
Recurring payment

What is a recurring credit card payment?

A recurring payment is an automatic charge executed periodically against a customer’s card or bank account, based on prior and explicit authorization. Unlike a one‑time payment, it establishes an ongoing billing relationship between merchant and consumer.

This model powers the subscription economy: SaaS platforms, streaming services, gyms, insurance, and any business with periodic billing. The two main channels through which funds move are bank direct debit (SEPA direct debit in Europe) and card payments using Credential‑on‑File (COF) technology.

Automatic recurring payments with card and bank direct debit

How a recurring payment works

The technical flow of a recurring card charge relies on two transaction types that Visa and Mastercard require merchants to differentiate, CIT and MIT, linked by the credential stored on file (COF):

  • CIT (Cardholder‑Initiated Transaction): the customer enters their payment details and completes strong customer authentication (SCA). This is the first charge, where the trust link is created and the card token is stored through tokenization.
  • COF (Credential‑on‑File): the gateway securely stores the token—never the real PAN—complying with PCI DSS v4.0 requirements on minimal account‑data storage.
  • MIT (Merchant‑Initiated Transaction): in each subsequent billing cycle, the merchant triggers the charge using the stored token without customer presence. The issuer validates that a successful CIT exists.

If a merchant attempts an MIT without a valid reference to an original CIT, the issuer will decline the transaction. This CIT → COF → MIT flow is the technical backbone of any automatic card‑billing system.

In the SEPA direct debit channel, the customer signs a mandate authorizing the merchant to initiate debits against their IBAN. The “recurring payment” checkbox must be explicitly marked so that subsequent charges cannot be disputed for up to 13 months.

Diagram of recurring payments with SEPA, CIT, and MIT

The SCA exemption for MIT recurring payments only applies when the amount and beneficiary do not change. If the subscription fee varies, the issuer may require new strong authentication, directly impacting the merchant’s approval rate.
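The CIT → COF → MIT rules above can be enforced as a merchant-side check before each billing cycle. The following is an added example, not code from this page or from any gateway or card scheme; the record fields, decision names and the policy of requesting a new CIT whenever the amount or beneficiary changes are assumptions, and the sample data is constructed.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

@dataclass(frozen=True)
class CredentialOnFile:
    """Hypothetical COF record created by the first CIT (not a gateway schema)."""
    token: str                     # gateway token; must never be the real PAN
    cit_reference: Optional[str]   # id of the original SCA-authenticated CIT
    cit_succeeded: bool
    agreed_amount_cents: int
    beneficiary: str
    card_valid_until: date         # last day the card can be charged

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used here only to spot a PAN stored where a token belongs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def preflight_mit(cof: CredentialOnFile, amount_cents: int,
                  beneficiary: str, today: date) -> Tuple[str, str]:
    """Return (decision, reason); decision is SUBMIT_MIT, NEW_CIT or BLOCK."""
    if re.fullmatch(r"\d{13,19}", cof.token) and luhn_ok(cof.token):
        return "BLOCK", "stored credential looks like a raw PAN, not a token"
    if not cof.cit_reference or not cof.cit_succeeded:
        return "BLOCK", "no successful original CIT to reference"
    if today > cof.card_valid_until:
        return "NEW_CIT", "card expired; customer must update details"
    if amount_cents != cof.agreed_amount_cents or beneficiary != cof.beneficiary:
        # Assumed conservative policy: re-authenticate instead of risking a decline.
        return "NEW_CIT", "amount or beneficiary changed; SCA exemption not assured"
    return "SUBMIT_MIT", "fixed amount, same beneficiary, valid CIT reference"

# Constructed sample data (no real card, token or transaction ids).
SAMPLE = CredentialOnFile("tok_constructed_8f3a", "cit-0001", True,
                          1999, "Example Gym SL", date(2026, 5, 31))

if __name__ == "__main__":
    print(preflight_mit(SAMPLE, 1999, "Example Gym SL", date(2025, 6, 1)))
    print(preflight_mit(SAMPLE, 2499, "Example Gym SL", date(2025, 6, 1)))
```

Running the check in the billing job, before the gateway call, turns an issuer decline into an explicit decision that can feed the customer notification flow.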

Regulatory impact and applicable security

European regulation protects both consumers and merchants in the recurring‑billing environment:

  • PSD2 (Directive EU 2015/2366), art. 97: requires strong customer authentication (SCA) for electronic payments. Fixed‑amount recurring charges qualify for an exemption after the first authenticated CIT, according to EBA RTS on SCA and secure communication.
  • Royal Decree‑Law 19/2018: transposes PSD2 into Spanish law. It establishes an unconditional refund right for direct debits within 8 weeks if authorized, and up to 13 months if unauthorized.
  • PCI DSS v4.0: requires minimizing account‑data storage and making the PAN unreadable through strong cryptography. Tokenization drastically reduces compliance scope for merchants with recurring billing.
  • SEPA Regulation (EU 260/2012): governs direct debits in the eurozone, distinguishing between Core (consumer, with refund rights) and B2B (no refund rights) schemes.

Visa and Mastercard categorize MITs into 8 specific use cases: delayed charges, no‑show, unscheduled COF, installment payments, resubmission, standing order, subscription, and partial shipment. Correctly classifying each transaction prevents declines and potential scheme penalties.

Illustration of COF Card on File with secure card storage and recurring payments

Operational advantages and disadvantages

| Criterion | Recurring payment | One‑time payment |
|---|---|---|
| Frequency | Automatic and periodic (monthly, quarterly, yearly) | Single transaction per purchase |
| Revenue predictability | High: enables long‑term financial planning | Low: depends on one‑off sales volume |
| Customer retention | Reduces churn by removing renewal friction | Customer decides on each purchase |
| Authentication (SCA) | Only required for the first CIT; subsequent MITs are exempt | SCA required for every transaction |
| Chargeback risk | Lower if cancellation is communicated clearly | Standard per‑transaction risk |
| Administrative cost | Low after initial setup | Higher due to managing each payment individually |

The biggest operational risk in recurring billing is expired cards. When an MIT fails due to expiration, the merchant must notify the customer to update their details, generating a new CIT. Without an automated dunning system (smart retries and pre‑billing reminders), involuntary churn can exceed 5–9% monthly in subscription portfolios.
