Special thanks to Edina Kovács, who helped me write this post.
What is Partial Approval?
Typically, a card payment begins with authorization, where the acquirer asks the issuer whether the cardholder has enough money to pay for the goods or services. The issuer answers with a ‘Yes’ or ‘No’. When partial approval is enabled, the issuer has a third option and can reply with a lower amount than the amount expected by the acquirer. Partial approval brings new challenges to issuers and acquirers.
A typical use of partial approval
Partial approval has been used at Automated Fuel Dispensers (AFD). Before refilling at an AFD, the cardholder must prove their capability to pay for the fuel. An AFD transaction begins with a fixed amount authorization request. The terminal has the amount programmed; the cardholder can’t change the authorization amount. A deadlock situation may happen if the cardholder has less money in their account than the authorization request amount. The issuer system would reply with a ‘No’, and the cardholder would have no chance to restart with a lower amount. We can imagine what that would mean with an almost empty fuel tank at a fuel dispenser far from any city. So, in this case, the issuer may reply with partial approval, telling the fuel dispenser the maximum amount the cardholder can pay. Fuel dispensers have been using this method for a while.
Technical aspects of the cards
To understand the changes in the card’s operation, we have to discuss the EMV payment approval process. After collecting the payment details, the terminal asks the card to create a cryptogram. This cryptogram tells the terminal and the issuer whether the card recommends approving or declining the transaction. At the same time, this cryptogram ensures that the critical values can’t be altered during the communication between the card and the issuer. The issuer replies with another cryptogram, and the terminal passes this cryptogram to the card. The card verifies the issuer-provided cryptogram, and based on this verification, the card makes the final decision about the approval or denial.
Usually, the authorization amount is an essential part of cryptogram generation. The card generates the cryptogram based on the amount entered on the terminal. When the card receives a cryptogram from the issuer generated using a different amount, the card considers the cryptogram fraudulent. The card must follow a particular flow in which the terminal receives the new amount from the issuer and passes this amount to the card, so the card uses this amount to verify the cryptogram instead of the original amount.
In the case of contactless cards, the situation is different. Here, the card doesn’t receive the issuer’s cryptogram because the card has already been removed from the terminal by the time the issuer’s reply arrives. However, the card maintains a log containing the authorized amount and other data. Although only a few issuers use the card log for any purpose, the amount inconsistency may cause problems for those that do.
Testing and certification requirements
Without going into the details of the card schemes, EMV considers the addition or modification of a function to be a major change, and the partial approval function falls into this category. Although the card schemes may specify their own rules, they usually use the change classification of EMV. Both cards and terminals may require a certification renewal. We at CARDSPOT analyze our customers’ situation and optimize their certification roadmap to reduce compliance costs.
Host systems’ partial approval capability may require revalidation, too, because partial approval may impact the host systems, as we will see in the next chapter.
Amount alteration and the back-office systems
Authorization host systems developed before partial approval came into the picture were designed to require the authorization request’s amount to be identical to the authorization reply’s amount. These systems may consider the amount difference as an incorrect value because earlier, the issuer was required to echo the amount in the authorization reply message.
When the issuer supports partial approval, they may alter the amount if they use the response code indicating that the authorization request was partially approved. The acquirer host must also be prepared to accept and forward these approvals to the terminals.
The story continues after partial approval has been processed, and the authorization is finished. The acquirer will initiate the clearing process. In this process, the acquirer requests the payment from the issuer. The issuer should find the original authorization for every payment request. The systems try to match many values of the payment request with the original authorization request. However, the amount won’t match the authorization request but rather the authorization reply. The system that manages the clearing to authorization matching may need redesign.
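The reply check and the clearing match described in this section, as an added example (not code from the original post). It assumes ISO 8583-style response codes "00" (approved) and "10" (approved for partial amount), which the post does not name; all record fields, keys and function names are hypothetical.

```python
from dataclasses import dataclass

# Assumption: ISO 8583-style response codes; the post itself names none.
APPROVED, PARTIAL = "00", "10"

@dataclass(frozen=True)
class Auth:
    requested: int       # amount in the authorization request, minor units
    replied: int         # amount in the authorization reply, minor units
    response_code: str

def reply_is_acceptable(auth: Auth) -> bool:
    """Acquirer host check: keep the echo rule for full approvals and
    accept a lower amount only together with the partial approval code."""
    if auth.response_code == APPROVED:
        return auth.replied == auth.requested
    if auth.response_code == PARTIAL:
        return 0 < auth.replied < auth.requested
    return False

def approved_amount(auth: Auth) -> int:
    """Amount the issuer committed to: the reply amount on a partial approval."""
    return auth.replied if auth.response_code == PARTIAL else auth.requested

def legacy_match(key: tuple, amount: int, auths: dict) -> str:
    """Matcher designed before partial approval: compares with the request."""
    auth = auths.get(key)
    return "MATCHED" if auth and amount == auth.requested else "UNMATCHED"

def match_clearing(key: tuple, amount: int, auths: dict) -> str:
    """Partial-approval-aware matcher: compares with the approved amount."""
    auth = auths.get(key)
    if auth is None or not reply_is_acceptable(auth):
        return "NO_VALID_AUTH"
    approved = approved_amount(auth)
    if amount == approved:
        return "MATCHED"
    # A clearing above the approved amount is the dispute case: the
    # merchant presents the full price after a partial approval.
    return "EXCEEDS_APPROVED" if amount > approved else "BELOW_APPROVED"

# Constructed sample data: keys are (card token, approval code).
AUTHS = {
    ("tok-1", "A1"): Auth(requested=10000, replied=10000, response_code=APPROVED),
    ("tok-2", "B2"): Auth(requested=10000, replied=3550, response_code=PARTIAL),
}

if __name__ == "__main__":
    for key, amount in [(("tok-2", "B2"), 3550), (("tok-2", "B2"), 10000)]:
        print(key, amount, legacy_match(key, amount, AUTHS),
              match_clearing(key, amount, AUTHS))
```

The legacy matcher rejects the legitimate 35.50 clearing and accepts the 100.00 one, which is exactly the inversion a redesigned matcher has to remove.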
The yellow light
A less technical aspect to consider is how the merchant will behave in case of partial approval. The merchant is used to binary decisions. The terminal displays a green light or a red light. The merchant hands over the paid goods or provides the service. After the introduction of partial approval, the merchant has to prepare for the yellow light. The yellow light warns the merchant that the cardholder has paid for some goods or services but not all. If the merchant doesn’t recognize that only some of the amount has been approved, then they may provide a full service for a partial payment.
Card schemes require the terminals to play the approval sound if the authorization is successful. Terminal vendors may ask if the approval sound should be played on the terminal in case of partial approval. Is there a warning sound alerting the merchant to take extra care of the amount? Hearing the approval sound, not watching the terminal’s display, the merchant may believe that the authorization was successful for the entire amount.
The yellow light may require more extensive development if the terminal is integrated with a cash register. The cash register is programmed for the approval and the denial cases. The interface between the terminal and the cash register must be extended with a partial approval message. Then, the cash register must let the cashier select another payment method to finish the payment process, and yet another one if the second payment was approved partially, too. Finally, the cash register prints the bill and the payment receipt. In a partial approval case, the cash register may need to print several payment receipts depending on the number of partially approved payment attempts.
Partial approval may lead to unusual situations. The cardholder’s payment is partially approved. The merchant may realize later that they provided a complete service for a partial payment. Then, the merchant may try to send an additional payment request, which the cardholder objects to, saying he paid the remaining part in cash.
It can be more challenging if partial approval is enabled at a self-service checkout. Even with good intent, the cardholder may leave the checkout area without realizing that the payment still needs to be finished. Distinguishing honest mistakes from fraud isn’t easy in this situation. The chargeback office should be prepared for these new situations, and issuers and acquirers should prepare their processes to resolve such cases without supporting fraudulent activities.
Legal questions of the partial approval
When replying with partial approval, the issuer discloses the cardholder’s balance. The merchant’s terminal displays the cardholder’s account balance, and this may be considered a disclosure of sensitive personal information. Every country will decide how much the local regulations may support partial approval.
Are there business cases for partial approval?
With so many technical difficulties, does partial approval have any business case? There may be. AFDs have already presented a case where partial approval helps the payment process.
Let’s consider the case of cafeteria cards. When the cardholder changes employers, the new employer may have signed a contract with another cafeteria company. So, the cardholder needs to use the entire remaining amount. The cardholder inserts the card into the terminal or taps it. Without partial approval, the transaction will be either approved or denied. Then, the cardholder has to review their balance and remember it for the next payment. It may be complicated if the cafeteria card issuer applies regular fees. In this case, partial approval may help identify the last transaction.
Other cases may be considered for disposable pre-paid cards, too.