Acquirer
The acquirer gathers authorization requests from accepters and returns approvals. If the acquirer is an issuer as well, "on us" transactions will typically be turned around locally. As before, the acquirer does not have to forward any requests on to the actual issuer. However, acquirers are not willing to take the financial risks associated with generating local approvals. Thus most transactions are sent on to the issuers (interchanged). The purpose of interchange is to shift finan- cial liability from the acquirer to the issuer.
Typically, an acquirer connects to many issuers, and negotiates differ- ent business arrangements with each one of them. But the acquirer gen- erally provides a uniform interface to the accepter. Thus, the interchange rules are sometimes less stringent than those imposed on the accepter. Also, most issuers will trust acquirers to with respon- sibilities they would never trust to accepters. The acquirer can therefore perform some front-end screening on the transactions, and turn some of them around locally without going back to the issuer.
The first screening by the acquirer would be a "sanity" test, for valid merchant ID, valid Luhn check on PAN, expiration date not past, amount field within reason for type of merchant, etc. After that, a floor limit check will be done. Issuers generally give acquirers higher floor limits than acquirers give accepters, and floor limits may vary by type of merchant. Next, a "negative file" check would be done against a file of known bad cards. (This is essentially the same as the bulletin.) Then a "velocity file" check may be done. A velocity file keeps track of card usage, and limits are often imposed on both number of uses and total amount charged within a given time period. Sometimes multiple time periods are used, and it can get fairly complicated.
Transactions that pass all the checks, and are within the authority vested in the acquirer by the issuer, are approved by the acquirer. (Note that, under the business arrangement, financial liability still resides with the issuer.) An "advice" transaction is sometimes sent to the issuer (perhaps at a later time), to tell the issuer that the transaction took place.
Transactions that "fail" one or more checks are denied by the acquirer (if the cause was due to form, such as bad PAN) or sent to the issuer for further checking. (Note that "failure" here can mean that it's be- yond the acquirer's authority, not necessarily that the card is bad.) Some systems nowadays will periodically take transactions that would otherwise be approved locally, and send them to the issuer anyway. This serves as a check on the screening software and as a countermeasure against fraudulent users who know the limits.
Transactions that go to the issuer are routed according to the first six digits of the PAN, according to the ISO registry mentioned in an earlier section. Actually, it's a bit more complicated than that, since there can be multiple layers of acquirers, and some issuers or acquirers will "stand in" for other issuers when there are hardware or communication failures, but the general principal is the same at each point.
Issuer
An issuer receiving an interchanged transaction will often perform many of the same tests on it that the acquirer performs. Some of the tests may be eliminated if the acquirer is trusted to do them correctly. This is the only point where a velocity file can actually detect all usage of a card. This is also the only point where a "positive file" lookup against the actual account can be done, since only the issuer has the account relationship with the cardholder. If a PIN is used in the transaction, only the issuer can provide true PIN verification - acquirers may be able to do only "PIN offset" checking, as described in a previous section. This is one reason why PINs have not become popular on credit and charge cards.
An account typically has a credit limit associated with it. An ap- proved authorization request usually places a "hold" against the credit limit. If the sum of outstanding holds plus the actual outstanding balance on the account, plus the amount of the current transaction, is greater than the credit limit, the transaction is (usually) denied. Often in such a case the issuer will send back a "call me" response to the merchant. The merchant will then call the issuer's number, and the operator may even want to talk to the cardholder. The credit limit could be extended on the spot, or artificially high holds (from hotels or car rental companies) could be overlooked so that the transaction can be approved.
The difference between the credit limit and the sum of holds and out standing balance is often referred to as the "open to buy" amount. Once a hold is placed on an account, it is kept there until the actual the transaction in question is settled (see below), in which case the amount goes from a hold to a billed amount, with no impact on the open to buy amount, theoretically. For authorizations of an estimated amount, the actual settled amount will be less than or equal to the ap- proved amount. (If not, the settlement can be denied, and the merchant must initiate a new transaction to get the money.) Theoretically, in such a case, the full hold is removed and the actual amount is added to the outstanding balance, resulting in a possible increase in the open to buy amount.
In practice, older systems were not capable of matching settlements to authorizations, and holds were simply expired based on the time it would take most transactions to clear. Newer systems are starting to get more sophisticated, and can do a reasonable job of matching autho- rizations for actual amounts with the settlements. Some of them still don't match estimated amounts well, with varying effects. In some cases, the difference between actual and estimated will remain as a hold for some period of time. In other cases, both the authorization and the settlement will go against the account, reducing the open to buy by up to twice the actual amount, until the hold expires. These problems are getting better as the software gets more sophisticated.
Some issuers are also starting to use much more sophisticated usage checks as well. They will not only detect number of uses and amount over time, but also types of merchandise bought, or other patterns to buying behavior. Most of this stuff is new, and is used for fraud prevention. I expect this to be the biggest effort in authorization soft- ware for the next few years.
American Express does things completely differently. There are no credit limits on AMEX cards. Instead, AMEX relies entirely on usage patterns, payment history, and financial data about cardmembers to determine whether or not to automatically approve a transaction. AMEX also has a policy that a cardmember will never be denied by a machine. Thus, if the computer determines that a transaction is too risky, the merchant will receive a "call me" message. The operator will then get details of the transaction from the merchant, and may talk to the cardmember as well, if cardmember identity is in question or a large amount is requested. To verify cardmember identity, the cardmember will be asked about personal information from the original application, or about recent usage history. The questions are not the same each time. If an unusually large amount is requested, the cardmember may be asked for additional financial data, particularly anything relating to a change in financial status (like a new job or a promotion). People who are paranoid about Big Brother and computer databases should not use AMEX cards.
No comments:
Post a Comment