Cards on File Requirements

Applications can use the Cards API and Gift Cards API to store, manage, and retrieve cards on file for a customer. Cards on file are encrypted tokens that represent credit card, debit card, or gift card information that can be used for payment. The App Marketplace requirements described in this topic apply to partner applications that store or manage cards on file or support cards on file as a payment method.

Note

You should use the Cards API and Gift Cards API to store, manage, and retrieve cards on file instead of the deprecated CreateCustomerCard endpoint, DeleteCustomerCard endpoint, or Customer.cards field in the Customers API. For more information, see Migrate to the Cards API and Gift Cards API.

Consent for storing a card on file

Customers must consent to allowing their card details to be stored.

Applications must inform the buyer that their card details will be stored and receive consent from the buyer. For example, applications can provide a checkbox that allows customers to consent to storing card details for future purchases.

Identity verification for storing a card on file

Partner applications often enable buyers to create accounts to manage purchases. If the accounts allow buyers to store cards on file, the corresponding customer profiles must include a form of unique identification.

Applications must use a unique identifier when creating the customer profile, such as an email address, a phone number, or a reference ID that maps the customer to an external system. If storing a card on file for an existing customer profile, the application must update the customer profile to add the unique identifier.

Applications must implement a form of identity verification before storing a card on file that is linked to a buyer account. For example, applications can send a confirmation code to the email address or phone number on the account.
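
The consent and identity verification requirements above can be enforced as one gate in front of the call that stores the card. The following Python is an added example, not Square's code or part of any Square SDK; the `Challenge` class, the `may_store_card` function, and the expiry and attempt limits are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600  # assumed policy: code is valid for 10 minutes
MAX_ATTEMPTS = 5        # assumed policy: guesses allowed per code


class Challenge:
    """One pending confirmation code for one buyer account (hypothetical helper)."""

    def __init__(self, account_id, now=None):
        self.account_id = account_id
        self.expires_at = (time.time() if now is None else now) + CODE_TTL_SECONDS
        self.attempts = 0
        self.verified = False
        self._key = secrets.token_bytes(32)
        self._digest = None

    def _mac(self, code):
        # Bind the code to the account so it cannot be replayed for another one.
        msg = f"{self.account_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self):
        # CSPRNG-generated 6-digit code; keep only its MAC, never the code itself.
        code = f"{secrets.randbelow(10**6):06d}"
        self._digest = self._mac(code)
        return code  # send to the email or phone number on the account; do not log

    def check(self, submitted, now=None):
        now = time.time() if now is None else now
        if self._digest is None or now > self.expires_at:
            return False
        self.attempts += 1
        if self.attempts > MAX_ATTEMPTS:
            self._digest = None  # lock out; a new code must be issued
            return False
        if hmac.compare_digest(self._mac(submitted), self._digest):
            self.verified = True
            self._digest = None  # single use
        return self.verified


def may_store_card(consent_given, challenge, account_id):
    """Allow storing a card only with explicit consent and a verified account."""
    return (consent_given is True and challenge.verified
            and challenge.account_id == account_id)
```

The application would call its card-storing request only when `may_store_card` returns `True`, and record the consent alongside the customer profile's unique identifier.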

Buyer experience with cards on file

Partner applications that support cards on file must provide a complete buyer experience that aligns with their application flow.

Applications that store or use cards on file must allow buyers to perform actions that would be expected for a given flow. For example, an authenticated checkout flow that allows the buyer to select a stored card for a given payment should also allow the buyer to add or remove stored cards.

Applications must display only the cards on file that are stored using their own platform. They must not display other cards linked to the customer profile. Note that cards on file can be linked to a customer profile through the Seller Dashboard, Square Point of Sale, the Reader SDK, and Square APIs.

Strong Customer Authentication

Applications that process payments for sellers in the United Kingdom and EU (where Square is available) must have Strong Customer Authentication (SCA) built into their application flow for storing a card on file. For more information, see Strong Customer Authentication Overview.

Note

A customer must be present online or in person to complete the SCA flow for saving a card on file. When a saved card is used for a purchase, the customer must also be available to complete the SCA flow for each purchase.

See also