2.9 On-line authorization

2.9 On-line authorization

On-line authorization is the process through which the IH performs the risk management associated with a transaction carried out at the point of service. On-line authorization provides a better control of the risk for the issuer. The cardholder is better assured against fraudulent use of his or her card. Indeed, in an authorization request message the PIN of the cardholder is included in an encrypted form, which allows its verification by the issuer. The benefit to the merchant is that the payment system guarantees its payment for each on-line authorized transaction.

On-line authorization can be triggered for the types of transactions listed below:

  • Cash withdrawals at ATM terminals or branch banks, which are performed with either debit or credit cards;

  • Payments performed at POS terminals with debit cards;

  • Payments performed at POS terminals with credit cards, in case the transaction amount is greater than a floor limit established by the payment system.

In the explanation below we refer to a payment network topology like that described in Figure 2.4. After receiving the demand of on-line authorization from the terminal, the AH checks the completeness and correctness of the transaction data received from the terminal. The AH verifies whether the brand of the card product involved in the transaction is accepted, and whether the service required is appropriate for that brand. If all the verifications are successfully passed, the AH forms an authorization request message (1100) according to the specifications of the payment system network to which is directly connected. This message also includes the identifier of the acquirer. The AH forwards the 1100 message to the AN, which represents the entry point of the AH in the payment system network. The AN verifies whether the 1100 message comes from a member acquirer and whether the data it contains is complete and accurate. If these verifications are passed, the AN uses the issuer identification number (IIN, which is a component of the PAN) for further routing the 1100 message to the adequate destination IN in the payment system network. If the AN knows the IIN, the message is forwarded to the appropriate IN to which the destination IH is connected. Otherwise, the AN forwards the message to the gateway node GN1, which tries to identify the IIN in the cooperating payment system network to which is connected. After performing the appropriate adaptations, the message is forwarded from one payment network to the other, until the destination IH is reached.

The correctness, completeness, and integrity of the 1100 message are verified once it arrives at the IH. If all the controls are passed, the authorization request message is stored in the accounts database. The validity of the PAN and the expiration date of the transacting card are checked. If an encrypted PIN was sent for the cardholder's verification, then the secure module of the IH computes the PIN image control value, which is compared with the PIN image stored value kept in the accounts database for the corresponding PAN. If a debit card is used, the balance of the account is checked for enough funds. If a credit card is used, the issuer checks that the cardholder did not reach the spending limit associated with the card. The guarantee of funds is finally approved or rejected and a response code is included in the authorization request response (1110), giving further details in case the guarantee of funds has been denied .

If the payment network fails to reach the appropriate IN or if the destination IH is not available, then the payment network can stand in for the issuer in elaborating an authorization request response (1110), which is returned to the originating AH. This service can be provided if there is a business agreement between the issuer and the payment system operator and if the issuer has delegated enough approval data to the payment network.

The authorization request response message (1110) is identified with the same reference number as the corresponding authorization request message (1100). The 1110 message is sent back to the terminal over the payment network(s) and the AH. When the card acceptor's terminal receives the approval, cash is disbursed in case of an ATM terminal or the purchase is handed to the cardholder. In case of an attended point of service and if a credit card product was used, a paper slip is printed and the cardholder is required to sign it. The signature on the paper slip is compared against the witness signature on the back of the card for the cardholder's verification. The terminal records the completion of the transaction in order to send it later to the acquirer for clearing. The acquirer records each approved transaction for submitting to the clearing process.