wwomans hands with phone and card

Rules for authorisation reattempts

New requirements for unsuccessful reattempts with Visa and Mastercard

If an e-commerce transaction is declined in your online store, this can have various reasons: most declined authorisations are due to insufficient funds, a missing authentication (3-D Secure required, CVV2 is wrong), suspected fraud or outdated card data. As a consequence, you then send multiple reattempts, hoping to eventually obtain the payment. The problem: Such reattempts make it difficult to detect true fraud. They also cause unnecessary traffic. And there is no guarantee that you get your money.

To improve this, the card organisations Visa and Mastercard have introduced detailed reason codes to provide guidance to merchants on if and when to send reattempts.

We compiled all relevant information for you below. Please read it carefully.

What do you have to do as a merchant?

In order to understand the actions expected from Visa and Mastercard and to avoid potential future fees related to reattempts, we advise you to:

  • check with your payment service provider how you will be receiving the new reattempt data
  • make sure to follow this guidance
  • adapt your reattempt strategy according to the new requirements

If you are not managing reattempts yourself, please get in touch with your payment service provider for support.

Details on the new mandate

Thanks to the new decline reason codes of Visa and Mastercard, it is now possible to differentiate declines due to fraud from declines due to a cardholder not having enough cash in his account or due to an issuer having technical problems at the time of authorisation. Having clear decline reason codes is key for detecting true fraud. It is also the basis for improving the payment landscape with new security standards and for developing products that help increase conversion and acceptance rates for e-commerce merchants.  

Visa and Mastercard have reviewed their response code logic to tackle two mutually dependent issues. On one hand, issuers have increasingly used a generic decline code in the past. On the other hand, merchants that could not obtain a successful authorisation at the first attempt are sending multiple reattempts, hoping to eventually obtain a successful authorisation. These can look like automated fraudulent attempts and are rarely successful.

The actions can be summarised as follows:

  • Do not try again, the card issuer will never approve
  • Try again later (maximum up to 10 times)
  • Card data is outdated. Obtain new card data before retrying

Merchants are required to follow the action indicated by the given decline reason and either do not retry or limit the number of reattempts to the maximum allowed.  

Best practices

Below you can find an explanation and recommendation on each guidance transmitted in the authorisation response.

  • Why is this happening?
    Issuers will never approve authorisation requests if, for example, a card was stolen, the card number is invalid, the account was permanently closed or the transaction is not permitted to the cardholder for any reason.
    Reattempts will never be successful.  

    What to do
    You must not send a reattempt.

  • Why is this happening?
    The cardholder may not have sufficient funds at the time, but may have funds a few days later. For example if an authorisation request is declined at the end of the month, it can be worth to try again in the next month. Also, it may be that the issuer has technical issues at the time but will be back working on the next day.
    Reattempts are likely successful later.

    What to do
    You may retry within the next 30 days. Worldline recommends to retry a maximum of 10 times.

  • Why is this happening?
    Card data might be outdated. This can happen especially with long-term subscriptions or pay-per-use services that have not been used in a long time.

    What to do
    Obtain up to date card data from the cardholder before launching a new authorisation request.

FAQ

  • A reattempt is defined as any authorisation request that is submitted for

    • the same merchant,
    • the same card number (PAN),
    • the same amount

    after the initial authorisation request has been declined within the last 30 days.

  • The counter of the reattempts "goes back to zero" after 30 days, meaning that you can try again. Just take into account that when the guidance indicates to update the card details before retrying, a new try without new credentials will not succeed.

  • If you run a business selling subscription models or pay-per-use models and you are using credential on file data to initiate transactions while the cardholder is not present (merchant initiated transactions, MIT), you are likely affected by these requirements. Evaluate your current reattempt strategies. If you are not managing these yourself, please inquire with your payment service provider.

  • Payment service providers connected to Worldline acquiring were asked to upgrade their systems in order to support the new requirements. If you have not yet been informed by your payment service provider, please check with them directly.

  • The guidance provided by Visa and Mastercard apply also for Consumer Initiated Transactions.

  • What we recommend is to apply the same logic or strategy for Visa and Mastercard and apply on both the same reattempt limit (10 times).

Contact us

Do you have further questions regarding the requirements? Then please contact our Customer Service via e-mail:
cs.ecom@worldline.com