Learn how saved cards work, how CIT and MIT payments differ, and what PSD2 means for recurring payments.
Tokenization allows card details to be stored securely for future use without saving the actual card number. Instead, a unique card token is generated and stored by Paytrail’s payment service. This makes it possible to offer a smooth checkout experience for returning customers, as well as support for recurring or subscription-based payments.
Saving card details speeds up future purchases and helps improve sales conversion in online and mobile services. Customers can complete a payment in just a few clicks, and paying with a saved card is just as secure as any regular card payment.
What are CIT and MIT payments?
According to the Payment Services Directive (PSD2), card payments using stored card details fall into two categories:
- CIT (Customer Initiated Transaction): The customer initiates the payment.
- MIT (Merchant Initiated Transaction): The merchant initiates the payment without user interaction.
The API request must always indicate whether the payment is CIT or MIT.
A CIT payment is used when the customer actively starts the payment, such as in an online store. Even if the charge is captured later (e.g. at the end of a taxi ride or a fuel purchase), the transaction is still considered CIT if the customer initiated it.
- The payment must be confirmed using the bank’s authentication method (e.g. the bank’s identification app).
- The card issuer is liable for any potential misuse.
A MIT payment is used when a charge is made without the customer being involved at the time of payment. This is common in recurring billing scenarios, such as monthly charges for an entertainment service.
However, recurring billing does not have to be for the same amount each time (e.g. a phone bill), and it does not have to be time-based. Charges can also be based on individual transactions, for example when a customer exits a parking garage and the final amount is charged automatically.
- A MIT payment is not subject to the PSD2 regulation's requirement to confirm each payment.
- The merchant is liable for any payment issues.
- If you use the subscription/recurring billing model (recurring charges), please review the special requirements that apply below.
Saving card details and PSD2
The new Payment Services Directive (PSD2) also defines rules for how and when card details can be stored and used.
When saving a card, the cardholder must be verified with strong customer authentication using the identification method provided by the card issuer (the bank). In Finland, this is usually done with the corresponding bank's identification app.
- Customer-initiated payment (CIT): When the customer starts paying with their saved card, the card payment must be confirmed using the card issuer's confirmation method. It is possible to request a transaction-specific exception for skipping payment confirmation in certain low-risk payment transactions, such as payments under 30 euros. Granting exceptions always depends on the payment card issuer's ability to handle exception requests and business decisions.
- Merchant-initiated payment (MIT): When the merchant initiates a card payment independently (e.g. when charging monthly subscriptions), no separate payment confirmation is required.
How network tokens help with saved cards
Network tokens are an additional layer of functionality that help keep saved card details up to date. When a customer saves a card, a Paytrail token is returned to the merchant. In some cases, this token is also linked to a network token, which is issued by the card network (such as Visa or Mastercard).
If the card is renewed or replaced, the network token can be updated automatically. This helps prevent failed payments and improves the customer experience.
Key benefits of network tokens:
- Saved cards stay up to date automatically if the card is renewed
- Customers don’t need to manually update card details
- Recurring payments continue without interruption
- Reduces failed payments and customer churn
Special requirements
If you use stored card details for recurring or subscription payments, certain consumer protection rules apply. These help ensure transparency for the customer and reduce the risk of disputes or chargebacks.
You must clearly inform the customer about the subscription terms at the time of payment. This includes:
- The amount that will be billed and the frequency of the billing
- The customer’s acceptance of the terms (e.g. by ticking a checkbox)
Linking to another page (such as terms and conditions), expanding a message box, or requiring the customer to scroll down to see the billing terms does not meet the requirement. The key terms must be clearly visible at the time of payment.
You must send a confirmation email when the customer enrolls in a subscription or recurring billing plan. The email must include:
- The subscription terms
- Any trial period terms (if applicable)
- Instructions on how to cancel
If a free or discounted trial is offered before regular billing begins, you must also disclose:
- Any initial charges
- The length of the trial period
- The amount and frequency of the billing after the trial ends
For example: “You will be billed 4,99€ today for a 14-day trial. After that, you will be billed 39,99€ monthly until you cancel.”
A reminder must be sent before the trial converts into a paid subscription:
- It must be sent no less than 3 days and no more than 7 days before the first paid charge
- It must repeat the key subscription terms and include cancellation instructions
- It can be sent by email or any other electronic method
If the subscription bills the cardholder less frequently than every 6 months, a reminder must be sent before each charge:
- At least 7 days before, and no more than 30 days before the next charge
- It must include the subscription terms and how the customer can cancel
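The two reminder rules above, expressed as a small compliance checker. This is an added example, not Paytrail's code; it assumes "every 6 months" can be approximated as 183 days and that a reminder is required only in the two cases the page names (trial conversion, and billing rarer than every 6 months).

```python
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Reminder windows from the subscription rules, in days before the charge.
TRIAL_WINDOW = (3, 7)        # first paid charge after a trial: 3..7 days before
INFREQUENT_WINDOW = (7, 30)  # billing rarer than every 6 months: 7..30 days before
SIX_MONTHS_DAYS = 183        # assumption: "every 6 months" approximated as 183 days


def reminder_window(next_charge: date, interval_days: int,
                    converts_trial: bool) -> Optional[Tuple[date, date]]:
    """Return (earliest, latest) date a reminder may be sent, or None if none is required."""
    if converts_trial:
        lo, hi = TRIAL_WINDOW
    elif interval_days > SIX_MONTHS_DAYS:
        lo, hi = INFREQUENT_WINDOW
    else:
        return None  # e.g. a monthly plan after the trial: no reminder mandated
    return next_charge - timedelta(days=hi), next_charge - timedelta(days=lo)


def reminder_is_compliant(sent_on: Optional[date], next_charge: date,
                          interval_days: int, converts_trial: bool) -> bool:
    """True if the reminder (or its absence) satisfies the timing rule for this charge."""
    window = reminder_window(next_charge, interval_days, converts_trial)
    if window is None:
        return True          # nothing required; an extra reminder is harmless
    if sent_on is None:
        return False         # required reminder missing: chargeback exposure
    earliest, latest = window
    return earliest <= sent_on <= latest


def charge_schedule(trial_ends: date, interval_days: int,
                    count: int) -> List[Tuple[date, Optional[Tuple[date, date]]]]:
    """Plan the next `count` charges and attach the reminder window each one needs."""
    schedule = []
    for i in range(count):
        charge = trial_ends + timedelta(days=i * interval_days)
        schedule.append((charge, reminder_window(charge, interval_days, i == 0)))
    return schedule


if __name__ == "__main__":
    # Constructed sample: 14-day trial ends 2024-03-15, then billed yearly.
    for charge, window in charge_schedule(date(2024, 3, 15), 365, 2):
        print(charge, "reminder window:", window)
```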
If these requirements are not met, the cardholder may have the right to charge back the payment in case of a dispute. We recommend reviewing our documentation for full technical guidance on implementing recurring payments.
FAQ
Can any card be saved for payment and recurring charges?
Yes, any card from Paytrail's payment method selection can be saved (Visa, Mastercard, Amex).
Do I have to store card details, and is it secure?
Card details are securely stored in the Paytrail payment service, and the online store only receives a unique card token. Payments are processed by Nets, our acquirer partner, and Paytrail is responsible for the reliable storage of card data. This means the merchant has no data security risk when using this feature.
Can any service or product be charged repeatedly?
Yes, but card companies require that:
- The customer gives consent for recurring billing.
- The merchant provides information about how recurring payments will be handled and instructions for cancellation.