MasterCard® Pre & Final Authorization Mandate This document describes the MasterCard® Revised Standards for Processing Authorizations and Preauthorizations
Last Updated: 12/15/2016
CyberSource Public December 2016
1
What is the mandate? This global mandate from MasterCard® affects all authorizations performed on MasterCard®, Debit MasterCard®, Maestro®, and Cirrus® transactions. MasterCard® has changed the definition of an authorization request from a single one-type-fits-all transaction to three different types of authorization, each with its own rules. These are known as “Pre”, “Final”, and “Undefined” authorizations. As of October 2016, an authorization for an amount greater than zero for merchants in all regions except Europe and Middle East & Africa should be coded as a preauthorization, final authorization, or undefined authorization. Merchants in the Middle East & Africa region must code authorizations as either preauthorization or final authorization from the same date. This mandate is an extension of MasterCard’s Europe region mandate. In the Europe region, merchants must continue to code authorizations as either preauthorization or final authorization. MasterCard has defined strict timelines to clear or reverse transactions based on authorization type. They have also introduced new fees to enforce these changes, which are intended to be passed to you by your Acquirer. See below for more information on the fee types and related effective dates as indicated by MasterCard. This information has been provided to inform you of the upcoming system impact; contact your Acquirer for clarification on the fees and the effective dates.
What does the mandate mean? Every MasterCard® transaction should be processed using one of the three new authorization request types; “Final”, “Pre”, or “Undefined” as described below: FINAL— Authorization amount is greater than 0. Authorization requests must be for an agreed final amount with the consumer (e.g. card present, retail). Authorization may no longer be cancelled after it is approved in full, except where there is a system failure.
Authorization must be submitted for clearing and settlement within 7 calendar days.
Capture value and currency must be the same as the authorization value and currency. Chargeback protection is for 7 days (calculated from authorization date).
PRE— Authorization amount is greater than 0. Authorization may be requested for an estimated amount when authorization amount is unknown (e.g., hotel, car rental, e-commerce, restaurants).
Authorization must be submitted for clearing and settlement within 30 calendar days.
CyberSource Public December 2016
2
Authorizations that are not captured must be reversed; otherwise, a new processing integrity fee will be applied to the transaction.
Chargeback protection is for 30 days (calculated from authorization date).
UNDEFINED— Authorization amount is greater than 0.
The final transaction amount may differ from the authorized amount. Authorization may no longer be cancelled after it is approved in full, except where there is a system failure.
Authorization must be submitted for clearing and settlement within 7 calendar days. Authorizations that are not captured should be reversed; otherwise, a new processing integrity fee will be applied to the transaction. Chargeback protection is for 7 days (calculated from authorization date).
MasterCard® has also introduced a new set of fees for these transactions: Processing integrity fee for final authorizations not meeting requirements—a fee for final transactions that do not meet the criteria as defined above. Applies in all regions. New processing integrity fees—as noted above, a fee for authorizations that are not cleared or reversed by an Acquirer within 30 calendar days of the authorization date for preauthorizations and within 7 calendar days of the authorization date for undefined authorizations. Applies in all regions except EU and Middle East & Africa Preauthorization fee—a usage fee for transactions coded as preauthorizations. Applies in EU and Middle East & Africa only. Processing integrity fee for authorizations with undefined finality—a fee for transactions that are not flagged as “pre” or “final”. Applies in EU and Middle East & Africa only. Fees will be levied by MasterCard® to the Acquirer, who will pass them directly to you. For details please contact your Acquirer.
Table 1
Fee
Region
Effective Date
Processing integrity fee for final authorizations not meeting requirements
All regions
New processing integrity fees
All regions except EU and Middle East & Africa EU and Middle East & Africa
Jan 2017 for Middle East & Africa June 2017 for all other regions April 2017
Preauthorization fee
CyberSource Public December 2016
3
Jan 2017 for Middle East & Africa
Fee
Region
Effective Date
Processing integrity fee for authorizations with undefined finality
EU and Middle East & Africa
Jan 2017 for Middle East & Africa
All regions—US, CA, EMEA, LAC, AP Notes: - Undetermined is currently not supported on all processors. - These rules, where applicable, are already in effect in the EU region.
Other Rule Changes Effective October 2016 Reversal Rule Change In all regions, authorizations must be reversed within 24 hours of a transaction cancellation or of a finalization of the transaction for an amount lower than the authorized amount. This requirement replaces the existing U.S. region mandate for reversals within 24 hours for cardpresent transactions, within 72 hours for card-not-present transactions, and within 20 days of the authorization date for T&E transactions. Chargeback Protection Timelines The issuer chargeback protection period for transactions is a maximum of 30 calendar days for MasterCard authorizations properly coded as preauthorizations and is 7 calendar days for all other MasterCard authorizations and for all dual message Maestro® and Cirrus® authorizations and preauthorizations. 15/20 Transaction Amount Tolerances MasterCard transactions at card acceptors in all regions that are chip/PIN, contactless, or card-notpresent will no longer benefit from the 20 percent tolerance between authorization and clearing for gratuities (except for signature-based tipping). The 20 percent tolerance for gratuities continues to be available for card-present transactions, which are neither chip/PIN nor contactless (signature based) and provided that the authorization is coded as a preauthorization (all regions) or as an undefined authorization (all regions except Europe and Middle East & Africa). For MasterCard transactions, T&E merchants in all regions will no longer benefit from the 15 percent tolerance between the authorized amount and the clearing amount. Incremental Authorizations The use of an incremental authorization as a means to associate multiple preauthorizations to a single clearing presentment is being extended to all merchant types. Scheme Reference Data CyberSource Public December 2016
4
CyberSource will perform MasterCard® Trace ID linking for you.
Where does the mandate apply? This mandate is global. Rules and fees vary by region.
When will the mandate come into effect? The mandate is effective starting October 2016. See Table 1 for the dates on which fees are indicated to be imposed by MasterCard to Acquirers in a given region.
How will the Mandate impact my business? You will need to make changes to your payment flows to comply with the MasterCard® revised authorization and preauthorization rules. If you are using any of the products listed below, you will be affected as indicated.
Gateway Processing For Gateway processing, you can flag MasterCard® transactions as a particular type based on the MasterCard defined rules for your region, as described in the sections above. This will be done in one of three ways: Option 1: Depending on the processor, CyberSource will provide a configuration option enabling you to flag all of your transactions as either “Pre”, “Final”, or “Undefined”. This will correctly indicate the transaction type and will enable you to continue processing without any code changes. Option 2: For greater flexibility, you will be able to flag each transaction as either “Pre” or “Final” by updating your CyberSource API to include the appropriate field(s). This option is only available to you if your processor supports this functionality. Code change will be required at your end. Option 3: Combining Options 1 and 2, CyberSource can set a flag for each transaction that can then be overridden by a transaction type included in the API request. This option is only available to you if your processor supports this functionality. Code change will be required at your end. CyberSource will not actively reject non-compliant requests, such as authorization reversal for a Final Authorization. The request will still be sent to the processor—it is your responsibility to ensure that you conform to the rules of the MasterCard® mandate.
Decision Manager If you use Decision Manager, you will need to review your payment processing flows to ensure compliance with the MasterCard® “Pre” and “Final” mandate. Scenario 1: For Decision Manager calls that are run separately and before the authorization, you can choose to flag the authorization request as a particular type, based on the definition described in the “What does the mandate mean?” section above.
CyberSource Public December 2016
5
Scenario 2: For a Decision Manager request that is combined with the authorization, or when Decision Manager is set up to run automatically when an authorization request is submitted, CyberSource recommends that you use the “Pre” flag. A “Final” flag is not suitable for use in this scenario, as Decision Manager can place the transaction into a Reject or Review state, depending on the configured rules, potentially causing the transaction to become non-compliant with this mandate.
Secure Acceptance: Web Mobile and Silent Order Post For Gateway processing via Secure Acceptance Web Mobile and Secure Acceptance Silent Order Post merchants can flag their MasterCard® transactions as a particular type, as described in the sections above. Depending on the processor, CyberSource will provide a configuration option enabling you to flag all your transactions as “Pre”, “Final”, or “Undefined”. This will correctly indicate the transaction type and enable you to continue processing without any code changes.
Recurring Billing MasterCard® transactions submitted via the CyberSource Recurring Billing solution can be flagged depending on your processor. CyberSource will provide a configuration option enabling you to flag all of your transactions as “Pre”, “Final” or “Undefined”. This will correctly indicate the transaction type and enable you to continue processing without any code changes.
Tokenization For Gateway processing with a secure Token, you can flag your MasterCard® transactions as a particular type, as described in the sections above. Option 1: Depending on your processor, CyberSource will provide a configuration option enabling you to flag all of your transactions as “Pre”, “Final” or “Undefined”. This will correctly indicate the transaction type and enable you to continue processing without any code changes. Option 2: For greater flexibility, you will be able to flag each transaction as either “Pre” or “Final” by updating the API call to include the appropriate field(s). This option is only available to you if your processor supports this functionality. Code change will be required at your end. Option 3: Combining Options 1 and 2, CyberSource can set a flag for each transaction, which can then be overridden by a transaction type included in your API request. This option is available to you only if your processor supports this functionality. Code change will be required at your end. Virtual Terminal Depending on your processor, CyberSource will provide a configuration option enabling you to flag all of your MasterCard® transactions as “Pre”, “Final”, or “Undefined”. This will correctly indicate the transaction type and will enable you to continue processing without any changes.
3-D Secure 3-D Secure transactions will not be affected by the mandate.
CyberSource Public December 2016
6
What will happen to transactions that are not flagged? Transactions not flagged as “Pre” or “Final”, will continue to be processed by your Acquirer, and will not be rejected or declined. However, based on the region and the characteristics of the authorization other fees may apply. Please contact your Acquirer to learn more about the fees.
Are there any changes to the settlement process? There are no changes to the way that transactions are settled by CyberSource or the Acquirer.
When can I get the Technical Guide? We are engaging with processors to get their specifications. Some Acquirer processor connections have not yet released their specifications. The CyberSource API fields to flag each transaction as either “Pre” or “Final” are as described below: Simple Order API To indicate whether an authorization is a final authorization or a preauthorization, include the authIndicator field in your authorization request. Field: authIndicator Description: Flag that specifies the purpose of the authorization. Possible values are 0 for Preauthorization and 1 for Final authorization SCMP API To indicate whether an authorization is a final authorization or a preauthorization, include the auth_indicator field in your authorization request. Field: auth_indicator Description: Flag that specifies the purpose of the authorization. Possible values are 0 for Preauthorization and 1 for Final authorization. Integration may commence as described; however, the fields may not yet be available to test until CyberSource deploys the relevant changes per processor. The CyberSource API fields to flag each transaction will be available at various times depending on the processor. For dates on which the API fields for your processor are expected to be available, contact CyberSource Customer Support or your dedicated Technical Account Manager.
Whom to contact? For further information and technical documentation related to the CyberSource implementation of this MasterCard® mandate, contact CyberSource Customer Support or your dedicated Technical Account Manager. Your Acquirer should be the main point of contact for details on any payment network mandate including this mandate.
CyberSource Public December 2016
7
