March 11, 2021

CIT/MIT Framework for Stored Payment Credential Transactions

Card Issuers are always looking at innovations to improve and streamline processes for all stakeholders in the payments landscape (processors, merchants, and consumers). It’s not surprising that they strive to adapt to ever-changing schemes used by fraudsters and cybercriminals and continue to work to reduce fraud and chargebacks.

One such endeavor, first presented by Visa, is the Stored Payment Credential mandate, which dictates how merchants should manage and process payments made with card information on file.

The Stored Payment Credential Mandate—Overview

What constitutes a stored credential? It is information (including, but not limited to, an account number or payment token) held by a merchant or its agent, payment facilitator, or stored digital wallet operator to process future purchases for a cardholder.

The term stored payment credentials refers to credit card information that a customer has opted to save to a merchant’s server to make future purchases more convenient. Data commonly includes items like billing name and address, card account number, and card expiration date.

A stored credential transaction is a transaction generated against that stored consumer and credit card information. There are two types of these transactions: CIT—or cardholder-initiated transaction—and MIT—or merchant-initiated transaction.

CIT is any transaction where the cardholder is actively participating in the transaction, either at a terminal in-store or through a checkout experience online.

MIT is a subsequent transaction with already-stored credentials, for which a cardholder has given prior consent to the merchant to store payment credentials for future use without his or her active engagement. Such would be the case in the automatic billing for subscription services, to name one example.

As a whole, these are commonly referred to as “credential-on-file transactions” or COFs, in their shortened form. The mandate covers both types of stored payment transactions. It establishes the rules and requirements for how merchants can keep these credentials and process subsequent transactions.

When a merchant offers cardholders the option of saving their payment credentials, the directive requires the merchant, their third-party agents, and payment facilitators to inform the issuing bank—through the transaction—that the cardholder/client payment credentials are now kept on file and to use suitable, as-prescribed indicators to identify transactions that are made using those stored credentials. These indicators convey to the issuing bank that the merchant and the cardholder have an established relationship and an arrangement to use stored payment credentials as part of the transaction process. These make it easier for issuing banks to identify legitimate transactions, which, in turn, should increase approval rates for credential-on-file transactions.

What does this mean for me?

MCM connector builds spanning several acquirers in the Americas will incorporate this change to support the CIT/MIT framework, as prescribed by the acquirer, in cases of:

  • Installment payments
  • Recurring payments
  • Payments with Card on File (COF), merchant- or cardholder-initiated

If your business currently supports the type of transactions listed—which can be conducted in the Retail, MOTO, or eCOM environments—the point-of-sale systems interfacing to our middleware will be expected to make changes. The changes will accommodate the need to send relevant and additional information about these transactions to the middleware.

Our MCM specifications will outline precisely what will be required for this implementation, but modifications are anticipated in—and may not be limited to—the following areas:

  • Our response (RCP) will have an added field (TXNID)
  • The SAF file will have structural changes, but there is no impact provided that SAF is cleared prior to the update, as recommended by our best practices.


In matters of compliance—especially in payments—knowledge and preparedness are key. Remaining informed on items of conformity, their observance, and relevance to you is of paramount importance.

For more information on the MCM middleware changes expected, version releases, and impact on your POS integration, please contact our Client Services team.

For more information on conditions, exceptions, use cases, cardholder consent, or other such questions, please contact your payment processor or Card Brand representative.