I have been informed that some issuing banks return an empty field in the authorization response message despite the card scheme rules. What should my company do to address this problem?
It is worrying to know that some issuers return an empty data field in the authorization response message, as this is in total disregard of the card schemes' own rules. IATA is always interested in receiving hard evidence of this kind of situation. Please contact us and send all the evidence you hold so that we can show the card schemes that card issuers, and not only airline merchants, are sometimes in violation of the strict transaction standards.
Will IATA Industry Memos distributed via email only cover indirect sales (IATA agents)?
No, we aim to share information and good practices about general payment issues that apply to all sales, both indirect and direct. As an example, Resolution 890 demands that Agents collect CVV2 for first-time sales to unknown customers and, in order to protect themselves, refuse to complete the transaction on an authorization approved despite a CVV2 mismatch. Airlines should verify that their GDSs support the feature, as it protects both the airline and the agent.
The authorization requests go through GDSs for IATA Agent transactions. As an Airline, should we contact GDSs besides our acquirers?
Yes, you should ask GDSs if they support CVV2 in the authorization request, AND if they pass on the CVV2 response code, alongside the approval code, in the authorization response they send to the Agent.
Airlines are required to take some actions based on the response received from the acquirers or processors. As an Airline, isn’t it more suitable to ask the agents and GDSs to take instant actions in the authorization phase of transactions? In addition, will there be an action required from the agents?
Resolution 890 demands that the Agent does not complete the transaction on an approval with CVV2 mismatch. IATA is monitoring the presence of the CVVR response code in the RET files reported by the GDSs. However, we do not take further action if a sale was completed despite a CVV2 mismatch. The card fraud reports that an airline receives from its acquirers should show if there was a CVV2 mismatch. When an airline receives a fraud chargeback, it should investigate whether the Agent went ahead with the risky sale despite that clear warning. If the latter is confirmed, the airline should tell the Agent that it could have avoided the fraud, and issue an ADM.
As an Airline and regarding CVV code, I have requested internally to get a report on the CVV data for the US market in order to identify the usage of the CVV field. I have been advised that CVV today is not a mandatory field for the Card Schemes. Is this true?
This is not exactly true: all merchants with Card Not Present (CNP) transactions are strongly invited to use CVV2 as part of the portfolio of fraud prevention measures they deploy. All cards in issue are expected to carry a CVV2. The only exceptions are lodged cards, where the Travel Agent usually knows the person making the booking.
It is very hard for us as an Airline to impose something that must come from card schemes. We definitely need card schemes and industry bodies (IATA, ARC) to establish the CVV field as mandatory.
Resolution 890 already stipulates that the Agent should not complete the transaction on an approval with CVV2 mismatch. Some issuers will not send an approval code with a CVV mismatch but unfortunately this is not a policy that the card schemes are ready to endorse globally.
What initiatives are resulting from the distribution of the IATA industry memos?
IATA is monitoring the presence rate of CVVR (CVV2 response code) in RET files in order to evaluate GDS performance in supporting it. We would like to build an industry fraud benchmark in partnership with the international card schemes in order to provide airlines with the ability to individually evaluate their fraud prevention performance. Part of it would hopefully show how much of the fraud is committed on an authorization approval code given despite the CVV2 mismatch.
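The check and the two metrics described above can be sketched as follows. This is an added example, not IATA's or any GDS's code: the records are constructed, the field names are hypothetical and do not reflect the RET file layout, and routing result codes other than match/no match to "review" is an assumption of the example.

```python
from collections import Counter

# Constructed sample records. Field names are hypothetical (not the RET layout).
# cvv_result holds a one-letter CVV2 result code: M = match, N = no match,
# P = not processed; "" models an issuer returning an empty field.
SAMPLE = [
    {"ticket": "T1", "approved": True,  "cvv_result": "M", "issued": True,  "fraud_cb": False},
    {"ticket": "T2", "approved": True,  "cvv_result": "N", "issued": True,  "fraud_cb": True},
    {"ticket": "T3", "approved": True,  "cvv_result": "",  "issued": True,  "fraud_cb": True},
    {"ticket": "T4", "approved": True,  "cvv_result": "N", "issued": False, "fraud_cb": False},
    {"ticket": "T5", "approved": False, "cvv_result": "N", "issued": False, "fraud_cb": False},
    {"ticket": "T6", "approved": True,  "cvv_result": "M", "issued": True,  "fraud_cb": False},
]


def classify(rec):
    """Decide what to do with one authorization response."""
    if not rec["approved"]:
        return "declined"
    code = (rec.get("cvv_result") or "").strip().upper()
    if not code:
        return "no_cvv_response"   # empty field: nothing to check against
    if code == "N":
        return "refuse_mismatch"   # approved despite a CVV2 mismatch
    if code == "M":
        return "complete"
    return "review"                # other codes: assumption of this example


def summarize(records):
    """Presence rate of the CVV2 response and fraud tied to ignored mismatches."""
    approved = [r for r in records if r["approved"]]
    actions = Counter(classify(r) for r in approved)
    risky = {r["ticket"] for r in approved
             if classify(r) == "refuse_mismatch" and r["issued"]}
    fraud = [r["ticket"] for r in records if r["fraud_cb"]]
    on_mismatch = [t for t in fraud if t in risky]
    return {
        "presence_rate": (len(approved) - actions["no_cvv_response"]) / len(approved)
                         if approved else 0.0,
        "issued_despite_mismatch": sorted(risky),
        "fraud_share_on_mismatch": len(on_mismatch) / len(fraud) if fraud else 0.0,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```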
Does IATA have standards for credit card rejects for web bookings? Where can I find these metrics?
As part of the Industry Fraud Prevention initiative, IATA has undertaken to procure a benchmark on industry fraud, chargeback and transaction success/failure rate with the help of the international card schemes.
The following 2 publications are the most targeted industry references on the topic of fraud and chargebacks:
- Visa Europe airline fraud prevention brochure (an airline fraud prevention officer can request a copy from
- CyberSource airline fraud survey, which focuses on airline Internet sales; please check page 11 for some
Is there any comparative data on global turnover to chargebacks within airlines?
This information does not exist today in a standardized way. The Industry Fraud Prevention initiative has undertaken actions to procure a benchmark of industry fraud, chargeback and transaction success/failure rate from the international card schemes. The CyberSource airline fraud survey, which focuses on airline Internet sales, shows some
Are there any local / global trends on aviation ticket fraud?
Contact us to find out about the airline fraud prevention forums you could join.
Are there any models of ticket fraud best practice?
IATA has just started sending a series of best practice memos. The Visa Europe airline fraud prevention brochure is an industry reference – an airline fraud prevention officer can contact us to get a copy, free of charge.
How does AVS (Address Verification System) work? Is there a link I should receive from VISA, MasterCard, American Express, etc. where I can enter the billing address?
No, AVS is not a link received from the card scheme; it is a component of the authorization request you send out as a merchant. You need to contact your payment processor and your acquirer about how to support this. All airline central acquirers and global processors will of course support it.
Do we need the full credit card number for AVS?
Yes, the full card number is always part of the authorization request that will also contain AVS.
Is there a fee to use AVS?
IATA is not aware of any card scheme fee related to supporting AVS.