⚡ Quick Answer

A card on file is a stored payment credential a cardholder authorizes for future charges. Using it correctly requires clear documented consent, proper CIT/MIT transaction indicators on every charge linked via the Original Transaction ID (OTID), and an easy cancellation process. Skip any of those and you are looking at higher decline rates, chargebacks you will not win, and potential card network violations. The rules have tightened a lot over the last several years. Getting this right is not optional anymore.

If your organization collects regular payments from the same people, you have probably thought about putting payment methods on file. Monthly insurance premiums, utility bills, HOA dues, healthcare copays, membership fees. Maybe you already do it. But having a card on file and doing it correctly are two very different things. The gap between them is where compliance problems, failed payments, and cardholder disputes quietly pile up.

Here is what cards on file actually require, what the rules say, and how to set up recurring billing in a way that reduces costs and protects your organization.


What "Card on File" Actually Means

A card on file is a stored payment credential, whether that is a credit card, debit card, or bank account, that a cardholder authorizes your organization to charge later. Simple enough. But how you use that authorization matters a lot, because card networks treat different types of stored-credential transactions differently.[1] Use the wrong type and you will see more declines and lose more disputes.

There are three types you need to know:

  • Recurring billing: Same amount, predictable schedule. Monthly water bills, quarterly dues, annual memberships. The customer knows what is coming and when.
  • Installment billing: A fixed total split into a set number of payments. A tax bill in six installments, a healthcare payment plan with a known end date. The schedule is agreed to upfront.
  • Unscheduled CoF transactions: No fixed schedule, no fixed amount. The charge fires when a condition is met, not a calendar date. An insurance premium after an annual review. A variable utility bill. These require the most careful setup and documentation.

Visa, Mastercard, and the other networks have specific rules for each one. The rules affect how your processor flags the transaction when it is submitted. Get it wrong and your decline rates go up. Get it really wrong and you lose chargebacks you should have won.


Why the Rules Around Stored Credentials Have Gotten Stricter

Card network rules on stored credentials have tightened considerably over the last several years. And they are not going back. Here is what has changed and why it affects you.

Issuer scrutiny and transaction flagging

Banks are paying closer attention to recurring charges. Card networks now require explicit flagging on stored-credential transactions, both the initial cardholder-initiated transaction (CIT) and every subsequent merchant-initiated transaction (MIT) that follows it.[2] Visa also strongly recommends using the Original Transaction ID (OTID) to link every MIT back to the original CIT. This tells the issuing bank the charge is authorized. Without it, your processor is sending transactions that look unfamiliar to banks, and banks are increasingly quick to decline anything that does not look right.

Chargebacks on recurring billing are going up. "I didn't authorize this" and "I already canceled" are two of the most common chargeback reasons in recurring billing. Without a clean authorization trail linking every MIT to its original CIT, those disputes are hard to win. With one, they often get resolved before they even become chargebacks.

Network tokenization and stored credentials

How stored credentials work is changing. The old approach, saving a raw card number against a customer account, is giving way to network tokens. A network token is a credential substitute issued directly by the card network. When a card is renewed or replaced, the token can update automatically. That means fewer failed payments and less time spent chasing down updated card numbers. If you run any volume of recurring billing, this is worth knowing. IntelliPay's tokenization and security approach covers how we handle stored credential security on our platform.


Before You Store a Single Card Number: The Authorization Requirements

⚠ Compliance Note

Storing a payment credential without proper authorization is not just a compliance gap. It is a violation of card network rules that can result in fines, increased chargeback liability, and in serious cases, loss of your ability to accept cards.

There are three things you need before storing a card. All three. Not two out of three.

  1. Clear, informed consent: The cardholder needs to know they are agreeing to future charges. A checkbox buried in your terms of service does not cut it. The language needs to be visible and specific. It should spell out the amount or how it will be calculated, the schedule or the conditions that trigger a charge, and how the cardholder can cancel.
  2. A record you can actually produce: When a dispute comes in, and eventually one will, you need to show exactly what the cardholder agreed to and when. That means storing authorization records where you can retrieve them, not just a checkbox flag in a database. Without a record, you have no defense.
  3. Correct transaction flagging on every charge: Every charge after the initial authorization needs to go out with MIT indicators that tell the issuing bank this is a stored-credential charge the cardholder previously authorized. Ask your processor whether they are submitting MIT indicators per current Visa and Mastercard requirements, and whether they use OTID to link each MIT back to the original CIT.
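As an added example (not IntelliPay's code and not any processor's API), the Python below models the three requirements above together with the three billing types from earlier: a consent record you can retrieve later, an initial CIT whose transaction ID becomes the OTID, and every later MIT carrying the billing-type indicator and the OTID link. Field names such as "initiator" and "otid" and the sample values are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Added example, not IntelliPay's code. The indicator field names below are
# illustrative; the real field names are defined by your processor's API.

BILLING_TYPES = {"recurring", "installment", "unscheduled"}


@dataclass
class Consent:
    """The authorization record you must be able to produce in a dispute."""
    cardholder_id: str
    billing_type: str
    disclosure_text: str                         # exact consent language shown at enrollment
    captured_on: date
    fixed_amount_cents: Optional[int] = None     # required for recurring and installment
    cancelled_on: Optional[date] = None          # set when a cancellation request arrives


@dataclass
class StoredCredential:
    token: str                                   # network or processor token, never a raw PAN
    consent: Consent
    original_txn_id: Optional[str] = None        # OTID, set by the initial CIT


def submit_charge(cred, txn_id, amount_cents, charge_date, cardholder_present):
    """Return the indicator fields for one charge, or raise if it is not authorized."""
    c = cred.consent
    if c.billing_type not in BILLING_TYPES:
        raise ValueError(f"unknown billing type {c.billing_type!r}")
    if c.cancelled_on is not None and charge_date >= c.cancelled_on:
        raise ValueError("charge after cancellation request")
    if c.billing_type in ("recurring", "installment") and amount_cents != c.fixed_amount_cents:
        raise ValueError("amount differs from what the cardholder agreed to")
    if cardholder_present:
        # First charge: cardholder-initiated; its transaction ID becomes the OTID.
        if cred.original_txn_id is not None:
            raise ValueError("a CIT has already been recorded for this credential")
        cred.original_txn_id = txn_id
        return {"initiator": "CIT", "billing_type": c.billing_type, "txn_id": txn_id,
                "otid": None, "amount_cents": amount_cents}
    # Every later charge is merchant-initiated and must link back to the CIT.
    if cred.original_txn_id is None:
        raise ValueError("MIT without an original CIT to link to")
    return {"initiator": "MIT", "billing_type": c.billing_type, "txn_id": txn_id,
            "otid": cred.original_txn_id, "amount_cents": amount_cents}
```

A charge that fails these checks should never reach the processor; logging the rejection reason alongside the consent record is what gives you the trail described above.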

For government agencies and utilities, it can get stricter. Several states have rules on recurring billing disclosures, cancellation rights, and required notice periods that go beyond what the card networks require. Some of those rules apply specifically to utilities and public agencies. Our utility billing regulations guide covers the state-by-state landscape.


Reducing Failed Payments: The Practical Side of Recurring Billing

Even with everything set up correctly, recurring transactions still fail. Cards expire, banks reissue numbers after fraud, accounts get closed. For organizations billing hundreds or thousands of people a month, a 2 to 5 percent failure rate is not unusual. If you are not handling it systematically, that turns into uncollected revenue and staff time spent on outreach.

Here are four things that meaningfully reduce failure rates:

📅 Proactive expiration outreach: Send reminders 30 to 45 days before a card expires. Most payment portals can pull a report of expiring credentials. Getting ahead of it costs very little. Chasing failed payments after the fact costs a lot.
🔄 Account updater services: Many processors offer a service that automatically refreshes expired or replaced credentials before a charge runs. Ask whether it is included or an add-on, and whether it runs before or only after a decline.
⚙️ Rule-compliant retry logic: Card networks have specific rules on how and when you can retry a failed transaction. Retry too aggressively, or without the right indicators, and a soft decline can harden into a permanent block. A good processor handles this automatically.
📣 Immediate failure notification: When a payment fails, notify the payer right away with a simple way to update their card online. IntelliPay's customer portal lets payers manage their own payment methods, which takes the follow-up work off your team.

Cancellation and Consumer Rights

Making cancellation easy might seem like it works against you. It does not. Cardholders who cannot figure out how to cancel do not just stop paying. They call their bank and dispute the charge. Now you are not just losing future billing. You are potentially losing the disputed transactions too, paying chargeback fees, and risking a higher dispute ratio that puts your account under scrutiny.

Regulatory Framework

Under current Visa and Mastercard rules, merchants offering recurring billing are expected to provide clear disclosures and a reasonable, easy way for customers to cancel, and to stop billing within a defined period after a cancellation request.[3]

The FTC's "click to cancel" rule, finalized in 2024 and scheduled to take effect in 2025,[4] adds another layer for consumer subscription and negative-option programs. It requires cancellation to be at least as easy as enrollment. Worth noting: the FTC rule is scoped to consumer subscription plans and does not uniformly apply to contexts like government utility autopay. But making it easy to cancel is good practice regardless of whether you are legally required to do it.

Government agencies have additional obligations here. A resident who sets up autopay for property taxes should be able to cancel online, not by calling a number that is only staffed three days a week.


Do You Have a Cards-on-File Policy?

If not, now is a good time to create one. It does not need to be complicated. At minimum it should cover:

  • Authorization language and storage: what consent language you use, where it is stored, how long you keep it
  • Transaction type classification: whether your charges are recurring, installment, or unscheduled, and confirmation your processor is flagging them correctly with CIT and MIT indicators and OTID
  • Pre-charge notification: how and when payers are notified before a charge runs, especially for variable-amount billing
  • Credential update and removal: how payers update or remove a stored payment method
  • Cancellation processing: how cancellation requests are received, confirmed, and acted on within the required timeframe
  • Failed payment handling: retry timing, payer notification, escalation path for continued failures

Healthcare and insurance organizations also need to account for HIPAA when payment data touches protected health information. Our healthcare payment processing page covers where payment compliance and healthcare privacy requirements intersect.


Five Questions to Ask Your Payment Processor

Not sure if your current setup is handling stored credentials correctly? Ask your processor these five questions directly:

  1. Are you submitting MIT indicators on all recurring charges, and are you using OTID to link them back to the original authorization?
  2. Do you offer account updater services, and does the refresh happen before a charge runs or only after a decline?
  3. How does your platform handle retry logic for failed recurring transactions, and does it follow current Visa and Mastercard retry rules?
  4. Does your platform store a network token or a raw card number (PAN)?
  5. What reporting do you provide on upcoming card expirations?

A processor who handles recurring billing well should answer all five without hesitation. Vague answers, or hearing about MIT indicators and OTID for the first time in this conversation, are worth paying attention to.


Frequently Asked Questions

A recurring transaction is a fixed amount on a fixed schedule. A $45 monthly membership billed on the 1st of every month is a recurring transaction. An unscheduled card-on-file transaction has no fixed schedule or amount. It fires when a condition is met, like a utility billing a variable monthly amount or an insurer charging a premium after an annual review. Card networks treat these differently in their stored credential frameworks, so the wrong flag affects your authorization rate and your chargeback exposure.

You are in violation of card network rules. Practically speaking, that means fines from your acquirer or the networks, disputes you cannot win because you have no proof of authorization, and in serious or repeated cases, termination of your merchant account. It is not a gray area.

CIT stands for cardholder-initiated transaction. That is the initial authorization where the cardholder is actively present and agreeing to the charge. MIT stands for merchant-initiated transaction. That is every subsequent charge you process against the stored credential. Card networks require both to be identified correctly so issuing banks can recognize them as authorized rather than flagging them as suspicious. Visa recommends using the Original Transaction ID (OTID) to link each MIT back to its original CIT. It improves authorization rates and reduces unnecessary declines.[2]

Generally no. The FTC rule covers consumer subscription and negative-option plans. Most government utility autopay programs fall outside that scope. That said, many states have their own cancellation rules for utilities, and card network requirements around cancellation disclosures apply regardless of industry. Check with your acquirer and legal counsel on what applies to your specific situation.

Network tokenization replaces a raw card number with a token managed by the card network, not your processor. When the underlying card is renewed, reissued after fraud, or replaced, the token can often update automatically without the cardholder doing anything. For recurring billing, that means fewer failed payments from expired or reissued cards. Ask your processor whether they are using network tokens or processor-level tokens. The difference matters.

Everything in a standard CoF policy, plus HIPAA. Payment data tied to a patient record or treatment can be subject to HIPAA privacy and security requirements. Your processor agreement should include a Business Associate Agreement where applicable. IntelliPay's healthcare payment processing page covers where payment compliance and healthcare privacy overlap.


Sources and References

  1. Visa. Stored Credential Transaction Framework. Visa Merchant Resource Library. usa.visa.com/support/merchant/library.html
  2. Visa. Visa Merchant Business News Digest -- Original Transaction ID (OTID) guidance for recurring and merchant-initiated transactions. corporate.visa.com/en/resources/visa-merchant-business-news-digest.html
  3. Visa. Visa Core Rules and Visa Product and Service Rules (April 2026). Section 5 -- Transactions Using Stored Credentials. usa.visa.com -- visa-rules-public.pdf
  4. Federal Trade Commission. Negative Option Rule (Final Rule -- "Click to Cancel"). 16 CFR Part 425. Finalized 2024. ftc.gov/legal-library/browse/rules/negative-option-rule
  5. IntelliPay. Utility Billing Regulations by State: What Every Utility Needs to Know in 2025-2026. intellipay.com -- Utility Billing Regulations Guide

Disclaimer: This article is for general informational purposes only and does not constitute legal, regulatory, financial, or compliance advice. Card network rules, FTC regulations, and applicable state laws change periodically and may vary based on your industry, location, merchant category code, and contractual arrangements with your acquirer or processor. The regulatory summaries here reflect publicly available information as of the publication date and may not reflect subsequent amendments, enforcement guidance, litigation outcomes, or implementation delays. Consult qualified legal counsel and your payment processor or acquiring bank before making compliance decisions. IntelliPay is a registered ISO/MSP of Citizens Bank, Providence, RI, and Synovus Bank, Columbus, GA.

Not sure if your recurring billing setup is compliant?

IntelliPay has been working with government agencies, healthcare organizations, utilities, and businesses on payment infrastructure since 2004. We will take a look at your current setup and tell you what we see, at no obligation.

intellipay.com  |  855-872-6632  |  sales@intellipay.com
PCI DSS Level 1 Certified  ·  Processing payments since 2004  ·  Billions processed annually