Card On File (COF) and Customer Initiated Transactions (CIT)

We have received some information from users of Authorize.net that discusses Authorize.net's approach to forthcoming mandates for using saved credit card data:

Authorize.Net is currently in the process of implementing support for the Visa, MasterCard, and Discover Card on File (COF) for Customer Initiated Transaction (CIT) and Merchant Initiated Transaction (MIT) as well as the separate Purchase Returns Authorization (PRA) Mandates. This article will provide you with the latest, up-to-date information available as well as links to available resources for more information.

 

What does this mean for Auth.net users (and potentially users of other merchant providers)?

Card on file (COF) means that you, the merchant, are saving customer payment data for future reuse.

The vast majority of credit card authorizations in Theatre Manager result from cards entered online by patrons or typed/swiped/tapped at the box office as part of a transaction. These transactions are not the subject of this email from Authorize.net.

Theatre Manager supports post dated or recurring payments for donations and other purchases which may be affected by the Visa, MasterCard, Discover rules.

  • If data is stored in Theatre Manager, post dated payments are considered Card Not Present transactions and are treated like the above, just as if they were original transactions with all card data.
  • If data is stored at the credit card company using merchant profiles, it may be subject to any of the Visa/Mastercard/Discover data storage changes described by Authorize.net as 'in-progress'. In this case, as it pertains to Theatre Manager, your merchant processor will handle any changes required.
This directive from Authorize.net is targeted at reusable card data stored using merchant profiles at the credit card companies. It does not affect data stored locally in Theatre Manager, since those payments are always processed with full card data in exactly the same manner as all card transactions.

 

How to influence stored credit card data in Theatre Manager

Saving card data in Theatre Manager is controlled via settings on the PCI tab in System Preferences:

  • for self hosted - you can pick schedule D in the PCI tab (see explanations of Schedule A/B/C/D) and decide how long you want to save data, or you can pick the other two options.
  • for cloud hosted - you can decide to:
    • never store data (schedule C), or
    • store card data only for post dated payments (schedule D)
  • For either self hosted or cloud hosted, you can enable Merchant Profile and Theatre Manager will send card data to your merchant provider to get them to store it. This:
    • moves all responsibility for storing card data to your merchant provider -without-
    • diminishing your ability to use this stored card data for recurring payments.

Customer Initiated Transactions (CIT) using card on file

According to the Authorize.Net web site, Customer Initiated Transactions means:
  • A Cardholder Initiated Transaction (CIT) is any transaction where the cardholder actively initiates a transaction. This can be paying online, in a store, over the phone or through a pay link/QR code, etc. In a Card on File transaction, the cardholder initiates a transaction, opting to pay using card information previously used and stored on file with the merchant.

Theatre Manager does NOT support any form of Customer Initiated Transactions using saved data. The customer cannot select 'use saved card' online or at the box office.

If the box office uses a card on file, it becomes a Merchant Initiated Transaction.

Merchant Initiated Transactions (MIT) using card on file

According to the Authorize.Net web site, Merchant Initiated Transactions means:
  • A Merchant Initiated Transaction (MIT) is a payment initiated by a merchant without the cardholder. To do this, the cardholder must have previously given the merchant permission to store their card details for use in certain types of future payments. This means that an MIT can only happen after a cardholder has previously completed a CIT with the merchant. MITs can be split into two kinds of transactions:
    • Standing Instructions:

      These are transactions that reuse the cardholder's credentials on a regular basis or after a certain event occurs. Examples of Standing Instructions are:

      • Recurring Payments - transactions processed according to a fixed interval and fixed amount agreed upon by the cardholder and merchant. Recurring Transactions don't have a specified duration and can continue to be processed until the cardholder cancels the agreement
      • Unscheduled Card on File Transactions - transactions processed for a fixed or variable amount that are not tied to a schedule or recurring transaction date, but to a pre-defined event. For example, when your car's EZ-Pass highway toll booth account falls below a certain minimum, your card automatically gets charged to reload the account balance
    • Industry Practices

      These are transactions that reuse the cardholder's credentials on an ad hoc or one-off basis, with previous consent from the cardholder. Examples of Industry Practice Transactions are:

      • Resubmissions - used when the original authorization is not successfully funded to the merchant but goods or services were provided
      • Reauthorizations - used to obtain a new authorization after the previous authorization has expired
      • Delayed Charges - processes an additional charge after the original transaction has been completed
      • No Show - used to collect penalty fees for not showing up for a reservation or cancellation in accordance with the merchant's cancellation policy
Theatre Manager supports Customer Initiated Transactions for Standing Instructions only, using saved data for recurring payments (e.g. post dated, recurring donations, and season subscription auto-renewal).

Theatre Manager does not support unscheduled card on file transactions.

You can do this in one of two ways. Use one of:

  • Schedule 'D' compliance for post dated payments - in this case Theatre Manager stores the card data internally (encrypted), subject to PCI compliance
  • Merchant Profiles - in this case card data is sent to your merchant provider and they store it. From that point, the card provider is completely responsible for card storage. You can choose to store card data for longer periods of time.
Note: we do not recommend using Moneris Merchant Profiles - they charge too much money. Other merchant providers are not currently charging for this feature.
If you have Theatre Manager store card data (schedule D), it is a Merchant Initiated Transaction. However, the issue becomes moot, as Theatre Manager retrieves complete card data from the database and sends it to the merchant provider as a Card Not Present transaction. That is exactly as if the customer had called you on the phone to give you the card, or paid online by typing in their card.
Theatre Manager does not actively implement any of the aforementioned Industry Practice Transactions that cause additional since all transactions are completed when the customer provides card data in full.

Purchase Return Authorization (PRA)

According to the Authorize.Net web site, Purchase Return Authorizations mean:
  • The Visa, MasterCard and Discover card brands are now requiring that refunds made to customers be authorized in real-time, to validate the payment data in real-time and provide a real-time response of the success or failure of the refund attempt.
Theatre Manager has only ever supported real-time refunds to cards. Currently, the majority of merchant providers use linked refunds, in which the refund is made to the original order, patron and card number, up to the original amount.

These requirements are implemented by your merchant provider. You have to contact your provider if you want to use independent refunds, which are refunds to any card for any order (not always advised).