Card on File compliance for REST Pay Display

Overview

Tokenization or vaulted card requests made through Clover REST Pay Display API require additional steps for developers to ensure compliance with Card on File (COF) mandates, also called the Stored Credential Transaction framework.

NOTE: Tokenization through REST Pay Display API is not supported in Europe.

Card on File background

In October 2017, Mastercard® and Visa® issued new rules regarding the use of stored credentials. This mandate requires specific handling and transmission of stored credentials—in this case, tokens representing payment data. See Visa documentation for more information: Improving Authorization Management for Transactions with Stored Credentials

A stored credential is information, including but not limited to an account number or payment token, that a merchant or its agent stores to process future transactions.

Use Ecommerce API for subsequent transactions

NOTE: Only Clover Ecommerce API allows the use of Clover tokens for subsequent transactions. REST Pay Display does not support the use of a token as a payment method.

Tokens generated through REST Pay Display API can be set as the source value on the Ecommerce API. If the token is to be used for subsequent payments or charges, the following stored_credentials object and its properties are also required:

  • The sequence value: whether this is the FIRST or a SUBSEQUENT transaction with the stored credential.
  • The is_scheduled value: whether this transaction is scheduled or part of an installment.
  • The initiator value: whether this transaction is initiated by the MERCHANT or with CARDHOLDER consent.

{
  "source": "{multi_pay_token}",
  "stored_credentials": {
    "sequence": "SUBSEQUENT",
    "is_scheduled": false,
    "initiator": "CARDHOLDER"
  }
}

Use case: Monthly gym membership

A customer enrolls as a new gym member, completing the initial enrollment and paying in person. All subsequent monthly membership payments are made through the Clover Ecommerce Recurring and Subscription API.

  • Application requests to Pay and Vault through REST Pay Display, saving the token returned from Clover.

  • Application creates the customer's recurring payment plan on Clover Ecommerce API using the previously obtained token.

  • See Recurring Payments and Subscriptions APIs for more information.

Use case: Payment upon delivery of service or goods

A customer asks to have their card authorized in person, saving it on file for future use. The customer and merchant agree that the final payment is submitted once the goods or services are received.

  • Application requests the token through REST Pay Display.

  • Application creates a charge through the Clover Ecommerce API using the previously obtained token, with stored credential settings of subsequent, scheduled, and merchant-initiated.

  • See Use a multi-pay card token for more information.
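The two use cases above map onto the stored_credentials properties described in the previous section. The following Python helper is an added example, not Clover's own code or SDK: it builds the Ecommerce API charge body with a validated stored_credentials object, rejecting values outside the documented vocabulary before anything is sent. The `amount` (minor units) and `currency` fields beside `source` are assumed from the general shape of an Ecommerce API charge, since this page names only `source` and `stored_credentials`; the token string and amounts are constructed sample values, and no request is actually sent.

```python
import json

# Vocabulary documented on this page for the stored_credentials object.
VALID_SEQUENCE = {"FIRST", "SUBSEQUENT"}
VALID_INITIATOR = {"MERCHANT", "CARDHOLDER"}


def build_stored_credentials(sequence, is_scheduled, initiator):
    """Return a stored_credentials object, rejecting anything outside the
    documented vocabulary so a typo (e.g. lowercase "subsequent") cannot
    turn into a mis-declared stored-credential transaction."""
    if sequence not in VALID_SEQUENCE:
        raise ValueError(f"sequence must be one of {sorted(VALID_SEQUENCE)}, got {sequence!r}")
    if not isinstance(is_scheduled, bool):
        raise TypeError(f"is_scheduled must be a bool, got {type(is_scheduled).__name__}")
    if initiator not in VALID_INITIATOR:
        raise ValueError(f"initiator must be one of {sorted(VALID_INITIATOR)}, got {initiator!r}")
    return {"sequence": sequence, "is_scheduled": is_scheduled, "initiator": initiator}


def build_charge_body(token, amount, currency, sequence, is_scheduled, initiator):
    """Build the JSON body for an Ecommerce API charge that reuses a token
    obtained from REST Pay Display.

    Assumption (not stated on this page): the charge carries the amount in
    minor units under "amount" and the currency code under "currency",
    next to the documented "source" and "stored_credentials" fields."""
    if not isinstance(token, str) or not token:
        raise ValueError("token must be a non-empty string")
    # bool is a subclass of int, so exclude it explicitly.
    if not isinstance(amount, int) or isinstance(amount, bool) or amount <= 0:
        raise ValueError("amount must be a positive integer in minor units")
    return {
        "amount": amount,
        "currency": currency,
        "source": token,
        "stored_credentials": build_stored_credentials(sequence, is_scheduled, initiator),
    }


def delivery_charge(token, amount, currency="usd"):
    """Payment-upon-delivery use case from this page: the final charge is
    SUBSEQUENT, scheduled, and merchant-initiated."""
    return build_charge_body(token, amount, currency, "SUBSEQUENT", True, "MERCHANT")


def cardholder_initiated_charge(token, amount, currency="usd"):
    """Settings shown in this page's stored_credentials snippet: a later,
    unscheduled charge made with the cardholder's consent."""
    return build_charge_body(token, amount, currency, "SUBSEQUENT", False, "CARDHOLDER")


if __name__ == "__main__":
    # Constructed token and amount; nothing is sent anywhere.
    print(json.dumps(delivery_charge("clv_EXAMPLE_TOKEN", 2500), indent=2))
```

Keeping the vocabulary check in one place means every charge path in the application declares the stored-credential context the same way, which is what the issuer sees and what the mandate is about.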

Product update

User experience for tokenization

A key component of the Mastercard and Visa mandate is that merchants must obtain the cardholder's consent before storing their credentials (vaulted card or token).

If a token is requested, customers are presented with the following prompt:

[Image: consent prompt displayed on the device, asking whether the customer wants the merchant to save their card]

If the customer elects for the merchant to save their card, REST Pay Display proceeds with the tokenization attempt.

V2 tokenization

NOTE: To use v2/card/tokens, the Clover Core Payments App must be installed on the device.

Tokenization requests are subject to a card verification check with the payment processor. A token is returned only if the card is successfully verified; otherwise, REST Pay Display API returns a Tokenization Failure error.

Only v2/card/tokens prompts customers for their consent; the v1/card/tokens endpoint does not support this behavior. The customer prompt can be suppressed by setting "suppressConfirmation": true where needed, but Clover recommends always prompting for consent by default.

V2 tokenization request and response

POST /connect/v2/card/tokens HTTP/1.1
Host: {env}.clover.com
X-Clover-Device-Id: {deviceSerialNumber}
X-POS-ID: {posId}
Idempotency-Key: {idempotencyKey}
Content-Type: application/json
Authorization: Bearer {oauthToken}


{
    "cardEntryMethods" : ["EMV","NFC","MANUAL","MAG_STRIPE"],
    "suppressConfirmation" : false
}

{
    "confirmationSuppressed": false,
    "expirationDate": "0521",
    "first6": "512857",
    "last4": "7294",
    "token": "clv_1TSTSBiZ9ze8VBZCuWBkrr7t",
    "tokenType": "ECOMM_COMPAT"
}

Pay and tokenize

Clover semi-integrated payment solutions now support prompting cardholders for their consent upon tokenization requests automatically.

Pay and tokenize request and response

NOTE: "vaultCard": true must be set in order to request a token as part of the payment response.

POST /connect/v1/payments HTTP/1.1
Host: {env}.clover.com
X-Clover-Device-Id: {deviceSerialNumber}
X-POS-ID: {posId}
Idempotency-Key: {idempotencyKey}
Content-Type: application/json
Authorization: Bearer {oauthToken}

{
    "amount": 216,
    "final": true,
    "externalPaymentId": "SALE_VAULT_216",
    "deviceOptions": {
        "vaultCard": true,
        "suppressConfirmation": false,
        "cardEntryMethods": ["EMV","NFC","MANUAL","MAG_STRIPE"]
    }
}

{
    "issues": {
        "duplicate": {
            "description": "POTENTIAL_DUPLICATE"
        },
        "signature": {
            "signature": {
                "data": "/9j/4AAQSkZJ...",
                "format": "JPG",
                "gzip": false
            }
        }
    },
    "payment": {
        "amount": 207,
        "cardTransaction": {
            "authCode": "914017",
            "cardType": "MC",
            "cardholderName": "CHIP TEST CARD",
            "entryType": "EMV_CONTACT",
            "extra": {
                "applicationLabel": "4465626974",
                "authorizingNetworkName": "MASTERCARD",
                "routingIndicator": "C",
                "cvmResult": "SIGNATURE",
                "applicationIdentifier": "A0000000042203"
            },
            "first6": "512857",
            "last4": "7294",
            "referenceId": "204500606690",
            "state": "CLOSED",
            "transactionNo": "2500036",
            "type": "AUTH"
        },
        "createdTime": 1644857673691,
        "employee": {
            "id": "G9ZDEKXHQF5V6"
        },
        "externalPaymentId": "SALE_VAULT_207",
        "id": "T0QF97YZ2DF3A",
        "offline": false,
        "order": {
            "id": "79KNQ85KCZFCR"
        },
        "result": "SUCCESS",
        "taxAmount": 0,
        "tipAmount": 0
    },
    "token": {
        "confirmationSuppressed": false,
        "expirationDate": "0521",
        "first6": "512857",
        "last4": "7294",
        "token": "clv_1TSTSVmgTQD6A6L64bSD1P8b",
        "tokenType": "ECOMM_COMPAT"
    }
}

If the payment succeeds but tokenization fails, no token is returned and a tokenizationFailure entry is added to the issues object.

{
    "issues": {
        "signature": {
            "signature": {
                "data": "/9j/4AAQSkZJR....",
                "format": "JPG",
                "gzip": false
            }
        },
        "tokenizationFailure": {
            "description": "User declined Tokenization : USER_DECLINED"
        }
    },
    "payment": {
        "amount": 204,
        ...
    }
}
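Putting the consent and failure handling together, here is an added Python example (not Clover's code) that builds the pay-and-vault request body with the consent prompt left on by default and decides from a /v1/payments response what may be persisted as a card on file: the token only when one is present and no tokenizationFailure is reported, with the confirmationSuppressed flag kept alongside it as evidence of whether the device prompted the customer. The two sample responses are constructed, trimmed copies of the ones shown above; the payment id in the declined sample is a placeholder.

```python
# Constructed samples modelled on the /v1/payments responses shown on this
# page, trimmed to the fields this code reads.
PAY_AND_VAULT_OK = {
    "issues": {"duplicate": {"description": "POTENTIAL_DUPLICATE"}},
    "payment": {"id": "T0QF97YZ2DF3A", "amount": 207, "result": "SUCCESS"},
    "token": {
        "confirmationSuppressed": False,
        "expirationDate": "0521",
        "first6": "512857",
        "last4": "7294",
        "token": "clv_1TSTSVmgTQD6A6L64bSD1P8b",
        "tokenType": "ECOMM_COMPAT",
    },
}

PAY_OK_TOKEN_DECLINED = {
    "issues": {
        "tokenizationFailure": {"description": "User declined Tokenization : USER_DECLINED"}
    },
    # Payment id is a constructed placeholder; the page elides this part.
    "payment": {"id": "PAYMENT_ID_PLACEHOLDER", "amount": 204, "result": "SUCCESS"},
}


def build_pay_and_vault_request(amount, external_payment_id, suppress_confirmation=False):
    """Body for POST /connect/v1/payments that asks for a token with the
    payment. vaultCard must be true, and the consent prompt stays on unless
    the caller explicitly suppresses it (Clover recommends leaving it on)."""
    if not isinstance(amount, int) or isinstance(amount, bool) or amount <= 0:
        raise ValueError("amount must be a positive integer in minor units")
    return {
        "amount": amount,
        "final": True,
        "externalPaymentId": external_payment_id,
        "deviceOptions": {
            "vaultCard": True,
            "suppressConfirmation": bool(suppress_confirmation),
            "cardEntryMethods": ["EMV", "NFC", "MANUAL", "MAG_STRIPE"],
        },
    }


def payment_succeeded(response):
    """True when the payment itself closed successfully, independent of
    whether tokenization succeeded."""
    return (response.get("payment") or {}).get("result") == "SUCCESS"


def extract_card_on_file(response):
    """Return (record, reason). record holds the only data the application
    should persist for a card on file; it is None when no token may be stored."""
    issues = response.get("issues") or {}
    failure = issues.get("tokenizationFailure")
    if failure:
        # Payment may still have succeeded; only the vaulting is refused.
        return None, "tokenization failed: " + str(failure.get("description", "unknown"))
    tok = response.get("token")
    if not tok or not tok.get("token"):
        return None, "no token in response"
    record = {
        "token": tok["token"],
        "token_type": tok.get("tokenType"),
        "last4": tok.get("last4"),
        "expiration": tok.get("expirationDate"),
        # True when the device displayed the consent prompt and the customer
        # accepted; store it with the token as the consent evidence.
        "consent_prompted": not tok.get("confirmationSuppressed", False),
        "payment_id": (response.get("payment") or {}).get("id"),
    }
    return record, "ok"


if __name__ == "__main__":
    for sample in (PAY_AND_VAULT_OK, PAY_OK_TOKEN_DECLINED):
        rec, why = extract_card_on_file(sample)
        print(payment_succeeded(sample), why, rec)
```

The split between payment_succeeded and extract_card_on_file matters for the failure case on this page: the sale must still be treated as completed even though nothing may be saved for later charges.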

Additional requirements for developers

If your application stores tokens to use in subsequent transactions, you are responsible for the following components of this mandate:

NOTE: Clover collects a general consent agreement from the customer to proceed with a tokenization request or a payment. Card on File rules require additional steps that merchants and software developers must take to reach full compliance. Merchants are still responsible for performing the following activities when saving customer cards (tokens) on file.

  • Inform the account issuer that payment credentials are now stored on file; this is done by processing an initial payment or by a $0 account verification through Clover REST Pay Display API.
  • Disclose to cardholders how those credentials will be used.
  • Notify cardholders when any changes are made to the terms of use.