Card Consent for Initial Storage of Payment Credentials

With the evolving payment system, instances in which payment transactions are initiated with a stored credential based on a cardholder’s consent for future use have increased to significant levels. To ensure that our customers comply with Visa and MasterCard’s consent regulations for recurring, installment, or renewal payments, NetForum has introduced functionality that ensures informed consent is given by the card or account holder not just to store the payment credentials but also to use the stored credentials to perform the expected future payment transactions.

In NetForum, all forms on iWeb that contain an automatic payment option now display the text “With Consent” along with the check box caption. This makes it clear that the check box should only be selected with explicit informed consent from the cardholder (or account holder for ACH) to store the specified payment information and use it for processing the associated ongoing payments.

Hovering the cursor over the Auto-Pay check box displays the consent text, as shown in the screenshot below.

On eWeb, any form that has an option to enroll in automatic payment or automatic renewal by selecting the Charge my card/account automatically check box now contains a help text stating, “By clicking this checkbox I consent to the associated ongoing automatic payments using the provided payment info.” The check box should only be selected with explicit informed consent from the cardholder (or account holder for ACH) to store the specified payment information and use it for processing the associated ongoing payments.

Product areas where the Card Consent functionality is applicable are:

  • Any product when purchased with installment payments and set to Auto-Pay.

  • Products such as memberships, exhibits, and grants when purchased with installment billing and set to Auto-Pay.

  • Existing memberships and subscriptions when set to Auto-Renew (Auto-Pay) with stored payment credentials.

  • Existing orders when set to Auto-Pay with stored payment credentials.

 

Verifying Date of Consent for an Auto-pay Transaction Order

Important! NetForum records the date when the consent was given by turning on the Auto-Pay option, when the user edits the order, membership, or subscription and changes the stored credential.

The date of consent to use stored credentials for processing recurring, installment, and renewal payments is recorded in the new av_date_small fields. The following fields are added to the database tables to support the stored credential rules.

  • For Orders: oe_order.ord_cpi_consent_date

  • For Membership auto renewals: mb_membership.mbr_cpi_consent_date

  • For Term product auto renewals: ac_invoice_detail_term.trm_cpi_consent_date

An association staff user can view when a customer gave consent for the storage of their credit card or ACH information for an installment, recurring, or unscheduled payment.

To view the consent date for an order:

  1. Once an order is placed, open the Orders child form on the profile and click the GoTo button on the order record.

  2. On the Order Profile, click the Edit profile menu and then click the Order drop-down option.

  3. You can verify whether the Auto-Pay (With Consent) check box is selected and also view the customer payment info, populated with the masked credit card or ACH number used for payment.

  4. Copy the Order Code or Order Key, open SSMS, and run the query below using the noted order code or key:

    SELECT ord_auto_pay, ord_cpi_key, ord_cpi_consent_date, ord_type, * FROM oe_order WITH (NOLOCK) WHERE ord_code = 'ORDER CODE'

    Or

    SELECT ord_auto_pay, ord_cpi_key, ord_cpi_consent_date, ord_type, * FROM oe_order WITH (NOLOCK) WHERE ord_key = 'ORDER KEY'

     

    Use the CST KEY from the above query and run this query to verify the cpi_key:

    SELECT * from ac_customer_payment_info WITH (NOLOCK) WHERE cpi_cst_key = 'CST KEY'

     

    For Membership auto renewals, you can use the Order Key as described above and run the same query for membership to get the response, or you can run the query below using the member key in the URL of the Membership profile (which comes after &key).

    SELECT mbr_auto_pay, mbr_cpi_key, mbr_cpi_consent_date, * FROM mb_membership WITH (NOLOCK) WHERE mbr_key = 'MBR KEY'

     

    For Term product auto renewals such as Subscriptions, you can run the query below using the Subscriber Key in the URL of the subscriber profile (which comes after &key).

    SELECT trm_auto_pay_flag, trm_cpi_key, trm_cpi_consent_date, * FROM ac_invoice_detail_term WITH (NOLOCK) WHERE trm_ivd_key = 'KEY'
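An added audit query (not part of NetForum's own documentation) that uses the three consent-date fields above to list auto-pay records that reference stored payment information but have no recorded consent date. It assumes the auto-pay columns hold 1 when enabled and that the key columns can be cast to varchar(36); adjust both to your schema.

```sql
-- Added example: auto-pay records with a stored credential but no consent date.
-- Assumption: ord_auto_pay / mbr_auto_pay / trm_auto_pay_flag = 1 means enabled.
-- Assumption: key columns cast cleanly to varchar(36).
SELECT 'Order'                          AS record_type,
       CAST(ord_key AS varchar(36))     AS record_key,
       CAST(ord_cpi_key AS varchar(36)) AS cpi_key
FROM oe_order WITH (NOLOCK)
WHERE ord_auto_pay = 1
  AND ord_cpi_key IS NOT NULL
  AND ord_cpi_consent_date IS NULL

UNION ALL

SELECT 'Membership',
       CAST(mbr_key AS varchar(36)),
       CAST(mbr_cpi_key AS varchar(36))
FROM mb_membership WITH (NOLOCK)
WHERE mbr_auto_pay = 1
  AND mbr_cpi_key IS NOT NULL
  AND mbr_cpi_consent_date IS NULL

UNION ALL

SELECT 'Term',
       CAST(trm_ivd_key AS varchar(36)),
       CAST(trm_cpi_key AS varchar(36))
FROM ac_invoice_detail_term WITH (NOLOCK)
WHERE trm_auto_pay_flag = 1
  AND trm_cpi_key IS NOT NULL
  AND trm_cpi_consent_date IS NULL

ORDER BY record_type, record_key;
```

Rows returned are candidates for review: records enrolled in Auto-Pay before the consent-date fields were added may also appear here.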

     

Stored Payment Credentials Tracking

With the recorded card or account holder consent, the new rules outline additional data to be sent in the transaction request when processing transactions that use stored credentials.

The four pieces of information that NetForum sends in the transaction request when processing transactions using stored credentials are:

  • Initiator: Indicates whether the transaction is initiated by the Cardholder or by the Merchant.

  • Indicator: Indicates whether the processed transaction is the first or a subsequent transaction for a given stored credential.

  • Stored Id: This is the ID that Visa or Mastercard assigns to the first use of a given stored credential.

  • Type: Indicates whether the transaction is Recurring, Installment, or Unscheduled.

 

How does NetForum decide the values for Indicator, Initiator, Type

Indicator: If the cpi_stored_credential_id of the associated stored payment information (cpi record) is null/empty, NetForum considers it the "First" use. For the first use of the stored credential, the gateway returns a stored id, which is stored in cpi_stored_credential_id. Any future payment transactions using this cpi record will be treated as "Subsequent."

If the existing cpi record is used for the first time for any purchase, then stored_credential_indicator will be F.

Initiator: Payments processed via iWeb and Scheduled Tasks are considered Merchant-Initiated. Payments processed via eWeb are considered Cardholder-Initiated.

Type: Installment Payments and Installment Billing transactions are considered Installment. If the payment is applied to recurring orders or orders with auto-renewal turned on, then it is considered Recurring. Unscheduled is used for non-recurring, non-auto-renewal, non-installment, one-off payments that happen to use a cpi that was already flagged with a stored_credential_id from a previous transaction.

 

The aforementioned stored credential handling information currently applies to BluePay credit cards and is recorded in the ac_gateway_transaction_log table. The ac_gateway_transaction_log table records the following fields:

  • gtl_stored_credential_initiator (“M” for Merchant / “C” for Cardholder)

  • gtl_stored_credential_indicator (“F” for First / ”S” for Subsequent)

  • gtl_stored_credential_type (“R” for Recurring / ”I” for Installment / ”U” for Unscheduled)

 

Note: This functionality only applies to regular NetForum payment transactions against invoices. NetForum does not allow use of stored payment information (cpi records) on payment transactions for Credits and Misc Transactions. For those Credit and Misc Transaction payments, the user must always enter the explicit card information.

 

To view the stored credentials of any transaction:

  1. Once you place an order, copy the CST KEY in the profile URL (which comes after &key in the URL).

  2. Open SSMS and run the following query:

    SELECT cpi_stored_credential_id, gtl_stored_credential_initiator, gtl_stored_credential_indicator, gtl_stored_credential_type, gtl_request, gtl_response, *
    FROM ac_gateway_transaction_log WITH (NOLOCK)
    LEFT JOIN ac_payment_info WITH (NOLOCK) ON gtl_item_key = pin_key
    LEFT JOIN ac_customer_payment_info WITH (NOLOCK) ON pin_cpi_key = cpi_key
    WHERE gtl_cst_key = 'CST KEY' AND gtl_transaction_type = 'PreAuthorization'
    ORDER BY gtl_add_date DESC

     

    Note: If the query returns a null value, then the transaction might not be treated as a stored credential transaction. This might be because the transaction could be a simple prepaid purchase that is not using the cpi record specified for the auto-renewals or auto-payments.
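An added consistency check (not part of NetForum's own documentation) built on the join above: for each stored payment record of one customer, it counts how the PreAuthorization transactions were flagged and returns only combinations that do not match the First/Subsequent rule described earlier. It uses only the column names shown on this page; 'CST KEY' is the same placeholder as in the query above.

```sql
-- Added example: review First/Subsequent flags per stored payment (cpi) record.
SELECT cpi_key,
       cpi_stored_credential_id,
       SUM(CASE WHEN gtl_stored_credential_indicator = 'F' THEN 1 ELSE 0 END) AS first_count,
       SUM(CASE WHEN gtl_stored_credential_indicator = 'S' THEN 1 ELSE 0 END) AS subsequent_count,
       MIN(CASE WHEN gtl_stored_credential_indicator = 'F' THEN gtl_add_date END) AS earliest_first,
       MIN(CASE WHEN gtl_stored_credential_indicator = 'S' THEN gtl_add_date END) AS earliest_subsequent
FROM ac_gateway_transaction_log WITH (NOLOCK)
JOIN ac_payment_info WITH (NOLOCK) ON gtl_item_key = pin_key
JOIN ac_customer_payment_info WITH (NOLOCK) ON pin_cpi_key = cpi_key
WHERE gtl_cst_key = 'CST KEY'
  AND gtl_transaction_type = 'PreAuthorization'
  AND gtl_stored_credential_indicator IS NOT NULL   -- stored credential transactions only
GROUP BY cpi_key, cpi_stored_credential_id
HAVING
    -- "S" was logged although the cpi record holds no stored id
    (cpi_stored_credential_id IS NULL
     AND SUM(CASE WHEN gtl_stored_credential_indicator = 'S' THEN 1 ELSE 0 END) > 0)
    -- "F" was logged more than once for the same cpi record
    -- (can be legitimate if an earlier first attempt returned no stored id)
    OR SUM(CASE WHEN gtl_stored_credential_indicator = 'F' THEN 1 ELSE 0 END) > 1
    -- an "S" transaction is older than the earliest "F" transaction
    OR MIN(CASE WHEN gtl_stored_credential_indicator = 'S' THEN gtl_add_date END)
       < MIN(CASE WHEN gtl_stored_credential_indicator = 'F' THEN gtl_add_date END)
ORDER BY cpi_key;
```

An empty result means the logged indicators for that customer are consistent with the rule; any row returned is an item to review against gtl_request and gtl_response, not proof of an error.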