
One-Click Payment

What is one‑click payment?

One‑click payment is a digital checkout method that allows the buyer to complete an online transaction by pressing a single button, without re‑entering card details or shipping information. The technology that makes this possible is tokenization: the real card number (PAN) is replaced with a unique identifier called a token, which the merchant stores instead of the sensitive data.

Amazon patented the original mechanism in 1999. After the patent expired in 2017, the model spread across the entire ecommerce ecosystem. Today, Visa, Mastercard, American Express and Discover unify this experience under the Click to Pay (Secure Remote Commerce) standard, managed by EMVCo.

One‑click payment with fast checkout button

According to Baymard Institute (2024), more than 70% of online shopping carts are abandoned before payment. Checkout complexity is one of the main causes, and one‑click payment directly removes that friction point.

How one‑click payment works

The process relies on the card‑on‑file model and distinguishes between two transaction types:

  • First purchase (CIT – Cardholder‑Initiated Transaction). The customer enters their card details, Strong Customer Authentication (SCA) required by PSD2 is applied, and the payment gateway generates a token that replaces the PAN.
  • Subsequent purchases (MIT – Merchant‑Initiated Transaction). The system retrieves the token, the card network resolves it against the token vault and authorizes the charge without the buyer interacting with any form.
  • Issuer validation. The cryptogram associated with the token is verified in milliseconds and the issuer returns the authorization.

This CIT–MIT flow is the real technical foundation. Without certified tokenization, one‑click payment does not legally exist under current regulations.
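The flow above can be modelled in a few lines. The following is an added example, not code from this page or from any payment gateway: a simplified in-memory token vault in which a token is issued only after SCA, is bound to one merchant, and each charge carries a cryptogram over token, merchant and amount. The class and method names, the HMAC-based cryptogram and the sample PAN are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class TokenVault:
    """Toy gateway-side vault (hypothetical model, not a real gateway API)."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # vault-only secret for cryptograms
        self._tokens = {}                    # token -> (pan, merchant_id)

    def first_purchase(self, pan, merchant_id, sca_passed):
        """CIT: a token is issued only if SCA succeeded; the merchant stores the token."""
        if not sca_passed:
            raise PermissionError("SCA required for the first (CIT) payment")
        token = "tok_" + secrets.token_hex(8)  # random, not derived from the PAN
        self._tokens[token] = (pan, merchant_id)
        return token

    def cryptogram(self, token, merchant_id, amount_cents):
        """Per-transaction MAC binding token, merchant and amount (assumed scheme)."""
        msg = f"{token}|{merchant_id}|{amount_cents}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def authorize(self, token, merchant_id, amount_cents, cryptogram):
        """Subsequent charge: resolve the token, enforce its domain, check the cryptogram."""
        entry = self._tokens.get(token)
        if entry is None:
            return "DECLINED: unknown token"
        pan, bound_merchant = entry
        if merchant_id != bound_merchant:
            return "DECLINED: token used outside its domain"
        expected = self.cryptogram(token, merchant_id, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINED: bad cryptogram"
        return f"APPROVED: card ending {pan[-4:]}"

def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test PAN, not a real card
    token = vault.first_purchase(pan, "shop-a", sca_passed=True)
    cg = vault.cryptogram(token, "shop-a", 2500)
    return {
        "ok": vault.authorize(token, "shop-a", 2500, cg),
        "other_merchant": vault.authorize(token, "shop-b", 2500, cg),
        "tampered_amount": vault.authorize(token, "shop-a", 9900, cg),
    }
```

The merchant side holds only the `tok_...` value; a token copied to another merchant, or replayed with a different amount, is declined by the vault.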

One‑click payment flow with tokenization and issuer validation

Regulatory impact and applicable security

Three regulatory frameworks define the obligations of the merchant and the payment provider:

  • PCI DSS v4.0. Requirement 3 mandates minimizing account‑data storage and making the PAN unreadable using strong cryptography. By tokenizing, the merchant reduces PCI scope because the real number never resides in their systems.
  • PSD2 and SCA (Royal Decree‑Law 19/2018). Strong authentication is mandatory for the first payment. Subsequent MIT charges with fixed amounts may benefit from the exemption defined in the EBA RTS, provided there is a documented prior agreement.
  • Click to Pay / SRC. Integrates network tokenization and native multi‑factor authentication, eliminating the need to enter the PAN on each merchant site.

A merchant implementing this functionality without a certified payment gateway risks sanctions and losing the ability to process card payments.

Operational advantages and disadvantages

| Aspect | Advantage | Operational risk |
| --- | --- | --- |
| Conversion rate | Reduces checkout steps and lowers cart abandonment | Impulse purchases may increase returns |
| Security | The token is useless outside its domain of use | Unauthorized account access could use stored tokens if initial SCA is weak |
| Payment continuity | Network tokens update automatically when a card is reissued | Migrating tokens between providers creates technological dependency |

The combination of tokenization with 3D Secure 2.0 enables frictionless flows for low‑risk purchases, improving approval rates without compromising security. Disabling SCA entirely shifts fraud liability to the merchant.
