming, and voice.”