Secure Card on File (SCOF)

  • Updated on Aug 4, 2025
  • Published on Jun 18, 2025
  • 5 minute(s) read
  • PT
  • SC
 Prev Next

Overview

This document covers the functionalities and constraints of the Secure Card on File (SCOF) enablement for the Paynetics Acquiring product. It provides comprehensive information on how to integrate and operate it.

Product Description

Overview: This document provides a comprehensive guide for integrating SCOF into the Paynetics Acquiring product. It covers functional details, integration requirements, transaction flows, and compliance with card network mandates.

SCOF enables merchants to store customer card details securely for future transactions, with proper indicators to comply with Visa and Mastercard regulations.

Scope:

  • SCOF integration with Mastercard.

  • Secure Customer Authentication (SCA) compliance.

Out of Scope:

  • Non-card-based digital wallets.

  • PayPal or alternative e-wallet services.

Mastercard’s Secure Card on File allows merchants, PSPs and commerce platforms to tokenize PANs (Primary Account Numbers) entered by consumers or existing PANs held on file, replacing each PAN with a unique token (subject to issuer participation). These tokens can be used for e‑commerce and in-app transactions in the same way as PANs.

Currency and Country Coverage

The supported settlement currencies are EUR and GBP. Important note is that the currencies that you will choose. The processing currencies are all currencies supported by Paynetics.

The supported countries are EU27, Iceland, Liechtenstein, Norway, or the UK.

Merchant Onboarding

There are no additional onboarding requirements for merchants using SCOF and Network Tokenization beyond the standard Paynetics onboarding process:

  1. Automated Merchant Onboarding – Merchants can onboard through the Paynetics onboarding API.

  2. Manual Onboarding – For cases where automation is not feasible, manual setup is required. Merchants need to submit onboarding documents via a secure shared portal and notify Paynetics at underwriting@paynetics.digital.

Once approved, merchants can start accepting SCOF and Tokenized payments.

Note: Paynetics does not manage cardholder SCOF enrollment; this is handled by Mastercard.

Onboarding via API

The recommended way of onboarding merchants is via API. For more information on the process

During application processing, we may contact you or the merchant to request more information.

Manual Onboarding

To onboard merchants manually we will provide you with dedicated access to a secure shared storage where you must upload the filled in merchant application form together with the required documents. You must notify us by email to underwriting@paynetics.digital for your from to be reviewed.

Please be aware that manual onboarding has limited capacity, and it’s not recommended. Paynetics can only process 10-15 applications a month under the manual flow.

Fees Set-up

The fees setup follows the current procedure with no specifics.

Payouts

The payouts follow the current procedure with no specifics.

Reporting and Reconciliation

You can track all transactions via API real-time. In the end of the day, we will be sending you a reconciliation report with all transactions from the previous day via SFTP.

Profit share

We will be adding your share of the profit in the acquiring monthly commission report file. The file is sent up to the 10th day of the moth. Upon your approval of the commission file, you must send us an invoice. The invoice will be duly paid as per our contractual agreement terms.

Technical Integration

One we have signed agreement for acquiring services you will be provided with access to your Sandbox instance where you can carry on the integration. Once you have integrated the solution, you will run a set of tests validated by Paynetics and you will be ready to move to production. Migrating to production is a matter of receiving and configuring a new API key and changing the API root path.

Execute SCOF payment

The execute a use the POST /v1/purchase or POST/v1/pre-authorization endpoint. No difference in the request parameters sent in the Purchase and Pre-authorization. The Pre-authorization request must always be followed up by capture request POST/v1/capture, otherwise the transaction will not be cleared.

Specific Request Parameters 

card_number

The network card token provided by token requestor

Data Type

String, length 16

Required

Yes

card_expiration_month

The month on which the network token expires 

Data Type

String, “01” to “12”

Required

Yes

card_expiration_year 

The year on which the network token expires 

Data Type

String, min current year

Required

Yes

cardholder_name

The name of the cardholder

Data Type

String, max 27 chars

Required

Yes

recurring_type

3 for CIT; 2 for MIT

Data Type

1 digit

Required

Yes

pos_entry_mode

10

Data Type

2 digits

Required

Yes

wallet_identifier

The parameter supports the transmission of Wallet Identifiers used by the card schemes. Supported values are: click-to-pay

Data Type

String (values from nomenclature)

Required 

Yes

digital_payment_cryptogram

The parameter supports:

DSRP Cryptogram – as per Mastercard CIS DE 104 Sub element 001

Data Type

String

Required 

Required for CIT; Optional for MIT

remote_commerce_acceptor_identifier

The parameter carries a unique identifier agreed by the Merchant with wallet providers.

Data Type

String

Required 

Not Applicable for Visa; Optional Mastercard: recommended for higher approval rates; contains a merchant identifier such as the merchant business website URL or reverse domain name as presented to the consumer during checkout. The merchant identifier is provided encoded as Base64.

Request:

Example Request

{
    "reference": "dsds",
    "merchant": "7cb0db766c86cdda3939871adfece952",
    "amount": 1,
    "currency": "EUR",
    "card_number": "5555555555554444",
    "card_expiration_month": "11",
    "card_expiration_year": "27",
    "pos_entry_mode": "10",
    "recurring_type": "2",
    "cardholder_name": "XXXXXX",
    "wallet_payment": {
        "wallet_identifier": "click-to-pay",
        "digital_payment_cryptogram": "stringstringstringstringstri",
        "remote_commerce_acceptor_identifier": "stringstringstringstring"
    }
}

 

Response:

Example Response

{
  "code": 0,
  "data": {
    "card_number": "555555XXXXXX4444",
    "processing_code": "000000",
    "amount": 1,
    "stan": "180801",
    "local_time": "145916",
    "local_date": "0813",
    "auth_code": "361156",
    "response_code": "00",
    "card_acceptor_terminal_id": "16P17777",
    "card_acceptor_identification_code": "1602071111",
    "currency": "978",
    "transaction": "9310bc2b-171b-47f7-8d2b-d97cdfa546d1",
    "cvv_status": " 06",
    "ccti_id": "80",
    "transaction_stamp": "0000007761232611201A",
    "card": "39da5b38-15f3-4371-8a9b-09f138437b4e",
    "original_network_response_code": "00"
  }
}

3D secured transactions

Mastercard: Required for CIT; Optional for MIT.

3D Secure Request Parameters 

cavv

The Parameter supports:

  • UCAF (Universal Cardholder Authentication Field), applicable for Mastercard or Maestro acceptance

Data Type

String

Required

Yes

eci

The parameter supports the Electronic Commerce Indicator (ECI) which indicates the level of security applied. Supported values:

Mastercard

  • 02: 3DS authentication successful; transaction is secured by 3DS.

  • 01: 3DS authentication was attempted but was not or could not be completed.

  • 00: 3DS authentication is either failed or could not be attempted.

Data Type

String, maxLength: 2

Required

Yes

Version

3D Secure Version Number

Data Type

Integer, value=2

Required

Required for Mastercard only if the card has not been authenticated already

directory_transaction_id

3D Secure Directory Server Transaction ID delivered during the 3D Secure 2.0 authentication process by the directory server

Data Type

String

Required

Yes, if 3D Secure Version Number has been initiated.

Request:

{
    "reference": "dsds",
    "merchant": "7cb0db766c86cdda3939871adfece952",
    "amount": 1,
    "currency": "EUR",
    "card_number": "5555555555554444",
    "card_expiration_month": "11",
    "card_expiration_year": "27",
    "pos_entry_mode": "10",
    "recurring_type": "3",
    "cardholder_name": "XXXXXX",
    "cavv": "AJkCCReZIncEQFcQBZkiAAAAAAA=",
    "eci": "05",
    "version": 2,
    "directory_transaction_id": "7b03c772-dba0-4818-872e-849d63a5a659",
    "wallet_payment": {
        "wallet_identifier": "click-to-pay",
        "digital_payment_cryptogram": " stringstringstringstringstri",
        "remote_commerce_acceptor_identifier": "string"
    }
}

 

Response:

Example Response

{
  "code": 0,
  "data": {
    "card_number": "555555XXXXXX4444",
    "processing_code": "000000",
    "amount": 1,
    "stan": "180801",
    "local_time": "145916",
    "local_date": "0813",
    "auth_code": "361156",
    "response_code": "00",
    "card_acceptor_terminal_id": "16P17777",
    "card_acceptor_identification_code": "1602071111",
    "currency": "978",
    "transaction": "9310bc2b-171b-47f7-8d2b-d97cdfa546d1",
    "cvv_status": "06",
    "ccti_id": "80",
    "transaction_stamp": "0000007761232611201A",
    "card": "39da5b38-15f3-4371-8a9b-09f138437b4e",
    "original_network_response_code": "00"
  }
}

Related articles