Auth API Validation Checks

This guide shows which validation checks Galileo performs on all incoming authorization requests and describes which corresponding fields Galileo sends via the Auth API webhook. If you are not using the Auth API, this guide still provides insight into how Galileo decides which response code to return.

With this guide you may also want to consider these resources:

The actual order of the checks may vary from what is shown here.

PAN validation

The PAN must exist in the Galileo system. If the PAN does not exist, Galileo returns one of these codes to the network and performs no further checks.

VisaAll OthersDescription
4614Invalid card number

For "Invalid card number" you do not receive an Auth API webhook message.

Card frozen

The "frozen" attribute of a card is independent of its status. An authorization request for a frozen card is always denied unless you configure settings for exceptions. See Affected transaction types in the Card Statuses guide for more information.

Galileo returns one of these codes for frozen cards.

MastercardVisaSTARAll OthersDescription
62786257Card frozen

Card validation

The card-validation checks help ensure that the card used at the point of sale is an authentic card and that an authorized cardholder is presenting it. The summary of card-validation results is in the validation_results object.

AVS check

See AVS-only checks in the Authorization guide for an explanation of these checks.

Galileo returns the result of an AVS check in the avs_result field. In the avs_data object, Galileo provides the information that it used to perform the check. If you have reason to believe that Galileo is not using the correct address for the account, you can perform AVS yourself and override Galileo's result. See AVS override in the Authorization Controller API guide for more information.

Galileo does not use AVS results to calculate a response code: Merchants decide how to handle each result. It is therefore possible for Galileo to return avs_result: N with response_code: 00, which means that there was no AVS match but the transaction is otherwise approved, because the account supports it.

If you do not want AVS checks for your product, such as for gift cards, set the NOAVS product parameter to return a "gift" value for avs_result. Merchants can decide whether to accept the result as success or failure and then proceed according to their business policies.

PIN

When a PIN is not provided, the transaction usually arrives at Galileo over credit rails and pin: N.

When a PIN is provided, the transaction usually arrives at Galileo over debit rails. These are the steps for validating the PIN. The actual order of the steps may vary from what is shown here:

  1. Galileo checks whether a PIN has been set for the card. If it has not been set, Galileo returns 55 (incorrect PIN) and pin: M.
  2. If a PIN has been set, Galileo checks whether PBLOK permits this type of PIN transaction. If it does not, Galileo returns 57 (transaction not permitted to cardholder) and pin: B (blocked).
  3. If this type of PIN transaction is permitted, Galileo checks whether the PIN has been locked after exceeding the number of failed PIN attempts. If it has, Galileo returns 75 (allowable number of PIN tries exceeded) and pin: L (locked). (The failed PIN count will reset to zero after the time specified in PBTIM.)
  4. If the PIN has not been locked, Galileo compares the provided PIN to the hashed PIN that Galileo has on record. If the PINs do not match, Galileo returns 55 (incorrect PIN) and pin: F.
    • Visa only. If there is a different kind of PIN error — Verification of current PIN failed during PIN update, error performing PIN update, or ATM transaction is missing the PIN — Galileo returns 86.
  5. If all checks are passed, the pin field contains Y (verified).
VisaAll OthersDescription
5555Incorrect PIN
86One of these PIN errors: Verification of current PIN failed during PIN update, error performing PIN update, ATM transaction is missing the PIN
7575PIN tries exceeded
Offline PIN

Some implementations of EMV chips permit card readers to validate PINs without contacting the issuer. With offline PIN validation, the chip contains a PIN block (encrypted PIN) that the card reader compares to the PIN provided on the keypad. The card reader includes the result in the authorization request message.

Galileo passes the summary of the result in the offline_pin field. This table shows which other fields will be populated according to the result.

offline_pinMeaningOther fields
YValidatedcardholder_verification_not_successful: false
FFailedcardholder_verification_not_successful: true
NNot presentis_emv: false
emv object not populated
EOffline PIN attempts exceededpin_try_limit_exceeded: true
PIgnored, because the transaction amount is less than a specified thresholdNone

The terminal_verification_results (TMV) object inside the emv object contains the results of the PIN verification. The raw field contains a value provided by the network, and the meaning of the value is different for each network. Galileo provides the interpretation of the raw field in the rest of the fields inside the TMV object.

In most cases, the card reader can verify the PIN using the chip, but if the PIN has been recently changed, the reader needs to contact the issuer for verification. When the card reader is requesting online PIN verification from Galileo, then online_pin_entered: true.

See Offline PIN for more information on offline PINs.

CVV

Galileo checks whether the CVV matches the hashed CVV in the Galileo system. There are three possible CVV values to match, depending on how the card information was acquired:

  • CVV1 — Embedded in tracks 1 and 2 of a magnetic stripe, it verifies that merchants have the physical card in their possession for card-present transactions.
  • CVV2 — Printed on a card, this three-digit number is used for card-not-present transactions.
  • CVV3 — This code is cryptographically generated by a contactless transaction and verified by the issuer. When this CVV does not match, Galileo returns arqc: F with the response code.
MastercardVisaAll OthersDescription
058205CVV1 violation
63N705CVV2 violation
051205CVV3 violation

3-D Secure

Some e-commerce sites add another layer of cardholder verification using the 3-D Secure protocol (3DS), which is a two-step authentication process that cardholders must pass at the time they attempt to make a purchase on a 3DS-enabled web site. The standard in general is facilitated by EMVco, and each card network has a branded implementation of 3DS:

  • Visa — Visa Secure
  • Mastercard — SecureCode
  • Discover — ProtectBuy

Galileo recommends that you obtain documentation from the networks to better understand how they implement 3DS. Galileo can also help you find out which jurisdictions require 3DS.

For 3DS to be successful, three entities must be participating in 3DS:

  • The merchant
  • The issuer
  • The cardholder

When a cardholder attempts to make a purchase on a 3DS-enabled site, the results of the authentication are passed in the authorization request, and Galileo includes them in the aav field and the ecommerce object. When the e-commerce site does not implement 3DS, is_ecommerce: false and the remaining fields in the ecommerce object are not sent.

You can implement 3DS in one of these ways:

  • Galileo offers an in-house 3DS validation solution (using an access-control server or ACS), as described in the 3-D Secure Access-Control Server guide.
  • Use the networks' on-behalf services.

The 3DS-related fields that Galileo relays in the Auth API message show the results of 3DS validation after it has been performed by the ACS or network. Galileo approves or denies transactions based on the validation results, and so these fields are provided for your information, not for your decisioning.

As you parse the ecommerce object remember that some combinations of values result in a liability shift from the merchant to the issuer. In general, successful 3DS authentication results in a transaction that the issuer cannot dispute. Consult the documentation from each network to see which results trigger a liability shift.

The AAVPV product parameter controls whether Galileo uses the validation results that it receives from the ACS or network when deciding whether to approve a transaction. Set this value to G when using Galileo's ACS. When this parameter is not set, Galileo does not use 3DS validation results for decisioning.

Transaction type validation

Galileo checks product and account settings to determine whether the transaction type is permitted to the cardholder. When any of the following items is true, Galileo returns these response codes:

STARMastercardVisaAll othersReason
57575757ATM withdrawals are blocked by account feature 9 or PBLOK.
57575757Point-of-sale (POS) transactions are blocked by PBLOK.
57575757Recurring transactions are blocked by BLKRI.
57575757Non-mobile-wallet transactions are blocked by account feature 20.
57575757Card-present transactions (except mobile wallet) are blocked by account feature 21.
57575C57Mobile wallet transactions are blocked by account feature 22.
57575757Card-not-present transactions are blocked by account feature 6.
5757N357Cash transactions are blocked by product settings.
5757N357Cashback transactions are blocked by CASHB.
5757N357Cash advances are blocked by account feature 10.
57575757Cash and POS transactions are blocked in this country.
57575757International transactions are blocked by account feature 8.
57030357Transactions with this MCC are blocked.
57575757Card loads are not allowed by product settings.
59595957Suspected fraud
05570505Card is in status X (waiting for emboss), Y (ready to activate), B (blocked) or O (operations hold).

Where there is an account feature blocking the transaction, you can call Set Account Feature to unblock the transaction type for that account. Where a product parameter or product settings block the transaction, you can ask Galileo to change the setting for the product.

Account validation

Galileo verifies that the account can support the transaction.

Card and account status

Galileo verifies that the card and account statuses are both N (normal, active). If they are not, Galileo returns response code 05 or the code that the networks have specified for a status:

Visa codes
Response codeCard or account status
46 (account closed)R (charged off)
Z (closed without refund)
C (closed)
L (lost)
S (stolen)
A (lost card waiting for sufficient funds)
Mastercard codes
Response codeCard or account status
51 (insufficient funds)Q (delinquent account)
57 (transaction not permitted)X (set to emboss)
Y (shipped, ready to activate)
B (blocked)
O (operations hold)
78 (invalid account)C (canceled)
R (charged off)
Z (canceled without refund)
D (disabled)
V (voided)
W (waiting for payment)

For lost or stolen cards, these are the response codes:

VisaAll othersReason
4641Lost card
4643Stolen card

Expiry date

For card-not-present transactions, the expiry date that the cardholder entered is in merchant_supplied_expiration_date. For card-present transactions the expiry data in the magnetic stripe is in track_expiration_date.

Galileo checks the expiry date against the expiry date in the Galileo system to ensure that the values match. Galileo provides the date that it has on file in expiration_date. If the dates do not match or If the expiration date has passed, Galileo returns this code:

NetworkCodeReason
All networks54Card expired or expiry date mismatch

Sufficient funds

If Galileo holds the account balance, Galileo checks the available funds in the cardholder account against the amount in trans_amount. The available funds do not include any holds, such as from previous unsettled authorizations. Galileo populates the available funds in the available_funds field in the amounts object. This value represents the account balance before the transaction is applied.

If you hold the account balance, Galileo automatically adds code 51 (insufficient funds) to the list, and then you must determine whether the account can support the amount in trans_amount, based on your records.

If the account does not contain sufficient funds, you can return 51 (insufficient funds). However, there are several ways to address insufficient funds without returning 51:

  • Overdraft — If you have set up overdraft, your account settings determine whether an ATM withdrawal can use overdraft (ODATM) and also whether the overdraft funds are moved at the time of authorization or settlement (ODTOR).
  • Real-time transfers — You move funds from a dedicated account into the cardholder account to cover the authorization amounts.
  • Partial authorization — If the merchant accepts partial authorizations (partial_supported: true), you or Galileo can return the amount of the authorization in partial_amount with response code 10.
  • If the request includes cashback, and you want to approve the amount minus the cashback, you or Galileo can return T7 (Pulse) or 87 (all others).
PulseAll othersReason
5151Insufficient funds (NSF)
1010Partial approval
T787Partial approval, no cashback

Velocity limits

Galileo checks whether the transaction violates velocity limits—whether the amount or number of transactions exceeds a threshold, for example. These velocity limits are determined at the time you set up your products. You can also arrange with Galileo to create account-level velocity controls (ALCs). (See Account-Level Auth Controls for more information.)

If trans_amount violates a velocity limit, Galileo returns these response codes:

All networksReason
61Exceeds withdrawal amount limit
65Exceeds withdrawal frequency limit

📘

Note

Authorization reversals can affect velocity limits depending on when they're performed. See Reversals and authorization limits in the Crediting Cardholder Accounts guide for more information.

Also see:

  • Overriding limits in the Authorization Controller API guide for information on overriding response codes.
  • Authorization workflow in Designing Authorization Controls to see how velocity controls are evaluated by the auth system.

Other checks

These other checks validate characteristics of the transaction not included in the previous categories.

Merchant validity

According to your product settings you can prohibit transactions with certain merchant types (per MCC) or by merchant ID. For ATM withdrawals in specified countries you can prohibit transactions at certain times of day. You can also arrange with Galileo to create account-level merchant controls (ALCs). (See Account-Level Authorization Controls for more information.)

If the MCC or merchant ID is prohibited, Galileo returns these response codes:

MastercardVisaAll othersReason
030357MCC blocked. The MCC is blocked at a product or account level.

Country

Galileo verifies that the transaction is taking place in a country that has not been blocked in your product settings. If the country has been blocked, Galileo returns these codes:

VisaAll othersReason
6205Restricted card

Fraud risk

Galileo compares the value that the network provides in risk_score with the value set in product parameters (BRSGE, BRSMC or BRSPU). If the risk score exceeds the threshold, Galileo returns the response codes below. (Risk scores are not returned when the transaction is an advice, because the transaction has already been acted on by the network.)

MastercardSTARVisaAll othersReason
63595957
04
Suspected fraud

If you are using Galileo's dynamic fraud rules engine or Galileo's Payment Risk Platform (PRP), any rule violations are reported in the rules_denied and rules_warned fields, provided you have the RULAP product parameter set. When the rule violations are sufficient to deny a transaction, Galileo returns 59.



Galileo Financial Technologies, LLC 2025

All documentation, including but not limited to text, graphics, images, and any other content, are the exclusive property of Galileo Financial Technologies, LLC and are protected by copyright laws. These materials may not be reproduced, distributed, transmitted, displayed, or otherwise used without the prior written permission of Galileo Financial Technologies, LLC. Any unauthorized use or reproduction of these materials are expressly prohibited.