Save Card Use Case Scenarios

The Save Card Flow enables merchants to securely store card details with Tap Payments for future transactions, facilitating recurring payments and express checkouts through both Customer-Initiated Transactions (CIT) and Merchant-Initiated Transactions (MIT). Proper integration scoping, implementation, and review are essential to ensure compliance with PCI DSS, EMV 3DS, and regional regulations, particularly for mada in Saudi Arabia, while maximizing transaction acceptance rates.

Express Checkout and Recurring Payments (Real-World Use Cases)

For express checkout, a customer selects a saved Visa card during checkout on an e-commerce platform, bypassing manual card entry. The transaction uses the Subsequent CIT (Bypass 3DS) scenario, leveraging a stored card (card_on_file: TRUE) to complete a SAR 150 purchase instantly, with status CAPTURED via the Charges API. This reduces checkout time and enhances user experience.

For recurring payments, a streaming service charges a customer SAR 50 monthly using a saved Mada card. The first payment follows the First Time Payment (With Saved Card) scenario, saving the card with 3DS authentication. Subsequent charges use the Second Time Payment (Merchant-Initiated) scenario, bypassing 3DS (threeDSecure: FALSE) and resulting in a CAPTURED status, ensuring seamless subscription billing.

Save Card Use Case Scenarios

| Scenario | Description | save_card | customer_initiated | threeDSecure | source.on_file | payment_agreement.id | Result | Example |
|---|---|---|---|---|---|---|---|---|
| First Time Payment (Without Saving Card) | First-time transaction, manual card entry, card not saved | false | true | true | false | Not required | 3DS URL, status: INITIATED; redirect to 3DS URL | User enters Visa card for a SAR 50 one-time purchase. Redirects to 3DS URL. |
| First Time Payment (With Saved Card) | First-time transaction, manual card entry, card saved for future use | true | true | true | false | Not required | 3DS URL, status: INITIATED; redirect to 3DS URL | User enters Mada card to save during a SAR 100 subscription signup. Redirects to 3DS URL. |
| Second Time Payment (Customer Present, Bypass 3DS) | Card on file, customer-initiated, no re-authentication required | false | true | false | true | Required | 3DS bypassed, status: AUTHORIZED (Authorize API) or CAPTURED (Charges API) | User pays SAR 30 with saved Visa card for a recurring service. 3DS bypassed, transaction captured. |
| Second Time Payment (Customer Present, Enforce 3DS) | Card on file, customer-initiated, re-authentication for risk purposes | false | true | true | true | Required | 3DS URL, status: INITIATED; redirect to 3DS URL | User uses saved Mastercard for a SAR 200 purchase, risk team requires 3DS. Redirects to 3DS URL. |
| Second Time Payment (Customer Not Present, Merchant-Initiated) | Card on file, merchant-initiated, no authentication required | false | false | false | true | Required | 3DS bypassed, status: AUTHORIZED (Authorize API) or CAPTURED (Charges API) | Merchant charges SAR 15 to saved Mada card for a monthly subscription. 3DS bypassed, captured. |

Notes

  • 3DS URL, status: INITIATED indicates the merchant must redirect the customer to the provided 3DS URL to complete payment authentication.
  • Transaction status is AUTHORIZED when using the Authorize API or CAPTURED when using the Charges API.
  • Thorough testing of each scenario ensures high acceptance rates, reduces declines, and enhances customer experience.

Checklist for Save Card Flow Implementation

Clear Use Case Guidance:

  • Define and implement distinct scenarios for first-time payments (with/without saving card), subsequent CITs (with/without 3DS), and MITs to cover all customer interactions.
  • Ensure scenarios account for customer presence (CIT) and absence (MIT) to align with user expectations.

Compliance:

  • Adhere to PCI DSS standards for secure card storage, using tokenization (card.id) instead of raw card data.
  • Implement EMV 3DS for fraud prevention, ensuring 3DS is correctly enabled or bypassed per scenario requirements.

mada or Local Payment Methods:

  • Address mada-specific or local payment method requirements, such as mandatory 3DS for most CITs, to comply with respective local regulations.
  • Support dual-branded Mada/Visa cards by detecting the correct card scheme and applying appropriate 3DS rules.

Error Mitigation:

  • Validate API parameters (save_card, customer_initiated, threeDSecure, source.on_file, payment_agreement) to prevent integration errors.
  • Handle declined transactions gracefully with actionable error messages to avoid poor user experiences.
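
A pre-flight check for the parameters named above, as an added example (not Tap Payments code): it maps a request's flags to one of the five scenarios in the table on this page and rejects any other combination before the request is sent. The nested request shape (dotted names treated as nested keys), the `classify` function and the `api` argument are assumptions made for illustration.

```python
# Scenario matrix transcribed from the table on this page.
# Key order: (save_card, customer_initiated, threeDSecure, source.on_file)
SCENARIOS = {
    (False, True, True, False): "First Time Payment (Without Saving Card)",
    (True, True, True, False): "First Time Payment (With Saved Card)",
    (False, True, False, True): "Second Time Payment (Customer Present, Bypass 3DS)",
    (False, True, True, True): "Second Time Payment (Customer Present, Enforce 3DS)",
    (False, False, False, True): "Second Time Payment (Customer Not Present, Merchant-Initiated)",
}


def classify(request, api="charges"):
    """Return (scenario, expected_status, errors) for a request dict.

    Assumed shape: source.on_file and payment_agreement.id are nested keys.
    """
    errors = []
    flags = {
        "save_card": request.get("save_card"),
        "customer_initiated": request.get("customer_initiated"),
        "threeDSecure": request.get("threeDSecure"),
        "source.on_file": (request.get("source") or {}).get("on_file"),
    }
    # A string such as "false" is truthy in most languages; insist on booleans.
    for name, value in flags.items():
        if not isinstance(value, bool):
            errors.append(f"{name} must be a JSON boolean, got {value!r}")
    if errors:
        return None, None, errors

    agreement_id = (request.get("payment_agreement") or {}).get("id")
    if flags["source.on_file"] and not agreement_id:
        errors.append("payment_agreement.id is required for card-on-file payments")
    if not flags["customer_initiated"] and flags["threeDSecure"]:
        errors.append("merchant-initiated payments are listed with threeDSecure false")
    if not flags["source.on_file"] and not flags["threeDSecure"]:
        errors.append("3DS bypass is only listed for card-on-file payments")

    # Fail closed: a combination outside the table is rejected, never guessed.
    scenario = SCENARIOS.get(tuple(flags.values()))
    if scenario is None and not errors:
        errors.append("flag combination matches no scenario in the table")
    if errors:
        return None, None, errors
    if flags["threeDSecure"]:
        return scenario, "INITIATED", []  # redirect the customer to the 3DS URL
    return scenario, "AUTHORIZED" if api == "authorize" else "CAPTURED", []
```

Running this check in the integration's test suite against every request builder catches mis-flagged MITs and string-typed booleans before they reach the sandbox.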

Acceptance Rate Optimization:

  • Optimize configurations for Visa, Mastercard, and Mada to maximize successful authorizations.
  • Flag MITs correctly to avoid unnecessary authentication challenges, especially for recurring payments.

3DS Variability:

  • Ensure correct 3DS handling: enforce 3DS for first-time CITs and high-risk subsequent CITs; bypass for low-risk CITs and MITs.
  • Redirect customers to the 3DS URL when status: INITIATED is returned, ensuring seamless authentication.

Card Scheme Compliance:

  • Follow Visa and Mastercard rules for saved card transactions, including proper MIT flagging and payment agreement usage.
  • Use the correct API (Authorize API for AUTHORIZED, Charges API for CAPTURED) based on transaction needs.

Risk Management:

  • Enforce 3DS for subsequent CITs when required by risk teams to prevent fraud while maintaining user trust.
  • Monitor transaction patterns to identify and address high-risk scenarios proactively.

Recurring Payments:

  • Implement proper MIT handling with payment_agreement: TRUE to ensure uninterrupted subscription charges.
  • Obtain explicit customer consent for recurring payments and store agreement details for audits.

Customer Experience:

  • Bypass 3DS for low-risk subsequent CITs and MITs to reduce checkout friction and boost conversions.
  • Provide clear feedback during 3DS redirects (e.g., “Processing your payment…”) to enhance user trust.

Testing Recommendations:

  • Use Tap Payments sandbox test cards to validate all scenarios.
  • Conduct one round of testing with real cards in the live environment to validate configurations under real-world conditions.
  • Verify transaction statuses (AUTHORIZED for Authorize API, CAPTURED for Charges API) and 3DS URL redirects.