Skip to content

Last Updated: 15 July 2025 | Change Log

Use a stored card

Use a previously stored card to send a payments request. This is for customer initiated transactions (CIT) only.

Additionally, to collect the CVC value, use the Checkout SDK to create a cvc session and maintain a low PCI burden.

The request must contain:

"customerAgreement": {
    "type": "cardOnFile",  // used to indicate the customer has agreed to storing their card (CIT)
    "storedCardUsage": "subsequent" // subsequent payment 
}

If PSD2/SCA or other regional mandates apply you should follow the steps for enabling 3DS

1. Integration Type

Use a Worldpay Token or Network Token and optionally provide the CVC in the API or use our PCI-compliant Checkout SDK to create a cvc session.


2. Basic Request

application/json

Use a previously stored Worldpay token for a customer initiated payment (CIT)

{ "transactionReference": "Memory265-13/08/1876", "merchant": { "entity": "default" }, "instruction": { "method": "card", "paymentInstrument": { "type": "token", "cvc": "333", "href": "https://try.access.developer.com/tokens/eyJrIjoxLCJkIjoialRBL0FFelBzcnZpNCtzRGNRemh0NzI0NE1rdUtjMUFJdjYxVnlibWZuUT0ifQ" }, "customerAgreement": { "type": "cardOnFile", "storedCardUsage": "subsequent" }, "narrative": { "line1": "trading name" }, "value": { "currency": "GBP", "amount": 42 } } }

3. Add additional features

In most cases you will need to add some additional features such as 3DS, auto settlement or a risk assessment

4. Response

Features that change the API flow

Certain features add additional requests and responses:

  • 3DS - you will receive a 201 - 3dsDeviceDataRequired as well as the possibility of an issuer challenge
  • FraudSight - you may receive a 201 - fraudHighRisk outcome, stopping the payment
  • Auto Settlement - automatic 202 - sentForSettlement following authorization.
    • If any of the AVS/CVC response riskFactors are marked as notMatched the payment will be sentForCancellation automatically by default but can be disabled.
application/json
No response example