What is Card on File?
Card on file (CoF) is the practice of securely storing a customer's payment card details — typically as a token — for use in future transactions, such as recurring payments or one-click purchases.
Card on file -- often abbreviated to CoF -- is the practice of securely storing a customer's payment card details so they can be used for future transactions without the customer needing to enter them again. You encounter card on file every time you make a one-click purchase on a shopping site, pay for a ride-hailing service without getting your wallet out, or have your gym membership automatically renewed each month. The card details are "on file" with the merchant or their payment provider, ready to be charged when needed.
In practice, "storing card details" does not mean the merchant keeps the actual card number in their database. That would be a security nightmare and a PCI DSS violation. Instead, the card number is replaced with a token -- a meaningless reference number -- through a process called tokenisation. The token is stored by the merchant and used to initiate future payments, while the real card data sits securely in the payment provider's vault.
How Card on File Works
The card-on-file process involves an initial capture of the card details, followed by storage and subsequent use for future payments.
Initial Capture
The first time a customer provides their card details -- whether through a website checkout, a phone payment, or an in-person transaction -- those details are sent to the payment provider, who processes the initial transaction and creates a token. This token is returned to the merchant and linked to the customer's account. From this point on, the merchant only stores the token, the last four digits of the card (for identification purposes), the card brand, and the expiry date. They never store the full card number or CVV.
Consent and Authentication
Storing a customer's card on file requires their explicit consent. The customer must agree to have their details saved for future use, and this consent must be clearly documented. Under Strong Customer Authentication (SCA) requirements, the initial transaction where the card is captured typically requires full authentication -- such as 3D Secure verification -- to confirm that the person providing the card details is the legitimate cardholder.
Subsequent Transactions
When the merchant needs to charge the stored card -- for a repeat purchase, a subscription renewal, or a manual charge initiated by an agent -- they submit the token to the payment provider along with the transaction details. The payment provider looks up the real card data, submits the payment to the card network, and returns the result. The merchant never sees the actual card number during this process.
Card Updates
Cards expire and get replaced. When this happens, the token needs to be updated with the new card details. Card updater services, provided by the card networks, automatically update stored card details when a card is replaced. This happens behind the scenes, keeping the card on file current without any action from the customer or the merchant.
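The capture, reuse, and update steps described above can be sketched in a few lines. This is an added example, not code from Paytia or any payment provider: ProviderVault, StoredCard, the tok_ prefix, and the first-digit brand lookup are hypothetical, and the card numbers are constructed test values.

```python
import secrets
from dataclasses import dataclass

BRANDS = {"4": "visa", "5": "mastercard"}  # simplified first-digit lookup (assumption)

@dataclass(frozen=True)
class StoredCard:
    """Everything the merchant keeps: no full card number, no CVV."""
    token: str
    last4: str
    brand: str
    expiry: str

class ProviderVault:
    """Hypothetical stand-in for the payment provider's vault."""
    def __init__(self):
        self._cards = {}  # token -> real card data, held only by the provider

    def _merchant_view(self, token):
        card = self._cards[token]
        pan = card["pan"]
        return StoredCard(token, pan[-4:], BRANDS.get(pan[0], "unknown"), card["expiry"])

    def tokenise(self, pan, expiry, cvv):
        # The CVV would be used for the initial authorisation only; it is never stored.
        token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from the PAN
        self._cards[token] = {"pan": pan, "expiry": expiry}
        return self._merchant_view(token)

    def charge(self, token, amount_pence):
        card = self._cards.get(token)
        if card is None:
            return {"status": "declined", "reason": "unknown_token"}
        # The provider would send card["pan"] to the card network here.
        return {"status": "approved", "amount_pence": amount_pence, "last4": card["pan"][-4:]}

    def update_card(self, token, new_pan, new_expiry):
        # Card updater: the underlying card changes, the merchant's token does not.
        if token not in self._cards:
            raise KeyError(token)
        self._cards[token] = {"pan": new_pan, "expiry": new_expiry}
        return self._merchant_view(token)

def demo():
    vault = ProviderVault()
    stored = vault.tokenise("4111111111111111", "12/27", "123")  # constructed test card
    first = vault.charge(stored.token, 2500)
    renewed = vault.update_card(stored.token, "5555555555554444", "11/30")
    second = vault.charge(stored.token, 2500)
    return stored, first, renewed, second
```

The merchant-side StoredCard is identical in shape before and after the card is replaced; only last4, brand, and expiry change, while the token used for charging stays the same.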
Why Card on File Matters for Businesses
Frictionless Repeat Payments
The most obvious benefit is convenience. When a customer's card is on file, they can make repeat purchases or pay recurring charges without entering their card details every time. This reduces friction, speeds up the payment process, and makes it more likely that the customer will complete the transaction. For subscription businesses, card on file is essential -- you cannot charge a monthly subscription if you need the customer to manually enter their card details each month.
Improved Conversion Rates
Every step in the payment process is an opportunity for the customer to change their mind or get distracted. Removing the need to type in card details eliminates one of the most tedious and error-prone steps. One-click purchasing, made possible by card on file, has been shown to significantly improve conversion rates compared to full checkout processes.
Customer Retention
A customer with a card on file is more likely to stay with you than one who has to actively set up payment each time. This is partly convenience and partly inertia -- switching to a competitor means entering card details somewhere new. For subscription businesses, card on file reduces voluntary churn by making it easier to stay than to leave.
Revenue Predictability
When you have cards on file for recurring charges, you can predict your revenue with greater accuracy. You know which customers are set up for automatic payment and can forecast your income accordingly. This predictability is valuable for financial planning, cash flow management, and business valuation.
Card on File and Telephone Payments
Card on file has particular significance for businesses that take payments over the phone, because it can reduce the number of times card details need to be captured during phone calls.
First Call: Capture and Tokenise
During the customer's first phone payment, the agent guides them through the process of entering their card details -- either by keying them in on their phone keypad (using DTMF capture) or by directing them to a payment link. The card details are tokenised and stored securely. The agent confirms that the customer consents to having their card stored on file for future payments.
Subsequent Calls: Pay Without Re-Entering Details
When the same customer calls again to make another payment, the agent can look up the customer's account and see that there is a card on file. With the customer's verbal confirmation, the agent can process the payment using the stored token without the customer needing to re-enter their card details. This saves time on the call and provides a better customer experience.
Setting Up Recurring Payments by Phone
Many businesses set up subscriptions and recurring payments during phone calls -- membership sign-ups, service agreements, instalment plans, and so on. Card on file makes this possible: the customer provides their card details once during the call, the details are tokenised, and all future recurring payments are charged against the token. The customer does not need to call back each month.
Agent Never Sees Card Data
In a well-designed telephone payment system, the agent never sees the actual card number at any stage. During the initial capture, the customer enters their details via DTMF or a payment link. For subsequent payments using the card on file, the agent works with the token reference. The real card data is handled entirely by the payment provider. This keeps the agent's environment out of PCI DSS scope.
Practical Considerations
Customer Consent
Always obtain clear, documented consent before storing a card on file. This is both a regulatory requirement and a good business practice. Make sure the customer understands what they are agreeing to, how their card will be used, and how they can remove it.
Card Expiry Management
Cards expire, and when they do, payments will fail unless the stored details are updated. Use account updater services to automatically keep stored card details current, and have a process in place for reaching out to customers whose details cannot be updated automatically.
Security and PCI Compliance
Card on file only works safely when implemented with proper tokenisation. Never store actual card numbers in your own systems. Work with a PCI DSS Level 1 certified payment provider and ensure your tokenisation setup meets current security standards.
Customer Control
Give customers the ability to view and manage their stored cards -- including updating details and removing cards they no longer want on file. This transparency builds trust and gives the customer control over their payment data.
Transaction Identification
Card-on-file transactions need to be properly flagged when submitted to the card network. Visa and Mastercard have specific rules about how stored credential transactions are identified and processed. Your payment provider should handle this, but make sure you understand the requirements to avoid increased decline rates or compliance issues.
Paytia's secure payment platform incorporates card on file principles to ensure phone payments are processed securely and efficiently. Combined with DTMF suppression, businesses get comprehensive payment security across all channels.
Frequently Asked Questions
What is card on file?
Card on file (CoF) is the practice of securely storing a customer's payment card details — typically as a token — for use in future transactions, such as recurring payments or one-click purchases.
How does card on file relate to PCI DSS?
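Card on file is relevant to PCI DSS compliance because it determines how payment data is handled, protected, and managed. With proper tokenisation, the merchant stores only a token while the real card data sits in the payment provider's vault.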
Does Paytia support card on file?
Paytia's PCI DSS Level 1 certified platform supports card on file as part of its comprehensive approach to secure payment processing across phone, web, and chat channels.