Updated June 26, 2020

Overview

In October 2017, Visa and Mastercard issued new rules regarding the use of stored credentials. This mandate requires specific handling and transmission of stored credentials (in this case, tokens representing payment data). See the following documentation from Visa and Mastercard for detailed information:

We are currently in the process of certifying the CardPointe Gateway for compliance with this mandate, on the First Data Rapid Connect platform. This document describes the changes in development for the CardPointe Gateway API, and the changes that you can plan to make to your integration to become compliant.

The changes described in this document are currently in development and are subject to change.

Only merchants processing on the Rapid Connect platform will be able to take advantage of this enhancement. Currently, CardConnect has no plans to certify the CardPointe Gateway for compliance on other processing platforms.

If you or your merchants are processing on a platform other than Rapid Connect, contact your CardConnect account manager for more information.

CardPointe Gateway API Changes

The changes required to comply with this mandate affect merchants who:

  • Store and reuse payment tokens and customer information to process recurring card-not-present payments through an E-commerce or ERP application.
  • Use the CardPointe Gateway's profile service to create and store customer profiles and process card-not-present payments using the associated profileid and accountid.

If your payment workflows use either of these methods to store and reuse customer data, you will need to update your integration to identify the initial and subsequent payments.

Initially, these enhancements will only be available for integrators using the CardPointe Gateway API to accept E-commerce or recurring payments.

These enhancements will be deployed to the CardPointe Virtual Terminal and other payment products in future releases of these products.

New Authorization Request Parameters

To support the requirement to identify stored credential transactions, the CardPointe Gateway API adds two new parameters. Both must be included in the authorization request for all E-commerce and recurring payments that use stored customer payment information.

Field: cof
Max Length: 1
Type: AN
Description: The cof parameter specifies whether the transaction was initiated by the customer or merchant.

Specify one of the following values:

  • C - The transaction was initiated by the customer.
  • M - The transaction was initiated by the merchant.

Field: cofscheduled
Max Length: 1
Type: AN
Description: The cofscheduled parameter specifies whether the transaction was a one-time payment (for example, a customer placing a one-time order using stored payment information) or a scheduled recurring payment (for example, a monthly automatic payment).

Specify one of the following values:

  • Y - The transaction is a scheduled (automated) payment.
  • N - The transaction is a manual, one-time payment.

The following example illustrates these fields used in an authorization request, where the merchant's billing system initiated a scheduled, automated payment: