Published 05/13/2002
Chapter 1
Introducing Smart Authorization
This guide describes the features of the CyberSource Smart Authorization service and provides background information to help you implement Smart Authorization quickly and easily.
Note: CyberSource Smart Authorization is used in conjunction with CyberSource Payment Services to enable you to accept credit card payments while lowering your risk of credit card fraud. Readers of this guide should also read the CyberSource Payment Services Planning Guide.
Overview of Smart Authorization
CyberSource Smart Authorization, an optional enhancement to the CyberSource Payment Service, helps you to maximize your online sales while reducing the fraud risk associated with accepting credit card payments. Smart Authorization can also help save sales that you might otherwise have turned away.
Smart Authorization is very user-friendly and easy to implement. If you are configured to accept payments through the CyberSource Payment Service, you can take advantage of the unique capabilities of Smart Authorization immediately. There is no need to send in additional fields or change the code for submitting authorizations in any way.
A Smart Authorization transaction is very similar to a standard credit card authorization. When CyberSource receives your credit card authorization request, it is formatted appropriately and transmitted to your preferred processor. Simultaneously, transaction detail is routed to a powerful CyberSource fraud detection engine to quickly perform a detailed risk analysis. Smart Authorization tests are typically completed in less than a second.
Based on the results of the risk analysis, CyberSource may convert an "approval" received from the credit card processor into a decline in the authorization message provided to you. This would occur only when Smart Authorization tests indicate a high likelihood of fraud. This is the only scenario in which CyberSource would alter the authorization response provided by the credit card processor. Smart Authorization will never convert a "decline" received from a processor to an "approval."
In the event that CyberSource does convert an approval to a decline, CyberSource indicates this in the authorization response.
The following table shows how Smart Authorization's risk analysis affects the results of a credit card authorization.
Table 1 Effect of Smart Authorization on Credit Card Authorizations
| Processor Response | Smart Authorization Result | CyberSource Response |
| --- | --- | --- |
| Approve | Low risk | Approve |
| Approve | High risk | Decline |
| Decline | Low risk | Decline |
| Decline | High risk | Decline |

Many companies often turn away sales that were "approved" by the card issuer but that contained "partial match" or "no match" Address Verification Service (AVS) results in the authorization response. Unfortunately, these AVS results are often unreliable, since AVS does not evaluate the entire address. For example, AVS performs address matching only on the numeric digits of the address (that is, the street number and postal code). As a result, AVS results can lead you to believe that perfectly legitimate transactions are suspicious in some way.
In contrast, CyberSource uses powerful address validation technology that has been approved by the U.S. Postal Service. Smart Authorization analyzes the complete address and assesses the likelihood that it is legitimate and deliverable. Because this technology is so much more powerful and accurate than that provided by the card associations, we recommend that you ignore the AVS results in the authorization response. If Smart Authorization detects a "bad" address, it will return a risk factor code indicating this. For more information about risk factor codes, see Interpreting the Result.
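The numeric-only AVS comparison described above can be modeled in a few lines. This is an added example, not CyberSource or card-association code: the matching rules are a simplified assumption (first run of digits in the street line plus the first five postal-code digits), and the function names and addresses are constructed for illustration.

```python
import re

def street_number(street):
    """First run of digits in the street line ('' if none)."""
    m = re.search(r"\d+", street)
    return m.group(0) if m else ""

def zip5(postal):
    """First five digits of a postal code, ignoring punctuation."""
    return re.sub(r"\D", "", postal)[:5]

def avs_style_result(entered, on_file):
    """Compare (street, postal) pairs on numeric digits only.

    Simplified model for illustration; real issuer logic varies.
    """
    e_num, f_num = street_number(entered[0]), street_number(on_file[0])
    e_zip, f_zip = zip5(entered[1]), zip5(on_file[1])
    street_ok = bool(e_num) and e_num == f_num
    zip_ok = bool(e_zip) and e_zip == f_zip
    if street_ok and zip_ok:
        return "match"
    if street_ok or zip_ok:
        return "partial match"
    return "no match"

# Constructed sample data: the address the issuer holds for the cardholder.
ON_FILE = ("1200 Harbor Blvd Apt 7", "94105")

# Constructed checkout entries. The first three describe the same physical
# address in different formats; the last names a different street.
SAMPLES = {
    "same format": ("1200 Harbor Blvd Apt 7", "94105-2210"),
    "unit written first": ("Apt 7, 1200 Harbor Blvd", "94105"),
    "number spelled out": ("Twelve Hundred Harbor Blvd", "94105"),
    "different street name": ("1200 Ocean Ave", "94105"),
}

def classify_samples():
    """Run every constructed sample against the on-file address."""
    return {label: avs_style_result(entry, ON_FILE)
            for label, entry in SAMPLES.items()}

if __name__ == "__main__":
    for label, result in classify_samples().items():
        print(f"{label:22} -> {result}")
```

In this model, two formatting variations of the same legitimate address come back as partial matches, while an entry with a different street name comes back as a full match, which is why a digits-only result is a weak signal in either direction.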
The Smart Authorization service performs all of the following tests:
- Address validation - Is the address legitimate and deliverable?
- Geo-location data consistency - Is there a match between the physical address, the telephone number and the IP address provided by the consumer?
- Obscenities - Were any obscenities contained in the order form?
- Nonsense - Was any of the input nonsensical? For example, were there multiple numerals in the name field?
- Negative file - Does the credit card number, email address, or physical address match a negative file you have created on CyberSource's servers?
If any of these tests indicate a high likelihood of fraud, CyberSource returns risk factor codes in the Smart Authorization response. The codes indicate which tests were triggered so you can do follow-up analysis and, if desired, prompt the customer for information that may validate his or her identity or complete the order.
For a complete list of risk factor codes, see Interpreting the Result.
Implementing Smart Authorization
Because Smart Authorization is an enhancement to the CyberSource Payment Service, you must fully implement the CyberSource Payment Service before you use Smart Authorization.
If you already use the CyberSource Payment Service, it's easy to use Smart Authorization. Simply contact CyberSource Customer Support and request that we activate Smart Authorization on your behalf. We will make the necessary modifications on our systems. You are not required to make any coding changes.
To make best use of Smart Authorization, however, you may wish to program your systems to receive and interpret Smart Authorization risk factor codes. For a list of these codes, see Interpreting the Result. Actions that you take should be dictated by these codes.
You will also need to define practices and procedures for handling Smart Authorization results. CyberSource recommends that you consider placing Smart Authorization "declines" in pending status until the customer contacts you by phone or email. You can also use the Smart Authorization risk factor codes to prompt the customer for further information to validate their identity.
Note that Smart Authorization is intended to distinguish risky transactions from legitimate transactions. As with all risk management services, however, it sometimes indicates that a good transaction is bad, or that a bad transaction is good. You can always override the results of a Smart Authorization response. You have final authority.
Finally, to get the best results from Smart Authorization, it's important to get complete and accurate data from your customers. You should require your customers to provide primary email addresses issued by an Internet service provider (ISP) or employer, as well as actual phone numbers and legitimate names.
Copyright © 2002 CyberSource Corporation.