The Seedy Underbelly of Credit Card Transaction Processing
Yes, that’s right, many stores that you have purchased items from on the Internet don’t check your address – just your credit card number, expiration date and the security code printed on the card itself. They do this because many of their customers fail to enter their credit card information correctly the first time. Some physical goods suppliers on the Internet use the billing address as the shipping address if you are buying physical products, which stops a decent amount of fraud, but certainly not all of it. So, why don’t they check your address?
It all goes back to how our archaic, pre-Internet banking and credit card systems operate. As a merchant, typically when you charge a customer credit card, you perform something called a AUTH+CAPTURE. The AUTH places a hold on the money and the CAPTURE retrieves the money from the customer’s credit card.
There is no way to check the customer’s credit card address before performing an AUTH. You MUST, at a bare-minimum, perform an AUTH per credit card charge. Some services let you do the AUTH and CAPTURE separately, some do not. When you perform an AUTH, even if you don’t perform a CAPTURE, a hold is placed on the money that you requested via the AUTH. This hold usually lasts for 3-4 days, but can sometimes last up to a month.
This means that if your customer enters their address information incorrectly on a $20 purchase, and tries 5 times to fix it (5 AUTHs total), there would be $100 worth of holds (5 * $20 == $100) on their account. Since an increasing number of people use debit cards these days, this is real money you’re placing a hold on for your customers, possibly for up to a month. The really bad news is that, even when we void these charges, our customers would still have to spend hours on the phone to get these AUTH holds disabled at their bank.
Some merchants that properly check your address information do a 2-stage AUTH process. The first AUTH places one cent on hold for your credit card and if the AUTH comes back with your address being valid, the second step is to perform an AUTH+CAPTURE on the total amount for your credit card. The one cent AUTH charge, needed to validate your address without placing a large hold on your money, is dropped after 4-30 days.
If this sounds like a really stupid hack meant to work around a fundamental security issue with how credit cards are handled online, it is. It is an awful hack, but at least it is better than not checking to see if your billing address is valid.
This is but a peek into the banking and credit card operations nightmare that many merchants have to deal with on a daily basis. There are more credit processing procedures that are considerably more harmful to customers than the sorry state of address verification. These procedures, while not always intentional, push merchants to become less and less transparent about their operations.