Integration Guidelines
Interchange Optimization Guide
Address Verification Service (AVS) provides additional authentication for a particular transaction by requesting and verifying the cardholder address. The merchant is given better fraud protection when the cardholder is not physically present at the time of purchase. AVS may also help to prevent chargebacks if the merchant can identify a fraudulent transaction prior to completing the purchase. AVS is provided by Visa, MasterCard, American Express, and Discover Cards. Below is a list of general information related to AVS:
- Street addresses to P.O. boxes are accepted if the information is part of the cardholder billing address.
- Visa assesses a lower interchange rate if AVS is requested for MOTO or eCommerce CNP environment transactions. A match is not required.
- Transactions processed in CP Retail environments requiring manual entry of the account information due to a bad magnetic stripe will receive a lower interchange rate if a request and response for verification of the cardholder zip code is completed. A match is required.
Credit card payment brands Visa and MasterCard allow merchants to validate a cardholder account prior to processing a payment transaction. This is commonly referred to as an account status check. Account status checks can be used for both Address Verification (AVS) and Card Verification (CV).
$1 Status Check Authorize
- Visa allows a $1.00 status check for Automated Fuel Dispensers (AFD), select lodging, and deferred payment transactions.
- MasterCard allows a $1.00 status check for Automated Fuel Dispensers (AFD) transactions.
Refer to the Visa Authorization Misuse Fees and MasterCard Reversal Mandate for more information.
$0 Status Check Verify
- Visa allows merchants requiring verification of a cardholder account to utilize the $0.00 status check.
- When submitting a $0.00 authorization request, EVO Snap* requires Address Verification Service (AVS) data. Postal code is required, street information is optional.
- Card Verification Data (CV) for validation can be submitted in the same authorization request.
Refer to the Visa Authorization Misuse Fees and MasterCard Reversal Mandate for more information.
CPS/Retail Key Entry
In order for a merchant to receive the best interchange rate on a manually keyed transaction in a CP Retail environment, a positive verification of the cardholder zip code is required. This interchange rate only applies to transactions keyed due to an unreadable magnetic stripe. For commercial cards, AVS is not required to qualify for the CPS/Retail Key Entered rate. When AVS is requested, all AVS responses are accepted.
CPS/Card-Not-Present
In card-not-present environments (MOTO & eCommerce), Visa requires an AVS attempt in order to receive the lowest interchange rate for this category. Either both the cardholder address and zip code can be submitted for verification, or zip code verification alone can be requested. This interchange rate is only allowed in MOTO environments.
Visa and MasterCard implemented Card Verification Values (CVV) and Card Verification Codes (CVC2) to combat fraud. The values are the result of an algorithm and are encoded on the magnetic stripe of the card. Any alteration of the data elements read from the magnetic stripe prior to sending for authorization causes the value to mismatch when the issuer reruns the algorithm at the time of authorization.
Transactions found to be non-compliant result in higher interchange fees and forfeiture of chargeback protection. Any point-of-sale (POS) device submitting non-compliant transactions is identified and all transactions processed automatically receive a higher interchange rate and lose chargeback protection. In order to be in compliance, a POS device must send the entire unaltered contents of the magnetic stripe (Track 1 or Track 2 data). The definition of a magnetic stripe by Visa/MasterCard is everything after (but not including) the start sentinel ('%' or ';') and up to (but not including) the end sentinel '?' and LRC check character. The maximum length, excluding the start and end sentinels and the LRC character, is 77 for Track 1 data and 37 for Track 2 data.
Authorization requests containing altered Track 1 or Track 2 data are flagged as 'Not Compliant' by Visa and MasterCard, resulting in the highest transaction rates and forfeiture of chargeback protection. Both associations monitor non-compliant transactions and assess fines and penalties to merchants not in compliance. Refer to White Listed Credit Card Data for certification testing information related to Card Verification.
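A pre-send check for the rule above, as an added example that is not EVO Snap* or card-brand code: it extracts the stripe payload as the text defines it and confirms that the field about to be submitted matches it exactly. The function names, the one-track-per-string assumption and the sample swipe are constructed for illustration.

```python
# Added example: names and sample data are constructed, not from any SDK.
from typing import NamedTuple

# Limits quoted in the text: payload length excluding sentinels and LRC.
TRACKS = {"%": ("Track 1", 77), ";": ("Track 2", 37)}
END_SENTINEL = "?"


class TrackPayload(NamedTuple):
    track: str
    data: str  # everything between the sentinels, character for character


def extract_payload(raw_swipe: str) -> TrackPayload:
    """Return the part of a raw swipe that must be forwarded unaltered.

    Assumes raw_swipe holds a single track as delivered by the reader.
    """
    if not raw_swipe or raw_swipe[0] not in TRACKS:
        raise ValueError("missing start sentinel")
    track, max_len = TRACKS[raw_swipe[0]]
    end = raw_swipe.find(END_SENTINEL, 1)
    if end == -1:
        raise ValueError("missing end sentinel")
    # At most one LRC check character may follow the end sentinel.
    if len(raw_swipe) - end - 1 > 1:
        raise ValueError("unexpected data after end sentinel")
    data = raw_swipe[1:end]
    if not data or len(data) > max_len:
        raise ValueError(f"{track} payload length {len(data)} outside 1..{max_len}")
    return TrackPayload(track, data)


def is_compliant(raw_swipe: str, outgoing_field: str) -> bool:
    """True only if the outgoing field equals the stripe payload exactly."""
    try:
        return extract_payload(raw_swipe).data == outgoing_field
    except ValueError:
        return False


# Constructed Track 2 swipe using a test card number; "5" stands in for the LRC.
SAMPLE_SWIPE = ";4111111111111111=30121010000000000?5"
```

Trimming, padding, re-casing or masking the payload before submission all make `is_compliant` return False, which is the condition the brands flag as 'Not Compliant'.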
Card associations implemented enhanced security programs to assist merchants in CNP environments by verifying the cardholder has physical possession of the card. This data is commonly referred to as Card Verification Data (CVD).
CVD Forms by Payment Brand | |
---|---|
American Express Card Identifier (CID) | 4-digit number on the front of the card above and right of the account number. |
Discover Card Identifier (CID) | 3-digit number on the back of the card next to the account number on the signature panel. |
MasterCard Enhanced Card Verification Code (CVC2) | 3-digit number on the back of the card next to the account number on the signature panel. |
Visa Enhanced Card Verification Value (CVV2) | 3-digit number on the back of the card next to the account number on the signature panel. |
Some additional considerations regarding CVD:
- Most card associations and issuers do not validate CVD when the card is swiped. As a result, no response code is returned in the transaction response.
- Although enhanced CVD is considered optional, providing this data ensures additional fraud protection for all manually keyed, CNP authorization requests.
- Visa, MasterCard, and Discover provide a CVD result code on every transaction when CVD is entered. The CVD response can be used by the merchant to determine if the cardholder has possession of the card at the time of the sale. By using the CVD response code to determine the legitimacy of the transaction the merchant can reduce the potential of fraudulent transactions resulting in merchant chargeback losses.
- American Express merchants must be registered with AMX in order to perform the CID match. For registered merchants, if the CID value matches, the transaction is approved. For merchants not registered with AMX for this service, CID matching can still be requested, but matching will not be performed. If there is no CID match for proprietary American Express cards, the transaction is declined. For American Express cards issued by other banks, a CID response value may be returned.
- The CVD response does not need to be a match for a transaction to be approved. The responsibility to accept or reverse an approved transaction when the CVD response is not a match is at the Merchant level.
In order to provide businesses with additional reporting features, merchants are required to submit additional data with each transaction. When data is submitted with the transaction, the merchant may qualify for lower consumer card interchange rates. Level 2 and Level 3 data is not required to be submitted on Travel & Entertainment transactions.
Additional information about Level 2/3 data:
- Consumer cards do not support Level 2/3 data.
- Level 3 cards can be processed as standard Level 1 cards.
- When processing Level 3 data, Level 2 data must also be provided.
- Not implementing support for Level 2/3 data (when processing cards supporting Level 2/3 data) results in higher interchange rates.
Merchants should submit as many of the data elements as possible. In order to meet Visa Level 2 data requirements, the sales tax must be greater than $0.00 and the Tax Flag must indicate tax is present. The tax value must fall within 0.1% and 22% of the total transaction amount for Visa to qualify for the best interchange rate allowed on these cards.
Tax Exempt status must be properly identified in the Local Tax Flag field. If the transaction tax amount equals $0.00, the Local Tax Flag must indicate the transaction is tax exempt.
For Visa Canadian merchant locations, the PST (Provincial Sales Tax), QST (Quebec Sales Tax), GST (Goods & Services Sales Tax), or HST (Harmonized Sales Tax) may be included on Business and Purchase Cards.
Visa Purchase Cards can be identified by BIN range. Corporate and Business Cards cannot. At non-petroleum merchant locations, Visa Fleet cards are treated as Purchasing Cards.
In order to meet MasterCard Face-to-Face Commercial Data Rate II data requirements, the sales tax amount must be greater than $0.00 and the tax flag must indicate tax is present. The value must fall within 0.1% and 30% of the total transaction amount to qualify for the best interchange rate allowed. MasterCard does not require a tax amount for fuel transactions.
MasterCard removed the tax edit resulting in transactions with zero or no tax to be eligible for Commercial Face-to-Face and Data Rate II rates for the following Merchant Category Codes (MCC):
MCC Exceptions | ||
---|---|---|
4111 – Transportation | 4131 – Bus Lines | 4215 – Courier Services |
4784 – Bridge and Road Fees | 8211 – Schools | 8220 – Colleges |
8398 – Charitable Organizations | 8661 – Religious Organizations | 9211 – Court Costs |
9222 – Fines | 9311 – Tax Payments | 9300 – Government Services |
9402 – Postal Services |
Transactions for the MCCs listed above can be submitted either with no tax or a tax amount between 0.1% and 30% of the transaction amount.
For MasterCard Canadian merchant locations, the GST (Goods & Services Sales Tax) or HST (Harmonized Sales Tax) may be included on Business and Purchase Cards. MasterCard Purchasing, Corporate and Business Cards cannot be managed by BIN range. At non-petroleum merchant locations, MasterCard Fleet cards are treated as Purchasing Cards.
For American Express Purchasing Card Level 2, if the Customer Reference No, Tax Amount and Destination Zip are submitted by the merchant, Chase Paymentech submits the data to American Express to be considered as Level 2 qualification for conveyed merchants. American Express requires setup on the Amex system for a merchant to support Level 2.
American Express Corporate Purchasing cards are not limited to specific BIN ranges and no identification of a corporate purchasing card is included in the response message. American Express identifies a Corporate Purchasing card during the Amex settlement process.
MasterCard SecureCode (MCSC) and Verified-by-Visa (VbV) are solutions designed to authenticate cardholders when processing online payments. Both programs require a merchant website (or cardholder) to have additional software to allow interaction with the cardholder issuing bank at the time that the purchase is made. This interaction allows the cardholder to be authenticated at the time of the purchase. Once authenticated, the issuer provides authentication data to pass to the host during the credit authorization process.
MCSC offers a mechanism for securing the Internet channel by providing a unique transaction-specific token that provides evidence that the cardholder originated the transaction. MCSC uses MasterCard’s Universal Cardholder Authentication Field (UCAF) infrastructure to communicate the authentication information among the cardholder, issuer, merchant and acquirer.
Recurring payments should include AAV data for the initial authorization request only. Authentication data is not required for recurring payment authorizations since they are not considered electronic commerce transactions by MasterCard and are not eligible for MCSC processing.
- Supporting MCSC transactions with a token:
  - BankcardTransaction.BankcardTenderData.EcommerceSecurityData.TokenData is required and contains the token provided by the service.
  - BankcardTransaction.BankcardTenderData.EcommerceSecurityData.TokenIndicator is required and must be set to 'UCAFWithData'.
- If MCSC is supported, but the token could not be obtained or will not be sent with the transaction:
  - BankcardTransaction.BankcardTenderData.EcommerceSecurityData.TokenData is not populated.
  - BankcardTransaction.BankcardTenderData.EcommerceSecurityData.TokenIndicator is required and must be set to 'AttemptedCardUnsupported', 'AttemptedServiceUnavailable' or 'UCAFWithoutData'.
Verified-by-Visa (VbV) and MasterCard SecureCode (MCSC) are solutions designed to authenticate cardholders during online purchases. Both programs require a merchant website to interact with the issuing bank at the time of purchase to authenticate the cardholder. Once authenticated, the issuer passes authentication data to the host for validation during the credit authorization process.
VbV adds a new level of security to Internet transactions by verifying ownership of an account in real time during an online payment transaction. VbV gives Visa card issuers the ability to confirm the identity of the cardholder using a variety of authentication methods, including passwords, chip cards, and digital certificates. Real-time authentication during the checkout process results in a safe and more cost-effective eCommerce solution for merchants and consumers. VbV is based on the 3D Secure Protocol using Secure Sockets Layer (SSL) encryption to collect and protect payment card information transmitted via the Internet.
Visa International and Visa U.S.A. operating regulations shift fraud chargeback liability from the merchant to the Issuer when a merchant submits proof the cardholder was authenticated (or attempted to authenticate) in a VbV transaction. The Merchant must not store and submit the Cardholder Authentication Verification Value (CAVV) with any subsequent transaction.
When supporting VbV transactions in CWS:
- Supporting VbV transactions with a token:
  - BankcardTransaction.BankcardTenderData.EcommerceSecurityData.TokenData is required and must contain the token provided by the service.
  - BankcardTransaction.BankcardTenderData.EcommerceSecurityData.TokenIndicator is required and must be set to 'VPAS'.
  - BankcardTransaction.BankcardTenderData.EcommerceSecurityData.XID is optional and may contain the Visa XID value.
- If VbV is supported, but the token could not be obtained or will not be sent with the transaction:
  - BankcardTransaction.BankcardTenderData.EcommerceSecurityData.TokenData is not populated.
  - BankcardTransaction.BankcardTenderData.EcommerceSecurityData.TokenIndicator is required and must be set to 'AttemptedCardUnsupported' or 'AttemptedServiceUnavailable'.
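The MCSC and VbV field rules above can be enforced before a request leaves the merchant system. The following is an added example, not CWS SDK code: the field names and indicator values are the ones listed on this page, while the function names, the plain-dictionary request shape and the `brand` / `recurring_followup` arguments are hypothetical.

```python
# Added example. Field names and indicator values come from the lists above;
# function names and the brand / recurring_followup arguments are hypothetical.
WITH_TOKEN = {"Visa": {"VPAS"}, "MasterCard": {"UCAFWithData"}}
WITHOUT_TOKEN = {
    "Visa": {"AttemptedCardUnsupported", "AttemptedServiceUnavailable"},
    "MasterCard": {"AttemptedCardUnsupported", "AttemptedServiceUnavailable",
                   "UCAFWithoutData"},
}


def make_txn(**security_data):
    """Build the nested structure that holds EcommerceSecurityData."""
    return {"BankcardTransaction": {"BankcardTenderData": {
        "EcommerceSecurityData": dict(security_data)}}}


def check_security_data(brand, txn, recurring_followup=False):
    """Return the rule violations for one transaction (empty list = OK)."""
    if brand not in WITH_TOKEN:
        return [f"no VbV/MCSC rules for brand {brand!r}"]
    esd = (txn.get("BankcardTransaction", {})
              .get("BankcardTenderData", {})
              .get("EcommerceSecurityData") or {})
    token, indicator = esd.get("TokenData"), esd.get("TokenIndicator")
    if recurring_followup:
        # Authentication data belongs to the initial authorization only.
        return ["TokenData must not be resubmitted"] if token else []
    problems = []
    if not indicator:
        problems.append("TokenIndicator is required")
    elif token and indicator not in WITH_TOKEN[brand]:
        problems.append(f"{indicator} is not the with-token indicator for {brand}")
    elif not token and indicator in WITH_TOKEN[brand]:
        problems.append(f"{indicator} requires TokenData")
    elif not token and indicator not in WITHOUT_TOKEN[brand]:
        problems.append(f"{indicator} is not a no-token indicator for {brand}")
    if esd.get("XID") and brand != "Visa":
        problems.append("XID is listed for VbV only")
    return problems


# Constructed placeholder, not a real authentication value.
SAMPLE_TOKEN = "CONSTRUCTED-TOKEN-PLACEHOLDER"
```

The `recurring_followup` branch covers both the MCSC rule that recurring payments carry AAV data on the initial authorization only and the VbV rule that the CAVV is not stored and resubmitted.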
All approved and partially approved Visa and MasterCard authorizations must be reversed in the case of the cancellation of a sale by the cardholder or an authorization request submitted by the merchant in error. In support of this regulation, merchants and acquirers must process reversals immediately for authorizations cancelled by the cardholder or erroneously entered by the merchant. Failure to do so will result in fees being assessed on any unsettled transaction authorizations.
Additionally, merchants who use the CWS Authorize operation to perform a $1.00 status check to validate the card must reverse (void) the authorization to avoid being charged misuse fees by Visa and MasterCard.
Service providers supporting the CWS Verify operation can use the $0.00 status check to perform the same card validation without performing a reversal (void).
To avoid fees assessed on unsettled authorizations the following is recommended:
- Perform a status check vs. a full authorization for transactions that will not be processed.
- All card-present status check authorizations should be reversed within 24 hours.
- All card-not-present status check authorizations should be reversed within 72 hours.
- Visa requires transactions to be cleared within 10 days of authorization for all MCCs except Travel & Entertainment segments, which must be cleared within 20 days of the authorization regardless of the transaction date.
MasterCard identifies the following MCCs as exceptions (not required to adhere to the reversal mandate.)
MCC Exceptions | ||||
---|---|---|---|---|
3351-3441 (Car Rental Agencies) | 3501-3999 (Lodging) | 4411 (Cruise Lines) | 7011 (Lodging) | 7512 (Auto Rental Agency) |
Refer to Address Verification Service (AVS) section for additional information.
In order to qualify for the best interchange rates, transaction authorization and settlement amounts must be within the specified tolerance ranges. Tolerance ranges vary by card type and payment industry.
Brand | Processing Details |
---|---|
American Express | American Express does not have the same strict tolerance rules as other payment brands. No support is provided for incremental authorizations or partial reversals. |
Discover | Discover does not have the same strict tolerance rules as other payment brands. No support is provided for incremental authorizations, but it is available for partial reversals. |
MasterCard | MasterCard does not have the same strict tolerance rules as Visa. No support is provided for incremental authorizations, but it is available for partial reversals. |
Visa | Visa supports very strict tolerance levels; however, they do provide support for incremental and partial reversal transactions so that the authorized and settled amounts can come within the allotted tolerance. |