Transaction Authorization Process

Authorization is the process through which a merchant obtains permission from a customer’s card issuing bank to accept the card for payment. Authorization involves assessing the card’s transaction risk and, if approved, reserving the sales amount on the cardholder’s account. If a merchant does not comply with Visa or MasterCard rules regulating authorization procedures, payment to the merchant may be withheld or the transaction may be charged back at a later time.

Today I will review how the authorization process works in Visa and MasterCard transactions, the possible authorization replies you may get from an issuer and the actions you should take in response to them. Then I will show you the full transaction cycles for both networks and will end with an examination of the differences between the real-time and batch processing modes. Let’s get started.

Transaction Authorization Process — an Overview

The authorization takes place in real time, as the transaction occurs, as illustrated in the chart below:

The exact processing activities during authorization may be different from one card network to another (as we will see below) and may vary among different merchant types but the process goes through the following general stages:

1. Cardholder places an order with a merchant. The authorization, and transaction, process begins when the cardholder places an order at a physical store, on an e-commerce website, or in another environment, and provides his or her card account details: name, address, card account number, card’s expiration date, card verification code (the 3- or 4-digit number on the back or front of credit and debit cards), payment amount (if not estimated by the merchant and automatically provided).
2. Payment data transmission to the acquiring bank. The payment information provided by the cardholder is transmitted to the acquiring bank (also known as acquirer, merchant bank or processing bank).
3. The acquiring bank sends the authorization request to Visa or MasterCard. The processing bank sends the received payment information on to the respective Credit Card Association, requesting transaction authorization.
4. The Credit Card Association sends the authorization request to the card issuer.
5. The card issuer approves or declines the transaction. Once the card issuer makes its authorization decision the response is sent back to the merchant through the same channels. The possible responses in card-present transactions are listed in the table below:

   
   

   Response	Explanation
   Approved	Issuer approves the transaction. This is the most common response-about 95% of all card-present authorization requests are approved.
   Declined or Card Not Accepted	Issuer does not approve the transaction. The transaction should not be completed. Return the card and instruct the cardholder to call the issuer for more information on the status of the account.
   Call, Call Center, or Referrals	Issuer needs more information before approving the sale. Most of these transactions are approved, but you should call your authorization center and follow whatever instructions you are given. In most cases, an authorization agent will ask to speak directly with the cardholder or will instruct you to check the cardholder’s identification.
   Pick Up	Issuer wants to recover the card. Do not complete the transaction. Inform the customer that you have been instructed to keep the card, and ask for an alternative form of payment. If you feel uncomfortable, simply return the card to the cardholder.
   No Match	The embossed account number on the front of the card does not match the account number encoded on the magnetic stripe. Swipe the card again and re-key the last four digits at the prompt. If a “No Match” response appears again, it means the card is counterfeit. If it can be done safely, keep the card in your possession, and make a Code 10 call.

A positive authorization response indicates that there are funds available in the account and that the card has not been reported as lost or stolen. It is not, however, a proof that the card is not fraudulently used, so that you will still have to verify that your customer is an authorized user by comparing the signatures on the card and on the sales receipt..

MasterCard’s Transaction Process

Here is MasterCard’s transaction process — the full cycle:

Visa’s Transaction Process

Here is Visa’s transaction process:

Real Time vs. Batch Authorization Processing

There are two ways in which a transaction can be completed. The first, called “dual-message” protocol, typically requires a signature and can be used for both credit card transactions (except for ATM cash advances) and signature-based debit transactions. Dual-messaging works in the following way. When the merchant receives the authorization response, its payment processing system records this authorization through something called “electronic draft capture” (EDC). These electronic drafts are then put together in a file called a “batch” until that file is processed. For the vast majority of merchants, batches are processed once a day, however some high-volume merchants may do so several times a day and some very low-volume merchants may do it less frequently than on a daily basis. The point, however, is that, whatever the frequency, merchants submit all of their authorized transactions to the acquiring bank as a single file (in batch mode), not individually.

Card-not-present transactions are processed as dual-message ones, even though they are not signature-authorized.

The other mode is, as you might have guessed, the “single-message” protocol. In the U.S. and most of the rest of the world, but excluding Europe, all card transactions authenticated with a PIN are single-message ones. (In Europe all card transactions are processed using the dual message protocol, whether signature- or PIN-based.) In the single-messaging system, the authorization and clearing are performed simultaneously and all of the information needed to post a transaction to the cardholder’s account is exchanged during the transaction. What this entails is that there is no need to create batches to be entered into clearing at some later point, as is the case with dual-messaging — only settlement is required.

Image credit: Connox.com.