[olug] [OT] PCI authorize without actual posting

Rob Townley rob.townley at gmail.com
Thu Apr 9 19:23:01 UTC 2009


On Tue, Apr 7, 2009 at 12:43 AM, Edward Pluta <epluta3 at cox.net> wrote:
> I used to work at a large credit card processor in town. Not sure if I
> remember much but, an authorization is done when the card is swiped to make
> sure you have enough money available. When the ticket is actually presented
> to VISA, AMEX, MC, whatever and run through the system and comes to the
> issuer when it is posted.
>
> How the issuer (your bank) shows the money on their system, is separate from
> the merchant system. If you pay a bill on Friday and the charge disappears
> Sat. that is the issuer's fault (they said you were good for the money, so
> should reserve the money until it posts or ages off). The merchant actaually

a telephone banker for a visa check/debit card bank told me (if i
understood correctly) that the authorizations charges are dropped that
night to prevent a checking account overdraft.  i did not understand
that reasoning unless it specifically applied to very large hotel room
deposits.  As i understood it, the practice of dropping the auth is by
design.

So what happens when the harddrive crashes over the long weekend.  In
a rush to bring the system back up Monday morning, the sysadmin
restores the database but not the logfile of transactions.  That is
just one scenario, i can imagine many other scenarios where programmer
mistakes or sysadmin mistakes end up making charges not actually post
after being authorized.   Most systems would have adequate redundancy,
but there may be some choose to do things less expensively.

> has three days (I believe, at least on VISAnet) to post the ticket. In the
> frat boy example, if they caused no damage and payed for the room in cash,
> they would just let the authorization fall on the floor and the money would
> not be moved from the account. NO, businesses are not so stupid as to just
> "forget" to post a charge.
>
> Once the actual ticket is posted the correct amount is removed from the
> issuer to the merchant. That is how you can get gas and right afterward you
> have a charge of $50 but only got $20 worth, or go out for dinner and spend
> $50 on food, give a $10 tip but only $50 is charged to your account when you
> get home. You are authorized for one amount, $50 in gas or for food, then
> when it posts its for the correct amount, $20 in gas or $60 for dinner and
> tip.
>
> Tickets now are all digital, some folks may remember when they had those
> wierd swiper things they made imprints of the card in, same rules different
> technology.
>
> There are a number of ways to request authorization, payment, chargeback,
> etc for a card and all the players (VISA, MC, etc) have different rules and
> protocols. Skimming the link you provided looks like a protocol for
> interacting with the netfilling system, and not the rules for being a credit
> card processor. Which is incredibly difficult.
>
> I have been up for far too long as well. Was there a question in there?



>
> ----- Original Message ----- From: "Rob Townley" <rob.townley at gmail.com>
> To: "Omaha Linux User Group" <olug at olug.org>; "Perl Mongers of
> Omaha,Nebraska USA" <omaha-pm at pm.org>
> Sent: Sunday, April 05, 2009 6:45 AM
> Subject: [olug] [OT] PCI authorize without actual posting
>
>
>> PCI for this convo isn't Peripheral Component Interconnect, but
>> Payment Card Industry.  There should be a few pros on the list
>> considering this is Omaha.
>>
>> There are authorizations to withdraw money and a few days later, the
>> actual withdrawal - termed a post.  Pay a bill online Friday morning
>> and it shows up Friday morning via your banks website immediately.
>> Saturday, the transaction disappears from your online account.  Monday
>> you wonder if you actually paid the bill.  Tuesday, it appears again
>> and the money is actually withdrawn.
>>
>> Have any of you had low level experience with a merchant processing
>> system platform?  gnucash may be an example, maybe.   My banker said
>> that sometimes the authorization goes through, but the merchant system
>> does not go back and do a successful post to actually take the money
>> out.  I find that a little hard to believe - i mean there are bugs and
>> then there is giving money away.  Capitalism makes that bug
>> impossible.  The battery backup could die, but the transaction
>> processing would fix it later, boss.
>>
>> Consider some frat boys renting a hotel room.  The hotel may require a
>> credit card and request authorization to withdraw for a hefty room
>> deposit.  This creates some kind of authorization number that usually
>> goes unused.  The frat boys check out Sunday morning calmly thinking
>> management won't notice the hole in the wall and the missing faucet.
>> Sunday afternoon, the cleaning lady reports the damage.  Management
>> cashes in that deposit authorization number, effectively converting it
>> to a sale.
>>
>> I can see that authorizations and capturing a previous authorization
>> would be two different steps, but nobody ever forgets that second
>> step, right?  No website is that dumb, right?
>>
>> For more info, do a search for tran_type on the following page.
>>
>> http://secure.netbilling.com/public/docs/merchant/public/directmode/directmode3protocol.html
>>
>> i have been up far too many hours ... sorry for the rambling.
>> _______________________________________________
>> OLUG mailing list
>> OLUG at olug.org
>> https://lists.olug.org/mailman/listinfo/olug
>>
>
>



More information about the OLUG mailing list