How DECTA Payment Gateway Enables Card-on-File Management for Recurring Payments
This article explains how DECTA’s payment gateway enables secure, compliant card-on-file management for recurring payments and one-click transactions. It covers technical frameworks, tokenization, compliance controls, and partner tools designed for PSPs, acquirers, and payment system integrators.
July 03, 2025
For PSPs, acquirers, and payment system integrators, building a secure and compliant recurring billing system starts with robust Payment Gateway Card-on-File Management. DECTA delivers a comprehensive solution purpose-built to support tokenized, recurring, and one-click payment flows—empowering partners to manage card credentials throughout their full lifecycle.
What Is Card-on-File (CoF) Management?
Card-on-File Management refers to the secure storage and lifecycle control of customer card credentials for future use. This enables subscription billing, automated top-ups, one-click checkouts, and other Merchant-Initiated Transactions (MITs) without the need to re-enter card details.
DECTA’s White-Label Payment Gateway supports network-approved tokenization, secure vaulting, and RESTful API access to enable full CoF functionality while maintaining compliance with PCI DSS, PSD2 SCA, and Visa/Mastercard stored credential frameworks.
DECTA's Technical Framework for Card-on-File Management
This framework outlines the APIs and infrastructure that power DECTA’s Card-on-File capabilities. It covers how cards are issued, credentials are secured, and tokens are provisioned across channels.
1. Card Issuance and Lifecycle APIs
The DECTA Card Lifecycle API lets merchants track issued cards and their current state: 0 = ACTIVE, 1 = SUSPENDED, and 2 = CLOSED. ACTIVE cards can authorise; SUSPENDED cards are in limbo; CLOSED cards can no longer be used.
A physical card is issued as SUSPENDED, which is the state the customer sees on first receiving it, and it switches to ACTIVE only when the customer activates it. Virtual cards are issued already in the ACTIVE state. All transactions are processed in real time.
This API covers card issuance, card status changes, transaction history, and recurring payments.
2. Secure Credential Access
DECTA provides Card-on-File (CoF) security via tokenization and AES-256 encryption. DECTA's system replaces valid card information with internal tokens before it leaves the device, so the merchant server never sees sensitive information.
Tokenized values are secured for API calls using HMAC-SHA256 and SSL/TLS. If token value delivery fails, retry logic attempts to resend, while real-time webhooks notify the user of all CoF lifecycle events.
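How a receiver can combine the HMAC-SHA256 check with the retry behaviour described above, as an added example that is not DECTA's code or API: it verifies the MAC in constant time, rejects stale messages, and treats a retried delivery as a duplicate. The signing layout (timestamp, a dot, then the body), the event_id field, the 300-second window and the sample values are all assumptions.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 300  # assumed freshness window, not a documented DECTA value

class WebhookVerifier:
    """Checks HMAC-SHA256-signed CoF lifecycle events; tolerates sender retries."""

    def __init__(self, secret: bytes):
        self._secret = secret
        # Processed ids; in production use a shared store with a TTL beyond the retry schedule.
        self._seen = set()

    def sign(self, timestamp: str, body: bytes) -> str:
        # The timestamp is inside the MAC, so a body cannot be replayed under a new one.
        msg = timestamp.encode() + b"." + body
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def accept(self, timestamp: str, signature: str, body: bytes, now=None) -> str:
        now = time.time() if now is None else now
        expected = self.sign(timestamp, body)
        # Constant-time comparison: no timing signal about matching prefix length.
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "rejected:bad_signature"
        if not (timestamp.isascii() and timestamp.isdigit()):
            return "rejected:bad_timestamp"
        if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
            return "rejected:stale"
        event = json.loads(body)      # parse only after the MAC has verified
        event_id = event["event_id"]  # hypothetical field name
        if event_id in self._seen:
            return "duplicate"        # a retry of an event already handled
        self._seen.add(event_id)
        return "processed"

def demo():
    # Constructed sample: secret, event body and timestamps are made up.
    v = WebhookVerifier(b"constructed-shared-secret")
    ts, body = "1751500800", b'{"event_id":"evt-1","type":"token.created"}'
    sig = v.sign(ts, body)
    tampered = body.replace(b"evt-1", b"evt-2")
    return [
        v.accept(ts, sig, body, now=1751500810),        # first delivery
        v.accept(ts, sig, body, now=1751500820),        # retry of the same event
        v.accept(ts, sig, tampered, now=1751500820),    # body changed in transit
        v.accept(ts, sig, body, now=1751500800 + 900),  # delivered outside the window
    ]
```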
3. EMV Tokenization and Digital Wallet Support
DECTA connects to Visa Token Service (VTS) and Mastercard Digital Secure Remote Payments (MDES) for EMV tokenization. DECTA therefore provides network-level tokens and supports digital wallet provisioning so that sources of payment are readily accepted.
Usable for recurring billing, MOTO transactions and refund processing: DECTA tokenization allows for recurring payments, mail order/telephone order (MOTO) payments and refund-type transactions.
Works with Apple Pay, Google Pay, Samsung Pay, etc.: DECTA's digital wallet integration supports in-app push provisioning, meaning that users can onboard payment cards from third-party mobile applications directly into their digital wallets.
Provisionable for in-app and mobile wallet top-up: Sensitive data can be securely retrieved via OTP-protected APIs under strict access controls, so applications can offer top-up functionality within mobile applications in a highly secure environment.
Use Cases for DECTA CoF Management
These use cases show how Card-on-File management supports different transaction models.
Use Case | Description
Recurring Billing | Automate subscriptions using stored tokens, with SCA exemption via stored_credential_indicator
One-Click Payments |
MOTO/Pay-by-Link | Convert manually entered or invoiced payments into vault-stored cards
Payouts (Visa OCT / MoneySend) | Securely store beneficiary cards for refunds and credits
Wallet Top-ups | Tokenized cards used for mobile or app-based recharges
Compliance and Risk Controls
Compliance and risk controls ensure that card data will not be mishandled, and merchants and their partners will not face undue exposure to liability. DECTA implements these compliance and risk controls through its own certifications, protections at the transaction level, and anti-fraud solutions.
PCI DSS Level 1 and ISO 27001 certified cloud infrastructure: DECTA is PCI DSS Level 1 and ISO 27001 certified. It handles card data within a secure, on-premise data centre. The certification pertains to software development and storage of code.
3D Secure v2.2 support with biometric and out-of-band SCA: Licensed for EMV 3DS 2.3.1.1 with Mastercard. Offers biometric authentication (face/fingerprint/voice) and out-of-band flows via SMS or email for in-app authentication.
Stored credential flagging for MIT exemptions: DECTA's technology can use MIT indicators in transaction messages, in line with card brand regulations and PSD2 SCA requirements, to obtain exemptions for subsequent charges.
Rule-based fraud engine with network velocity limits: DECTA's fraud detection tool tracks transaction volume and uses pattern recognition to flag potential fraud. Velocity checks flag any unique card number, IP address, or device that exceeds a reasonable transaction frequency within set parameters.
Dedicated chargeback tagging for CoF disputes: Chargeback tagging is dedicated to CoF pricing disputes, enabling merchants to acknowledge the challenges their customers face with subscription-based transactions and to compile evidence more easily.
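The velocity check described in the fraud engine item, written out as a sliding-window counter per card token, IP address and device. This is an added example, not DECTA's engine: the limits, field names and sample transactions are assumptions, and transactions are assumed to arrive in timestamp order.

```python
from collections import defaultdict, deque

# Assumed limits as (max events, window in seconds); not DECTA's real parameters.
LIMITS = {"card_token": (3, 60), "ip": (5, 60), "device_id": (4, 60)}


class VelocityChecker:
    def __init__(self, limits=LIMITS):
        self.limits = limits
        self._events = defaultdict(deque)  # (dimension, value) -> recent timestamps

    def check(self, txn: dict) -> list:
        """Record txn and return the dimensions whose limit it exceeds."""
        flagged = []
        for dim, (max_count, window) in self.limits.items():
            value = txn.get(dim)
            if value is None:
                continue  # dimension not present on this transaction
            q = self._events[(dim, value)]
            # Slide the window: drop timestamps older than `window` seconds.
            while q and txn["ts"] - q[0] >= window:
                q.popleft()
            q.append(txn["ts"])
            if len(q) > max_count:
                flagged.append(dim)
        return flagged


def demo():
    # Constructed sample transactions (tokens, IPs and device ids are made up).
    # One token seen four times in 30 s from different IPs and devices.
    txns = [{"ts": t, "card_token": "tok-A", "ip": f"203.0.113.{i}", "device_id": f"d{i}"}
            for i, t in enumerate((0, 10, 20, 30), start=1)]
    # One IP presenting six different tokens within six seconds.
    txns += [{"ts": 100 + i, "card_token": f"tok-{i}", "ip": "203.0.113.9", "device_id": f"x{i}"}
             for i in range(6)]
    # The first token again, after its window has expired.
    txns.append({"ts": 200, "card_token": "tok-A", "ip": "203.0.113.1", "device_id": "d1"})
    vc = VelocityChecker()
    return [vc.check(t) for t in txns]
```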
Merchant & Partner Tools
Merchant and partner tools give direct access to manage tokens, monitor Card-on-File transactions, and automate key cardholder operations.
Back-office dashboards
DECTA provides comprehensive merchant dashboards with intuitive navigation for payment management. Dynamic Descriptor functionality offers detailed transaction descriptions that help customers recall purchases and reduce dispute rates.
Bulk card cancellation tools
The platform supports bulk card management operations that comply with Visa Stop Payment Service requirements, allowing merchants to handle mass cancellations while maintaining proper network compliance. These tools help merchants manage discontinued subscriptions and prevent unauthorised recurring charges.
Multi-tier reporting hierarchy
DECTA's reporting infrastructure supports complex partnership structures with customizable reporting hierarchies that enable PSPs, ISOs, and merchants to access relevant transaction data and analytics based on their role in the payment ecosystem. The platform provides SFTP reporting capabilities with dedicated chargeback reports containing all disputes submitted by DECTA PC and related payment information.