Rules for authorisation reattempts

Rules for authorisation reattempts

New requirements for unsuccessful reattempts with Visa and Mastercard

If an e-commerce transaction is declined in your online store, this can have various reasons: most declined authorisations are due to insufficient funds, a missing authentication (3-D Secure required, CVV2 is wrong), suspected fraud or outdated card data. As a consequence, you then send multiple reattempts, hoping to eventually obtain the payment. The problem: Such reattempts make it difficult to detect true fraud. They also cause unnecessary traffic. And there is no guarantee that you get your money.

To improve this, the card organisations Visa and Mastercard have introduced detailed reason codes to provide guidance to merchants on if and when to send reattempts.

We compiled all relevant information for you below. Please read it carefully.

What do you have to do as a merchant?

In order to understand the actions expected from Visa and Mastercard and to avoid potential future fees related to reattempts, we advise you to:

  • check with your payment service provider how you will be receiving the new reattempt data
  • make sure to follow this guidance
  • adapt your reattempt strategy according to the new requirements

If you are not managing reattempts yourself, please get in touch with your payment service provider for support.

Details on the new mandate

Thanks to the new decline reason codes of Visa and Mastercard, it is now possible to differentiate declines due to fraud from declines due to a cardholder not having enough cash in his account or due to an issuer having technical problems at the time of authorisation. Having clear decline reason codes is key for detecting true fraud. It is also the basis for improving the payment landscape with new security standards and for developing products that help increase conversion and acceptance rates for e-commerce merchants.  

Visa and Mastercard have reviewed their response code logic to tackle two mutually dependent issues. On one hand, issuers have increasingly used a generic decline code in the past. On the other hand, merchants that could not obtain a successful authorisation at the first attempt are sending multiple reattempts, hoping to eventually obtain a successful authorisation. These can look like automated fraudulent attempts and are rarely successful.

The actions can be summarised as follows:

  • Do not try again, the card issuer will never approve
  • Try again later (maximum up to 10 times)
  • Card data is outdated. Obtain new card data before retrying

Merchants are required to follow the action indicated by the given decline reason and either do not retry or limit the number of reattempts to the maximum allowed.  

Best practices

Below you can find an explanation and recommendation on each guidance transmitted in the authorisation response.


Contact us

Do you have further questions regarding the requirements? Then please contact our Customer Service via e-mail: