Improving Authorisation Performance for Card-Not-Present Payments
When it comes to Card-Not-Present (CNP) transactions, authorisation rates are a concern for all parties in the payment ecosystem. For online merchants, losing revenue and market position is a risk. If a valid card that has not breached its spending limit is declined, then the customer may abandon the transaction. Or worse, due to the ease of the internet, the buyer could simply switch to a competitor offering a similar product – without leaving their seat. In fact, when asked about their biggest payment processing concerns, 60% of merchants said their main worry was authorisation declines.1
Card issuers also face a very real competitive threat. If a customer’s card keeps being rejected, they could switch to an alternative from a rival, an increasingly likely scenario in Western economies where people routinely have multiple e-commerce-enabled credit and debit cards. “If someone has a bank card that tends to get declined more often, causing confusion and wasting their time, they may end up putting a different card at the top of their wallet,” says Darragh Lee, International Head of Acquiring Network Relations at J.P. Morgan. If the payments were made for a service, this might well be a recurring payment made every month or year – depriving the issuer of lucrative regular revenue. Even if the transaction were a small one-off payment, if the card has been rejected several times, the consumer may decide that it is unreliable.
Meanwhile, Visa®, Mastercard® and other card schemes also have an incentive to improve authorisation rates. They already have to compete with entities such as PayPal that offer rival methods of transacting, and the competition will likely grow stronger with the growth of fintech digital payment services companies. Within the EU, the Second Payment Services Directive, which came into force in January 2018, aims to create a level playing field by allowing specialist digital payment firms to use data held by banks, which could spur further innovation in the payments space.
However, merchants, card issuers and card schemes can, through taking small but significant steps, greatly reduce decline rates. And even a seemingly minor reduction can make a huge difference. “As an acquirer, J.P. Morgan processed $1.4 trillion in payments last year,” says Lee.2 “While a somewhat simplistic take, an improvement of just 1% in authorisation acceptance rates would equal $10 billion in payments, so the reward for cutting the rate of declines across the world is potentially enormous.”
Competition within the wallet
In many cases, an unreliable card is dispensable: in developed markets, the majority of householders have more than one card with which they can make payments. In the UK, for example, 60% of adults have a credit card and 96% also have a debit card, according to creditcards.com.3 In the US, the average adult had 2.35 credit cards in 2016.4 One in six Americans had five cards or more.5
Read more about card penetration and the UK e-commerce market in our UK Payment Trend Report
Why are CNP payments declined?
There are many reasons why a legitimate CNP payment may not be authorised. One common issue is that the card is still on the merchant’s system but is no longer valid. This may be because it has been lost or stolen, or discontinued because the consumer has switched to a different issuer. Alternatively, it may have simply expired. It is easy to understand why this happens: how many people have the time, inclination or farsightedness to remove an old card from a website’s account details unless they are either prompted to do so, or the merchant tells them that a payment has not gone through? Payment timings can also present challenges. The cardholder may have insufficient funds at the time when the merchant tries to take payment, but might have sufficient funds again a few days later – after payday, for example.
Another challenge surrounds the use of the Merchant Category Code (MCC). J.P. Morgan’s acquiring experience reveals many merchants use codes that tend to be general and vague. Imprecise codes have higher decline rates because issuers associate them with higher rates of fraud. MCC Code 5072 (Hardware Equipment and Supplies), for example, could cover anything from building supplies to computer equipment and kitchen units. Also, some codes are treated more favourably by issuers, so analysing and understanding the right MCC for specific products can have a beneficial impact.
Transactions are also rejected because they appear suspicious: they do not fit the spending profile of the cardholder. A customer suddenly making a number of high-value purchases when they have little history of doing so before could raise a red flag – or if a consumer started spending in a new category, such as online gambling, especially if the cardholder has never engaged in this previously.
The fact that there can be so many different, and often unrelated, factors that cause a decline becomes an operational issue because merchants are rarely given detailed reasons by the card issuer as to why a payment has not gone through. This makes it difficult for merchants to change their processes to optimise and improve their authorisation rates.
The importance of transparency
“The key word is ‘enrichment’,” says Lee. “Issuers need to provide as much information as they can on why the transaction has been declined.” Some issuers provide granular data, but many supply response codes that are unclear and hard to interpret. Others provide response codes that cannot be interpreted at all; ‘card not honoured’ contains no information about the reason for the authorisation decline. He adds, “Merchants want to work with cardholders to complete transactions, but vague or non-existent explanations from the card issuer about why the payment was declined make it very difficult for the merchants to manage these declines.” Providing merchants with more visibility into Bank Identification Number (BIN) level data would be a useful start, as would providing information on the remaining balances on prepaid cards. Many merchants are unable to accept prepaid cards because they lack this visibility. Yet in a country like Italy, which is the world's biggest market for prepaid credit cards, with more than 25 million issued, this could be a major disadvantage.6
Updating risk engines
It is easy to understand why issuers are quick to decline purchases by card if they have any suspicions. After all, fraud is a major threat for e-commerce both in terms of monetary value and also reputational damage to the whole sector. However, issuers may sometimes not take enough into account regarding the sophisticated work undertaken by many merchants to block potential fraud. Some merchants have the same systems of monitoring and filtering that the issuers have. These can include velocity checking – a sudden change in the frequency with which the card is being used on the site – and hygiene checking, as well as monitoring information such as whether the home address associated with the IP information is the same as the card billing address.
The largest worldwide e-commerce sites have applied next-generation analytics to their customer data, conducting a huge amount of work aimed at filtering out potentially fraudulent transactions. These global players have a good understanding of warning flags when applied both generally and specifically to each customer: with so many returning regular customers, they can build profiles of an individual’s spending that rivals profiles held by the card issuer.
Given these measures, it makes sense for issuers to listen to what providers with sophisticated anti-fraud systems are telling them. “Some transactions might appear suspicious in a vacuum, but the issuer should take confidence if they have been approved by e-commerce providers with excellent fraud prevention,” says Lee.
However, a real risk exists that merchants without sophisticated fraud-detection systems are treated the same as merchants who have implemented these extensive measures. One measure that issuers could take to offset this would be to take a merchant’s fraud and chargeback rates into consideration in their risk engines.
What can merchants do to improve authorisation rates?
Advocacy and outreach
Merchants can reduce their decline rates, but it stands to reason that they cannot do this in a vacuum because it is issuers who make the decision to decline a payment. They must therefore work in co-operation with issuers, especially to solve challenges around data visibility and risk analysis. This takes a concerted programme of negotiation and outreach. To get this right, merchants need to think from the perspective of issuers and to highlight the benefits that closer collaboration will have for their own businesses.
One strategy is for the merchant to work closely with their acquirer in this area, as larger acquirers will have the knowledge to help merchants understand their problems and find solutions; they also have insight and expertise beneficial to working closely with issuers. They know, too, what changes are feasible in the short term for specific clients, while continuing to press in the long term for more ambitious reforms to the whole system of practices and procedures that is followed by the issuers and policed by the card services companies.
Payment processers like Visa and Mastercard will also play a key role as they are a major broker in the exchange of information between merchant, acquirer and issuer. “The modern credit card has been around for 60 years, but e-commerce only took off 20 years ago, and a lot of intricacies exist,” says Lee. “For example, card brand rules are sometimes not fully aligned with the customer experience. You can have a customer present for some card-on-file applications but the card brand will still consider it a customer-not-present scenario, adding complexity to the transaction. Merchants, their acquiring banks, issuers and credit card services companies need to step up the conversation about what needs to be done to avoid this complexity.”
Enriching message data sent to issuer
One of the simpler steps is for the merchant to include all security fields where possible in the initial authorisation request, including ‘card verification value’, ‘address verification service’ and ‘expiration date’ – and to take care to input these data points accurately. Another relatively easy change is for the merchant to alter the way it treats recurring billings. In the first place, merely identifying a recurring transaction as such when making the initial authorisation request can increase approval rates, because such transactions are regarded by issuers as lower fraud risks. The same applies to tagging a request as relating to a card on file. Again, a merchant’s acquiring bank can play a key role in supporting this, for example, J.P. Morgan’s robust analytics capabilities can help identify specific data elements that will improve each merchant’s authorisation rates.
Timing strategy for initial transaction submissions
Another potential area of improvement is for merchants to optimise the timing of recurring billings. In certain locations data for debit cards could suggest lower rates for insufficient funds declines, and therefore higher approval rates in aggregate on weekends and Wednesdays, coinciding with timings for weekly payroll. Or it may be that credit card transactions show the lowest rates for declined authorisations on Tuesdays and Wednesdays, because customers are often paid on Fridays, and then need a few days to reduce or clear the balance on their card account.
Conceiving a timing strategy that takes these patterns into account can work well both for retries and for initial transaction requests. However, each ecommerce merchant’s customer profile is different, so they first need to conduct the analytics on their own recurring billings before taking action. The acquiring bank can work with the merchant to analyse the most effective days for transaction retries for their site.
It is also a good idea for the merchant to send retry requests that have all the optional fields filled out, to give the issuer greater comfort that the transaction is legitimate.
If authorisation is declined for a recurring billing, many merchants retry again and again with the issuer. Their reasoning: simple risk versus reward – while there is a cost associated with processing an authorisation, the potential revenue gains when a transaction is eventually approved outweigh that cost. However, doing this could greatly reduce the merchant’s overall card approval rates, leading to the outcome that they might be treated by the card issuer as a problem company with a higher risk of fraudulent transactions. Instead of retrying recurring billing requests again and again, a better approach would perhaps be for the merchant to bide their time, waiting for a few days before retrying the transaction in the hope that by that time the cardholder has sufficient funds. Again, using timing analysis can help with this.
Changing MCC codes
The merchant should also consider changing their response code from a catch-all MCC to something more specific to give the issuer better information on what they do. In many cases, different, more specific MCCs are appropriate for different lines of business carried out by the merchant. In mainstream commerce, specific MCCs tend to have higher approval rates than catch-all codes because they provide the issuer with more detail about the nature of the transaction. However, before the merchant changes their code it pays to do some research and have a discussion with your acquirer, to avoid changing to a new MCC which could mislead issuers about the riskiness of the transaction which has the opposite effect of reducing approval rates.
The merchant can also profit from undertaking a “wallet clean-up”: removing lost, stolen, expired and discontinued cards from customers’ account details.
In the case of Card-Not-Present transactions, the merchant has an advantage over a bricks-and-mortar store in one respect: they can follow a different strategy when dealing with a cardholder whose transaction has been declined, by giving them more information. “In physical stores, merchants are often cautious about giving too much information back to the cardholder, to avoid embarrassment: if you’re in a shop and the merchant tells you there’s no money left on your card, you’re in an awkward situation,” says Lee. “But in an e-commerce environment the circumstances are different: it’s not so embarrassing to be told by email that you have insufficient funds, and you’ll probably be grateful for the information, rather than experiencing the frustration of having your card turned down but without knowing the reason why.”
Tools like J.P. Morgan’s Account Updater can also be valuable in this area. This automated system updates cardholder information when participating banks make changes to the card data, such as a new account number or expiration date.
Authorisation declines frustrate and alienate cardholders, lose revenue for e-commerce merchants and reduce the income stream of issuers by pushing cards from top to bottom of the customer’s wallet and purse. However, as an acquiring bank, J.P. Morgan is well placed to help merchants improve their authorisation rates and facilitate better dialogue between merchants, payment processers and issuers.. Longer-term advocacy and outreach programmes have the potential for a further beneficial impact, by making data more visible and by rewarding merchants that already have sophisticated fraud controls in place.
Next steps for e-commerce merchants
- Analyse decline rates of recurring billings by time period
- Review Merchant Category Code
- Purge old cards from system
- Supply enhanced data to issuers
- Request enriched data from issuers
- Open a conversation with issuers and card service companies about reducing decline rates
- Engage with your acquirer to capitalise on their relationships with issuers
The information herein or any document attached hereto does not take into account individual client circumstances, objectives or needs and is not intended as a recommendation of a particular product or strategy to particular clients and any recipient of this document shall make its own independent decision. This document and the information provided herein may not be copied, published, or used, in whole or in part, for any purpose other than expressly authorised by Chase Paymentech Europe Limited. © 2019, JPMorgan Chase & Co. All rights reserved.
Chase Paymentech Europe Limited, trading as J.P. Morgan, is regulated by the Central Bank of Ireland.
Registered Office: J.P. Morgan, 200 Capital Dock, 79 Sir John Rogerson's Quay, Dublin 2, D02 RK57, Ireland.
Registered in Ireland with the CRO under the Registration No. 474128.
Directors: Catherine Moore (UK), Carin Bryans, Dara Quinn, Steven Beasty (US), Eilish Finan