We are a web development and hosting company. Recently a client has asked us to program the following scheme (this is a monthly DVD club so cards are charged monthly)

"[when a card expires] automatically advance the expiration date by 2 years and try the card again. If that doesn’t work, we’ll advance the expiration date by 3 years. If that doesn’t work, then we have to notify the customer"

Is there a PCI issue with this practice, or any other issue that we should consider that would make this practice something we do NOT want to program for the client?

"[when a card expires] automatically advance the expiration date by 2 years and try the card again. If that doesn’t work, we’ll advance the expiration date by 3 years

I don't see any PCI issues regarding this, this will most likley be a question between the merchant and their acquiring bank, and the acceptable the chargeback risk of the merchant.

The thing is however, the issuing bank put the expdate on the card for a reason (Although many Authorization Hosts do not match the expdate date, they only look at the expdate and if the expdate < the current date --it is an expired card. ) (But these are rules set by the issuing bank as well.) (Most issuing banks - want to increase credit cards receivables).

The biggest concern would be in a chargeback scenerio, The merchant might eat the charges, because the expdate didn't "match" between what was provided and what the issuing bank put on the card. on the other hand - you did get an authorzation from the issuing bank which the info that you provided. The risk is not dissimlar from a Forced Sale or POST auth without a pre-auth. the merchant assumes the risk if the issuing bank does not pay during the interchange/settlement process.

In some recurring transaction systems I've seen, expiry date isn't used or is ignored, once the initial payment has been authorised with the expiry date.

lyalc

If guessing the new expiry date is a short term/interim solution, fine. But isn't the merchant ultimately going to have to contact the cardholder to get the actual new expiry date? (I know I am regularly contacted by recurring billers to log on and update my card info as the expiry date approaches.)

Some processors support transactions for 'trusted' merchants that will provide the new expiration date for a card that has expired. I would work with your processor to see if you rate being 'trusted' for such service.

An ISP I used to work for many moons ago used to use this practice whereby we would get a list of expired cards each day and we would manually (at the time) advance 1yr, then 2yrs then 3yrs and then add 1 mth or 2 mths for each until it would go through.

I can't remember what the reasoning was why it was done manually at the time.

We ran into problems where some of the customers would be irate and surprised that their cards were charged because they had thought that by letting their credit cards expire and not notify us that they wanted to cancel their dialup accounts (when it was prevalent back in the infant Internet days!) that we would simply cancel them. We had about 10% chargebacks this way and considering that some chargebacks ding a fee of up to $25 per instance on top of the refunded amount to the customer, it was quite a costly process (esp if you factor in the employee's time wasted to administer this)...

Some processors support transactions for 'trusted' merchants that will provide the new expiration date for a card that has expired. I would work with your processor to see if you rate being 'trusted' for such service.

I just worked with implementing just such a system for a customer of mine. The brands offer this capability, and at least one major processor has a very nice merchant side implementation you can interface with.