Digital Commerce

Authorization Optimization: Know the Dates

The new decline codes can help you discern between good users and potential fraudsters.


Few can argue that the existing transaction authorization decline code system is in need of an overhaul. Sweeping changes being mandated by Visa began to go into effect April 2020 and will continue to reach their respective enforcement dates through 2023.

The new rules are a result of thorough research by Visa into the key causes of most declines. While these rules and their attendant noncompliance fees primarily focus on decline code management, they also address issues in the card-present environment and first-party fraud. Because the scope of the new rules is so wide-reaching, we’ve prepared this recap to summarize them for all parties.

KEY POINTS

  • Enforcement penalties for new Visa decline code management rules go into effect April 2020 through April 2023
  • All payment types, methods and environments are affected
  • Compliance by all parties will greatly improve authorization rates and mitigate payments fraud
  • Merchants should check with their processing experts for assistance in navigating — and optimizing — this new payments ecosystem

New Decline Code Enforcement

With more than 5,000 issuers in the U.S. alone, it’s realistic to expect a certain degree of variation in authorization decline code usage among them. The reality, however, is that, in some cases, over time issuers may have resorted to defaulting declines to a single code or to a handful of codes that do not clearly identify the reason for the decline.

To improve success rates, both the merchant and acquiring communities have implemented various authorization request strategies. Too often, these strategies:

  • Are overly aggressive and can look like fraud or denial of service attacks
  • Rely on changing data elements in retry attempts, which damages analytics and detection model performance
  • Take up unnecessary authorization bandwidth, creating greater costs for all participants

This lack of clear and consistent decline reason code application has fueled transaction authorization denial rates for many years. It has also inadvertently opened gaps that allow fraudsters to flourish.

Visa in-depth surveys of issuers and acquirers helped determine the main “culprits” behind unnecessary declines. They found several key issues the new rules are designed to address, some specifically aimed at ecommerce payments, others that speak to all payment environments:

  • Cardholder confusion affects all merchants who use card-on-file payment methods, whether subscription/recurring payments models or pay-as-you-go models for ad hoc purchases. Many cardholders simply forget to update their info when they change cards, or their card is lost, stolen or expires, resulting in erroneous information and therefore automatic declines.
  • Enumeration brute force/testing fraud attacks are a growing problem. These false authorization requests attempt to determine valid card account, expiration and Card Verification Value 2 (CVV2) data. Many merchants have no effective controls over such fraudster submissions and so they deploy ineffective — and costly — retry strategies. The result is increased decline management time and costs for all participants.

 

Exactly what are the key developments in these areas?

 

First, it is important to note that there are NO NEW decline codes in the rules change. Instead, Visa is regrouping existing codes into categories and reinforcing usage consistency to enable better monitoring and control for all parties involved.

Visa’s main goal is to create transparency while minimizing cost-creating or damaging behaviors. Though there will be more clarification to follow, here are the key platforms for the new decline code mandates.

Decline Code Grouping

The new decline code grouping rules will require careful review and consideration from merchants, particularly in the card-on-file and recurring space. Visa will assess fees on a per-transaction basis for authorization reattempts outside the boundaries of their framework. The announced categories are as follows.

  • Category 1. Issuer will never approve: A subset of decline codes that indicates the card is blocked for use or never existed. It signals that there is no circumstance in which the issuer will grant an approval (such as a stolen card).
    • Effective April 1, 2021, acquirers and merchants must not retry an authorization that receives a decline response from this category.
    • Beginning October 2021 for EU and April 2022 for the U.S. and Canada, attempts to authorize a transaction that has previously received a Category 1 decline will be subject to a per-transaction noncompliance assessment.
  • Category 2. Issuer cannot approve at this time: This code subset indicates the issuer may approve but cannot do so now, perhaps due to a system detection action or a lack of funds, for example. As this cluster covers issuers’ temporary decline decisions, which may change over time, merchants and acquirers should understand that the issuer would welcome a further authorization attempt in the future. 
  • Category 3. Issuer cannot approve with these details: These codes indicate the issuer cannot approve based on the details provided, such as an invalid account number, incorrect CVV2 or incorrect expiration date. 
  • Category 4. Generic response codes: This category includes all other decline codes, many of which are of a technical nature or provide little to no value to acquirers or merchants. While the great majority of declines fall into the above categories, issuers may use some of these specialized Cat 4 codes for certain circumstances, albeit on a minimal basis, limited to no more than 10 percent of their total declines. Issuers that only respond to authorization requests with a Category 4 decline or exceed the 10 percent limit will be subject to enforcement actions.

 

 

 

Decline Resubmission

 

While the current Visa rules allow a maximum of four authorization reattempts over a 16-day period, authorization attempts far in excess of this limit are actually processed today. This rule will be amended to allow up to 15 reattempts in a 30-day period. More than 15 attempts will result in a non-compliance fee.

 

New data consistency reinforcement

 

Amending data fields, such as MCC, merchant country, AVS and electronic commerce indicators, upon decline has become common practice with some merchants and acquirers. Though this data manipulation practice has been effective in some cases, it wastes time and resources for all parties involved.

To combat its use, Visa is introducing a non-compliance fee that will apply when an authorization request is resubmitted with changed data elements following a decline, whether the original data submitted was the result of fraud attack or  simple miskeying.  

THINGS YOU CAN DO TODAY
 

1. Ensure your account updater services and wallet cleanup tools are functioning correctly

2. Check that your systems have logic in place to change retry action based on authorization response

3. Consider utilizing preventive measures, such as Safetech Fraud Tools, to reduce your attack exposure

4. Call your acquirer for a consult on any of these issues as well as optimizing your payments broadly

 

Program Summary and Effective Dates for these Rules and Fees
 

CATEGORY REGION EFFECTIVE DATE

Decline Code Management Rules*

Visa authorization decline reason codes are now categorized into groups 1-4

Canada, Europe, LAC, U.S. April 2021

Decline Resubmission Rule — Category 1

An authorization with a Category 1 decline reason code must not be resubmitted

Canada, Europe, LAC, U.S. April 2021

Decline Resubmission Fee — Category 1

An authorization with a Category 1 decline reason code must not be resubmitted

Europe

Canada, U.S.

October 2021

April 2022

Authorization Data Consistency and
Decline Resubmission Rules
Canada, Europe, LAC, U.S. April 2021

Authorization Data Consistency Fees

Applied when an authorization is resubmitted with changed data elements following decline

Europe

 

 

Canada, LAC, U.S.

October 2020 (Domestic)
October 2021 (Cross Border)
 

April 2021

Decline Resubmission Fees*

Allows a maximum of 15 re-attempts in a 30-day period

Europe

 

 

Canada, LAC, U.S.

October 2020 (Domestic)
October 2021 (Cross Border)
 

April 2021

*Canada, LAC, U.S.: Category 1-4; Europe: Category 2-4

 

Addressing First Party Fraud

 

First party fraud is a growing issue. It occurs when a cardholder attempts to get a credit for legitimately purchased goods or services. This type of dispute system abuse creates additional costs for both issuers and merchants and cannot easily be controlled by merchants. Effective April 18, 2020, Visa Rules have been modified as follows:

  • Card-not-present (CNP) merchants must validate cardholder approval: Merchants that operate account-on-file business practices with high daily transaction volumes will be required to set base-level daily cardholder velocity controls. The set limit should reflect the merchant’s fraud/dispute rates but cannot exceed a maximum of 25 transactions.
  • Merchants will be required to revoke provision of goods* or services (where practical) after a fraud dispute and put in place a process to prevent future customer usage until the fraud issue has been resolved. If the fraud is due to a merchant account take-over, the merchant will be required to re-authenticate the cardholder prior to further transactions.
  • High-dispute merchants must include contact information in transaction details. CNP merchants are currently required to include dispute contact details in the merchant location field. Going forward, acquirers will be advised quarterly of CNP merchants with excessive dispute rates that are failing to provide this information and non-compliance penalties will apply.

It should be noted that issuers will be required to put in place basic controls over incoming fraud disputes, including formal reviews where excess claims are received. Limits should be based on the issuer’s risk profile and appetite but cannot exceed a maximum of five fraud claims in a 12-month period.

 

EMV Acceptance

 

Many readers are already familiar with certain non-compliance fees that went into effect in January 2020 concerning EMV (Europay/Mastercard/Visa) cards. Though EMV has reached a high level of maturity globally and thus has contributed greatly to fraud mitigation at the point of sale, there remains some magnetic stripe card issues that attract increased fraud.

Non-Chip Terminal Use: In the Canada and EU regions, a non-compliance fee will be assessed for transactions at terminals unable to support EMV.

POS Primary Account Number (PAN) Key-Entered Transaction in a Card-present Environment: In the Canada and EU regions a fee will be applied to transactions that are key-entered, excluding correctly flagged CNP transactions.

CATEGORY REGION EFFECTIVE DATE

Card-Present Authorization Rules

Card-Present Authorization Fees

Applied to key-entered and non-chip transactions in a  card-present environment 

Europe

Canada

January 2020

October 2021 (POS)

October 2023 (UCAT)

Visa First Party Rules Updates

Card-not-present merchant requirement to validate cardholder approval

Merchant withdrawal of services or asset following a fraud dispute

Contact information in transaction details for high-dispute merchants

Canada, Europe, LAC, U.S. April 2020

* For example, within digital goods (such as a music downloads or video gaming) to ensure that you are following the velocity controls.

How We Can Help
 

J.P. Morgan Merchant Services works tirelessly to deliver complete transparency across the payments ecosystem and ensure accuracy of cardholder information. We have long viewed payments optimization as a growth opportunity for clients.

We invest more than $11.5 billion annually in technology firmwide and $600 million annually in cybersecurity1, you can be sure our data science teams are constantly focused on maximizing transaction approvals and avoiding unnecessary cost.

While many merchants assume that most declines are for fraud control, the reality is that most are due to credit insufficiencies, card status or invalid submission data.

Here are some of the ways our experience, expertise and powerful analytics capabilities can assist you in complying with new Visa rules and generally optimizing your payments system.

Account Updater — This automated service updates cardholder information when participating issuers make changes to cardholder data, such as a new account number or expiration date

Transaction messaging — New Visa rules make the accuracy and completeness of all data elements more important than ever.

Authorization retry strategy — By reviewing your current practices and providing decline code mapping we can help you develop a balanced strategy, analyzing the trade-offs of repeated declines against incremental revenues and confirming compliance with all submission rules to avoid potential future fees.

MCC assignment — As certain Merchant Codes can lead to assignment of higher risk ratings than appropriate for your lines of business, let our experienced consultants guide you on any possible MCC status changes that could help maximize transaction authorization rate.

 

Merchants can take many steps to reduce their decline rates, but they cannot do this in a vacuum. After all, it is issuers who make the decision to decline a payment.

J.P. Morgan’s strengths as the largest U.S. issuer and acquirer2 sets us firmly in the center of the dialogue between merchants, payment processors and issuers. Closer collaboration among all parties to the transaction is key.

To that end, we continue to foster a concerted program of negotiation and outreach in order to help solve challenges surrounding data visibility and risk analysis.

We would welcome the opportunity to discuss how we can do this for you. 

MATT BRINGEWATT Headshot

MATT BRINGEWATT, Executive Director, J.P. Morgan

Matt is a payments leader passionate about infusing the client perspective into J.P. Morgan’s culture of innovation. 

As director of client relations for the Technology, Media and Telecommunications space, Matt worked directly with enterprise merchants to optimize the payments experience across domains, including cost, acceptance practices  and digital delivery. 

With his current focus on global expansion and international growth, he has focused his 10-plus years of payments experience toward opening acquiring markets across LATAM and APAC through scaled platform enhancements. 

J.P. Morgan clients rely on Matt to reflect their voice across the landscape of product and technology development.

1. JPMorgan Chase 2019 Annual Report
2. U.S.: The Nilson report, Issue 1171, March 2020, merchant acquiring based on purchase volume and Europe: The Nilson Report, Issue 1153, May 2019 based on e-commerce volume and number one  bank based on U.S. transactions

 

Visa is a registered trademark of Visa International Service Association and is used by the issuer pursuant to license from Visa USA Inc. Mastercard is a registered trademark of Mastercard International Incorporated.

The products and services described in this document are offered by J.P. Morgan Merchant Services or its affiliates subject to applicable laws and regulations and service terms. Not all products and services are available in all locations. Eligibility for particular products and services will be determined by J.P. Morgan Merchant Services or its affiliates.

©2020 JPMorgan Chase & Co. All Rights Reserved.