Has Visa Europe missed a trick

Whilst an automated response as you propose is what is desireable as it is cost effective both for the organisation and the end user,  sms is not secure as a response mechanism and is limited to 160 characters.

Regards

Jim KING  

You asked if VISA has missed a trick after you suggested that it seems ideal to send a SMS and wait for the cardholder to reply during an authorization request.

The answer to this is - NO, VISA has not missed this. 

Card Authorization requests are sent from the POS or card acceptor to the issuing bank (bank that issued the card) through a payment processor. Note that not all card transactions require authorization by the issuing bank. For chip and pin card payments, the floor limit, for example, can be 100 euros. What this means is that an authorization request is sent to the issuing bank only if the amount is over 100 euros. Floor limit for signature-based card transactions is lower. There are other rules that apply...

With a 4-party card scheme, a merchant bank also participates in this seamless process, which usually only takes seconds to complete. Most issuing bank's authorization systems are ported on a mainframe platform, some using CICS (also sometimes referred to as 'kicks').  

A user interface that might pause, stop or control the flow of a card authorization request does not exist and will not work because of business and technical reasons. 

You may consider these authorization requests as application transactions that are sent and queued to the issuing bank's authorization system for processing. Once a card authorization request is sent by the card acceptor (merchant), there is no stopping this seamless process. 

Thus, the process and system closest to what you described is a system that enables the cardholder to set limits prior to the card authorization request. This can be done via several interfaces (web, IVR, SMS or mobile). These 'limits' are then sent to the issuing bank's card authorization system where they are recorded. Once a card authorization request is sent by the card acceptor, the issuing bank's authorizations system then checks, matches and updates these 'limits' before it approves or rejects the authorization request.

In conclusion, VISA has not missed the system that you described since it will not work. It has, however, missed the system that I described since it is patented and VISA applied for the same thing, 13 months too late.

As well as the technical hurdles mentioned in the previous comment, there is the issue of the customer experience.  While an interaction that involves the customer receiving an SMS and sending a reply to confirm the transaction might be acceptable for internet transactions, it would be intolerable for POS transactions in the physical world.  Imagine standing at a busy checkout waiting for an SMS to arrive!  Since this would only happen for potentially fraudulent transactions it would also be unpredictable and confusing for the consumer.

Dear Peter, you've ignored a significant additional cost: assuming you're not proposing to hold up the online authorisation with SMS messages (as pointed out above the entire authorisation needs to complete on average in fractions of a second) it means you're suggesting that the cardholder should reply "YES" or "NO" after the auth, but before the transaction is settled (i.e. the Visa BASE II record is processed). Effectively you're giving the cardholder the ability to initiate a chargeback, which is an expensive, time consuming process as it requires the merchant to retrieve original source documents, and submit them (sometimes via fax).

Dear all,

Thank you for your comments, to which I thought I would respond. The option I suggest is not that SMS should be used to complete immediate on line authorisations.  I am proposing that the advent of full circle, two-way SMS will improve the service experienced by the customer and afford greater management and control for the bank or card company. The additional layer of fraud control prior to automatically cancelling or barring a card, avoids disruption to the customer’s daily routine and would be a great place for both the banks, and their customers to be.

Where a bank for example, would usually flag a potential fraudulent transaction by taking immediate action to bar the card, or request customer contact via a help desk, I propose the use of a text message to prompt the required information from the customer instead. As this communication would be automated into the workflow process, the bank itself can define the amount of time it is prepared to wait for a response from the customer before it continues with its standard practice. Furthermore, security requirements can be defined within the SMS process, and the bank can either escalate or close the workflow as it sees fit, based on the SMS response, or lack of one.

Crucially, this means that for the first time, a bank can securely integrate SMS into its customer management processes, including credit card options, account management, overdraft alerts, fraudulent warnings and much more. In turn, the customer is empowered to take appropriate action by SMS, a function many of us take as second nature, and the bank has the potential to make huge savings by removing some of the administrative burden, and also by potentially reducing fraudulent activity.

For consideration:

- Text message can often be delivered anywhere in the world within 60 seconds

- Nearly every mobile handset can be reached by SMS

- There is no need for training and no software download  required

- SMS is already fundamentally secure as a message will only ever go to the phone number it is sent to

- There is always a full audit trail of communications, including delivery receipts

- Text messages are admissible in a court of law

- Texts can be delivered in any language

Implementing a text messaging solution that guarantees the correct SMS response is delivered back to the original database record that issued the message, allows for a completed workflow transaction.

It’s all about the humble SMS - I say keep it simple!!

"While an interaction that involves the customer receiving an SMS and sending a reply to confirm the transaction might be acceptable for internet transactions..."

Not really, a card issuer does not have any control over how the card payment is accepted. Authorization requests for online card payments can be processed on a real-time or sometimes later via batch. So, this will also not work for card-not-present transactions. 

The first thing I learnt about retail payments is 'speed is essential'.

While premium SMS can be quick, it also has a premium fee.

I'm very happy to see Visa doing what they're doing, but not for the reasons you might imagine. I'm looking forward to them rolling out RFID too :)