Managing E-Commerce Credit Card Transaction Post-Authorizations

E-commerce merchants need to develop a process for managing credit card transactions after an authorization response is received from the issuer. We have discussed the e-commerce transaction authorization process at length in separate posts, so we will not go over it again here. Once the issuer compares the information it receives in the authorization request to what it has on file for its cardholder, it will either approve or decline authorization. The merchant typically receives the response within a few seconds of submitting the request.

Whatever the authorization response, the merchant will need to have an established set of procedures in place and handle it quickly. An approval will typically be sufficient to warrant a settlement of the transaction, although it is not a guarantee against fraud and you should still examine the transaction for fraudulent characteristics. Remember that an authorization approval will not protect you against fraud-related chargebacks. If the response is a decline, you should not process the transaction. Instead, you should examine the reasons for the decline and use the lessons to avoid declines of this type in the future, where possible.

The following best practices should be incorporated into your post-authorization procedures:

• If the transaction is approved, send an email order confirmation to your customer. This will enable you to verify the validity of the cardholder’s email address. If the email turns out to be invalid, you should research the situation and determine whether the order is legitimate. To minimize customer disputes you should include in the email order confirmation details about the approved purchase.
• If the transaction is declined, review the reasons and take appropriate actions. Request that your customer corrects the submitted payment information or provides an alternative payment method that may allow you to complete the sale.
  • Log authorization declines for review and contact customers to correct problems with their cards (e.g. wrong expiration date or card security code) or ask for an alternative payment method.
  • If the card information is corrected, you will need to obtain authorization approval from the card issuer before completing the sale. Do not assume that the corrected information is valid.
• Regularly evaluate the success of your decline review strategy and modify it, as needed. Your long-term goal should be to drive down your overall authorization decline rate. You should also set separate goals for minimizing declines for specific reasons. The most common causes for authorization declines are:
  • Technical errors in entering payment information. There is not much you can do about technical errors, however you should at least make sure that the card numbers are valid by:
    • Matching the card’s brand to the first digit of the account number. Depending on the brand, the number should begin with:
      • American Express — 3.
      • Visa — 4.
      • MasterCard — 5.
      • Discover — 6.
    • Using the Mod 10 algorithm. Used specifically to validate credit card numbers, the Mod 10 algorithm detects all single-digit errors, as well as almost all transpositions of adjacent digits.
  • Fraud. With time, your fraud prevention measures should be getting stronger as your internal negative file grows and your transaction velocity limits and controls become more accurate. A transaction involving a credit card number in your negative file should not be sent for authorization, nor should you do that for transactions exceeding your velocity limits before you evaluate the risk.
• Monitor your order decline rates. You will need to be able to measure your progress (or the lack of it). In particular:
  • Track your order declines by reason on a daily basis.
  • Separate transactions declined by the card issuer from those declined by you for suspected fraud or other reasons.

Are there any other post-authorization procedures that work for you? Share them in the comments.

Image credit: ZF.ro.