Hotel credit card authorization form 2017 change

Hotel and lodging industry must update best practices due to 2016 and 2017 changes in Visa and MasterCard rules. Cardholder authentication and multiple authorization indicators are two key components of change. Hotels that comply will maximize profits and security. Noncompliance will result in higher credit card acceptance fees due to penalties, increased declines, reduced profits, and new chargeback risk.hotel credit card authorization formFor those still using paper credit card authorization forms, few are in compliance with Visa Core Rules 5.4.2.5 Prohibition against Requiring Cardholder or Account Data – US Region.

“A US Merchant or its agent must not: Request the Card Verification Value 2 data on any paper Order Form.”

Authorization validity is front and center to the 2017 rules changes. Merchants used to get and authorization, and settle it later at checkout. Now merchants must send the correct transaction types and link them all together with a unique identifier:

  1. The ESTIMATE (Visa) or UNDEFINED (MasterCard) indicator is sent when the final settlement amount is unknown. The customer must be informed that it is an estimate as well.
  2. INCREMENTAL authorization is obtained when the original authorization expires or to increase the amount on hold.
  3. Final Authorization says this is the final transaction.

TIP: Merchants need 3-D Secure (Verified by Visa, MasterCard SecureCode), a global cardholder authentication standard for card absent transactions, to maximize profits and compliance for card not present transactions, which is only available with customer initiated transactions: hosted pay page, digital payment request, online booking. Paper forms don’t create a digital record tied to the credit card, and cardholder authentication is not possible, as defined by the card brands. It’s also not possible to comply with the rule by key entering data into any desktop terminal.

The unique transaction transaction identifier can be a point of breakdown in the process. For example, the events manager obtains a paper credit card authorization form. The first charge is a deposit; the second charge is at the end of the event; a third charge occurs after assessing damages to a room. In each case, the amount is key entered into the payment processing terminal. Since there is no transaction identifier tying them all together, the authorizations are invalid and the ISSUER is within their rights to chargeback for invalid authorization, example Visa reason code 72.

There are so many nuances to the rules, and changes needed in the payments ecosystem, hotels should not assume existing partners have completed the required updates to comply. Technology that can automatically manage the authorization and settlement process- not the old way, but with all the new rules changes- requires a sophisticated payment gateway. Like EMV, there will be vendors that struggle to adapt.

For compliant solutions that can be used standalone or integrated, improving your customer experience, contact Christine Speedy, 954-942-0483.

Reference materials:

  • MasterCard® Pre & Final Authorization Mandate by CyberSource, December 2016.
  • Visa Core Rules October 2016.
  • MasterCard Revises Standards for Processing Authorizations and Preauthorizations by Vantiv December 2016.
  • MasterCard Transaction Processing Rules, November 2016.

See merchant bulletins – downloads for links to many resources.

Lodging Authorization Rules Change 2017 – Chargeback Prevention Tips

online booking credit card fraudIn October 2016, Visa quietly announced sweeping changes to rules for card not present transactions in the lodging industry. With online booking technology updates, hotels can increase profits by complying with the new rules, including for guaranteed reservations. Failure to comply may significantly increase financial risk.

A core concept is valid “authorization”, which impacts merchant rights and potentially credit card processing rate qualification. An invalid authorization equates to a no authorization. Card issuers will be within their rights to use reason code 72 and chargeback, or ACH, the funds from merchant bank account on the next settlement day, for failure to comply with the rules. This is a significant change, as in the past, hotels would respond to cardholder initiated disputes, a completely different scenario, and win a good portion of them.

What’s a valid authorization? It’s mostly described in Special Authorization Request Allowances and Requirements. Key elements:

  • Stored credential– rules for storing and what associated data is required on file and what is submitted with transaction- same transaction ID required for all after initial approval
  • Estimated Authorization– indicator as to whether the authorization is an estimate or is final is sent with transaction. Authorization is valid for 31 days. (Originally 14 days, but subsequent bulletin released to change it.)
  • Incremental authorization  – must use same transaction ID as estimate, and submit with incremental authorization indicator
  • Visa now groups transaction types into ‘customer initiated’ and ‘merchant initiated’. For card not present, a transaction is only considered customer initiated, if Verified by Visa is used. Verified by Visa (VbyV) is their brand name for the global 3-D Secure cardholder authentication protocol for card not present transactions.

Updated Checkout Flow For Online Booking:

  • Opt-in to no-show policy, terms and conditions
  • Authenticate cardholder
  • Authorize with the estimate indicator
  • Deliver email confirmation with the policy
  • Incremental auths with same Trans ID only.
  • Close transaction by day 31; partial reversal same transaction ID if applicable.
  • If ticket closed, open new estimated auth.

KEY DATES

  • Effective through 13 October 2017: In the US Region, for Car Rental Merchants, Cruise Lines, and Lodging Merchants, the Merchant must use the Incremental Authorization Request indicator and the same Transaction Identifier for all Authorization Requests.
  • Effective 14 October 2017 Transaction initiated with an Estimated Authorization
  • Verified by Visa cardholder authentication protects lodging merchants immediately from “it wasn’t me” card not present fraud.

Without hotel action to update online booking in advance of the October dates, financial exposure for prior months may be significant.

Christine Speedy, authorized CenPOS reseller provides universal payment processing solutions to maximize merchant profits and mitigate risk across multiple sales channels. To get a CenPOS account and your booking engine compatible plugin contact Christine at 954-942-0483.