[olug] [OT] PCI authorize without actual posting

Edward Pluta epluta3 at cox.net
Tue Apr 7 05:43:42 UTC 2009


I used to work at a large credit card processor in town. Not sure if I 
remember much but, an authorization is done when the card is swiped to make 
sure you have enough money available. When the ticket is actually presented 
to VISA, AMEX, MC, whatever and run through the system and comes to the 
issuer when it is posted.

How the issuer (your bank) shows the money on their system, is separate from 
the merchant system. If you pay a bill on Friday and the charge disappears 
Sat. that is the issuer's fault (they said you were good for the money, so 
should reserve the money until it posts or ages off). The merchant actually 
has three days (I believe, at least on VISAnet) to post the ticket. In the 
frat boy example, if they caused no damage and paid for the room in cash, 
they would just let the authorization fall on the floor and the money would 
not be moved from the account. NO, businesses are not so stupid as to just 
"forget" to post a charge.

Once the actual ticket is posted the correct amount is removed from the 
issuer to the merchant. That is how you can get gas and right afterward you 
have a charge of $50 but only got $20 worth, or go out for dinner and spend 
$50 on food, give a $10 tip but only $50 is charged to your account when you 
get home. You are authorized for one amount, $50 in gas or for food, then 
when it posts it's for the correct amount, $20 in gas or $60 for dinner and 
tip.

Tickets now are all digital, some folks may remember when they had those 
weird swiper things they made imprints of the card in, same rules different 
technology.

There are a number of ways to request authorization, payment, chargeback, 
etc for a card and all the players (VISA, MC, etc) have different rules and 
protocols. Skimming the link you provided looks like a protocol for 
interacting with the netbilling system, and not the rules for being a credit 
card processor. Which is incredibly difficult.

I have been up for far too long as well. Was there a question in there?

----- Original Message ----- 
From: "Rob Townley" <rob.townley at gmail.com>
To: "Omaha Linux User Group" <olug at olug.org>; "Perl Mongers of 
Omaha,Nebraska USA" <omaha-pm at pm.org>
Sent: Sunday, April 05, 2009 6:45 AM
Subject: [olug] [OT] PCI authorize without actual posting


> PCI for this convo isn't Peripheral Component Interconnect, but
> Payment Card Industry.  There should be a few pros on the list
> considering this is Omaha.
>
> There are authorizations to withdraw money and a few days later, the
> actual withdrawal - termed a post.  Pay a bill online Friday morning
> and it shows up Friday morning via your bank's website immediately.
> Saturday, the transaction disappears from your online account.  Monday
> you wonder if you actually paid the bill.  Tuesday, it appears again
> and the money is actually withdrawn.
>
> Have any of you had low level experience with a merchant processing
> system platform?  gnucash may be an example, maybe.   My banker said
> that sometimes the authorization goes through, but the merchant system
> does not go back and do a successful post to actually take the money
> out.  I find that a little hard to believe - I mean there are bugs and
> then there is giving money away.  Capitalism makes that bug
> impossible.  The battery backup could die, but the transaction
> processing would fix it later, boss.
>
> Consider some frat boys renting a hotel room.  The hotel may require a
> credit card and request authorization to withdraw for a hefty room
> deposit.  This creates some kind of authorization number that usually
> goes unused.  The frat boys check out Sunday morning calmly thinking
> management won't notice the hole in the wall and the missing faucet.
> Sunday afternoon, the cleaning lady reports the damage.  Management
> cashes in that deposit authorization number, effectively converting it
> to a sale.
>
> I can see that authorizations and capturing a previous authorization
> would be two different steps, but nobody ever forgets that second
> step, right?  No website is that dumb, right?
>
> For more info, do a search for tran_type on the following page.
> http://secure.netbilling.com/public/docs/merchant/public/directmode/directmode3protocol.html
>
> I have been up far too many hours ... sorry for the rambling.
> 
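
The authorize-then-post lifecycle discussed in this thread, as an added example that is not part of either message: a merchant-side reconciliation that flags authorizations never posted inside the window and postings whose amount differs from the hold. The class and function names, the sample records and the use of the three-day window as a fixed constant are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Optional

# Assumption: the three-day posting window recalled in the reply above;
# actual limits depend on the card network and merchant type.
POST_WINDOW = timedelta(days=3)

@dataclass
class Auth:
    auth_id: str
    amount: Decimal                      # amount approved at swipe time
    authorized_at: datetime
    posted_amount: Optional[Decimal] = None
    posted_at: Optional[datetime] = None

def classify(auth: Auth, now: datetime) -> str:
    """State of one authorization as seen at time `now`."""
    deadline = auth.authorized_at + POST_WINDOW
    if auth.posted_at is None:
        # Never posted: the hold is still live or has aged off unused.
        return "aged_off" if now > deadline else "pending"
    if auth.posted_at > deadline:
        return "posted_late"
    # Posted amount may differ from the hold (pump pre-auth, added tip).
    return "posted" if auth.posted_amount == auth.amount else "posted_adjusted"

def reconcile(auths, now):
    """Group authorization ids by state for a merchant-side review."""
    report = {}
    for a in auths:
        report.setdefault(classify(a, now), []).append(a.auth_id)
    return report

def held_funds(auths, now) -> Decimal:
    """Total still reserved on the issuer side: pending holds only."""
    return sum((a.amount for a in auths if classify(a, now) == "pending"), Decimal("0"))

# Constructed sample data, mirroring the thread's examples.
T0 = datetime(2009, 4, 3, 9, 0)          # a Friday morning
NOW = T0 + timedelta(days=2)
SAMPLE = [
    Auth("gas", Decimal("50.00"), T0, Decimal("20.00"), T0 + timedelta(days=1)),
    Auth("dinner", Decimal("50.00"), T0, Decimal("60.00"), T0 + timedelta(days=2)),
    Auth("hotel", Decimal("200.00"), T0 - timedelta(days=5)),   # deposit, never posted
    Auth("bill", Decimal("75.00"), T0),                          # online bill, not yet posted
]
```

Running `reconcile(SAMPLE, NOW)` two days after the Friday authorizations shows the hotel deposit aged off and the bill still pending; the same bill left unposted past the window moves to `aged_off`, which is the case a merchant would want flagged for review.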