Continuing from my last post, which explained the common terminology used in the payments world in terms of participants and instruments, in this post I will focus on how a card transaction works. Back in 2005, after completing my B.Tech. in Mechanical Engineering, during my job interview with HDFC Bank, my super boss (then head of BSG retail) asked me if I knew how an ATM transaction works. I answered in the negative and yet attempted to guess how it might work, using logical reasoning coupled with my experience of using my ICICI Bank card at the Canara Bank ATM installed on the IIT campus. My answer was somewhat close to reality. I will try to use similar language in this post so that it makes sense to a wider audience with no background in the payments business.
In simple terms, any payment involves debiting one account and crediting another. When you purchase goods or services from a merchant and pay for them, it is your account that needs to be debited and the merchant’s account that needs to be credited. It can be a much simpler process when both accounts are in the same bank; when the accounts are in different banks, it becomes slightly more complex. In payments lingo, if the issuer and acquirer are the same bank, the transaction is referred to as OnUs and is settled within the bank without involving the services of Interchanges. However, when the issuer and acquirer are different banks, the transaction is referred to as remote OnUs by the issuer and OffUs by the acquirer. Such transactions are processed through Interchanges, utilizing their connectivity with both banks, and are settled via the same Interchange.
The primary function of the instruments both parties hold (for the customer it is the card plastic, and for the merchant it is typically the PoS device) is to identify the source and destination financial address, i.e. the account number and the bank. Most of you would be aware of the IFSC code. This code is nothing but a way to identify your bank-branch combination when you are performing an NEFT or RTGS transaction (even IMPS Person to Account, commonly referred to as P2A, where you use an account number instead of an MMID as the destination address, uses the same). Similarly, in the card world there is something commonly called a BIN, short for Bank Identification Number. The BIN is a six-digit number issued by Interchanges (Visa/MasterCard/RuPay) to participating issuing and acquiring banks. On your card it is the first 6 digits of your card number, while for merchants it is mapped to the PoS device. It is this BIN that helps Interchanges identify the source and destination banks in any payment transaction using cards.
When you present your card issued by Bank A at a merchant on-boarded by Bank B, the transaction goes through the following steps:
1. The PoS machine reads the card information from the card
   - In the case of a chip card, the information is read from the chip when it is dipped inside the machine
   - In the case of a magnetic stripe card, the information is read from the magnetic stripe at the back of the card during the swipe
   - In the case of NFC, the information is exchanged over the air during the tap
   - If you have heard of a company called Tone Tag, they use sound waves to communicate between your phone (which stores the card number) and the PoS device
2. The information read by the PoS device typically contains Customer Name, Card Number, Expiry of the plastic, CVV (a three digit secure code) and PIN Block (wherever applicable)
3. The PoS device connects to the acquirer and sends the information to their central system
4. The acquirer system identifies from the BIN which interchange the card belongs to and sends it to the respective interchange
5. The interchange identifies the issuing bank from the BIN and sends the transaction to the issuer
6. The issuer authenticates the card using the information captured by the PoS device
7. Upon successful authentication, the issuer authorizes the transaction based on the status and availability of balance in the account
   - At this stage the issuer debits the customer’s account and parks the credit in a designated account marked for interchange settlement
8. The result of authentication and authorization is communicated back to the interchange in the form of a response code
9. The interchange passes on the response to the acquirer
10. The acquirer communicates the same forward to the PoS device
11. The PoS device displays the message on the machine display and the merchant concludes the transaction accordingly
12. The merchant uses the PoS device to claim the money from the acquirer
    - At this stage the acquirer credits the merchant by debiting the designated account marked for interchange settlement
13. The acquirer sends the claim file to the interchange with details of all the transactions across all issuers
14. The interchange splits the file as per issuers and sends the files to the respective issuers to receive the funds for transactions performed on the interchange’s network by customers of the issuer
    - Each interchange has a designated settlement banker. Every issuer and acquirer has to open an account in this bank, which is used to settle transactions between participating banks
15. The issuer debits the designated settlement account to fund the interchange account in the designated settlement bank
16. The interchange debits the issuer account in the settlement bank and credits the acquirer account in that bank
17. The acquirer uses the funds received in the account in the settlement bank to round off the settlement account in their book
Steps 1 to 12 are called authorization and steps 12 to 17 are called settlement. Authorization steps are performed online in real time, while settlement is completed through file exchange. When you hear someone say it’s DMS, short for dual message settlement, this is what they are referring to.
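The money movement described above can be traced as ledger postings. The following is an added example, not code from the original post: it routes on the first six digits of the card number, parks the credit at authorization, and then clears the parking accounts at settlement. The bank names, BINs, card number, account names and the `APPROVED`/`DECLINED` strings are all constructed for illustration.

```python
from collections import defaultdict

# Constructed BIN table (not real BINs): first six digits -> issuing bank.
BIN_TABLE = {"999901": "BankA", "999902": "BankB"}

class Ledger:
    """Balances per 'bank:account'; every posting is one debit and one credit."""
    def __init__(self, opening):
        self.bal = defaultdict(int, opening)

    def post(self, debit, credit, amount):
        self.bal[debit] -= amount
        self.bal[credit] += amount

    def open_parking(self):
        # Parking accounts must return to zero once settlement completes;
        # anything left here is what a reconciliation check would flag.
        return {k: v for k, v in self.bal.items() if k.endswith(":parking") and v}

def authorize(ledger, card, acquirer, amount):
    """Online leg: route on the BIN, check funds, debit customer, park the credit."""
    issuer = BIN_TABLE.get(card[:6])
    if issuer is None:
        return None, "DECLINED"          # unknown BIN: nowhere to route
    kind = "OnUs" if issuer == acquirer else "OffUs"
    customer = f"{issuer}:cust:{card}"
    if ledger.bal[customer] < amount:
        return kind, "DECLINED"          # insufficient balance, nothing posted
    ledger.post(customer, f"{issuer}:parking", amount)
    return kind, "APPROVED"

def settle(ledger, issuer, acquirer, merchant, amount):
    """File-based leg for one approved OffUs transaction from the claim file."""
    # Acquirer pays the merchant out of its own settlement (parking) account.
    ledger.post(f"{acquirer}:parking", f"{acquirer}:merchant:{merchant}", amount)
    # Issuer moves the parked credit to its account at the settlement bank.
    ledger.post(f"{issuer}:parking", f"settlement_bank:{issuer}", amount)
    # Interchange debits the issuer and credits the acquirer at the settlement bank.
    ledger.post(f"settlement_bank:{issuer}", f"settlement_bank:{acquirer}", amount)
    # Acquirer uses the funds received to round off its settlement account.
    ledger.post(f"settlement_bank:{acquirer}", f"{acquirer}:parking", amount)

def demo():
    card = "9999010000000001"            # constructed card number
    ledger = Ledger({f"BankA:cust:{card}": 5000})
    kind, code = authorize(ledger, card, "BankB", 1200)
    pending = ledger.open_parking()      # authorized but not yet settled
    settle(ledger, "BankA", "BankB", "shop42", 1200)
    return kind, code, pending, ledger.open_parking(), dict(ledger.bal)
```

Between the two legs the issuer’s parking account carries the authorized amount; after settlement every parking and settlement-bank balance is back to zero and only the customer and merchant balances have changed.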
When you are using the card at a website or mobile app, there is one additional step you all perform: 2nd Factor Authentication, the most common form in India being a one-time password (OTP) delivered to your registered mobile phone. This is done because in the online world there is no encrypted key pad, as is available on a PoS device. Since the PIN needs to be protected with certain encryption standards, which are difficult to implement on a website, an alternative is used: when the transaction hits the Interchange, it refers to a mapper maintained at its end to find the authentication URL of the issuing bank and makes a call to that URL. At this point the issuing bank takes control of the transaction and triggers an OTP to the cardholder’s mobile number, which is then validated on the web page of the issuing bank. On successful authentication in this way, the other authorization steps are performed. Such transactions, where the card plastic is not used at the time of the transaction, are called CNP (card not present) transactions.
I hope this gives most of you a fair idea of how card transactions are performed and the role multiple entities play in the process, along with the flow of money. In the next part I will cover the various security measures and safeguards that are built in at various steps of the entire process to protect customers and merchants from various frauds.