First, let’s look at what a CoF transaction is and then we can look at how this relates to SCA:
Credential on File (CoF) transactions
Credential on File (CoF) is the process of the cardholder authorising a Merchant to store their credentials (including but not limited to an account number or payment token), so the same Merchant can use them again at a later date.
CoF is a requirement from Visa and Mastercard. It gives all parties greater visibility into transaction processing by identifying the initial storage and subsequent usage of stored credentials, so that the risk level can be determined. If you offer cardholders the option to store their credentials for future use or recurring payments, you are required to have cardholder consent and you must follow Visa and Mastercard rules.
A stored credential can be cardholder or Merchant initiated:
Cardholder Initiated (CIT)
In this type of transaction, the cardholder actively selects the card to use and completes the transaction using previously stored details. CITs are limited to Sale, Pre-authorisation and account verifications.
Merchant Initiated (MIT)
In this type of transaction, the Merchant submits a transaction using previously stored details without the cardholder’s participation. An MIT can only be processed on the basis of a previous CIT. An example of this is a recurring payment.
How does this relate to SCA?
Transactions such as MITs are considered to be out of scope of the Strong Customer Authentication (SCA) mandate, so they are not subject to SCA. Where the initial payment is set up through a remote electronic channel, SCA is recommended if there is a risk of fraud, but it should not be necessary for subsequent payments initiated by the Merchant.