Recurring Billing Authorization Forms: ACH, Card-on-File, and Membership Workflows
Build recurring billing authorization forms in 2026: NACHA ACH requirements, card-on-file PCI compliance, state auto-renewal disclosure laws, failed-payment...
Formfy Team
Product Team

Why Recurring Billing Authorization Is the Form You Cannot Get Wrong
A recurring billing authorization form is the legal anchor between a business's monthly revenue and the customer's bank or card. Get it right and the form becomes a defensible record that authorizes monthly charges, supports retry logic on failed payments, and stands up in front of a chargeback dispute. Get it wrong and the business faces NACHA fines for ACH violations, PCI penalties for card-on-file mishandling, and class-action exposure under state auto-renewal disclosure laws.
The complexity sits in the intersection of three regulatory regimes. NACHA governs ACH (bank-to-bank) authorizations. PCI DSS governs card-on-file storage and processing. State auto-renewal laws (notably California's ARL, New York's auto-renewal statute, and the federal ROSCA) govern disclosure and cancellation flows. Each regime has its own technical requirements, and the form must satisfy all of them.
This guide covers ACH (NACHA) authorization requirements, card-on-file storage and PCI compliance, state auto-renewal laws, failed-payment and retry authorization, and refund and dispute workflows.
ACH (NACHA) Authorization Requirements
NACHA (National Automated Clearing House Association) governs ACH transactions in the United States. NACHA rules require that any ACH debit from a consumer account be authorized in writing or by a similarly authenticated method (which now includes electronic authorization), and that the authorization meet specific content and retention requirements.
A NACHA-compliant ACH authorization must include: the consumer's name and contact information, the consumer's bank account information (routing number, account number, account type), the amount (or method for determining the amount), the frequency (one-time or recurring), the start date, the method for revoking the authorization, and the signature (electronic or wet-ink). For variable-amount or variable-date authorizations, additional disclosures apply, and the consumer typically must receive notice in advance of each charge.
NACHA requires retention of the authorization for two years after the last charge. The originator (the business or its processor) must produce the authorization on request from the consumer's bank in the event of a dispute. Failure to produce a valid authorization on request typically results in the disputed charge being reversed and (depending on volume) NACHA fines.
For recurring authorizations, the original signed authorization covers all subsequent charges as long as they fall within the authorized parameters (amount, frequency, etc.). If the parameters change (price increase, frequency change), a new authorization is typically required.
Card-on-File Storage and PCI Compliance
Card-on-file is the practice of storing a customer's credit-card information for future charges. Card-on-file is technically a separate workflow from a one-time card payment, and it carries additional PCI DSS obligations.
The fundamental PCI rule is that businesses should store the minimum card data necessary, and most businesses should not store card data at all. Modern processors (Stripe, Adyen, Braintree) provide tokenization: the full card number is replaced with a token that can only be used by your account, and the token (not the card number) is what your system stores. Tokenization shifts most of the PCI burden to the processor and dramatically reduces compliance scope.
For tokenized card-on-file, the form should include: express authorization to store and reuse the card, the cardholder's name as it appears on the card, the last four digits of the card (for reference, never the full PAN), the amount and frequency of recurring charges, the start date, the cancellation method, and the signature. The full card data should be captured by a processor-hosted form (e.g., Stripe Elements) so the data never touches your servers.
For non-tokenized scenarios (rare in 2026 and not recommended), full PCI DSS scope applies, including secure storage, key management, access controls, vulnerability scanning, and annual self-assessment or third-party audit.
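A check a backend team can run against its own card-on-file records to enforce the "token plus last four, never the full PAN" rule described above. This is an added example, not Formfy's or any processor's code; the record field names and the sample records are constructed assumptions.

```python
import re

# Constructed card-on-file record the way a tokenized integration should store it:
# processor token plus last four, never the full PAN (field names are assumptions).
SAFE_RECORD = {
    "cardholder_name": "Jane Doe",
    "processor_token": "tok_constructed_7f3a9c",
    "last4": "4242",
    "authorized_amount_usd": "29.99",
    "frequency": "monthly",
}

# Same record after a common mistake: a raw card number pasted into a free-text field.
LEAKY_RECORD = dict(SAFE_RECORD, notes="customer called, card 4242 4242 4242 4242 exp 12/28")

# 13 to 19 digits, optionally separated by spaces or dashes (card-number lengths).
DIGIT_RUN = re.compile(r"(?:\d[ -]?){13,19}")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check that card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Digit runs of card-number length that also pass Luhn, i.e. probable PANs."""
    hits = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def pan_leak_fields(record: dict) -> list:
    """Names of the fields in a stored record that contain a probable full PAN."""
    return [k for k, v in record.items() if isinstance(v, str) and find_pans(v)]
```

Running the same scan over logs, support tickets and database exports is how a team finds PAN that has escaped the tokenized path before an assessor does.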
State Auto-Renewal and Cancellation Disclosure Laws
State auto-renewal laws are where many recurring-billing operators get caught. Most states now have some form of auto-renewal disclosure law, and California's Auto-Renewal Law (ARL, Business and Professions Code 17600 et seq.) is the most prescriptive and frequently the basis for class-action litigation.
Under California's ARL, a business that auto-renews a subscription must: present the auto-renewal terms in clear and conspicuous language before the consumer subscribes, obtain the consumer's affirmative consent to the auto-renewal terms (typically a separate checkbox), provide an acknowledgment of the auto-renewal terms in a form the consumer can retain, provide an online cancellation method if the original subscription was online, and (for free-to-paid conversions) send a renewal notice before the auto-renewal charge.
New York's auto-renewal statute (General Business Law 527-a) is similar in structure. Several other states (Florida, Vermont, Oregon, Connecticut) have versions with their own specifics. The federal ROSCA (Restore Online Shoppers' Confidence Act) layers on additional requirements for online sales, including a clear and conspicuous statement of all material terms before billing information is collected.
The 2024 FTC 'click-to-cancel' rule (and follow-on state activity) further requires that cancellation be at least as easy as enrollment, that cancellation not require a phone call or in-person visit, and that auto-renewal businesses provide annual reminders. Operators should expect 'click-to-cancel' obligations to expand and standardize across states over the next several years.
Failed-Payment and Retry Authorization
Recurring billing fails occasionally. Cards expire, accounts close, balances run low. The operator's options are governed by the dunning workflow (the sequence of retry attempts and customer notifications) and by the original authorization scope.
NACHA limits ACH retry attempts: an originator may retry a returned ACH debit at most twice within 180 days of the original debit, and the consumer must not have revoked the authorization. Best practice is to communicate the failure to the consumer immediately, request updated banking information, and retry only after consumer acknowledgment.
Card retries are governed by the network rules (Visa, Mastercard, Amex), which limit the timing and frequency of retries to avoid cardholder annoyance and dispute risk. Modern processors handle retry timing automatically (Stripe's Smart Retries, Braintree's Adaptive Retries) and integrate with email notifications to recover failed payments.
The original authorization should specify what happens on failed payment: a typical clause states 'if a charge fails, we will retry up to N times within M days, and we will notify you of the failure within X business days.' This language is the legal basis for retry attempts and customer-facing dunning communications.
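A gate for a dunning job that enforces the retry clause from the authorization together with the NACHA ACH limit and the notify-before-retry practice described above. This is an added example, not the page's or any processor's code; the data classes, the clause values and the dates are constructed assumptions, and the card-network limits are left to the clause's own N and M.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# NACHA limit stated on this page: a returned ACH debit may be retried
# at most twice within 180 days of the original debit.
ACH_MAX_RETRIES = 2
ACH_WINDOW_DAYS = 180


@dataclass
class Authorization:
    rail: str            # "ach" or "card"
    max_retries: int     # N from the authorization clause
    window_days: int     # M from the authorization clause
    revoked: bool = False


@dataclass
class DebitHistory:
    original_date: date
    retry_dates: list = field(default_factory=list)
    failure_notified: bool = False   # consumer told of the failure before any retry


def retry_allowed(auth: Authorization, hist: DebitHistory, today: date) -> tuple:
    """Decide whether one more retry is permitted; returns (allowed, reason)."""
    if auth.revoked:
        return False, "authorization revoked"
    if not hist.failure_notified:
        return False, "consumer not yet notified of the failure"
    limit, window = auth.max_retries, auth.window_days
    if auth.rail == "ach":
        # The contract clause may be stricter than NACHA but never looser.
        limit = min(limit, ACH_MAX_RETRIES)
        window = min(window, ACH_WINDOW_DAYS)
    if len(hist.retry_dates) >= limit:
        return False, f"retry limit of {limit} reached"
    if today > hist.original_date + timedelta(days=window):
        return False, f"outside the {window}-day retry window"
    return True, "ok"
```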
Refund and Dispute Workflows
Refunds and disputes are the back end of the recurring-billing workflow. Refunds are voluntary returns of money initiated by the business; disputes (chargebacks for cards, returns for ACH) are involuntary reversals initiated by the consumer through their bank or card network.
Refunds. Refund policies should be disclosed in the original authorization or in a linked terms document. State unfair-trade-practices laws and FTC guidance generally require that refund policies be clear and that refunds be issued in a reasonable time. For subscriptions, refund policies typically address pro-rated refunds for early cancellation, full refunds within a money-back-guarantee window, and limited or no refunds outside that window.
Disputes (chargebacks). When a consumer disputes a charge, the business has a chance to respond with evidence supporting the charge. The original signed authorization is the strongest evidence. Other supporting evidence includes timestamps of service delivery, customer-service communications, IP-address records of the customer's authorization session, and dunning communications. Disputes that go to arbitration with strong evidence often succeed; disputes with weak documentation typically result in chargeback losses plus chargeback fees.
The PCI-friendly pattern is to retain dispute-supporting evidence (the signed authorization, communications, audit-trail data) in a system separate from the card-data system, and to have a documented dispute-response runbook with assigned ownership and SLAs.
Common Mistakes in Recurring Billing Authorization
The patterns that drive most recurring-billing problems:
- Pre-checked auto-renewal boxes. Several state ARL statutes specifically prohibit pre-checked boxes for auto-renewal consent. The consent box must be unchecked by default so that consent is affirmative.
- Buried disclosures. Auto-renewal terms in fine print, footnoted, or on a separate page from the consent flow are vulnerable to clear-and-conspicuous challenges.
- No online cancellation method. California's ARL and the FTC click-to-cancel rule require online cancellation for online subscriptions. Phone-only or email-only cancellation flows are violations.
- Missing NACHA elements. An ACH authorization missing the start date, the revocation method, or the amount-determination method is technically deficient and can be reversed on dispute.
- Storing full card numbers. Storing the PAN outside a processor's tokenization service drastically expands PCI scope and is rarely worth the cost.
- No retry-attempt notification. Failing to notify the consumer of a failed payment before retrying creates customer-experience problems and potentially violates network rules.
- Insufficient audit trail. A consent record without IP, timestamp, user agent, and document-version hash is hard to defend against repudiation.
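One way to build the consent record the last two sections call for: it refuses an authorization that lacks a required NACHA element or was not affirmatively checked, stores only the last four digits of the account, hashes the exact disclosure text the consumer saw, and seals the record with an HMAC so later tampering or a silently changed disclosure version is detectable. This is an added example, not Formfy's code; the field names, the key, the disclosure text and the sample authorization are constructed assumptions, and in practice the key would come from a secrets store.

```python
import hashlib
import hmac
import json

# Constructed disclosure text and signing key (use a secrets-store key in practice).
DISCLOSURE_V3 = "I authorize ACME to debit my account monthly for $29.99 starting 2026-03-01."
AUDIT_KEY = b"constructed-demo-key-rotate-me"

# Elements NACHA requires in a recurring ACH authorization, per the list on this page.
NACHA_REQUIRED = ("consumer_name", "contact", "routing_number", "account_number", "account_type",
                  "amount", "frequency", "start_date", "revocation_method", "signature")

# Constructed sample authorization (all values are placeholders).
SAMPLE_AUTH = {
    "consumer_name": "Jane Doe", "contact": "jane@example.com",
    "routing_number": "000000000", "account_number": "000123456789", "account_type": "checking",
    "amount": "29.99", "frequency": "monthly", "start_date": "2026-03-01",
    "revocation_method": "email billing@example.com 3 business days before the debit",
    "signature": "Jane Doe",
}


def missing_nacha_elements(authorization: dict) -> list:
    """Required elements the ACH authorization record does not carry."""
    return [k for k in NACHA_REQUIRED if not authorization.get(k)]


def build_consent_record(authorization: dict, disclosure_text: str, ip: str,
                         user_agent: str, signed_at: str, consent_checked: bool) -> dict:
    """Tamper-evident consent record: what was shown, who agreed, from where, and when."""
    if not consent_checked:
        raise ValueError("affirmative consent required; the box must not be pre-checked")
    missing = missing_nacha_elements(authorization)
    if missing:
        raise ValueError(f"authorization missing NACHA elements: {missing}")
    record = {
        "document_sha256": hashlib.sha256(disclosure_text.encode()).hexdigest(),
        "consumer_name": authorization["consumer_name"],
        "account_last4": authorization["account_number"][-4:],   # never the full number
        "ip": ip, "user_agent": user_agent, "signed_at": signed_at,
    }
    body = json.dumps(record, sort_keys=True).encode()
    record["hmac"] = hmac.new(AUDIT_KEY, body, hashlib.sha256).hexdigest()
    return record


def verify_consent_record(record: dict, disclosure_text: str) -> bool:
    """True only if the record is untampered and matches the disclosure version on file."""
    body = {k: v for k, v in record.items() if k != "hmac"}
    expected = hmac.new(AUDIT_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, record.get("hmac", ""))
            and body.get("document_sha256") == hashlib.sha256(disclosure_text.encode()).hexdigest())
```

Keep each disclosure version's text alongside its hash so that, in a dispute, the record can be matched to the exact wording the consumer agreed to.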
For deeper context on related billing and authorization patterns, see our guides on gym membership liability waivers, personal trainer liability waivers, the free vs. paid waiver software guide, the legally enforceable digital waivers guide, the PDF vs. digital intake forms comparison, and the sending forms electronically guide.
Disclaimer: This article is for informational purposes only and does not constitute legal, financial, or compliance advice. ACH, card, and auto-renewal rules vary by jurisdiction and processor. Consult qualified counsel and a payments-compliance specialist for guidance specific to your business.
Comparing Generic vs. Specialized Recurring Billing Authorization Approaches
Recurring billing authorizations carry NACHA, state UCC, and card-network requirements that generic ACH or card forms routinely miss.
| Recurring Billing Element | Generic Authorization Form | Formfy Recurring Billing Approach |
|---|---|---|
| NACHA-compliant ACH language | Generic authorization missing required NACHA language for recurring debits | NACHA-compliant authorization with proper revocation, notice, and routing language built in |
| Notice of variable amounts | No notice schedule when the debit amount varies, creating disputes and chargebacks | Variable-amount notice schedule with 10-day advance notice when debits exceed the authorized range |
| Card-on-file network rules | Generic card storage missing tokenization and PCI compliance attestations | PCI-compliant tokenization with card network mandates for stored credentials documented |
| Cancellation method clarity | Vague cancellation language causing chargeback losses and CFPB complaints | Crystal clear cancellation method with online self-service and confirmation receipt mailed |
| Audit trail of authorization | Single signature record with no IP, device, or session capture | Cryptographic signature with IP, device, and session record satisfying NACHA verification rules |
| State auto-renewal disclosures | Missing California, Oregon, and New York auto-renewal mandatory disclosures | State-specific auto-renewal disclosure block triggered by billing address state during checkout |
| Failed payment retry logic | Single retry attempt with no smart retry or customer notification process | Smart retry schedule with customer notification at each attempt and dunning automation |
Specialized recurring billing authorization protects both the merchant and the customer while satisfying NACHA, card networks, and state auto-renewal laws.
This article is for informational purposes only and does not constitute legal advice. Consult a licensed attorney for jurisdiction-specific guidance.