Credit Card Processing Blog

Now that Visa has made it mandatory for all U.S. processors to support chip-based transactions by April 1, 2013, we will need to start familiarizing ourselves with the new technology. In this post I will review the requirement for all EMV-accepting devices to support terminal risk management. Each point-of-sale (POS) device should be able to determine whether terminal risk management must be performed prior to sending an authorization decision to the card.

The two mandatory risk management checks for POS terminals are floor limit and random transaction selection.

Floor Limit

Floor limit is the transaction amount above which an authorization needs to be requested. Processors determine the floor limit for each of their merchants using Visa and MasterCard regulations, based on the country and merchant type.

Countries can implement different floor limits for chip and magnetic stripe transactions, so POS devices should be capable of supporting both. Alternatively, terminals can have an effective zero floor limit for mag-stripe transactions by forcing all of them online and use a floor limit for chip transactions.

Floor limits for mag-stripe transactions are not applicable for fallback transactions (where the mag-stripe is only used if the chip cannot be read), which all have a zero floor limit. If a mag-stripe fallback transaction cannot be processed online, a paper voucher or key entry processing is allowed with voice authorization. If a fallback transaction cannot be authorized, it must be terminated.

Random Transaction Selection

EMV terminals must support random transaction selection for online processing, which helps protect against counterfeit cards designed to operate exclusively offline. The POS device needs to be programmed to randomly select below-floor-limit transactions for online processing. The values are determined on a per-country basis and designed to achieve two goals:

• Preventing criminals from predicting a POS terminal’s online behavior and exploiting the floor limit.
• Providing adequate opportunities for transactions to be approved offline, depending on the issuer’s card controls.

There are two types of random selection:

• Random selection. Here a certain percentage of below-floor-limit transactions is sent online.
• Biased random selection. In this case a formula is used to determine whether a transaction goes online, with the probability increasing as the transaction amount approaches the floor limit.

Random transaction selection is based on three factors:

• Target percentage for random selection. This percentage (which can be anywhere between 0 and 99) designates the approximate ratio of transactions below the threshold value that the POS terminal sends online for authorization. It also designates the minimum percentage of above-threshold transactions to be sent online. A value of zero turns off the random transaction selection.
• Threshold value for biased random selection. Below this value (which can be anywhere between 0 and the floor limit amount), transactions are subject to random selection and above it – to biased random selection. If the threshold is zero, all transactions will be evaluated by biased random selection. If it is set at the floor limit, random selection is used.
• Maximum target for biased random selection. This value (anywhere between 0 and 99) is used to increase the ratio of selected transactions as the transaction amount approaches the floor limit. The higher the maximum target amount, the more likely that the transaction will go online.

The Takeaway

The POS terminal risk management rules, together with the card rules, are used to determine whether a given transaction should be approved offline, sent online for authorization, or declined offline. You will need to work with your processor and equipment vendor to ensure that your device is properly set up.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).

Visa uses chargeback Reason Code 77 to designate chargebacks resulting from processing transactions where the account number on the card presented by the cardholder does not match the one on file with the card issuer. MasterCard does not have a reason code that exactly matches Visa’s 77.

What causes these chargebacks? By far the most common cause for a chargeback Reason Code 77 is that the merchant incorrectly key-enters or records a card account number.

How to manage such chargebacks? Your response to Reason Code 77 chargebacks will depend on the particular transaction circumstances and the actions you have taken (or not) so far.

• The account number matches. If the card account number on the sales receipt does match the one on the chargeback and you received an authorization approval from the issuer, contact your processing bank and request that they include their authorization log when they re-present the chargeback. Most processors handle this type of chargebacks automatically and you will never see them.
• The account number doesn’t match. If the card account number on the sales receipt does not match the one on the chargeback, there is no remedy and you should accept the chargeback. Process a new transaction and make sure that the account number is correct. However, do not process a credit at this time, as the chargeback has already performed this function.

How to prevent chargeback Reason Code 77? The following card acceptance best practices will help prevent this type of chargebacks:

• The terminal can’t read the card’s magnetic stripe. For card-present transactions, if the magnetic stripe cannot be read, request authorization by key-entering the account number. Then take a manual imprint from the face of the card onto the sales receipt and have it signed by the cardholder.
• The terminal is not working. If your point-of-sale (POS) terminal is not working, call your processor’s voice authorization center. If you get an authorization approval, be sure to write the response code on the sales receipt. Then take a manual imprint from the face of the card onto the sales receipt and have it signed by the cardholder.
• The embossed account number doesn’t match. If the account number on the terminal or on the sales receipt does not match the one on the front of the card, request a Code 10 call. If you are asked to retain the card, comply only if it is safe to do so.
• Taking orders over the phone. For telephone orders, you should read the account number back to the cardholder to verify it.
• Obtaining authorization. Authorization should always be requested for transactions where the sale’s amount is above the merchant’s floor limit. Floor limits are typically stated in the merchant’s processing agreement. Remember that for all card-not-present transactions the floor limit is zero, which means that they always require authorization.
• Recurring payments. With recurring payments it is possible that, over time, the account number on file can be changed or the account can be closed altogether. If authorization is declined, contact the customer and update the card details. To avoid declined authorizations due to changed account numbers altogether, consider signing up for Visa’s and MasterCard’s automatic card updater services, which enable merchants to update account information on file, as such changes occur.

Your point-of-sale staff should be well trained on employing these best practices, but specifically on comparing account numbers printed on sales receipts to account numbers embossed on the cards. Everyone should understand that, when the numbers differ, the card should not be accepted and a Code 10 call should be made. The phone numbers for voice authorizations should be clearly posted, so that when the terminal is down or the card’s magnetic stripe cannot be read, a voice authorization can be quickly requested. Staff should also be instructed that authorizations are always required for card-not-present transactions.

Learn how to minimize chargebacks and fraud

Learn how to minimize chargebacks and reduce your processing costs. The Chargeback Management kit contains a video and an e-book:

• E-Book – Chargeback Manual (40 pages).
• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).

Accepting Discover card payments is broadly similar to accepting Visa, MasterCard or American Express payments, with a few differences. This post will review the process merchants must follow for each card-present Discover sale they accept.

When a Discover card is presented for payment at the checkout, the merchant is required to perform the following actions:

1. Card expiration date. The first thing you should do is check the card’s expiration date. The card is valid through the last day of the month embossed on it. Merchants are not allowed to accept expired cards and are required to call Discover’s authorization center at 1-800-347-1111.
2. Card signature. Verify that there is a signature on the back of the card and that it matches the name embossed on the front of the card. If the card is not signed, request two pieces of identification, one of which is a picture identification. When you have confirmed that your customer is the cardholder, have him or her sign the back of the card.
3. Obtain authorization. If you are using a point-of-sale (POS) terminal, you are required to transmit the full magnetic stripe data, obtained when the card is swiped through the terminal, with the authorization request. If the magnetic stripe is unreadable and you have to key the transaction information in, you must take a manual imprint, to validate that the card is present. If you fail to take a manual imprint for any key-entered transaction, you will be liable for any resulting chargebacks.

   
   If your POS terminal is unable to connect to Discover’s electronic authorization system, you should call Discover’s authorization center for a voice authorization. Be advised that the floor limit for all Discover transactions is zero, which means that they all must be authorized. Transactions processed without first obtaining an authorization approval may be immediately charged back to you.

   
   For transactions where the merchandise is shipped or the service provided more than thirty days after the order is made, you need to obtain an authorization at the time the order is placed and again immediately before shipping the product or providing the services to the cardholder.

4. Sales receipt. All products and / or services purchased at one time and at one POS terminal must be included on one sales receipt. Split sales, where a merchant uses two or more sales receipts for a single transaction, are not allowed, except for partial payments. The customer must receive a copy of the sales receipt at the time the transaction is completed.
5. Required transaction information. For swipe transactions that are processed electronically using a POS terminal, required information is automatically transmitted to Discover and you are generally not required to obtain a card imprint on the sales receipt. However, if your terminal is not able to read the card’s magnetic stripe, you must obtain a card imprint and include all of the following information on the cardholder’s copy of the sales receipt:
   • The card account number.
   • The cardholder’s name.
   • The card expiration date.
   • The merchant’s name.
   • A description of the purchased merchandise or service.
   • The total amount of the card transaction (including sales tax and / or tip).
   • The transaction date.

   
   For electronically processed transactions, you should compare the account number printed on the transaction receipt to the one on the front of the card. If the two numbers do not match, you should not accept the card.

6. Refunds and returns. If a cardholder returns products or services purchased with a Discover card and in accordance with your return policy, you are required to issue a refund. Your return policy should be clearly displayed and communicated to the cardholder at the time of the sale.

As you see, there is nothing in Discover’s card acceptance requirements that is all that different from Visa’s or MasterCard’s. In general, if you follow the requirements of any of the major credit card companies or associations and apply them to all of your card transactions, you will be in compliance with all of them.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).

Just as with Visa and MasterCard transactions, merchants are required to obtain an authorization before completing any Discover card transaction. Discover authorizations are valid for 90 days and can be obtained electronically or over the telephone. Upon approval, Discover issues an authorization code, which must be written on the sales receipt, unless the authorization was obtained electronically. In a card-present environment, an electronic authorization request consists of the complete contents of the magnetic stripe on the card presented by the customer, read by the point-of-sale (POS) terminal. In card-not-present transactions, an authorization requests consists of the data, submitted by the merchant (in MO / TO transactions) or the cardholder (in e-commerce transactions).

If a merchant accepts a card payment without receiving an authorization, Discover is not required to pay for the sale. If a payment has already been received, Discover may charge back the transaction. As with Visa and MasterCard, an authorized Discover transaction can still be charged back for other reasons.

Discover authorization procedures:

• Electronic authorization procedures. If you use a POS terminal for accepting card payments, just follow the procedures given to you by your terminal provider for the use of that terminal. If your authorization request returns a “call center” referral code, call Discover’s Authorization Center at 1-800-347-1111 for further instructions (see below). This is also referred to a voice authorization. Additionally, you are required to contact the Authorization Center if your POS terminal is not working.
• Voice authorization procedures. Whenever you have to request a voice authorization, call Discover at 1-800-347-1111 and provide the following information:
  • Card account number (16 digits).
  • Your Merchant ID number (15 digits).
  • Card expiration date (4 digits – MM / YY).
  • The dollar amount of the transaction including tax and tip (dollars and cents).

If your request is approved, you will be given an authorization code, which you must write in the appropriate place on the sales receipt. If you received an authorization code by telephone, complete the transaction (force enter the sale). If a card is invalid, you will receive a message declining the transaction. You should never force transactions where authorization was declined and ask your customer for an alternative payment method instead.

Authorizing installment sales transactions. If you process installment payments, Discover requires that you receive a separate, current authorization for each installment before submitting it. You should do this anyway, as card account information (e.g. expiration date, card security code or even account number) can and does change over time.

Cancellation or change of authorization. If a previously authorized sale is canceled or its amount changes, you have to call Discover and request a cancellation of the authorization. An authorization can be canceled within 8 days of receiving it. You will have to provide the following information when canceling an authorization:

• Card account number (16 digits).
• Your Merchant ID number (15 digits).
• Card expiration date (4 digits).
• The dollar amount of the transaction including tax and tip (dollars and cents).
• Original authorization code given to you by your authorization provider for card transactions.
• The new sale’s amount, if different from the original one.

Authorization floor limit. Discover’s floor limit is zero, which means that you have to request authorizations for all card transactions. If you accept a sale without first obtaining an authorization, Discover may immediately charge it back to you.

Downtime authorization procedures. If Discover’s authorization system is unavailable, the floor limit for the duration of the system down-time is $150.00, but only for sales involving purchases of merchandise for which a cardholder takes immediate possession. For sales requiring delayed delivery, merchants should instead wait and obtain an authorization when the system is available.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).

Merchants operating restaurants, as well as other businesses where customers are expected to leave a tip, in addition to paying the amount of the bill, need to understand and implement authorization practices that are slightly different from these for transactions where tip is not generally expected.

Firstly, as all of us who live in the U.S. know well, the amount of the tip is not regulated nor is it regulated the form in which it should be paid – in cash or added to the total credit card bill. This is all left to the customer to decide. The merchant is not allowed to estimate the tip and add it to the bill. An automatically added tip can result in a customer dispute and a chargeback. Rather, the merchant must obtain an authorization approval from the card issuer for the full transaction amount of the sum of the bill amount and the tip, as decided by the customer.

It is important that merchants understand when an additional authorization is required. The following procedures apply specifically to transactions in which the cardholder adds a tip:

• The transaction amount is below the merchant’s floor limit, and the cardholder adds a tip in an amount less than or equal to 20 percent of the transaction amount. In this case the merchant is not required to obtain an authorization for the amount above the amount of the bill, even though the total transaction amount may exceed the merchant’s floor limit.
• The merchant has obtained an authorization for a transaction, and the cardholder adds a tip in an amount greater than 20 percent of the transaction amount. In this case the merchant must obtain an authorization for the additional amount. The card issuer is responsible for the full amount of the transaction.
• The cardholder adds a tip in an amount greater than 20 percent of the transaction amount and causes the transaction amount to exceed the merchant’s floor limit. In this case the merchant must obtain an authorization for the total amount of the transaction.

Zero-percent tip transactions. Following this rule is particularly important for restaurants and it means that card transactions should only be authorized for the known amount of the bill. Consumers today can, and do, check their credit card activity online in almost real time. If they see an amount that they do not recognize, cardholders are likely to ask questions and contact their card issuer, which can easily lead to disputes and chargebacks.

For example, if a restaurant bill is $50, but the staff adds a 20 percent tip ($10) and authorizes an amount of $60, that would create a discrepancy if the cardholder actually adds a $7 tip, or chooses to leave cash for the tip. In this case the customer would be overcharged and you might receive an angry phone call, or a chargeback, or both.

To ensure zero-tip authorization for all transactions, restaurant owners and managers should do the following:

• Train your staff to authorize only for the actual amount of the bill. Your personnel should understand the importance of not authorizing amounts that are higher than the bill amount and follow the procedure without exceptions.
• Set up your authorization system for zero-percent authorization. If you do not know how to do that, contact your point-of-sale (POS) terminal provider and ask for assistance.

Visa and MasterCard provide chargeback protection for restaurants. Their authorizations are automatically valid for the transaction amount plus 20 percent to protect merchants from chargeback liability for an incorrect or disputed transaction amount.

Accept card payments quickly and safely

Accept credit and debit card payments at the lowest processing costs. You will get:

• Free merchant account set-up.
• No fixed monthly fees.
• 24 / 7 customer support.