By Ken Musante
Eureka Payments LLC
The thought of force posts takes me back to my issuing-bank days. Paper warning bulletins were sent weekly to all merchants. If merchants wanted to accept transactions above a specific dollar amount (called the "floor" amount), they had to either electronically authorize or manually check the warning bulletin to ensure the cards being used were not listed; otherwise they would be subject to chargebacks.
Today with electronic authorizations, the floor limit for nearly all merchants is zero, and every transaction is electronically authorized. So I thought it appropriate that Visa is set to change this practice. In the Dec. 14, 2017, issue of Visa Business News, Visa outlines its requirements to minimize merchant access to force-post functionality in an article titled "Acquirer Requirements to Control the Use of Force-Post Transactions."
Most merchants never need to force post an authorization with a sale. Force posts allow merchants to manually enter a previously obtained authorization and then force route the transaction through clearing and settlement. At the time the authorization is posted or forced with the sale, it is not validated. This means that whatever code is entered is accepted, and funds are debited to the issuer and credited to the acquirer. The system forces the original authorization and capture, and that information is submitted into interchange, regardless of whether it was authorized. Later, if that transaction is disputed, and if the authorization is not valid, the issuer may initiate a chargeback, and the merchant will not have recourse.
Through the years, as merchants have migrated to electronic authorizations and shortened delivery time, the need to force post transactions has radically diminished, yet acquirers still set up all merchants with that functionality. Most merchants do not even realize what a force post is, and fraudsters have leveraged that fact. Specifically, they have used the force-post process to perpetrate fraud through the following schemes:
Consequently, Visa decided to enforce a rule change to further limit the exploitation of this vulnerability. Effective Jan. 26, 2019, acquirers must grant force-post functionality as an exception and only if warranted by a given merchant's practices. All existing merchants not specifically approved to process force-post transactions must be systematically restricted from doing so. While the details have not yet been worked through, I suspect this will necessitate a full or partial reprogramming of terminals and an update from POS providers and gateways.
I do not foresee processors updating their systems, because some merchants will still require this service, so it cannot be systematically turned down at the processor. Some merchants legitimately need to obtain an authorization prior to the sale so that they can later pair or "force" the authorization and sale.
Think about a mail order merchant who is obtaining a custom part on behalf of a cardholder. Before the merchant hunts down and buys the custom part, he or she wants to ensure the cardholder has the funds available to buy. In that instance, the merchant would be wise to authorize the transaction and, upon shipping the part, pair the authorization and sale.
Going forward, acquirers will need to specifically review and approve merchants to have force-post capabilities. Additionally, they must document the merchant's need and monitor force-post activity to ensure it is not being abused.
I suspect this subset of merchants will be required to acknowledge some additional liabilities in order to have this capability turned on. And all of us will have to again reprogram or update our base of merchants. I encourage you to review Visa's "Acquirer Requirements to Control the Use of Force-Post Transactions" directly. If you do not have the document, which was not distributed publicly, ask your acquirer for a copy.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next