To comply with the Stored Credential Transactions (SCTs) framework, Zuora has provided support for SCTs for specific payment methods and payment gateways since 2019. Since the 2023.07.R2 release in July 2023, Zuora has rolled out the automatic creation of stored credential profiles for Credit Card, Debit Card, Apple Pay and Google Pay payment methods. For payment methods newly created through UI, API operations, or Payment Pages, the stored credential profiles including the network transaction ID (NTI) or equivalent will be created and activated for all supported card brands.
If you want the NTI to be added when creating a payment method, ensure that the Verify new payment method setting is enabled on the gateway instance configuration page. Otherwise, only an empty stored credential profile in Agreed status will be created.
If the Verify new payment method setting is enabled, a stored credential profile with the following properties is automatically created by Zuora.
Zuora will send a cardholder-initiated transaction (CIT) to the payment gateway to validate the stored credential profile. If the CIT succeeds, the status of the stored credential profile will be Active. If the CIT does not succeed, Zuora will not create a stored credential profile.
If the payment gateway does not support the stored credential transaction framework, the status of the stored credential profile will be Agreed.
|Profile type||Recurring||The stored credential profile can be used to process recurring but not unscheduled transactions.|
|Consent agreement source||External||Indicates that you have established the consent agreement with your customers through an external system outside of Zuora.|
For existing payment methods that do not have an active stored credential profile, Zuora has created and activated stored credential profiles of the recurring type and stored the NTI that is returned from the gateway when performing payment grandfathering. The gateway uses an interim NTI to do payment grandfathering. In the case that the gateway no longer supports interim NTI values, the grandfathering period is over on the gateway end, so the payment grandfathering will fail and Zuora will not be able to retrieve the NTI. To stay in compliance with the Stored Credential regulation, Zuora must use the NTI that is retrieved from a successful authorization or payment on subsequent requests. If the grandfathering method does not work, the end-users must be brought back on-session to re-add their payment method details so that Zuora can retrieve and store the NTI.
Zuora’s automatic creation of stored credential profiles is based on the assumption that you have a process in place to capture the agreement elsewhere from your customers.
Through the Zuora UI or API operations, you can view and manage the stored credential profiles created by Zuora or by yourself. For details, see Manage stored credential profiles.
For Payment Pages implemented through Direct POST to perform CITs within Zuora, you still need to implement a way for customers to give consent for their payment credentials to be stored on file, and then configure your Payment Pages to set the Direct POST fields for stored credentials.
The following gateway integrations in Zuora support stored credential transactions.
Note that Chase Orbital Gateway integration supports both recurring and unscheduled stored credential transactions. The other integrations support only recurring stored credential transactions.
|Payment gateway||Visa||Mastercard||Discover||American Express||JCB||Diners Club|
|Adyen Integration v2.0|
|Chase Orbital Gateway|
|CyberSource, Payment API v2.0|
|First Data Payeezy Gateway|
|Stripe v2 Payment Gateway|
|Vantiv (Now Worldpay) Payment Gateway|
|Vantiv Payment Gateway, API v8.10|
|Worldline Global Collect|
|Worldpay Payment Gateway|
If you use a gateway that is not in the preceding table, Zuora will process payments as usual, but the payments will not comply with the Stored Credential Transaction framework.
Zuora supports stored credential transactions for the following types of payment methods:
|Payment method||Payment gateway integrations that support SCTs for the payment method|
|Credit Card/Debit Card||All payment gateway integrations listed in the Payment gateways section|
Stored credential profile status
- Agreed - The stored credential profile has not been validated via an authorization transaction with the payment gateway.
- Active - The stored credential profile has been validated via an authorization transaction with the payment gateway.
- Canceled - The stored credentials are no longer valid, per a customer request. Zuora cannot use the stored credentials in transactions.
- Expired - The stored credentials are no longer valid, per an expiration policy in the stored credential transaction framework. Zuora cannot use the stored credentials in transactions.
Stored credential profile types
Zuora supports the following types of stored credential profiles:
- Recurring profile: Indicates that you have obtained the customer’s consent to initiate future transactions at regular intervals.
- Unscheduled profile: Indicates that you have obtained the customer’s consent to initiate future transactions that do not occur on scheduled or regularly occurring transaction dates. Only one Unscheduled profile is allowed for each payment method. Currently, the Unscheduled profile is only supported in Chase Orbital Gateway integration.
When configuring your Zuora tenant, the goal is to contain an Active stored credential profile for the payment methods created on the preceding gateway instances.
The stored credential profile with the “Unscheduled” type is only supported for Chase Orbital Gateway integration.
For general information about Visa's Stored Credential Transaction framework, see Visa's guidance for merchants.