Hi, my name is Duncan Malcolm. I convene First Six Last Four to help us understand more about fraud threats and the things that we can do to reduce our risk in the face of highly motivated adversaries.
I thought I’d do a very short post on basic card transaction data. This is just to cover a couple of really basic points around what you should see as a merchant when processing card transactions.
Authorisation vs. Capture
A key concept in card transactions is the difference between authorisation and fund capture.
It is very important in fraud because it lets you know that you can take funds from a card, while still allowing you to take a risk decision and/or collect more information if you’re unsure about the transaction.
This means that if you’re running an eCommerce operation you don’t slow the checkout process but can stop transactions that might be risky.
Authorisation is the card network telling you, the merchant (via a PSP like Stripe or Adyen), that the card has funds available and that they have been ring-fenced for your transaction.
This means that you could, if you wanted to, capture the funds from the customer, or not. You don’t actually have the money in your account, but the customer might see that a transaction is pending on their account.
Capture is what it sounds like. You make the request to take the funds from the card and over the following hours/days they will be settled into your merchant account.
In general, you can wait up to 14 days from authorisation to capture and still be able to easily capture funds from a customer. If you haven’t captured after 14 days it’s still possible, but it would require working with your PSP.
Card transaction data points
In general you should receive all of the following for any card transaction:
- BIN: This is the first six digits of the card number or PAN;
- Last four: This is the last four digits of the card and combined with the BIN makes it possible to ID the card against others you might have taken a transaction from;
- Network token: If you use a single PSP or use an orchestrator, this unique ID allows you to see if one card has been used/attempted on more than one account;
- AVS: This checks whether the address you submitted to the PSP matches or partially matches the registered card address. It is sometimes provided as a code, or as a set of true/false values for address, postcode and card holder name;
- 3DS: Depending on the version used (1.x or 2.x), this will show if the card has passed the 3D Secure check;
- Liability shift: Whether the network has assumed or will assume liability for the transaction if it turns out to be fraudulent.
You should also get the card issuer name (e.g. a bank) as well as the country the card was issued in. If you don’t get this, you can use a third-party service to look it up.
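To show how these data points can feed the risk decision you take between authorisation and capture, here is an added example (not code from any PSP). The field names, the sample authorisations and the rule that any single concern means "hold" are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample authorisations; field names are assumptions, not a PSP schema.
FIELDS = ("id", "account", "bin", "last4", "network_token",
          "avs_address", "avs_postcode", "three_ds_passed", "liability_shift")
ROWS = [
    ("a1", "acct-1", "411111", "1111", "tok-A", True, True, True, True),
    ("a2", "acct-2", "422222", "2222", "tok-B", True, True, True, True),
    ("a3", "acct-3", "411111", "1111", "tok-A", True, True, True, True),
    ("a4", "acct-4", "520000", "0004", None, True, False, False, False),
]
AUTHS = [dict(zip(FIELDS, row)) for row in ROWS]

def card_key(auth):
    """Network token if present, else BIN + last four (weaker: can collide)."""
    return auth["network_token"] or f"{auth['bin']}:{auth['last4']}"

def accounts_per_card(auths):
    """Map each card key to the set of accounts it was used or attempted on."""
    seen = defaultdict(set)
    for a in auths:
        seen[card_key(a)].add(a["account"])
    return seen

def decide(auth, seen):
    """Return ('capture' or 'hold', reasons) for one authorised transaction."""
    reasons = []
    if len(seen[card_key(auth)]) > 1:
        reasons.append("card seen on more than one account")
    if not (auth["avs_address"] and auth["avs_postcode"]):
        reasons.append("AVS mismatch or partial match")
    if not auth["three_ds_passed"]:
        reasons.append("3DS not passed")
    if not auth["liability_shift"]:
        reasons.append("no liability shift")
    return ("capture" if not reasons else "hold", reasons)

def review(auths):
    """Decide every authorisation against the full set of cards seen."""
    seen = accounts_per_card(auths)
    return {a["id"]: decide(a, seen) for a in auths}

if __name__ == "__main__":
    for auth_id, (action, reasons) in review(AUTHS).items():
        print(auth_id, action, "; ".join(reasons))
```

A held transaction stays authorised but uncaptured, so the checkout is not slowed while you review it or collect more information.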