What is the purpose of Credentials on File (MIT Framework)?
While credentials on file made its first appearance in 2018 in the Canadian market through Visa it was not adopted throughout the rest of the world or issuers until now. Over the last year, online merchants across Europe have seen an increase in security surrounding customer privacy. This focus has led to new changes within the payment industry, by implementing what is now known as Secure Customer Authentication. This protocol contains two main features, one is the launch of 3D Secure 2.0 which we will discuss at a later date, and the second is Credentials on file or more commonly known in Europe as the MIT framework. Just like in Canada, Europe is also implementing Credentials on File which will provide further security against fraud by using what is known as the issuer ID. The Issuer ID is a value that will be provided back to the gateways by the Issuing Bank and will be required for all subsequent transactions. Throughout this article, we will discuss the benefits and necessities of Credentials on File as well as how it works.
Let’s start with understanding the purpose behind Credentials on file and when would it be used. Credentials on File is a mandate that was released by Visa in order to reduce the number of fraudulent and chargeback transactions that occur within the eCommerce payment industry. While the initial framework for credentials on file was launched by Visa back in 2018, Mastercard has also recently adopted this mandate and will begin enforcing these changes this year in 2020. Credentials on file works in a two-step process the first being the customer-initiated transaction where Visa or MasterCard identifies that the customer’s credit card is now being stored to the issuing bank. The second step is when the Merchant provides the appropriate issuer ID when sending their subsequent Merchant Initiated Transaction. In order for Merchants to use the credentials on file, the first transaction must contain the security code (CVV), in order for the issuing bank to verify that the customer was present before assigning the Merchant with the Issuer ID for that credit card which will need to provide on any subsequent transaction which may occur. The purpose of implementing the Credential on File mandate is to demonstrate to the issuing bank that both the customer and Merchant having an existing relationship approved by the customer.
With this in mind, What are the benefits of implementing the Credentials on File framework, and what will happen if Merchants choose not to?
When it comes to collecting the CVV from consumers it is only used as a fraud tool and is not required for completing the transaction. However, when the CVV is sent there is a level of chargeback protection which the Merchant receives for going through an additional fraud check vs just validating the funds on the card. Not only are Merchants provided better protection against chargeback they will also receive a higher authorization rate when submitting subsequent transactions through their payment processor. The question then becomes what are the implications of not being compliant with this new framework. Put simply any Merchant initiated transaction which is sent for processing without the Issuer ID opens the Merchant up to an increased failure rate for those transactions, as well as the possibility for an increase in chargebacks from customers.
Credentials on File is the basis of Secure Customer Authentication and is becoming the standard for all types of Merchant Initiated transactions. Not only is this mandate being adopted by other Card issuer brands we are also starting to see it being used for recurring transactions across different mandates as well. For example, as 3DS 2.0 is being rolled out in Europe payment gateways are using the Credential on File framework as a requirement for all 3DS recurring transactions as well with some gateways completely removing the traditional recurring flag protocol and strictly applying Credential on File mandates. While issuers begin to increase customer privacy and security revolving credit card processing Merchants will be required to change their current payment processes in order to meet these new and future mandates. While implementing these new mandates may be an initial challenge for some Merchants, the overall goal is to protect their revenues by reducing fraud and preventing chargebacks, this starts with earning the customers trust and having their best interests at heart.