What is a Merchant-Initiated Transaction, and Why is it Considered Low Risk?
Published 08/09/2022
Originally published by TokenEx.
Written by Anni Burchfiel, Content Marketing Specialist, TokenEx.
A merchant-initiated transaction is a payment initiated by the merchant instead of the cardholder. These transactions are initiated on behalf of the customer based on an agreement between the merchant and the cardholder. Unlike customer-initiated transactions, they do not need cardholder authentication to make a payment. Although these payments proceed without cardholder authentication or action, they are considered low-risk payments.
How do Merchant-Initiated Transactions work?
A merchant-initiated transaction must be agreed upon between the merchant and the cardholder. The payment must be made in exchange for a good or service, like a recurring service or a good the cardholder is paying off over time. Finally, the transaction must be initiated without action by the customer. After the initial agreement, the merchant is the one who takes action to charge the customer account.
The most common example of merchant-initiated transactions is subscription services. The cardholder initiates the transaction once, agreeing to continued payments through merchant-initiated transactions on their behalf.
Another common example of merchant-initiated transactions is payback programs. A customer agrees to make continued payments towards a balance, whether that balance is for a good or a service. The merchant then initiates the payments at the agreed-upon cadence until the balance is paid, all without further action by the cardholder.
Merchant-Initiated Transaction Examples
Merchant-initiated transactions have a wide range of use cases. All the following are examples of merchant-initiated transactions:
- Installment payments – Afterpay offers a “buy now pay later” service that allows customers to buy expensive items and pay for them over an agreed upon period.
- Recurring payments – A Netflix subscription is a recurring transaction where the merchant, Netflix, bills the cardholder monthly in return for Netflix’s services.
- Prepayments – A renter may decide to schedule rent payments before they are due and authorize their property owner to charge their account early.
- Reauthorization – A guest on a long vacation may authorize their hotel to split their payments into two or three payments, a payment authorized once by the guest, then reauthorized by the hotel afterwards.
- Delayed Charges – A charge where the services being provided now (like a hotel minibar) will be paid for after the cardholder has finished utilizing the service (once the minibar is examined and every late-night snack is billed to their card at triple their value).
- Penalty Charges – A guest does not show up to their hotel reservation, and the hotel enacts a no-show charge to penalize the guest for not using the agreed upon reservation (they have got to make back the fortune they would have charged for their minibar somehow).
Cardholder-Initiated Transactions vs Merchant-Initiated Transactions
Most transactions we are familiar with, or the ones we initially think about when we hear the word “transaction,” are cardholder-initiated transactions. These are all the transactions in which the cardholder is present and actively participating in the transaction. This can look like swiping a card at a register in-store or entering payment details online.
Merchant-initiated transactions and cardholder-initiated transactions differ based on which party takes action to trigger a payment.
A common question is whether card on file transactions are merchant-initiated transactions or customer-initiated transactions. Card on file transactions use payment details the cardholder has authorized the merchant to store in order to make purchases.
The answer is that card on file transactions can be either merchant-initiated or cardholder-initiated transactions. A customer-initiated transaction will allow the merchant to bill the stored payment information when the customer authorizes a purchase. A merchant-initiated transaction will use the card on file to charge for an agreement between the merchant and the cardholder. The key factor in determining whether a transaction is cardholder-initiated or merchant-initiated is not how the transaction takes place but rather who initiates the transaction.
What makes Cardholder-Initiated Transactions Higher Risk and Merchant-Initiated Transactions Lower Risk
While there is a certain level of risk with any kind of transaction, merchant-initiated transactions are considered lower risk than cardholder-initiated transactions. This has to do with how “risk” is determined for transactions. Transactions that are more susceptible to fraudulent charges, or returns and chargebacks, are considered “high risk” transactions.
High risk transactions are often one of the following:
- First time customer transactions – First time customers have no history of successfully authorized transactions. They may have an unreliable payment method or may even be thieves testing randomly generated payment credentials.
- Card-not-present transactions – Card-not-present transactions are highly susceptible to hackers using stolen information.
- Manually entered transactions – In-store transactions where someone, either the customer or the teller, keys in the transaction manually are at high risk of chargeback fraud.
Because merchant-initiated transactions are preauthorized, and often recurring, these transactions have a much smaller chance of being fraudulent. Once a customer has authorized a recurring payment, the recurring merchant-initiated transactions are at much lower risk of fraud or chargebacks.
Merchant-Initiated Transactions: PSD2 Compliance
Currently under PSD2, merchant-initiated transactions are exempt from the SCA (Strong Customer Authentication) mandate.
The SCA mandate was created to protect cardholders from fraudulent charges by requiring that all transactions are authenticated by at least two factors. Each of these factors comes from a distinct category:
- Something only the payer would know (like a PIN)
- Something only the payer has (like a mobile device)
- Something only the payer is (like a fingerprint biometric)
Strong customer authentication is enacted using 3DS; merchant-initiated transactions, however, are out of scope of SCA as they are a lower risk transaction type.
Merchant-initiated transactions are a low-risk payment method that benefits both the cardholder and the merchant. Their simple and secure structure enables them to authorize payments while remaining out of scope of more stringent mandates.