7. Opayo servers request card authorisation

The Opayo servers format a bank-specific authorisation message (including any 3D-Secure authentication values where appropriate) and pass it to your merchant acquirer over the private banking network.

The request is normally answered within a second with either an authorisation code or a declined message. This is obtained directly from the issuing bank by the acquiring bank in real time.

While this communication is on-going, the customer is shown a page containing the text: “Please wait while your transaction is authorised with the bank.” Opayo handles all authorisation failures by replying to your site with a NOTAUTHED message and a blank authorisation code after three failed attempts. The first two failures return the customer to the card selection screen to try another card. If the acquirer does return an authorisation code, Opayo prepares an OK response to send back to you in Opayo redirects the customer to your website.

If AVS/CV2 fraud checks are being performed, the results are compared to any rulebases you have set up (refer to our Fraud Prevention Guide available on the Opayo website). If the bank has authorised the transaction and the card has failed the fraud screening rules you have set, Opayo will immediately reverse the authorisation with the bank, request the shadow on the card for the transaction to be cleared, and prepare a REJECTED response.

Some card issuing banks may decline the reversal, which can leave an authorisation shadow on the card for up to 10 working days. The transaction will never be settled by Opayo and will appear as a failed transaction in MySagePay, however it may appear to the customer that the funds have been taken until their bank clears the shadow automatically after a period of time dictated by them.

 

❮ Back to Issuing bank returns the customer to OpayoOpayo redirects the customer to your website ❯