Control over Continuous Payment Authorities

(Dan) #1

Something I tried to get my existing bank to do was provide me with a list of continuous payment authorities against a particular card - they obviously refused my ever so kind request.

I assume that the card issuer has the data held for continuous payment authorities. If so, I think it would be beneficial to be able to see these CPAs and possibly even have control over them (cancel).

There is the concern that people would look at these as a similar method to direct debit if such controls were in place (liability, etc.), but I think with the ever-growing popularity of companies using CPAs to take recurring payments it would be useful.


(Derek Beck) #2

Yes, being able to cancel these as easily as a direct debit would be awesome.

It’s not always apparent to a customer that they are giving permission to do this, so giving control back to the customer would make sense.

I would love to see this featured in the Monzo app.


Does the card issuer have sight of these or are the requests simply sent from the retailer? I got the impression it was the latter when closing a credit card - they said that I was responsible for closing any CPAs, and they’d bill me for any that occurred.

(DA) #4

I would love to be able to see and cancel these. I’ve cancelled one that’s pointed at my card twice now with the company and the company in question is still trying to take payments every few months. So a way to see they are still there somewhere would be a huge help.


I was just about to post the same thing when I noticed you’d beaten me to it.

There’s no continuous authority stored as such, normally the merchant just stores your card details securely and uses them again.

So it would have to work by allowing you to block a merchant so that the card would always be declined for cardholder not present transactions.

I’d immediately switch to Monzo if this feature was implemented!


This is incorrect. Most merchants won’t want to store card details “securely” due to the headache of doing this in a PCI compliant manner.

Most merchants will indeed set up a Continuous Payment Authority (there may well be some shoddy merchants who do store and re-use your credit card details, but I’d assume that they are a small minority).

It is your right to cancel these by contacting your bank, and although Monzo may not have created a “one click” solution to do so, they must still cancel a Continuous Payment Authority if asked to do so.

If the bank (Monzo or otherwise) refuses to cancel this, you should make a complaint to the relevant ombudsman, as that’s just wrong.

See here for details:

Most relevant quote (emphasis and capitals in the original):


(Jolin) #7

Do you have a source for this? How else are the merchants charging the card subsequently? There’s no such thing as a direct debit on a card. When this has been discussed before, it’s been stated that CPA is a legal concept, but practically merchants just have to store card details and re-charge them for each payment.

I don’t know either way, it’s far outside my area of expertise. But it would be good to hear from someone who has specific knowledge in this area, as speculation on topics such as this can put people in bad situations!

(Dave) #8

I believe the truth is closer to what @andrewvv said, but @nanos is right about merchants not always storing the details themselves due to the need for PCI compliance requirements.

The business I am involved with uses CPAs, but we don’t store the card details. The card details are stored by our payment processor, and they give us a “token” via which we can request a further payment from the same card details (even though we don’t have them). In this way we don’t need to be PCI compliant because that requirement is for our payment processor to fulfil.

The UK Cards Association website says:

“If you have cancelled a CPA directly with your card issuer and then decide to renew your CPA with the same retailer, you should contact your card issuer first, as it is likely they will otherwise decline the payment.”

Last sentence here:

That would seem to indicate that it is the merchant that is blocked when a customer asks for the CPA to be “cancelled”. Therefore, as I understand it there is nothing on record with your bank that says you have agreed to a CPA.

A bank could provide a facility to block a merchant I guess, and then unblock them at a future date if you wished to do so.


My day job is managing technology for an e-commerce business that does about £10 million through continuous authority so I know the technology quite well. I did simplify it a bit as I was posting in a general forum.

As others have pointed out merchants store the card details at a PCI Level 1 provider who in return gives a token. The token can then be used to charge the card at will. If the token is stolen by hackers they cannot use it to steal money so it’s much safer than storing card details.

Again, as mentioned by @jzw95, continuous authority is not a technical concept, it’s a legal concept. The merchant basically can do what they want. It’s not like direct debit where you can cancel it with your bank. It is true that you can probably eventually get a chargeback but that’s a lot of work.

I’d love it if Monzo could allow you to block a merchant and always decline for all Cardholder Not Present transactions unless authorised by 3D-Secure. This would allow a continuous authority to be cancelled in the same way you can cancel a direct debit.

Personally, I tend to get round it by using PayPal which has a Billing Agreement concept which allows me to cancel when I want.
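
Added example, not part of the thread and not any bank's or card scheme's real API: a sketch of the issuer-side control the posts above converge on, where the issuer holds no CPA record, so "cancelling" means declining a blocked merchant's cardholder-not-present charges unless they are 3D-Secure authenticated. The class, field names and the repeat-charge heuristic for listing likely CPAs are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRequest:
    card_id: str
    merchant_id: str
    amount_pence: int
    cardholder_present: bool
    three_ds_authenticated: bool = False


class IssuerRules:
    """Hypothetical issuer-side authorisation model (assumption, not a real API)."""

    def __init__(self):
        self.blocked = set()  # (card_id, merchant_id) pairs blocked by the cardholder
        self.history = []     # approved requests, kept to infer recurring merchants

    def block_merchant(self, card_id, merchant_id):
        self.blocked.add((card_id, merchant_id))

    def unblock_merchant(self, card_id, merchant_id):
        self.blocked.discard((card_id, merchant_id))

    def authorize(self, req):
        """Return (approved, reason) for one authorisation request."""
        # A token-based recurring charge arrives as cardholder-not-present
        # without 3D-Secure, so that is the only case the block declines.
        if ((req.card_id, req.merchant_id) in self.blocked
                and not req.cardholder_present
                and not req.three_ds_authenticated):
            return False, "merchant blocked by cardholder"
        self.history.append(req)
        return True, "approved"

    def likely_recurring(self, card_id, min_charges=2):
        """Merchants with repeated unauthenticated CNP charges on this card.

        With no CPA stored at the issuer, a list can only be inferred from
        past transactions; the threshold is an arbitrary illustration.
        """
        counts = Counter(
            r.merchant_id for r in self.history
            if r.card_id == card_id
            and not r.cardholder_present
            and not r.three_ds_authenticated
        )
        return sorted(m for m, n in counts.items() if n >= min_charges)
```

Unblocking the merchant restores the previous behaviour, which matches the UK Cards Association advice quoted above about contacting the issuer before renewing a cancelled CPA.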