
What is Card on file (COF)?

Quick definition

Card on file is a stored payment credential a merchant holds — with customer consent — to charge for future transactions without re-entering the card. Visa and Mastercard require the original auth to be flagged as COF and subsequent charges to carry a stored-credential indicator.

The short answer

Card on file (COF) is the card network framework for any merchant that stores a customer's payment credential to use on a later transaction. Visa and Mastercard formalized the rules in 2017-2018 and tightened them again in 2023: the initial transaction has to be a cardholder-initiated purchase that explicitly captures consent to store, and every subsequent charge has to carry a stored-credential indicator in the auth message so the issuer knows it's a COF transaction and not a fresh entry.

The two transaction types that live under COF

  • Cardholder-initiated transaction (CIT). The customer is present and triggers the charge — logs in, clicks "buy again," enters CVV. Issuer treats it like a regular e-commerce auth.
  • Merchant-initiated transaction (MIT). No customer present. You, the merchant, trigger the charge based on a prior agreement — subscription renewal, overage bill, no-show fee, post-service invoice. Must carry the MIT indicator and the original transaction ID.

At the moment you capture the card for storage, you need an unambiguous disclosure: what will be charged, when, how often, and how to cancel. Visa specifically requires the consent language to be "clear and conspicuous" — not buried in terms of service. For subscriptions, this is where the 3DS step and email confirmation pay for themselves.

What operators need to know

  • Flag the initial auth. The first transaction needs the "initial storage" flag. If you store a card without ever flagging the initial auth as COF, every subsequent MIT will decline at a higher rate — the issuer sees a credential with no origin story.
  • Keep the transaction ID. Every MIT has to echo back the original CIT's network transaction ID (the Visa TxID or Mastercard trace ID). Lose it and your renewals degrade.
  • Update the credential. Use account updater so when a card expires or is replaced, your COF keeps working. Approval rates on MITs with updated credentials are 20-30 points higher than on expired ones.
  • Watch the chargeback codes. COF transactions flagged as unauthorized hit with reason code 10.4 (Visa) or 4837 (Mastercard). Your defense is the stored consent record, the original CIT auth, and proof of delivery / service.
  • Recurring vs. unscheduled. A subscription is a recurring MIT. A post-ride Uber charge or a hotel incidental is an unscheduled MIT. Both are COF but carry different indicators and the rules around them differ — unscheduled is stricter.

For multi-brand operators, COF gets interesting: a customer who consented to store their card with Brand A has NOT consented to Brand B, even if both brands sit under the same parent MID. Sharing tokens across brands without fresh consent is a network violation.
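One way to enforce the rules above before an authorization request leaves your system, as an added example (not code from this page or from any processor): the record fields and the `cof_violations` helper are hypothetical names, and the sample records are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class StoredCredential:              # hypothetical vault record
    token: str
    brand: str                       # brand the customer consented to
    consent_recorded: bool           # disclosure shown and accepted at capture
    initial_auth_flagged: bool       # first CIT carried the initial-storage flag
    network_txn_id: Optional[str]    # network transaction ID of that CIT

@dataclass(frozen=True)
class Charge:                        # hypothetical outgoing charge
    token: str
    brand: str
    initiator: str                   # "CIT" or "MIT"
    mit_type: Optional[str] = None   # "recurring" or "unscheduled" for MITs
    original_txn_id: Optional[str] = None

def cof_violations(cred: StoredCredential, charge: Charge) -> list:
    """Return the reasons a stored-credential charge should be held back."""
    problems = []
    if charge.token != cred.token:
        problems.append("token mismatch")
    if not cred.consent_recorded:
        problems.append("no consent record")
    if charge.brand != cred.brand:
        problems.append("cross-brand use without fresh consent")
    if charge.initiator == "MIT":
        if not cred.initial_auth_flagged:
            problems.append("initial auth never flagged as COF")
        if charge.mit_type not in ("recurring", "unscheduled"):
            problems.append("MIT type missing")
        if not cred.network_txn_id or charge.original_txn_id != cred.network_txn_id:
            problems.append("original transaction ID missing or mismatched")
    elif charge.initiator != "CIT":
        problems.append("unknown initiator")
    return problems

# Constructed sample data, not real identifiers.
CRED = StoredCredential("tok_1", "brand-a", True, True, "NTID-CONSTRUCTED-001")
RENEWAL = Charge("tok_1", "brand-a", "MIT", "recurring", "NTID-CONSTRUCTED-001")
print(cof_violations(CRED, RENEWAL))
```

Running the same check against the consent record you would later submit in a dispute keeps the renewal path and the chargeback defense working from one source of truth.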
