What happens when you swipe your credit card at the checkout counter or insert it into the chip reader (also known as “dipping”)? What about when you tap its digits into an online field?
A lot. More than you imagine, probably. Each and every electronic transaction is a delicate ballet between cardholders, merchants, and a host of intermediaries. This dance is repeated billions of times a day, all across the world, and forms the basis of the global economy. Without a secure and reliable system for transmitting payment information electronically, our lives would be vastly different.
Most people don’t think about the intricacies of electronic payments. Most of the time, they don’t need to. But electronic payment systems are fallible – they’re prone to technical glitches, human error, and attacks by malicious outsiders. When something goes wrong, well-informed consumers should have some idea why – or, at least, they should have an idea of who’s involved and who may be to blame. Armed with that knowledge, consumers dealing with lost funds or fraudulent transactions can cut to the chase faster and, hopefully, resolve those unpleasant situations none the worse for wear.
Don’t worry. There are a lot of players and a ton of technical wizardry involved, but you don’t have to be a computer genius to follow along.
Major Parties to Credit Card Transactions
To truly grasp how electronic payments work, you need to know who’s behind them. There are five key parties to a typical electronic card transaction:
- The Buyer: This is you – the person who swipes, dips, or enters credit card information at the start of a transaction. If you have an electronic payment card, you’re a buyer.
- The Merchant: This is the person or company that sells what you’re buying. When they receive your credit card information, they set in motion the chain of events that lead to your payment being processed. All merchants have a unique identification number that ensures accuracy throughout the rest of the process.
- The Acquirer: The merchant pays the acquirer (often called the merchant acquirer, for clarity) to route payment card information to the correct parties, and to ensure that funds are deposited into merchants’ accounts once each transaction is complete. The acquirer has the ability to do this on a large scale and in near-instantaneous fashion. Acquirers are typically major banks or financial institutions – for instance, Wells Fargo, U.S. Bank, and Bank of America all function as merchant acquirers. They often provide merchants with the software and hardware necessary to accept payment cards, and may provide day-to-day management for merchants’ business accounts, though some contract with third parties to manage this aspect of the relationship.
- The Issuer: The issuer, also known as the issuing bank, manages credit or debit card accounts on behalf of buyers. They approve and extend lines of credit (for credit card accounts), distribute payment cards, and bill customers for purchases they make.
- The Network or Association: The network, also known as the association, serves as a clearinghouse and backer for member institutions (acquirers and issuers) and their customers. Within the electronic payment world, the network’s relationship to acquirers and issuers is roughly analogous to McDonald’s relationship to its franchisees. The network supplies a recognizable brand, ensures that transactions are processed correctly, sets guidelines and qualification requirements for member institutions, and mediates disputes between parties to transactions executed on the network. It also sets the interchange fees charged during payment processing. (Interchange fees compensate the issuer and network for their respective roles in the electronic payment process. Without them, credit card transactions would be free, but the parties involved would have no incentive to execute them in the first place.)
The Credit Card Payment Process
So, how do the major parties to a credit card transaction execute their delicate dance? Here’s an overview of the important steps to a successful transaction, courtesy of CreditCards.com.
The authorization process confirms that the buyer has enough funds on hand, or enough breathing room before hitting their credit limit, to complete a transaction. This reduces the risk of the merchant handing over goods for which the buyer can’t actually pay. Authorization unfolds as follows:
- The customer provides card information to the merchant, whether by swiping or dipping in person, or providing digits online or over the phone.
- The merchant’s payment processing terminal electronically sends the card number, transaction amount, and merchant ID number to the acquirer.
- The acquirer routes the information to the customer’s issuing bank. This serves as a request to authorize the transaction for the specified amount.
- The issuing bank checks that the customer has adequate funds or credit. It also checks for red flags, such as near-simultaneous in-person transactions in distant locations, that may indicate the transaction is fraudulent.
- If sufficient funds or credit are present, and the transaction does not appear to be fraudulent, the issuer sends an authorization code through the network to the acquirer.
- The acquirer authorizes the transaction and informs the merchant.
- The merchant provides the requested product or service to the customer.
Authorization merely confirms that the customer has enough funds or credit to purchase the requested product or service. Money doesn’t actually change hands during this process – and won’t until the funding step.
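The issuer-side checks from the steps above (enough funds or credit, plus the “distant locations” red flag), sketched as an added example that is not from the original article or any issuer’s system. The terminal coordinates, the 900 km/h threshold, and all class and function names are assumptions for illustration.

```python
import math
from dataclasses import dataclass

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner speed

@dataclass
class AuthRequest:
    card: str            # constructed test number, not a real account
    amount: float
    merchant_id: str
    lat: float           # terminal location (assumed to be known to the issuer)
    lon: float
    ts: float            # seconds since epoch
    card_present: bool = True

def km_between(a, b):
    """Great-circle (haversine) distance between two requests, in km."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dl = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

class Issuer:
    def __init__(self, available):
        self.available = dict(available)  # card -> available funds or credit
        self.last_seen = {}               # card -> last approved in-person request

    def authorize(self, req):
        """Return (approved, reason). Approval places a hold; no money moves yet."""
        if req.amount > self.available.get(req.card, 0.0):
            return False, "insufficient funds or credit"
        prev = self.last_seen.get(req.card)
        if prev is not None and req.card_present:
            hours = max(req.ts - prev.ts, 1.0) / 3600.0
            if km_between(prev, req) / hours > MAX_PLAUSIBLE_KMH:
                return False, "impossible travel"
        self.available[req.card] -= req.amount
        if req.card_present:
            self.last_seen[req.card] = req
        return True, "approved"

def demo():
    """Constructed sample: Chicago, then New York ten minutes later, then an oversized charge."""
    issuer = Issuer({"4111111111111111": 500.0})
    chi = AuthRequest("4111111111111111", 40.0, "M-001", 41.88, -87.63, 0)
    nyc = AuthRequest("4111111111111111", 25.0, "M-002", 40.71, -74.01, 600)
    big = AuthRequest("4111111111111111", 900.0, "M-001", 41.88, -87.63, 7200)
    return [issuer.authorize(r) for r in (chi, nyc, big)]
```

The second request is declined even though funds are available, because the two terminals are about 1,100 km apart and only ten minutes separate the requests.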
Once authorization is complete and the merchant hands over the requested goods or service, the customer has no further role to play in the process. But the transaction is far from finished – batching is the next step in the process:
- Throughout the business day, the merchant electronically stores payment information for each authorized transaction. Each day’s set of stored transactions is known as a batch.
- At the end of the business day, the merchant sends the batch to the acquirer. The acquirer temporarily holds the batch in its own secure, electronic system. Since acquirers typically have thousands of individual merchant clients, they may store multiple batches according to their own needs and schedules.
Once the acquirer has the merchant’s batch in hand, the clearing process can begin. For the intermediaries, this is the fun part, because they finally get paid.
- The acquirer sends the batch to the card network or association.
- The card network or association requests payment for the transaction from the customer’s issuer.
- The issuer deducts a transaction fee from the total transaction amount. According to Forbes, transaction fees are directly tied to the interchange fees published by card networks. Interchange fees, and thus transaction fees, typically amount to 1% to 3% of the transaction, depending on the card network. The issuer keeps the lion’s share of this fee and shares a small amount (effectively, a franchise fee) with the card network.
- The issuer routes the net amount through the card network to the acquirer.
The fourth and final step in the transaction is funding. This is the part where the merchant receives funding for the transaction – or, in most cases, for all the transactions in the pertinent batch.
- The acquirer subtracts its discount rate from the transaction amount. The discount rate serves as the acquirer’s payment for its part in the transaction. Like transaction fees, discount fees are directly tied to interchange fees. They account for a smaller proportion of the transaction amount – typically less than 1%.
- The acquirer sends the remainder to the merchant’s business account, and the transaction is complete from the merchant’s perspective.
- The issuer sends the customer a bill for every transaction executed during the billing period, including the transaction in question. It’s the customer’s responsibility to honor the cardholder agreement and pay the bill.
Though the typical electronic card transaction is authorized and the customer out of the picture within seconds, the entire four-step process (up to merchant funding) can take several business days to complete. Of course, it can take a month or longer for the customer to actually pay the issuing bank.
1. Mobile Wallets and Contactless Payments
Most consumers today can’t remember a time when credit cards weren’t ubiquitous, but there was indeed a time in the not-too-distant past when paper was more common than plastic.
The payment landscape continues to change, in fact. Though still not as common as traditional credit card payments, mobile contactless payments are increasingly popular and seamless. As smartphones get even better and more merchants see value in contactless acceptance, the move toward mobile payments is likely to accelerate.
Technologically speaking, mobile contactless payment is revolutionary – but logistically, it’s not. Contactless payment occurs within the basic electronic payment framework described in this post, with some important differences that improve (but, of course, don’t perfect) transaction security.
Different contactless payment vendors take different approaches to security. The two most widespread are virtual cards and tokenization.
The popular Google Wallet contactless payment system, which lets you send and receive payments from your smartphone, uses the virtual card approach. According to Google, Google Wallet creates a special MasterCard or Discover debit card number for each customer. This number functions as a real card, issued and backed by a real bank, but bears no resemblance to the cardholder’s actual payment card number.
Whenever the customer initiates a transaction, Google “pays” with the virtual card number. The virtual card sends payment information to the merchant and completes the rest of the process, from authorization through funding. The merchant never sees the cardholder’s real payment card numbers, which are stored on a secure Google Wallet server and available only to Google. After the transaction goes through with the virtual card number, Google charges the real card for the appropriate amount.
Apple Pay uses tokenization. Under this system, Apple Pay creates a unique, one-time identification number (known as a “device account number,” or DAN) whenever the customer initiates a new transaction. The DAN, which is different for every transaction, takes the place of the customer’s real card number, so that it is not transmitted electronically and is never visible to the merchant. Once the DAN is received by the acquirer, the rest of the transaction proceeds as normal.
For consumers concerned about privacy, one advantage of the tokenization model is the lack of record-keeping within the payment system itself. In other words, Apple Pay does not keep its own records of the credit card payments that it facilitates. By contrast, Google Wallet does keep complete payment records, just as a regular bank or credit card issuer would.
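The one-time-number scheme described above, modelled as an added example that is not from the original article and is not Apple’s or any vendor’s implementation. TokenVault, Processor and Merchant are hypothetical names, and where the token gets resolved is an assumption; the point is what the merchant’s records contain and what happens when a captured token is replayed.

```python
import secrets

class TokenVault:
    """Hypothetical token service: the only party that can map a token to a card."""
    def __init__(self):
        self._live = {}  # token -> real card number, deleted on first use

    def issue(self, card_number):
        # Random digits: the token reveals nothing about the card it stands for.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != card_number and token not in self._live:
                self._live[token] = card_number
                return token

    def redeem(self, token):
        """Resolve a token exactly once; returns None if unknown or already used."""
        return self._live.pop(token, None)

class Processor:
    """Stands in for the acquirer/network/issuer side, which can reach the vault."""
    def __init__(self, vault):
        self.vault = vault
        self.charged = []  # (real card number, amount)

    def authorize(self, token, amount):
        card = self.vault.redeem(token)
        if card is None:
            return False  # replayed, guessed or unknown token
        self.charged.append((card, amount))
        return True

class Merchant:
    def __init__(self, processor):
        self.processor = processor
        self.records = []  # everything a breach of the merchant would expose
    def charge(self, token, amount):
        self.records.append((token, amount))
        return self.processor.authorize(token, amount)

def demo():
    card = "4111111111111111"  # constructed test number
    vault = TokenVault()
    shop = Merchant(Processor(vault))
    token = vault.issue(card)
    first = shop.charge(token, 19.99)
    replay = shop.charge(token, 500.00)  # same token presented a second time
    leaked = any(card in str(rec) for rec in shop.records)
    return first, replay, leaked
```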
2. Card Not Present (CNP) Transactions
Card not present (CNP) transactions present another set of challenges for the actors in the electronic payment drama.
A CNP transaction occurs whenever the purchaser’s payment card is not physically present at the merchant’s point of sale. Common examples include online transactions, wherein the purchaser types the card’s digits into a (hopefully) secure field, and over-the-phone transactions, where the purchaser keys in or verbally states its digits. Pay-at-the-pump gas purchases are a hybrid case, because while the card is physically present, there is no human attendant to verify the user’s identity.
CNP transactions are less secure than in-person and mobile contactless transactions. According to Mobile Transaction, a United Kingdom-based mobile payments provider, 64% of all UK credit and debit card fraud stems from CNP transactions, costing £245.8 million in 2014. Criminals prefer to use stolen cards in CNP transactions because it’s easier to mask one’s identity when one is not face-to-face with a merchant, there’s no risk of being asked for identification during the transaction, and the protections afforded by EMV (chip-and-PIN) don’t apply.
Due to the heightened security risk, merchants are advised to take additional precautions when accepting CNP transactions. There are also some practical differences between CNP and in-person transactions.
Authorization procedures differ for certain types of CNP transactions.
- Recurring Transactions: Recurring CNP transactions (such as monthly insurance payments) are automatically authorized in advance. The transaction can still be declined if the customer has insufficient funds or credit.
- Transactions That Require Shipping: Authorization is normally good only for the day on which the transaction is initiated and expires once the transaction is batched and sent off. However, when the merchant is required to ship goods, as is the case with many e-commerce transactions, the authorization remains in effect for longer – sometimes as long as seven days.
Merchants typically use special verification (authentication) protocols to reduce the risk of fraud in CNP transactions. Card networks such as Visa and MasterCard recommend using all three of these protocols:
- Password-Protected Verification Software: Just as financial institutions require customers to provide passwords when logging into online banking portals, major card networks increasingly use proprietary software that identifies cardholders based on unique passwords known only to them. Under these schemes, which include Verified by Visa and American Express SafeKey, the cardholder must register with the card network and create a unique password. Whenever they initiate a purchase with a participating merchant, they must enter this password to confirm their identity. Participation is not automatic – cardholders must take the time to register, and merchants must sign up for the service. However, participating merchants are less likely to be held liable for fraudulent transactions, so the incentive for vendors is clear.
- Card Verification Value (CVV): The three- or four-digit code found on every credit card is known as the “card verification value,” or CVV. The CVV code is not encoded in the card’s strip or chip, nor is it indicated by the 15- or 16-digit number on the card face. By requiring the buyer to enter the CVV code, the merchant ensures that the buyer actually has the card in their physical possession.
- Address Verification Service (AVS): AVS checks address details provided by the cardholder against the address information on file with the card issuer. For instance, when an online merchant asks a buyer to provide a complete billing address, the AVS system checks the street number and ZIP code against the issuer’s information. If the numbers don’t match, the transaction may be declined. Pay-at-the-pump card readers use a form of AVS when they ask for ZIP codes.
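A sketch of the AVS comparison described in the last item, added here as an example and not taken from the article or any card network’s specification. The result labels, the accept() policy and the sample addresses are assumptions constructed for illustration.

```python
import re

def avs_fields(street_line, postal_code):
    """Reduce an address to the two numeric fields that get compared."""
    m = re.match(r"\s*(\d+)", street_line)       # leading street number only
    street_no = m.group(1) if m else ""
    zip5 = re.sub(r"\D", "", postal_code)[:5]    # "60614-1234" -> "60614"
    return street_no, zip5

def avs_check(entered, on_file):
    """Compare the buyer's (street, ZIP) with the issuer's record."""
    e_no, e_zip = avs_fields(*entered)
    f_no, f_zip = avs_fields(*on_file)
    street_ok = bool(e_no) and e_no == f_no
    zip_ok = len(e_zip) == 5 and e_zip == f_zip
    if street_ok and zip_ok:
        return "full match"
    if zip_ok:
        return "zip only"
    return "street only" if street_ok else "no match"

def accept(result, zip_only_terminal=False):
    """Assumed merchant policy: a pump that asks only for a ZIP accepts a ZIP match."""
    return result == "full match" or (zip_only_terminal and result == "zip only")

ON_FILE = ("1600 Maple Ave Apt 4", "60614-1234")   # constructed issuer record

def demo():
    """Constructed inputs covering formatting noise and each mismatch case."""
    entered = [
        ("1600 maple avenue, #4", "60614"),   # different spelling, same numbers
        ("16 Maple Ave", "60614"),            # wrong street number
        ("1600 Maple Ave", "90210"),          # wrong ZIP
        ("PO Box 12", "6061"),                # no street number, short ZIP
    ]
    return [avs_check(e, ON_FILE) for e in entered]
```

Because only the digits are compared, an address with the right street number and ZIP but the wrong street name still matches, which is why AVS works best alongside the other two checks.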
It’s amazing how much happens after you swipe, dip, tap, or punch in your credit card. The largely behind-the-scenes procedures described in this post occur billions of times per day, in every corner of the world.
The complexity of electronic payment systems underscores their fragility. Were the financial institutions and card networks that facilitate electronic payments ever to drop offline en masse, the global economy would immediately grind to a halt. Smaller-scale crises, such as fraudulent transactions and data breaches by sophisticated hackers, occur on a near-constant basis. Financial institutions and credit card networks spend billions to reduce the frequency and severity of these incidents, but eradicating them completely is a distant dream – at best.
Maybe it’s best not to dwell on what makes the economy go round, after all.
Have you ever thought about what actually happens when you swipe or dip your credit card?