Let’s talk about Card Payment Processing

Unravelling the maze of the payment infrastructure

Published in

Product Coalition

14 min readMar 30, 2019

Apple announced its own credit card last week. Card payments are a commonplace now. Most of us use plastic to pay for various goods we buy online or at the retail stores. But not many really understand what happens behind the scenes when you swipe your card at a card machine (PoS) or why is it that your refunds take so much time. Here’s a low fidelity view on the topic.

The Basics

Multiple parties play their role in making every single card transaction possible. These parties essentially connect the buyer (cardholder) and the seller (the store owner) to make the money transfer possible between buyer account and seller account. Following are the major parties involved:

The Cardholder: The person who owns the card and wishes to use it for cashless purchases.
The Issuer: The bank with which the card holder maintains his account. This bank ‘issues’ the card to his customer and hence is referred as the Issuer.
The Merchant: The shopkeeper or the owner of online platform where you plan to buy any product or service is the Merchant.
The Acquirer: The bank with which the merchant maintains his account. This bank ‘acquires’ (i.e. partners or on-boards) the merchant by its sales and marketing efforts and hence is referred as the Acquirer.
The Card Network: Companies like MasterCard, Visa, American Express, RuPay, China Union Pay (CUP), Diners etc. These companies connect the Issuers and the Acquirers and relay transactions between them in case of Interbank transactions (i.e. when the cardholder and the merchant have accounts in different banks)
The PoS Provider: The manufacturer and supplier of the Point of Sale (PoS) card swiping machine that is used for transactions at retail stores. PoS providers partner with acquiring banks to enable acquiring side of the business.
The Payment Gateways: Think of payment gateways as virtual PoS providers. These are the guys that build interfaces where customers can select their preferred payment method (Net Banking/ Credit/ Debit Card/ UPI etc.) and input their card details for online transactions (also called Card Not Present i.e. CNP Transactions). Payment gateways help collect customer and card information to be relayed from merchant website to the acquiring bank.
Payment Processors: For the sake of simplicity, think of payment processors as technical arm of acquiring bank. These are the middlemen who do most of the information processing work from the point of collecting the information from PoS / Payment gateway to sending it to acquiring bank and further. Payment processors usually operate in background and a merchant looking for a payment gateway or a PoS set up for accepting card payment may not directly have to deal with payment processors as they usually partner with acquirers or payment gateways.

Now let’s quickly look at how these parties are connected in the payment chain and what roles do they play in processing a card transaction request.

Image 1: Transaction Authorization: Payment request & response flow

When you finalize on the items you wish to purchase and decide to pay using your card (either at the PoS machine or at the payment gateway), your card details are first collected by the PoS machine or the payment gateway. This information along with the authentication information passed (card pin/ OTP/ 3D secure password etc.), the transaction amount and the merchant details, is passed on to the acquiring bank.
The acquiring bank checks the card details to confirm if this an On-us or Off-us transaction. An on-us transaction is the one where issuing and acquiring bank is the same and hence there is no need to involve the payment network for inter bank communication.
If it happens to be an On-us transaction, the acquirer checks the incoming information to validate a) if the authentication information provided by the user is valid i.e. if the user is able to prove his identity by providing a correct pin/password b) if the cardholder’s account has enough funds required for the transaction c) if the card is not blocked or expired. These things are primarily checked among other details. Once all details are validated, the acquires approves the transaction and the same is communicated back to the merchant terminal (PoS/ Gateway).
If the transaction is an Off-us transaction, the acquirer passes on the transaction and card information to the network. The first six digits of any card number (i.e. the 16 digit numeric code printed on front side of every card) can be used to identify the issuing network and the bank. This number is called the Issuer Identification Number (IIN) or the Bank Identification Number (BIN). Basis the card BIN, acquirer sends the transaction to either of the networks (Visa, MasterCard, RuPay etc.).
The network identifies the bank to which it has issued a particular BIN, and routes the transaction and card details to that bank.
The issuing bank then checks the information to validate a) if the authentication information provided by the user is valid i.e. if the user is able to prove his identity by providing a correct pin/password b) if the cardholder’s account has enough funds required for the transaction c) if the card is not blocked or expired. Once all details are validated, the issuer approves the transaction and the same is communicated back to the payment network.
The payment network sends the authorization from the issuing bank back to the acquirer bank.
The acquirer bank sends the authorization further to the merchant via payment gateway or the PoS set up to complete the transaction.

Though, it might seem like a long process, all of it happens real-time (barring a few exceptions) in a span of few seconds. The acquirer’s payment processor facilitates the flow of information between all these middlemen.

All these intermediaries primarily operate on a revenue sharing model. For every transaction, there is a transaction fees usually varying between 2 to 3.5% called the Merchant Discount Rate (MDR). Out of (say) this 2%, a major share (1.7%) goes to the issuing bank and is referred as the Interchange Fees, around 0.1% is shared with the network as Assessment Fees and the remaining 0.2% is retained by the acquirer. Payment gateway adds its own Processing Charges on top of the MDR. In addition to these, there are other minor fee components charged and shared in the entire value chain.

The Not-so-Basic

What we discussed above was 1st leg of the transaction i.e. authorization. Authorization is just the approval or rejection of the transaction and does not involve real movement of the money between all these intermediaries. Though the transaction is reflected immediately on the cardholder’s account, the merchant gets his share of the transaction (i.e. transaction amount (-) MDR (-) Processing Charges) after the second leg of the transaction called Clearing and Settlement.

Technically, the authorization leg is also called BASE 1 and clearing/settlement leg is called BASE 2.

Merchant Settlement

The next step after authorization of the transaction is to pay the merchant for the sales. This process involves batching of the transactions, reconciliation, exception handling and fund transfer from acquirer to the merchant.

At the end of the business day, the merchant terminal creates a batch of all the transactions completed during the day and sends the same to the acquirer for reconciliation. The default status of the batch is considered to be ‘Open’. The batch contains the information of total transaction amount and the number of transactions. Let’s call this Batch MB-01.
Once the acquirer receives the merchant batch, it batches all its transactions for the merchant during the day and creates a batch in ‘Open’ state in its own system. Let’s call this Batch AB-01.The acquirer tries to match MB-01 & AB-01.
If the information is matched, acquirer sends a confirmation message to the merchant and both the parties update their batch statuses to ‘Closed’ reflecting a successful reconciliation or Batch Closure.
However, in case MB-01 & AB-01 are not matched and there’s a difference in transaction count in the two batches due to any sync issues, acquirer confirms batch mismatch to the merchant and updates status of its own batch to ‘Failed’.
If there are more transactions in the merchant batch MB-01, the acquirer logs the additional transaction on a new batch AB-02 along with all the matching transactions. This case primarily arises when there is an offline transaction sync issue i.e. due to network interruption merchant terminal approves a transaction without sending it for authorization to the acquirer/network and that transaction failed to sync later. Such transaction are called Offline Transactions and can be processed if agreed beforehand with the processor.
If there are more transactions in the acquirer’s batch AB-01, the additional transactions are not settled to the merchant. This case primarily arises when a reversal request fails to sync on the acquirer side there by reflecting one additional transaction at the acquirer’s end which has been reversed successfully by the merchant.
Once both the parties are on same page with regards to the number of transactions and the recon is successful, the acquirer credits the merchant’s account and submits the transactions to credit card network for settlement.

Acquirer and Issuer Settlement

After the acquirer has settled the merchant, it generates an outgoing settlement file for each payment network (MasterCard, Visa etc.) based on BIN numbers of the cards processed in authorization stage.
The network further breaks these files down into clearing files for individual issuing banks.
Issuing banks reconcile the clearing files shared by the network with the transactions they have already approved in the leg 1 i.e. authorization. Any mismatches are either force accepted or are handled by offline bank ops.
The network calculates the net positions, pays the acquirer bank and debits the card-issuer bank.
The issuing bank posts the transactions to customer accounts (called ‘presentment’) and bills them. The cardholders get their statements.

Reversals & Chargebacks

Reversals

Transaction reversals, also called refunds, are credit type of transactions to the cardholders. Transaction reversals primarily happen in two cases:

1. When the customer is unhappy with the purchase for any reason and wants to return the product, or

2. When the network connection is interrupted at any point in the transaction processing after the authentication and approval from the issuer — resulting in money being debited from the customer account but merchant not being apprised of the same. This is the case when transactions fails but money is still deducted from the customer account.

In 1st case, where customer requests for a refund, the merchant initiates the refund using the payment gateway/PoS, the gateway communicates the same to the issuer via the acquirer and the issuer finally credits the customer’s account with the amount.

The 2nd case usually, is handled in the clearing and settlement cycle. Since the successful acceptance of the transaction was not communicated to the acquiring bank or the merchant, there would be an authorized transaction count mismatch between the issuer and the acquirer. The additional transaction in the issuing system would be discarded after a certain number of business days and would not be billed to the cardholder.

Image 3: Reversal are executed primarily in cases of return of goods or when the transaction fails and the customer is debited.

Chargebacks

A chargeback is a customer protection mechanism. When a cardholder does not concur with any of the transactions on her statement, she can ‘dispute’ the transaction and ask for a credit. In such a scenario, the issuing back forwards the cardholder’s concern to the acquiring bank via the network. The acquiring bank advises the merchant to justify the sale with any validations he/she can. One of the examples of this could be a merchant copy of the transaction signed by the customer.

If the chargeback request is successfully challenged by the merchant, the credit request of the cardholder is dropped. Else, the cardholder wins the chargeback and successfully claims a full credit.

International Payments

How does an international debit or credit card work? And how is it different from a ForEx Card? Which currency is used for settlement between banks of different countries in the case of international transactions? There are three different currencies involved here:

Transaction Currency: This is the currency in which the transaction is performed. e.g. When India based ICICI bank’s international debit card is used at a US based Merchant’s terminal for spending say USD 50, the transaction currency is USD.
Billing/ Base Currency: This is the currency in which cardholder’s statement is generated. This is issuing bank’s domestic currency. e.g. When India based ICICI bank’s international debit card is used at a US based Merchant’s terminal for spending say USD 50, the billing currency would be INR and the INR equivalent of USD 50 would be presented on the statement.
Settlement Currency: This is the currency in which payment scheme/ network settles the issuer and the acquirer. Not all currencies are accepted as settlement currencies. Settlement currency is pre-decided between the issuer and the network. If USD is the agreed upon settlement currency, the settlement for the above USD 50 transaction would be in USD.

Now let’s take a couple of examples of domestic and international transactions using 1) An International Debit/Credit Card 2) A ForEx card.

International Card Transactions

An international card is nothing but a normal debit or credit card on which foreign currency transactions are also enabled by the issuing bank.

Image 4: Domestic & International transactions using Debit/Credit Card. Assuming issuer currency not accepted for settlements.

If this card is used for a domestic transaction, say an ICICI Bank’s card is used for purchase at an India based merchant, the transaction currency would be INR, the billing currency would also be INR as issuing bank ICICI’s domestic currency is INR and settlement currency would USD assuming the same is agreed between issuer and the network.
If this card is used for an international transaction, say an ICICI Bank’s card is used for purchase at a Dubai based merchant, the transaction currency would be AED — the local currency of the country, the billing currency would also be INR as issuing bank ICICI’s domestic currency is INR and settlement currency would USD assuming the same is agreed between issuer and the network.
For every foreign currency transaction done using an international card, a Cross Currency Markup Fees of around 3–4% is charged exclusive of taxes. The Exchange rate used for the transaction is rate prevailing at the time of merchant settlement.
If the cardholder wishes to check the equivalent billing currency amount at the time of transaction itself, Dynamic Currency Conversion (DCC) rate is used which is usually higher than the exchange rate used at the time of settlement.

ForEx Card Transactions

ForEx cards are also called Multi-wallet cards or Travel cards. These cards essentially helps the cardholder guard against exchange rate fluctuations. A forex card comes with multiple virtual pockets called ‘Wallets’. The cardholder can activate as many wallets as the currencies she wants to transact in.

Image 5: A forex card allows the cardholder to carry multiple currencies at a time loaded in the same card.

These wallets can be loaded from the issuers net banking facility and the exchange rate used is the one prevailing at the time of loading the wallet. Thus, forex cards help lock-in the exchange rates and prevents the card-holder against exchange rate volatilities.

Assume a cardholder’s domestic currency is INR and she wishes to undertake a business trip to Canada and Dubai. She will activate and load CAD and AED wallets in her ForEx card. So the card will have a total of three wallets now.

Image 6: Domestic & International transactions using ForEx Card. Assuming issuer currency not accepted for settlements.

If she wishes to make a domestic transaction, she will make the payment from the INR wallet. Here the transaction currency is INR, billing currency is INR and settlement currency is USD assuming the same is agreed between issuer and the network.
If she wishes to make an international transaction in Canada, she will make the payment from the CAD wallet. Here the transaction currency is CAD, billing currency is INR and settlement currency is CAD assuming CAD is an accepted settlement currency.
If she wishes to make an international transaction in Dubai, she will make the payment from the AED wallet. Here the transaction currency is AED, billing currency is INR and settlement currency is USD assuming AED is not an accepted settlement currency.
Given a need to make a payment in a fourth currency, that too is supported here. The transaction currency will be the local currency of the acquirer, the billing currency will be the local currency of issuer and the settlement currency will be the currency of default wallet used for the transaction assuming that currency is an accepted settlement currency.

Zooming In: Switching & Routing

Let us look at a slightly zoomed in view of the Image 1 shown earlier (authorization process) to understand with exactly happens when you use your card at any card reader.

The card reader essentially tries to read the card identity (card number, cvv etc.) and passes it along with the merchant id, transaction currency and amount to the acquirer. The pin you provide to authenticate the transaction is also passed from the card reader to the acquirer and to the subsequent intermediaries.

There are many types of communications that need to happen between these intermediaries though out the day. These communications may be for transaction authorization, reversals, offline advise or for the batch closure and reconciliation. It becomes critical to have a common messaging format connecting all these intermediaries to ensure successful communication and interoperability. The International Organization for Standardization defined a standard for systems that exchange electronic information initiated by cardholders using payment cards. This system, called ‘ISO 8583', outlines a structure which can be used by different parties to communicate successfully.

Now once all the parties have a common messaging format, there needs to a way to securely communicate the PIN entered by the cardholder at the terminal to the Issuer for authentication. This is done using the process called ‘PIN translation’ which ensure point to point encryption. The pin entered by the cardholder is encrypted by the terminal and passed on to the acquiring bank (Image 7). Assuming this transaction is initiated at an ATM, it reaches the ATM interface at the acquiring bank ‘Switch’ where a converter (Image 8) decrypts the input key and encrypts it into a new output key with the help of a Hardware Security Module (HSM). HSMs are the devices used for secured decryption and encryption of keys.

Image 7: Zoomed in view of acquiring bank switch & router. Shows multiple interfaces to connect with terminals and networks.

Image 8: Zoomed in view of a sample ATM Interface. Shows decryption and encryption of incoming key using HSM.

The output key is then sent to the router which identifies the payment scheme of the card, and again translates the key to a new output key to be sent to the network. This key translation at each node of the communication ensures that the PIN is securely validated by the Issuing bank which upon authentication of the cardholder sends an authorization code back to the acquirer via the network to the complete the transaction.

Reach out to me if you would like to discuss further on this topic. I am at bits.ankit@gmail.com | https://www.linkedin.com/in/a4ankit/ .