Subscriptions
Cardholder-initiated transaction
Also: CIT
A transaction initiated by the cardholder in real time, typically the first charge that establishes credential-on-file.
A cardholder-initiated transaction (CIT) occurs when the payer is actively involved in the checkout process and authorises a payment in real time. These transactions typically involve the cardholder entering or confirming their card details via a merchant website or mobile application. In the European Economic Area and the United Kingdom, CITs are generally subject to Strong Customer Authentication (SCA) requirements under PSD2, necessitating the use of protocols like 3D Secure. Beyond immediate payment, the primary function of an initial CIT in a subscription context is to establish a credential-on-file (CoF) agreement. Acquirers and schemes like Visa and Mastercard require specific flags to be sent during this initial authorisation to indicate that the cardholder has consented to future charges. The issuer verifies the cardholder identity and the resulting network transaction ID must be stored by the merchant to link subsequent merchant-initiated transactions (MITs) to this original authenticated session.
Frequently asked
Why is the transaction ID from a CIT important for recurring billing?
The transaction ID proves to the issuer that a cardholder-initiated authentication occurred previously. Merchants must include this original ID in future merchant-initiated transaction (MIT) requests to indicate the payment is part of an established chain, which helps maintain higher authorisation rates and ensures compliance with scheme rules.
Can a CIT be exempt from Strong Customer Authentication (SCA)?
While CITs are the primary target for SCA, certain exemptions may apply depending on the transaction value or the acquirer’s fraud rates. Low-value transactions under thirty Euros or those deemed low risk through Transaction Risk Analysis (TRA) might bypass step-up authentication, though the issuer ultimately retains the right to demand a challenge.
Related terms
A charge initiated by the merchant against a previously stored credential, without the cardholder present.
PSD2 requirement that customer-initiated electronic payments in the EEA and UK be authenticated with two of: knowledge, possession, inherence.
Ready for velocity?
Tell us about your business. We'll match you with the right acquiring partners and the right route, typically inside a week.
