Payments 101: Card Networks & Transactions
Blog Article Published: 03/09/2022
This blog was originally published by VGS.
Written by Kenneth Geers, PhD, Information Security Analyst at VGS.
Accounting is one of the oldest professions, as evidenced by financial records four times older than the Great Pyramids of Egypt. “Tally marks” etched into the thigh bone of a baboon 20,000 years ago were a form of “correspondence counting.” Of course, these earliest forms of accounting were slow, were far from secure, and didn’t travel.
In the internet era, fintech architects use similar methods to accomplish similar goals, but on a much grander scale. Today, card networks are lightning-fast: Visa’s network can process over 65,000 transactions per second. They are secure: American Express (AmEx) guarantees you will never pay for something you did not buy. And the cards they process are accepted everywhere: how else can I attend the opera in Milan, buy a suit in Shanghai, take a cruise down the Amazon, and pay for everything with the same plastic rectangle (or set of numbers online)?
So how exactly does it all work? Let’s take a quick trip through the card networks to find out.
A card network is an association of issuing banks and acquiring banks that process payment cards of specific brands. Between them, these banks perform the following functions:
- Offers and distributes branded payment cards to consumers
- Sets a cardholder’s ability to purchase
- Manages offers and rewards
- Approves (or declines) purchase requests
- Processes card payments on behalf of a merchant
- Enables a cardholder to access funds via credit or debit
All players in this ecosystem – consumers, merchants, and banks – communicate via a dedicated card network.
- When a customer enters their card number on a website and clicks “Pay Now,” they are asking the issuing bank to loan them money for the purchase.
- Information about the buyer and their intended purchase is sent to the acquiring bank (or its delegated processor).
- The acquiring bank then requests payment authorization from the issuing bank via the card network.
As you can imagine, cybercriminals target card networks every day, wherever they find potential security vulnerabilities. Thus, card networks take numerous countermeasures to combat fraud.
First, the issuing bank verifies a card’s validity based on its number, expiry date, available funds, billing address, and more. Logic plays an important role: is it reasonable that this consumer wants a $5,000 coat? Geolocation plays a role: has this cardholder ever been to Tokyo? Having a correct billing address and Card Security Code (CSC) is not enough. Sometimes, the card issuer will contact the cardholder by email or telephone to request personal verification via challenge questions and may demand the use of multi-factor authentication (MFA).
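To make the issuer's checks concrete, here is an added example (not VGS code and not any real issuer's logic) of an authorization decision that distinguishes a hard decline from a step-up challenge. The cardholder record, the Luhn-valid test PAN, the "10x typical purchase" threshold and the known-countries rule are all constructed assumptions.

```python
import hmac
from datetime import date

# Constructed cardholder record for a hypothetical issuer; not real data.
ACCOUNT = {
    "pan": "4111111111111111",   # test-range PAN that passes the Luhn check
    "expiry": (2027, 12),        # (year, month)
    "csc": "123",
    "billing_zip": "94105",
    "available_funds": 2500.00,
    "typical_purchase": 120.00,  # rolling average used by the risk rule
    "known_countries": {"US", "CA"},
}

def luhn_valid(pan: str) -> bool:
    """Mod-10 check-digit test that every PAN must pass before anything else."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def authorize(req: dict, acct: dict = ACCOUNT, today: date = date(2024, 6, 1)) -> tuple:
    """Return (decision, reason): 'decline', 'challenge' (MFA step-up) or 'approve'."""
    # 1. Card validity: number, expiry, CSC and billing address.
    if not luhn_valid(req["pan"]) or not hmac.compare_digest(req["pan"], acct["pan"]):
        return "decline", "card number invalid"
    if tuple(req["expiry"]) < (today.year, today.month):
        return "decline", "card expired"
    if not hmac.compare_digest(req["csc"], acct["csc"]) or req["billing_zip"] != acct["billing_zip"]:
        return "decline", "CSC or billing address mismatch"
    if req["amount"] > acct["available_funds"]:
        return "decline", "insufficient funds"
    # 2. Correct credentials are not enough: risk rules can demand step-up.
    if req["amount"] > 10 * acct["typical_purchase"]:
        return "challenge", "amount far above typical purchase"
    if req["country"] not in acct["known_countries"]:
        return "challenge", "unfamiliar geography"
    return "approve", "ok"
```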
One of the key technologies that card networks leverage to protect communications and cardholder data is tokenization, which is the systematic process of replacing original, sensitive information with a non-sensitive placeholder value called a token. Tokens are randomly generated and have no intrinsic value on their own. Tokens can only be “de-tokenized” or mapped back to the original sensitive data via the original tokenization platform. Tokens may or may not have the same format as the original data.
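The following added example (not VGS's platform or code) shows the properties described above in a minimal in-memory vault: tokens are random, carry no information about the card number except an optionally preserved last four digits, and can only be mapped back through the vault that issued them. The class name, the "tok_" prefix and the format-preserving rule of keeping length and last four digits are assumptions for illustration.

```python
import secrets
import string

class TokenVault:
    """Hypothetical in-memory tokenization platform: the only place a token
    can be mapped back to the original card number (PAN)."""

    def __init__(self):
        self._token_to_pan = {}   # the secret mapping lives only here

    def tokenize(self, pan: str, format_preserving: bool = True) -> str:
        """Replace a PAN with a randomly generated placeholder.

        format_preserving=True keeps the length and the last four digits so
        the token fits fields that expect a card-shaped value; False returns
        an opaque string that cannot be mistaken for a card number."""
        if not (pan.isdigit() and 12 <= len(pan) <= 19):
            raise ValueError("PAN must be 12-19 digits")
        while True:
            if format_preserving:
                body = "".join(secrets.choice(string.digits) for _ in pan[:-4])
                token = body + pan[-4:]
            else:
                token = "tok_" + secrets.token_urlsafe(16)
            # Reject collisions and the (astronomically unlikely) token == PAN.
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Map a token back to its PAN; a different vault cannot do this."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise KeyError("unknown token: not issued by this vault") from None
```

Systems downstream of the vault can store, log and forward the token freely; only the vault, behind its own access controls, ever sees the real card number again.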
When an issuing bank decides whether to approve or decline a transaction, a response is sent to the acquiring bank, then the merchant. Other delegated intermediaries may include a payment service provider, payment gateway, or payment processor. If the issuer approves the purchase, the merchant will receive authorization, and the customer will obtain a receipt to complete the sale. If a transaction appears fraudulent, the issuer will decline it and may place a temporary hold on the card. After all, the issuer does not want to get stuck with a bill for something the cardholder did not want – or cannot afford.
To make the right decision quickly, a card network must get all parties to sing from the same sheet of music. The basic transaction approval process should take only a few seconds when that happens. Then, all approved authorizations are routed via the card network for clearing and settlement at the end of each business day. At that point, issuing banks place a hold for the amount of each purchase on the cardholder’s account.
Once the issuing bank receives a final confirmation of a successful transaction, it transfers the funds to the acquiring bank, less an “interchange fee,” generally within 1-2 days. The issuing bank also posts the transaction information to the cardholder’s account, and the cardholder receives a billing statement which they are legally obligated to pay in full. The acquiring bank then credits the merchant’s account for the purchase price, less a 2-5% “discount fee” for its service.
In the US, there are four major credit card networks: American Express, Discover, Mastercard, and Visa. The largest and best-known, Visa and Mastercard, are simply credit card networks; they connect merchants with their customers’ financial institutions and are called “open networks” because they allow many different types of financial firms to participate. AmEx and Discover are credit card issuers and credit card networks; they process transactions and approve purchase requests. These companies are “closed networks” because fewer firms can participate in the network.
Ultimately, every card network’s goal is the same: to create a secure, fast, easy-to-use, and reliable way for cardholders to make purchases so that they can win consumer trust and increase participation in their network!