System Operations - Edit Credit Card Integration Settings

1 Credit Card Integration
2 Authorising Cards
3 Types of Transaction
4 Security Checks
- 4.1 Auto Suspend Pending 3rd Man Authorisation
  - 4.1.1 Viewing Fraud Screening
5 See Also

Credit Card Integration

The minimum details required to authorise credit cards from within Khaos Control are:

Credit/debit card number (normally 16 digits, but can be more for some card types).
Expiry date (in the format mm/yy e.g. 06/08).

In practice other details are often required:

Card holders name (KhaosControl will fill this in for you based on the invoice contact, if possible).
Start date and Issue Number (usually only required for Maestro & similar cards).
CV2 digits (3 digits, or 4 digits for Amex).
Address & postcode of card holder (billing address).

As you enter card details into the sales order screen, Khaos Control will attempt to work out whether they are valid and indicate which details are required but missing based on the card type. You do not have to select the card type: Khaos Control can detect this based on the card number.

Authorising Cards

Cards can be authorised either from the sales order screen, or from the sales invoice manager ('Authorise Payment' stage). The sales order screen allows specific details (like the amount to authorise) to be controlled, whereas the invoice manager is designed to authorise multiple orders at once in a batch.

The amount to be taken can be calculated in one of three ways:

If the "Manual Payments" checkbox is set on the sales order, then each payment line needs an operator to type an amount in manually: the system will not suggest any amounts.
Otherwise, if the "Take Full Payment" sales order option is turned on in System Values, then when a payment is put onto the sales order, it will default to the total amount necessary to fully pay the order (minus any existing credits or payments if applicable).
Finally, if "Take Full Payment" is turned off then the card payment on the sales order will initially be created with a zero value. However, when the invoice reaches the "Authorise Payment" stage, the system will set the payment line to an amount necessary to cover the items being shipped (only!). This effectively results in charging for items as they are dispatched, potentially involving multiple payments per order. This does require authorising cards from the invoice manager.

Types of Transaction

There are three basic types of credit card transaction:

Authorisation: this verifies the card details with the bank, reserves the requested amount of money, and then the card acquirer will transfer the money during an overnight process. The bank provides an authorisation code ("auth code") to confirm that the transaction was approved.
Refund: this transfers money back from the merchants account to the card holder.
Note: this functionality will depend on your credit card provider and how credit card payment details are passed to Khaos Control.
Preauth: this transaction type initially goes through the same as an authorisation and returns an auth code if the transaction was approved; however, the money is not transferred overnight. At a later date, the merchant performs a "postauth" which instructs the bank to transfer the money which was originally reserved.

Preauths in particular can cause problems:

The reservation against the customers' account can expire, potentially in under two working days, in which case a full authorisation may need to take place again.
Since the preauth reserves money without actually taking it, preauthing unnecessarily can cause the customers' access to money within their account to be restricted.
Some card integration authorities (sagepay® in particular) support another transaction type which is called a 'Preauth' but which actually does not reserve any money on the customers account. When the merchant performs a postauth, sagepay® is actually performing a full authorisation again on your behalf. This does mean you do not need to worry about the reservation expiring; but there is no guarantee the money will actually be available any more.

Khaos Control will automatically attempt a post-auth if you try to authorise a payment line which was successfully preauthed earlier.

Security Checks

As well as the minimum required details, there are also optional security checks (primarily, address checking, AAV, and signature digit checking (CV2 / CVV) which can be performed when card details are sent to a bank. As the names suggest, the bank will verify the billing address for the card and the security digits, and let Khaos Control know whether the checks passed or not.

Khaos Control will automatically send the invoice address & postcode to your credit card integration account, when authorising a payment.

An important point is that the banks do not insist on having either of these details in order to authorise a transaction: they are solely there to provide additional security for the merchant. However, if a transaction turns out to be fraudulent, a merchant may be less likely to be held responsible if they can show they performed full security checks on the address & CV2 digits before authorising the order in question. Hence it is possible to take payment without having either billing address or CV2 details, if the merchant is willing to accept the increased fraud risk.

Despite this, some credit card integration firms, e.g. sagepay®, will themselves insist on certain details such as CV2 number being provided, so if your cards are being authorised via sagepay®, the CV2 number does become necessary. Generally address checks are still optional. In the case of some authorities like Commidea, Khaos Control has an option to insist on the first transaction against each credit card requiring a CV2 number, but subsequent transactions can be authorised without it.

This behaviour is particularly important when you consider that the banks normally insist on deleting CV2 numbers as soon as possible, i.e. after authorising the card. Khaos Control will automatically do this for you.

There are two main options for how to perform security checks:

Have the credit card authority (sagepay®, Commidea, Datacash, etc.) perform the checks on your behalf and automatically reject any "suspicious" transactions. In this case, anything which is approved and returns an auth code to Khaos Control is "safe", and everything else is rejected with no user action required.
In the case of potentially suspicious transactions (e.g. address checks failed), authorise the transaction anyway and provide an auth code, but have Khaos Control flag up the order for review so an operator can decide whether to despatch the order or not. This behaviour depends on the issuer returning the results of the security checks to Khaos Control so such transactions can be identified.

Auto Suspend Pending 3rd Man Authorisation

WARNING: The 3rd Man security check does not prevent you from taking the payment, however the order will remain in the Authorise Payment Stage of the Sales Invoice Manager if the score returned from the payment service provider is above that which you have specified in the card integration settings. If this is then deemed to be a genuine order/payment then an admin level user will be able to move the order to the next stage.

Khaos Control may be configured to prevent orders from passing the Authorise Payment stage if the associated payments do not pass the 3rd Man fraud screening offered by SagePay.

To enable this option a new "Fraud Screening" tab has been added to the [ System Operations | Edit Credit Card Integration Settings ] dialog in instances where the payment service provider of "SagePay v3 " is selected. This allows configuration of various parameters including minimum payment amount and credit score.

WARNING: It is necessary to add the VSP login details of a user account with reporting access to your SagePay account. Whilst the passwords entered on this dialog are securely encrypted, KCSL advise that this user account be restricted to reduce the potential for misuse.

When this option has been enabled the system will automatically check applicable payments against SagePay's fraud screen results any time an attempt is made to pass the associated invoice beyond the Authorise Payment stage. Where the results of this check indicate the order should be held, the invoice will remain in Authorise Payment.

	Orders imported from Amazon will have no fraud score. Please ensure that when you are setting up your Amazon card payment that the CT Account does not have the fraud screening option enabled. This might require creating a dummy CT Account for exclusive use of this channel.

Viewing Fraud Screening

The results of fraud screening can be viewed by right clicking the payment line from the [ Sales Order | Detail | Payment ] grid and selecting "View Payment Details", this loads the Payment Detail dialog.

It is possible from within this screen to attempt verification prior to Authorise Payment by clicking the "Verify" button, and also to override the fraud screen response by clicking the "Override" button.

	Admin permissions are required to override fraud screening.