Comprehending Credit Card on File Agreements: Essential Points

What Exactly is a Credit Card on File Agreement?

Receiving and holding a consumer’s credit card information is a common occurrence for many businesses, but it is important to note that such information must be handled carefully and with a high regard for protecting the consumer’s sensitive personal information. Consumer confidence in your company is at the foundation of the business relationship and must be maintained while at the same time complying with payment processor obligations, applicable law, and industry standards. It is critical that you, and anyone handling the consumer’s credit card information, understand how to properly protect credit card data that is stored on your computer systems and understand the legal risks associated with said data.
A consumer, client, or customer relationship often begins with the signing of a "credit card on file" agreement (an "agreement"), which gives you the right to hold onto said consumer’s credit card information and submit charges to their credit card that arise from your contractual relationship with the consumer. The following scenarios are examples of when a credit card on file agreement may make sense:
The above scenarios describe a few potential uses that businesses may have for keeping a consumer’s credit card information, but there are likely many others.

Significance of Credit Card on File Agreements for Companies

Credit card on file (CCOF) agreements contain a number of benefits for businesses. Like NACHA, the electronic payments association for the U.S., firms frequently seek business certainty when it comes to funds coming in and going out of their accounts. Sometimes, they are even able to provide terms to third parties, which is not often the case when a new customer starts up with a business. CCOF agreements can also help solve the issue of less than perfect payment histories among customers. Rather than extend credit without some security, businesses can place a hold on a certain amount of charges against the credit card. They can also include their own amounts – depending on what they’re purchasing – toward the balance. With particular advantages for high-ticket items, CCOF terms have become popular with restaurant and hospitality industries, auto dealerships, and other companies with customers of varying payment histories. CCOF arrangements also provide one of the most secure methods of paying bills, which is why they are used by businesses for their employees in many states.

Legality and Compliance Issues

Credit card on file agreements are subject to numerous legal and regulatory requirements. For example:
‐ PCI DSS. PCI compliance standards establish stringent data security requirements for any entity that accepts, transmits, or stores customer credit/debit card information. Requirement 3 of the PCI Data Security Standards focuses on data protection and retention, including requirements for encryption and masking. Requirement 3.1.1 states that "if the first digit of the card number is not used in any printing, a zero (0), filler, or spaces must be used in its place." The associated guidance explains that this applies to printed receipts as well as other materials that might display the entire Primary Account Number ("PAN"). In order to display only a portion of the PAN, with the first digit obscured, "significant effort" may be required as many POS systems are not designed to enable merchants to omit the first digit. Requirement 3.4 discusses encryption methods in which the PAN should be encrypted at the moment of capture and other technical requirements apply. Merchants should consult with their operational and IT departments to determine how to achieve PCI compliance with credit card data storage requirements.
‐ FCRA. The Fair Credit Reporting Act ("FCRA") regulates the collection and dissemination of credit information and imposes requirements on entities receiving "consumer reports" from consumer reporting agencies. Where credit card on file agreements are used to obtain consent to authorize periodic charges or billing, entities may become subject to FCRA requirements when using information that could qualify as a consumer report. The FCRA is discussed with respect to various credit card on file agreement scenarios, including a buy now, pay later product, below. In addition, merchants are subject to penalties for overflow of the information of another consumer that could result in a compromise of a consumer’s confidential information.

Consumer Rights and Protections

Consumers have certain rights and protections under credit card on file agreements as well. Generally, if you authorize a company to store your credit card information electronically and then that information is used in a way that you did not authorize, you have certain rights under the Electronic Fund Transfer Act (EFTA) and Regulation Z (which implements the Truth in Lending Act). In general, the EFTA protects consumers from unauthorized electronic fund transfers, such as if someone makes charges on your credit card without authorization or purposely debits other consumer accounts for unauthorized amounts. The EFTA encourages consumers to review their monthly statements from their card provider to see any unauthorized charges, and, if they see any, to notify their financial institution or credit card provider immediately.
In addition to the EFTA, Regulation Z (which is a Federal Reserve Board regulation to implement the Truth in Lending Act) offers additional protection to users in credit card on file agreements. Under Regulation Z, the consumer may either permanently revoke consent for preauthorized transfers or access to funds, or may temporarily revoke same should the consumer have a good faith belief that the further consent should be revoked. Even if the consumer has previously provided consent, the consumer may intrinsically revoke that consent verbally or in writing, or if the consumer has a hand signature, such practice may be accepted by many companies as well.

Creating a Simple and Straightforward Agreement

To this, we add that a Credit Card on File Agreement should include the following clauses to the extent applicable: (1) assignment; (2) binding effect; (3) confidentiality; (4) governing law; (5) severability; (6) waiver; and (7) entire agreement. Some of the clauses discussed above are routine in everyday business agreements (confidentiality, severability, etc.) while others require further explanation. In the context of an agreement to pay a monthly recurring membership fee, the parties will find it is essential to include a clause in the agreement clarifying the date on which the credit card will be charged each month. Of course, one party may charge the same amount each month while another party only charges the consumer following the consumer’s submission of a new order form. To ensure there is no misunderstanding, the agreement should state the timing and amount of the charge. It is also essential to include clauses spelling out how the parties will deal with any problems arising from the contract or its performance. For example, if Company X agrees to process credit card payments in exchange for a monthly membership fee and fails to do so for an entire month, the consumer may have a strong legal claim against Company X for breach of contract. However, if the agreement is carefully drafted, Company X will likely have an equally strong claim against the consumer for failing to make payment pursuant to the contract.

Because Problems Will Arise

Finally, it is impossible to draft a contract that addresses every conceivable question or dispute that might arise. This is just the nature of business. However, the assumption on both sides should be that the parties are "in it" together for the long haul. The goal should be to resolve disputes amicably and, if necessary, to litigate them in court. In this regard, a well-drafted Credit Card on File Agreement can serve as the basis for resolving a contract dispute in one of two ways.
First, the contract itself should be written in a clear and concise manner and should specifically identify what is being sold and what obligations exist. Second, and just as importantly, the Credit Card on File Agreement should establish a process whereby both parties – ideally – can resolve any disputes without litigation. One possible method would be to require that the parties engage in some type of alternative dispute resolution effort – such as mediation – before either party can litigate any dispute. This method is not fool-proof – for example, a party might be frustrated enough by a breach to immediately file suit rather than mediate for 90 days – but it is certainly worth including. The goal, again, is a good (and enforceable) agreement that protects both parties and allows them to avoid disputes.

Best Approaches for Handling Card on File Payments

Merchants should be proactive in managing card on file agreements with their customers, and ensure that they are doing everything to protect their customers’ information and maintain a good relationship with their customers. Here are some best practices that we have found to be useful:

1. Data Security Precautions

As a merchant that stores cardholder data, you should ensure that you are doing everything possible to comply with PCI DSS and the requirements of your processor or acquiring bank. One way to ensure compliance is to limit the amount of data you keep as a result of a card on file agreement. Do you really need to store all of the information contained in a card on file agreement? For instance, it is generally unnecessary to retain the CVV/CVC numbers on the back of credit cards, as these numbers are only relevant when a cardholder is issuing instructions for a single transaction. If you keep these numbers as part of a card on file agreement, you can potentially be liable in the event of a breach of your security system. Storing these numbers puts your customers at risk, but it probably does not give you any real benefit. Also, if you do keep this information, it must be stored separately from the rest of the information contained within a card on file agreement.
In addition, merchants should regularly review their invoice processing policies to ensure that invoices are being processed in a timely manner, and payments applied to the invoices before those invoices are written off as uncollectible. This seems more like an obvious business concern, but it also mitigates the risk that the business processes invoices and writes off aged invoices as uncollectible without applying any payments to those invoices.
Finally, merchants should always be on the lookout for their IP address on blacklists. If your IP address is on a blacklist, consider changing it and monitor which websites are making the request.

2. Customer Communications

The relationship that merchants have with their customers varies from business to business, so unfortunately there is no one size fits all approach to customer communications. However, there are some general steps that merchants should follow:
This communication should be clear, simple, and easy to understand. Avoid using complex terms and jargon that will be difficult for customers to understand, as this will only lead to frustration and confusion. In addition, give detailed ‘how to’ instructions to ensure that customers will actually follow through with the steps that you have outlined. Any form that has to be filled out should be easy to fill out (i.e. no pop-ups with additional information that customers have to click through to see) and should be short. The shorter, the better!

3. Disputes

While you will certainly try to avoid disputes over your card on file agreements, it is important to have a plan in place in case a dispute ever arises.
Because card on file agreements are contractual in nature, their dispute resolution should follow the same pattern that applies to other contracts. When disputes arise, the merchant should review the language in the agreement to determine how it should be resolved. In addition, we recommend that businesses attempt to resolve issues with merchants using the same open lines of communication that we described above.
