The Brands consider tokenization a form of stored credential and therefore merchants using tokenization should obtain cardholder consent to put the credentials on file. Each transaction processed with a TaaS token should include the CardOnFileData block.

It is the merchant's responsibility to provide the CardOnFileData block in the transaction request to Portico:

• When requesting a new token, request as Initial CoF.
• When processing a transaction with a token, request as Subsequent CoF.
• When storing the token, merchant systems should be updated to also store the CardBrandTxnId of the first or most recent approved transaction.