Authorization Flashcards
When does authorization happen?
At the moment of the swipe
2 possible results of authorization?
- Places hold on funds and puts transaction in pending
- Declines the transaction
What is ISO 8583?
Messaging standard that is used by banks and card networks to exchange messages between themselves
11 Step Authorization Process
- Cardholder enters card details and cardholder credentials into the check-out page of the online storefront
- Gateway encrypts card details and cardholder credentials
- Gateway sends the encrypted card details and cardholder credentials to the merchant’s Acquirer Processor
- Acquirer Processor identifies the Card Network affiliated with the card
- Acquirer Processor forwards the card details to that Card Network, requesting Authorization
- Card Network identifies the bank that issued the card
- Card Network routes the transaction to the Issuer Processor affiliated with the Issuing Bank
- Issuer Processor validates that the transaction is not fraudulent, verifies that the cardholder’s account is in good standing, and verifies that the cardholder has sufficient credit to cover the amount of the purchase
- Issuer Processor sends back an approval message to the Card Network
- Card Network relays the authorization to the Acquirer Processor
- Acquirer Processor relays the authorization to the Gateway
- Gateway notifies the Cardholder that the transaction is approved
What are auth rates?
Percentage of a merchant's transactions that successfully pass through the authorization process
Reasons for failed authorization
- Technical errors
- Internet outages
- Page inactivity
- Issuer refusals
- Insufficient funds
- Stolen card
- Expired card
- Billing address that does not match
Auth Rates CP vs. CNP
Overall, in-store (POS) transactions tend to have very low decline rates, while e-commerce transactions can have 5 to 10 percent decline rates
‘Do Not Honor’
- Most common decline reason for an online transaction
- Does not really tell the merchant why the issuer is declining the transaction
‘NSF’
Insufficient Funds
‘Invalid CVV’
The CVV that a customer provided does not match the issuer’s records
AVS Failed
The Address Verification Service cross-checks the billing address a merchant submits with the authorization, and the issuer says it does not match what it has on file
Hard Declines
- Any refusal due to an invalid card, stolen card or closed account
- Not much the merchant can do
- Should not be reattempted
Soft Declines
- Temporary Declines
- If it is a technical error, waiting to retry later could resolve the issue
- For an expired card, a merchant can either reach out to the shopper to have them add a new card, or they can reach out to the relevant Network for updated details
Auth rates online vs. POS
Auth rates can be 10% lower for online payments
Why are auth rates lower for online payments?
Issuing banks use more conservative logic to approve or deny an online transaction because of the increased risk of fraud
Network declines are also referred to as…
Issuer declined charges, meaning that the customer’s bank has declined the transaction request
Strategy to deal with network decline should be based on:
- Type of decline code
- Specific issuing bank
Strategy For Insufficient Funds:
- Prompt your customer for another payment method
- Obtain authorization to retry the transaction at a later date, when the original payment method is more likely to have adequate funds
Strategy For Inaccurate or outdated card information:
- First-time customer: it is likely that they simply made a mistake, so reach out and ask them to re-enter
- If transactions are declined using cards you have on file, the card information is likely outdated
- Ask your customers to update their credentials and ensure that your payment provider or processor offers a card account updater
Strategy for suspicion of fraud:
- Have fraud prevention and management tools in place to help detect and block illegitimate charges
5 Ways To Increase Auth Rates
- Collect and submit additional billing information
- Keep your fraud rates low
- Accept digital wallets (higher acceptance rates thanks to two-factor authentication)
- Enable card account updater
- Enable network tokens
Stripe Enhanced Issuer Network
- Set of partnerships with major US card issuers and networks
- Stripe shares fraud scores from Radar, its fraud prevention solution, through an encrypted pathway with Capital One and Discover to help fight fraud
- Issuers already operate their own fraud detection models, yet they only have partial information about a transaction, which reduces their accuracy in determining whether to approve or deny it. Using Radar fraud scores for transactions in tandem with the information the issuer already has leads to more accurate fraud determinations
Stripe Adaptive Acceptance
- Uses machine learning models to selectively retry payments declined by the Issuer in real time, before a response is returned to the customer
- Stripe dynamically adjusts different factors in the payment request to increase the chances of acceptance, running dozens of experiments with different issuing banks at the same time to understand which treatment is most likely to result in a successful payment—within milliseconds
- For example, let’s say some customers in the UK quickly type their postal code in all lowercase, with no spaces, into a checkout form. Stripe would notice this pattern and test a variety of variations to find out if a certain postal code format gets better authorization rates than others
Stripe Smart Retries
For example, we look at issuer behavior (like when the issuing banks change their review thresholds), check for card updates, and analyze activity across Stripe to see if the payment method is being used successfully. Stripe then uses this information to choose the optimal times to retry failed payment attempts, so as to increase the chance of successfully paying an invoice
Stripe Card Account Updater
Stripe works with card networks and automatically attempts to update saved card details whenever a customer receives a new card
Stripe Network Tokens
- Network tokens are a card network solution that can substitute primary account numbers (PANs) for online purchases
- Network tokens are unique to an individual user
- Stripe works with payment networks to tokenize a user’s repository of PANs into network tokens and maintains them so they stay current, even if the underlying card data changes
- For example, if a customer lost their card, Stripe would get notified by the network and update the token directly so it would continue to work without the customer having to update their payment information
What is the Primary Account Number (PAN)?
The 15- or 16-digit number found on every credit or debit card
Fraud Definition
“Any false or illegal transaction.”
- It typically occurs when someone has stolen a card number or checking account data and uses that information to make an unauthorized transaction
Dunning
The process of recovering declined or failed payments for recurring revenue businesses.
Decline Code: offline_pin_required
- The card was declined because it requires a PIN
- The customer needs to try again by inserting their card and entering a PIN
3 Steps Of A Payment
- Is the payer genuine and allowed to make the payment transaction? This is the Authorization process
- Do all stakeholders involved in the payment process agree on a single truth of payment transaction information? This is Clearing
- Has the value moved from payer to payee? This is Settlement
Main question of Authorization?
Is the payer genuine and allowed to make the payment transaction?
Question-Answer Process
Acquirer asks the issuer to verify that the payment transaction is genuine before it is allowed to progress to the next stage.
- The Issuer gives their answer, either authorizing or declining the transaction
STIP
Stand-in-Processing
STIP is a card scheme’s backup process for authorizing transactions when an issuer can’t respond in real-time
2 Main Stages of Authorization
- Auth Request
- Auth Decision
Does using Apple Pay drastically change the authorization process?
No.
- Ultimately, regardless of the underlying technology used, the cardholder is still making a purchase with a card
- These technologies simply introduce a layer of abstraction on top of existing infrastructures for the convenience of consumers
- The form factor is irrelevant and the authorisation process is the same. Underneath, the ducks still paddle in the same way
“You can say that it is an overlay service on top of the card information which wraps a card to present it in a different way”
Industry Approved Standard for authentication during authorization:
3D Secure