[olug] [OT] PCI authorize without actual posting

Ed Pluta epluta3 at cox.net
Thu Apr 9 19:51:08 UTC 2009


---- Rob Townley <rob.townley at gmail.com> wrote: 
> On Tue, Apr 7, 2009 at 12:43 AM, Edward Pluta <epluta3 at cox.net> wrote:
> > I used to work at a large credit card processor in town. Not sure if I
> > remember much but, an authorization is done when the card is swiped to make
> > sure you have enough money available. When the ticket is actually presented
> > to VISA, AMEX, MC, whatever and run through the system and comes to the
> > issuer when it is posted.
> >
> > How the issuer (your bank) shows the money on their system, is separate from
> > the merchant system. If you pay a bill on Friday and the charge disappears
> > Sat. that is the issuer's fault (they said you were good for the money, so
> > should reserve the money until it posts or ages off). The merchant actaually
> 
> A telephone banker for a Visa check/debit card bank told me (if I
> understood correctly) that the authorization charges are dropped that
> night to prevent a checking account overdraft.  I did not understand
> that reasoning unless it specifically applied to very large hotel room
> deposits.  As I understood it, the practice of dropping the auth is by
> design.
> 
> So what happens when the hard drive crashes over the long weekend?  In
> a rush to bring the system back up Monday morning, the sysadmin
> restores the database but not the logfile of transactions.  That is
> just one scenario; I can imagine many other scenarios where programmer
> mistakes or sysadmin mistakes end up making charges not actually post
> after being authorized.   Most systems would have adequate redundancy,
> but there may be some that choose to do things less expensively.
> 
VISA, or MC or Diners Club or whoever is actually the clearing house so they have a record of all the transactions and take care of settlement. They are supposed to be a neutral third party. If your bank (the issuer) says you have the money and approves the auth then the third party (VISA, MC, etc) is aware of it and is the one actually waiting for the ticket to post and trust me they are redundant as all get out. How the issuer notates your account after the auth is up to them. They have already said the account is good for the money. If it posts a couple days later and the money is not there you are still on the hook and the issuer has done you a disservice. My bank does not remove or adjust the auth until it actually posts, to avoid checking overages, but I can still go over by tipping too much on a Friday night, as I have only been authorized for n drinks, not the tip as well  ;>)

As I read that, it does not really address your merchant side concerns. Typically, most retailers go through a vendor to handle their transactions since the protocols and methodology for working with the clearing houses are complicated and just not worth trying to do yourself. The last VISA manual I saw was nearly 400 pages, and that's just to work with VISA, never mind MC, AMEX, etc. Most places simply can't afford that R&D and upkeep; it's just cheaper to pay someone else to do it.  That being said, most vendors have built-in redundancy and the sysadmin/programmer error risk is pretty well mitigated. Also, most retail trans post same day, there is no need for a waiting period. If you buy a CD today, it posts tonight and the account settles. So there are no active auths waiting to post in the merchant system.

Most hotels I have stayed at do not actually do anything with your card unless you charge the room to it, break a reservation late, or do some damage. I do believe there may be another mechanism, specific to that type of instance, where they verify an available balance (to cover a deposit) but do not do an auth, but I honestly don't know.

> > has three days (I believe, at least on VISAnet) to post the ticket. In the
> > frat boy example, if they caused no damage and paid for the room in cash,
> > they would just let the authorization fall on the floor and the money would
> > not be moved from the account. NO, businesses are not so stupid as to just
> > "forget" to post a charge.
> >
> > Once the actual ticket is posted the correct amount is removed from the
> > issuer to the merchant. That is how you can get gas and right afterward you
> > have a charge of $50 but only got $20 worth, or go out for dinner and spend
> > $50 on food, give a $10 tip but only $50 is charged to your account when you
> > get home. You are authorized for one amount, $50 in gas or for food, then
> > when it posts it's for the correct amount, $20 in gas or $60 for dinner and
> > tip.
> >
> > Tickets now are all digital, some folks may remember when they had those
> > weird swiper things they made imprints of the card in, same rules different
> > technology.
> >
> > There are a number of ways to request authorization, payment, chargeback,
> > etc for a card and all the players (VISA, MC, etc) have different rules and
> > protocols. Skimming the link you provided looks like a protocol for
> > interacting with the netfilling system, and not the rules for being a credit
> > card processor. Which is incredibly difficult.
> >
> > I have been up for far too long as well. Was there a question in there?
> 
> 
> 
<<snip>>


