What happens during a card transaction, from the time the transaction is initiated until funds are debited from the cardholder’s account and credited to the merchant’s account? How is the information exchanged between the different participants for the successful completion of a card transaction? This article will provide answers to these questions and other relevant information to help you understand how things work. I recommend that you read it carefully.
A card payment takes place in two main steps:
- The first step is the phase in which the cardholder initiates the transaction and authenticates himself to confirm it. Note that a transaction may or may not require online authorization (this is explained later). In the following, we assume that an online authorization is needed.
- The second step is the debit of funds from the cardholder’s account in favor of the merchant. Card payments can be considered as guaranteed pull transactions.
These two steps are explained in detail in the following paragraphs. A Card Present transaction with Chip PIN authentication will be considered, but all the steps except the payment initiation are valid for Card Not Present transactions as well.
1- Payment initiation
The merchant enters the amount to be paid by the customer or displays it automatically on the POS (Point of Sale) Terminal. The customer inserts his card into the POS Terminal, which is equipped with a chip-reading device, to start the transaction. After recognition of the card, the POS selects the application to use for the card if there are several applications installed.
The next step is the authentication of the card itself, which is achieved through asymmetric cryptography. Each card contains a certificate that is stored in the chip during manufacture. It is a security feature that makes the card difficult to copy. This process should be distinguished from cardholder authentication, which happens later.
After successful card authentication, the restrictions and validity date checks are performed. The aim is to make sure that the card has not expired and can be used to make payments. If a check fails, the transaction stops immediately. If all goes well, the cardholder is prompted to enter his PIN and thus authenticate. He can make a maximum of three attempts. After the third erroneous attempt, the transaction is stopped and the merchant may keep the card.
The next step is related to risk management: Is the card systematically authorized? Is the amount of the transaction above the authorization threshold (this is the threshold beyond which an authorization must be requested from the issuing bank)? Is the card number on the list of blocked cards? In case of an affirmative answer to the last question, the transaction stops. If not, an authorization request can be sent.
Remark: When a request for authorization is not necessary, the POS Terminal gives the authorization to the cardholder without sending the authorization request to the issuer, his bank: it is an offline authorization. When the authorization request is sent to the issuer, the result is an online authorization. In France, it is estimated that only 20% of card payments are subject to online authorization. Offline authorization is given for almost 80% of transactions. But this is a French specificity. In almost all other countries, an online authorization is systematically performed during a card payment.
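The sequence of terminal-side checks described above can be written as one decision function. This is an added example, not code from any terminal vendor or card scheme; the field names, the threshold value, the card numbers and the blocklist are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

MAX_PIN_ATTEMPTS = 3  # the article's limit: three attempts, then the transaction stops


@dataclass
class Card:
    pan: str                 # card number (constructed test value)
    expiry: date             # last day on which the card is valid
    always_online: bool      # "systematically authorized" card


def pin_verified(attempts):
    """attempts: booleans, one per PIN entry. Entries after the third are ignored."""
    return any(list(attempts)[:MAX_PIN_ATTEMPTS])


def terminal_decision(card, amount, today, attempts, threshold, blocked_pans):
    """Return 'STOP', 'ONLINE' or 'OFFLINE', applying the checks in the text's order."""
    # Restrictions and validity date: a failed check stops the transaction.
    if today > card.expiry:
        return "STOP"
    # Cardholder authentication by PIN.
    if not pin_verified(attempts):
        return "STOP"
    # Risk management: a blocked card stops the transaction outright.
    if card.pan in blocked_pans:
        return "STOP"
    # An authorization request goes to the issuer for systematically
    # authorized cards and for amounts above the authorization threshold.
    if card.always_online or amount > threshold:
        return "ONLINE"
    # Otherwise the terminal itself grants an offline authorization.
    return "OFFLINE"


def demo():
    """Constructed inputs: amounts in cents, a made-up threshold and blocklist."""
    today, blocked = date(2024, 5, 1), {"4000000000000002"}
    ok = Card("4000000000000001", date(2025, 12, 31), always_online=False)
    bad = Card("4000000000000002", date(2025, 12, 31), always_online=False)
    return [
        terminal_decision(ok, 2_500, today, [True], 10_000, blocked),
        terminal_decision(ok, 25_000, today, [False, True], 10_000, blocked),
        terminal_decision(ok, 2_500, today, [False, False, False, True], 10_000, blocked),
        terminal_decision(bad, 2_500, today, [True], 10_000, blocked),
    ]
```

The third case shows why the attempt counter matters: a correct PIN on a fourth entry must not rescue the transaction.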
2- Authorization Request
The authorization request is first transmitted from the merchant to the acquirer, the merchant’s bank. This request includes information about the merchant submitting the request and the card involved. Upon receipt of the request, the bank routes it to the Acquiring Authorization Server (AAS) which will carry out checks on the merchant and his contract.
3- Authorization Request
The AAS will then send the authorization request to the issuer through:
- either a national network (like e-RSB in France) if it is a national flow (Card issued in the same country)
- or an international network if it is an international flow (Card issued in a different country)
The AAS uses the IIN (Issuer Identification Number) to route the authorization request to the issuer. After receipt and identification of the request, the Issuer Authorization Server (IAS) will first do some checks on the card, then on the customer account and finally on the account balance:
- Authenticity and validity of the card (card number, PIN code, expiry date, etc.)
- Account Control (Existence, Open / Close, Block, etc.)
- Balance check: Available balance takes into account authorized overdrafts and credit reserves
- Limits Checks (monthly, weekly): Limit amounts depend on card types and terms negotiated with the customer.
- Fraud control is most often based on behavioral analysis
Note: If the cardholder’s bank and the merchant’s bank are the same, there is no need to go through a network, since the AAS and the IAS are at the same bank, which acts as both acquirer and issuer.
4- Answer Authorization
The response to the authorization request may be:
- a positive answer (with authorization number): in this case, the transaction amount is reserved (not available to the cardholder anymore) to be paid during the settlement mentioned in point 8 below,
- a refusal if one or more checks have failed,
- a request to make a voice call (the merchant must phone the issuing bank which holds the cardholder’s account for the authorization),
- issuer not reached (communication with the IAS was not possible; it could not be reached),
- forbidden card (the card is blocked).
The response is transmitted from the IAS to the AAS via the same network as the request.
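The issuer-side checks and the answers listed above, as an added example that is not any issuer's real implementation. Amounts are in cents, the data model and the authorization number format are constructed, the PIN check is omitted and fraud control is reduced to a pluggable hook.

```python
import secrets
from dataclasses import dataclass
from datetime import date

@dataclass
class Account:
    is_open: bool
    blocked: bool
    balance: int          # cents
    overdraft: int        # authorized overdraft, part of the available balance
    weekly_limit: int
    spent_this_week: int = 0
    reserved: int = 0     # amounts held by earlier positive answers


@dataclass
class IssuerCard:
    expiry: date
    blocked: bool
    account: Account


def authorize(cards, pan, amount, today, looks_fraudulent=lambda card, amount: False):
    """Issuer checks in the article's order. Returns (answer, authorization_number)."""
    card = cards.get(pan)
    if card is None or today > card.expiry:        # card authenticity and validity
        return ("REFUSED", None)
    if card.blocked:
        return ("FORBIDDEN_CARD", None)
    acct = card.account
    if not acct.is_open or acct.blocked:           # account control
        return ("REFUSED", None)
    available = acct.balance + acct.overdraft - acct.reserved
    if amount > available:                         # balance check
        return ("REFUSED", None)
    if acct.spent_this_week + amount > acct.weekly_limit:   # limit check
        return ("REFUSED", None)
    if looks_fraudulent(card, amount):             # fraud control hook
        return ("REFUSED", None)
    acct.reserved += amount                        # reserve funds until settlement
    acct.spent_this_week += amount
    return ("APPROVED", secrets.token_hex(3).upper())


def demo():
    """Constructed data: 100.00 balance, 50.00 overdraft, 500.00 weekly limit."""
    acct = Account(True, False, 10_000, 5_000, weekly_limit=50_000)
    cards = {"4000000000000001": IssuerCard(date(2025, 12, 31), False, acct)}
    return [authorize(cards, "4000000000000001", a, date(2024, 5, 1))[0]
            for a in (9_000, 7_000, 6_000)]
```

The second request in `demo()` is refused even though the account has not been debited yet: the reservation made by the first positive answer already reduces the available balance.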
5- Answer Authorization
Upon receipt of the response, the AAS will still do some processing before forwarding the final response to the Merchant. In some cases, the AAS may send a different response to the merchant than the one sent by the IAS. It is the AAS’s response that will determine whether the payment will eventually be accepted or not.
In any case, when the transaction is accepted, the POS Terminal issues a receipt in two copies: one for the customer and one for the merchant. Each one is supposed to keep his own copy and the merchant may have to keep it for several years for compliance reasons.
Here it is worth mentioning that the entire authorization process typically takes 2 to 3 seconds. Pretty amazing when you consider all the steps that we have analyzed!
6- Transaction Notification
The issuer may inform the cardholder immediately that an authorization request has been processed in relation to a transaction with his card. In the notification, the issuer provides information like amount (or equivalent amount if it is in foreign currency), merchant and location. In general, there is a message requesting the cardholder to block the card if he is not the originator of the transaction. These notifications have been very useful to combat fraud or limit its harmful consequences.
Now let’s go back to the merchant store. All payments made are saved in the POS terminal’s memory. All the transaction records are transmitted to the Acquirer after a manual action or automatically according to a frequency set in the device. It is the batch processing that triggers the second part of the flow exchanges between the different actors of the 4-party scheme (or Four Corner Model).
7- Batch processing (card transactions)
The batch processing aims to deliver card transaction records to the acquirer. It is initiated by the merchant from the POS Terminal. It is the acquirer who downloads the transactions. The batch processing can be triggered manually or automatically. For the automated option, the merchant defines the frequency and the trigger times via a configuration on the POS Terminal. Generally, the merchant transmits the transaction records in 24 to 48 hours. The card network defines a maximum period of days, after which the transactions may be rejected for a late submission.
The batch processing of card transactions takes place in several stages:
Step 1: Open and set up the communication link with Acquirer’s systems
Step 2: Transmit the transaction records to the Acquirer (a file contains a set of transactions with the same currency, the same type of payment, the same acquirer, but several issuers)
Step 3: Check the amounts exchanged between the POS Terminal and the Acquirer’s systems during the transfer. This phase is called reconciliation.
Step 4: Complete the delivery and close the communication
Remark: It is possible to send each transaction record individually to the acquirer. But merchants almost never do that because it is repetitive, time-consuming and costly (There is a fee for each batching request). So batch processing saves precious time and money.
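The reconciliation in step 3 and the batch composition rule in step 2, as an added example rather than any acquirer's actual protocol. The record layout (`ref`, `amount`, `currency`, `type`, `acquirer`, `issuer`) and all values are constructed.

```python
from collections import Counter


def control_totals(records):
    """Record count and summed amount (cents) for one batch."""
    return {"count": len(records), "amount": sum(r["amount"] for r in records)}


def batch_problems(records):
    """One file carries one currency, payment type and acquirer; issuers may differ."""
    problems = []
    for field in ("currency", "type", "acquirer"):
        values = sorted({r[field] for r in records})
        if len(values) > 1:
            problems.append(f"mixed {field}: {values}")
    repeats = sorted(ref for ref, n in Counter(r["ref"] for r in records).items() if n > 1)
    if repeats:
        problems.append(f"duplicate ref: {repeats}")
    return problems


def reconcile(terminal_totals, received):
    """Acquirer side of step 3: recompute totals from what arrived and compare.

    Returns {field: (terminal_value, acquirer_value)}; empty means reconciled.
    """
    ours = control_totals(received)
    return {k: (v, ours[k]) for k, v in terminal_totals.items() if v != ours[k]}


def demo():
    """Constructed batch: three EUR chip payments for acquirer 'ACQ1'."""
    base = {"currency": "EUR", "type": "chip", "acquirer": "ACQ1"}
    sent = [dict(base, ref=f"T{i}", amount=a, issuer=iss)
            for i, (a, iss) in enumerate([(2_500, "ISS_A"), (9_000, "ISS_B"), (1_250, "ISS_A")])]
    totals = control_totals(sent)
    dropped = sent[:2]                                   # last record lost in transfer
    altered = [dict(sent[0], amount=25_000)] + sent[1:]  # one amount changed
    replayed = sent + [sent[1]]                          # one record sent twice
    return {
        "clean": reconcile(totals, sent),
        "dropped": reconcile(totals, dropped),
        "altered": reconcile(totals, altered),
        "replayed": batch_problems(replayed),
    }
```

Control totals only flag changes that move the count or the sum; two offsetting amount changes reconcile cleanly, so totals are not a substitute for an integrity check on the records themselves.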
8- Exchanges, Clearing and Settlement
The first phase of this step is to debulk the transactions received from the different merchants and bulk them according to specific criteria like the dates or the Clearing system. The bulked transactions are now transmitted through interbank systems to the different card issuers:
- either by the national clearing system if it is a domestic transaction and the possibility exists
- or by the card network otherwise
These transaction exchanges can occur many times during the day. The related clearing and settlement can happen once or many times during the day, depending on the clearing systems and card network rules. If you want to get a deep understanding of clearing and settlement, I strongly recommend that you read the related articles on this blog.
The interbank system (national clearing system or card network) generates the debit instructions and transmits them to each issuing bank (or its direct participant). After receiving the funds from the issuers, it generates the credit instructions to credit the acquirers’ accounts and notifies them about the credits.
9- Debit notification / Reporting
The cardholder’s bank debits his account after receipt and correct processing of the card transaction messages received from the interbank exchange network. This information goes back to the cardholder via his account statement and/or other means as agreed between the bank and its client.
10- Credit notification / Reporting
The merchant’s bank credits his account after confirmation of credit from the interbank exchange network. In case of rejection of one or more transactions, the corresponding amounts are not credited to the merchant’s account. This information goes back to the merchant via his statement of account and/or other means as agreed between the bank and its client.
Note: Credit on the merchant’s account may take place after the batch processing and before the interbank exchanges. In this case, the account is credited under reserve for potential rejections that may occur during the clearing. In case of rejection or dispute, the credited account will be debited.