Skip to main content

Card payments for dummies


At my current company Monizze, we issue social vouchers, like meal, eco and gift vouchers. These vouchers are consumed using a specific Monizze payment card via a physical terminal. As a result, I come into contact with card payments on a daily basis. Unfortunately, I am still far from being a card expert, but along the years I can say I have built up a good basic understanding of how a card payment happens. As I had to collect information from different sources to get this first good understanding, I thought it might be interesting to share my summary for "dummies" of how card payments work.

First let us have a look at the card itself. A card is just a plastic carrier on which a design is printed. Afterwards a chip (an embedded microprocessor) is attached to the card, on which 1 or more applications can be deployed. A card with such a chip is often also called a smart card or an EMV card, with EMV an abbreviation for "Europay MasterCard VISA", which are the 3 companies that originally established this global electronic transaction standard. A card does not need to have a chip, some cards only have a bar code or QR code on them, while others have a magnetic stripe. Obviously an EMV chip card is more secure than those other models.

Most EMV chip cards today are Dual Interface chip cards. This means the card can be used in both contact (i.e. the card is put in the terminal to read the chip) and contactless (i.e. the card communicates via an NFC antenna with the terminal) mode.
This should not be confused with co-branded / co-badged cards, which exist quite a lot in Europe. As many countries still have their local payment method (like Bancontact in Belgium, Girocard in Germany, Cartes Bancaires in France, PagoBancomat in Italy, MultiBanco in Portugal…​), most banks in those countries issue such a co-badged card, which supports both this local payment method and a more international payment method. E.g. in Belgium almost all debit cards are co-badged with Bancontact and Maestro (Maestro being an international payment method owned by MasterCard).

When fabrication of EMV chip cards starts, all cards are the same. Of course by printing the design on the card and personalizing the card (with the name, card number…​) you get a specific card. Additionally there is a personalization of the EMV chip. On the chip the specific application(s) of the card is deployed, as well as the specific personal information. This personal information stored on the card consists of the card number (also called the PAN number = Primary Account number), the expiration date, a security code (also called CVV = Card Verification Value or CVC = Card Verification Code), a number of cryptographic keys and the list of CVM checks (CVM = Card Verification Methods). This list indicates which type of security check should be applied and can depend on the type of payment (e.g. contact versus contactless), what the terminal supports and the amount. E.g. the CVM list can indicate that a contactless transaction can be executed up to 50 EUR without asking for a PIN.
The cryptographic keys ensure the necessary security. E.g. they are used to calculate a cryptogram (based on one of the stored secret keys and the info of the transaction), which is sent along to the issuer. The issuer can then verify that the transaction message was not altered along the way by calculating itself the cryptogram and comparing it with the provided cryptogram. In the same way, it is possible to encrypt a PIN code and send it to the issuer for verification. The PIN code can be stored on the chip and verified by the chip directly. This so-called PIN offline verification is however only possible when the chip can be read by the terminal. In case of a contactless transaction requiring a PIN, card issuers usually work with PIN online, which means the PIN is sent in an encrypted way to the issuer, who verifies the correctness of the PIN, before authorizing the transaction.

The information on the chip of a card can also be virtualized. This means that instead of the card sending the NFC signal (in contactless mode) to the terminal, it is also possible that your smartphone sends out this signal (and emulates the card). This can be a specific app, using HCE (= Host Card Emulation), but this technique is only available on Android phones, as Apple does not give access to the NFC antenna. A more common technique is of course Apple Pay and Google Pay, where you onboard your card on the Apple/Google infrastructure and your smartphone emulates the physical card.

Now that we have clarified what the card does, it is good to have a look at how a payment works.

The first step is of course telling the terminal (POS = Point of Sales terminal) how much the customer needs to pay. This can be inputted directly on the terminal, but large retailers have of course an integration with their cash register (= ECR = Electronic Cash Register). This integration allows to pass immediately info like the amount, which card types can be accepted (cashier can select a specific payment method) and potential other reference information. Obviously, a lot of cash register systems exist (e.g. Lightspeed, Square, Casio, Toshiba…​) and also a lot of protocols to integrate ECRs with terminals (e.g. VIC protocol) and finally also a lot of different terminals (e.g. Wordline, Ingenico, CCV, Adyen, SumUp, VIVA Wallet, Cetrel, Loyaltek…​). All these differences make those integrations quite a mess.
The terminal will then read the card (contact or contactless) and determine which verification methods need to be applied. Once the verifications on the terminal are ok, the payment is sent to the Acquirer (often the merchant’s bank), which sends the payment to the Issuer (usually the bank of the card holder, which issued the card). This Issuer validates if the card is still active, if the PIN code is correct (in case of PIN online), if the customer is allowed to do a transaction at this merchant (e.g. card might be disabled for foreign transactions) and whether the customer has sufficient funds to execute the payment. In case of a positive reply, the payment is considered as successful, even though the actual settlement will usually happen later. This settlement consists of the acquirer requesting payment to the issuing bank, the issuing bank debiting the cardholder’s account and transmitting the money to the acquirer bank and the acquirer bank crediting the merchant’s account.the cardholder’s account and transmitting the money to the acquirer bank and the acquirer bank crediting the merchant’s account.

For the communication between the terminal, acquirer and issuer a "Payment Network", like VISA, MasterCard, American Express, UnionPay, Bancontact…​ is used. This payment network sets all the rules of how these different players should interact. Additionally there are multiple protocols of how terminals can communicate with the Acquirer, like CTAP, EP2, Nexo (EPAS), IFSF, STD70, ABI-CB (Italy)…​, making it for international players very hard to support all local payment methods.

It is also important to understand the difference between a "Four Corner model" (also called a Four-Party scheme, Open Scheme or Open Loop payment model) and a "Three Corner Model" (also called a Three-Party scheme, Closed Scheme and Closed loop payment model). The first model is the model described above and is the most widely used. E.g. VISA, MasterCard and UnionPay use this model. In the second model ("Three Corner Model"), the issuer, acquirer and payment network are the same party. This means the payment network provides the card to the card holder and contracts with the merchant to configure/setup the terminal. Typical examples are Diners Club, Discover Card and American Express, but often also niche payment methods, like the social vouchers (e.g. meal voucher payments) of Monizze fall in this category (even though in many countries, social vouchers are also handled via an "Open Loop" model based on VISA or MasterCard).

As you can see a card payment involves a large number of parties. While cash registers and terminals are bought or rented by merchants and typically include also a monthly service fee, the other players are usually paid per transaction. The Acquirer will recover those transaction fees from the merchant through a "Merchant service charge". The Acquirer however keeps only a small part of this fee, as around 20% of this fee (the so-called scheme fee) is going to the payment network (e.g. VISA or MasterCard) and up to 70% (the so-called interchange fee) to the Issuer. Part of this interchange fee is often used in the form of rewards (e.g. cashbacks) to the customer, thus encouraging the card holder to use his card as much as possible.

Card payments are clearly undergoing a major transformation. On the one hand, there is a strong push towards a cashless society. This trend, strongly accelerated by the Covid crisis, increases the use of card payments. On the other hand, there is a trend to replace the physical cards by payments with smartphones. This includes the exponential rise of the use of Apple Pay and Google Pay, but also new payment techniques, often based on QR code scanning (like e.g. Payconiq in Belgium).
Additionally due to the aggressive take-over strategy of the 2 major American players (VISA and MasterCard) in the last decade, there is a strong feeling, especially in Europe, that there is need for more competition and a new European player. As a result, several large European banks are joining forces to create a European alternative. It is however doubtful that this new initiative will be successful, as new technologies and payment methods, like PSD2 Payment Initiation, SEPA Request to Pay (SRTP), instant payments, CBDCs…​ can likely give better (more frictionless and cheaper) alternatives to the traditional card payment schemes.

Labels:

Comments

  1. SunTec Business Solutions17 September 2021 at 07:23

    banking application software
    Personalize products, offers, pricing and loyalty programs; prevent revenue leakage and ensure regulatory compliance with a billing solution.

    ReplyDelete

Post a Comment

Popular posts from this blog

Transforming the insurance sector to an Open API Ecosystem

1. Introduction "Open" has recently become a new buzzword in the financial services industry, i.e.   open data, open APIs, Open Banking, Open Insurance …​, but what does this new buzzword really mean? "Open" refers to the capability of companies to expose their services to the outside world, so that   external partners or even competitors   can use these services to bring added value to their customers. This trend is made possible by the technological evolution of   open APIs (Application Programming Interfaces), which are the   digital ports making this communication possible. Together companies, interconnected through open APIs, form a true   API ecosystem , offering best-of-breed customer experience, by combining the digital services offered by multiple companies. In the   technology sector   this evolution has been ongoing for multiple years (think about the travelling sector, allowing you to book any hotel online). An excellent example of this
46 comments
Read more

Are product silos in a bank inevitable?

Silo thinking   is often frowned upon in the industry. It is often a synonym for bureaucratic processes and politics and in almost every article describing the threats of new innovative Fintech players on the banking industry, the strong bank product silos are put forward as one of the main blockages why incumbent banks are not able to (quickly) react to the changing customer expectations. Customers want solutions to their problems   and do not want to be bothered about the internal organisation of their bank. Most banks are however organized by product domain (daily banking, investments and lending) and by customer segmentation (retail banking, private banking, SMEs and corporates). This division is reflected both at business and IT side and almost automatically leads to the creation of silos. It is however difficult to reorganize a bank without creating new silos or introducing other types of issues and inefficiencies. An organization is never ideal and needs to take a number of cons
6 comments
Read more

RPA - The miracle solution for incumbent banks to bridge the automation gap with neo-banks?

Hypes and marketing buzz words are strongly present in the IT landscape. Often these are existing concepts, which have evolved technologically and are then renamed to a new term, as if it were a brand new technology or concept. If you want to understand and assess these new trends, it is important to   reduce the concepts to their essence and compare them with existing technologies , e.g. Integration (middleware) software   ensures that 2 separate applications or components can be integrated in an easy way. Of course, there is a huge evolution in the protocols, volumes of exchanged data, scalability, performance…​, but in essence the problem remains the same. Nonetheless, there have been multiple terms for integration software such as ETL, ESB, EAI, SOA, Service Mesh…​ Data storage software   ensures that data is stored in such a way that data is not lost and that there is some kind guaranteed consistency, maximum availability and scalability, easy retrieval and searching
26 comments
Read more

IoT - Revolution or Evolution in the Financial Services Industry

1. The IoT hype We have all heard about the   "Internet of Things" (IoT)   as this revolutionary new technology, which will radically change our lives. But is it really such a revolution and will it really have an impact on the Financial Services Industry? To refresh our memory, the Internet of Things (IoT) refers to any   object , which is able to   collect data and communicate and share this information (like condition, geolocation…​)   over the internet . This communication will often occur between 2 objects (i.e. not involving any human), which is often referred to as Machine-to-Machine (M2M) communication. Well known examples are home thermostats, home security systems, fitness and health monitors, wearables…​ This all seems futuristic, but   smartphones, tablets and smartwatches   can also be considered as IoT devices. More importantly, beside these futuristic visions of IoT, the smartphone will most likely continue to be the center of the connected devi
16 comments
Read more

Neobanks should find their niche to improve their profitability

The last 5 years dozens of so-called   neo- or challenger banks  (according to Exton Consulting 256 neobanks are in circulation today) have disrupted the banking landscape, by offering a fully digitized (cfr. "tech companies with a banking license"), very customer-centric, simple and fluent (e.g. possibility to become client and open an account in a few clicks) and low-cost product and service offering. While several of them are already valued at billions of euros (like Revolut, Monzo, Chime, N26, NuBank…​), very few of them are expected to be profitable in the coming years and even less are already profitable today (Accenture research shows that the average UK neobank loses $11 per user yearly). These challenger banks are typically confronted with increasing costs, while the margins generated per customer remain low (e.g. due to the offering of free products and services or above market-level saving account interest rates). While it’s obvious that disrupting the financial ma
7 comments
Read more

PFM, BFM, Financial Butler, Financial Cockpit, Account Aggregator…​ - Will the cumbersome administrative tasks on your financials finally be taken over by your financial institution?

1. Introduction Personal Financial Management   (PFM) refers to the software that helps users manage their money (budget, save and spend money). Therefore, it is often also called   Digital Money Management . In other words, PFM tools   help customers make sense of their money , i.e. they help customers follow, classify, remain informed and manage their Personal Finances. Personal Finance   used to be (or still is) a time-consuming effort , where people would manually input all their income and expenses in a self-developed spreadsheet, which would gradually be extended with additional calculations. Already for more than 20 years,   several software vendors aim to give a solution to this , by providing applications, websites and/or apps. These tools were never massively adopted, since they still required a lot of manual interventions (manual input of income and expense transaction, manual mapping transactions to categories…​) and lacked an integration in the day-to-da
5 comments
Read more

Beyond Imagination: The Rise and Evolution of Generative AI Tools

Generative AI   has revolutionized the way we create and interact with digital content. Since the launch of Dall-E in July 2022 and ChatGPT in November 2022, the field has seen unprecedented growth. This technology, initially popularized by OpenAI’s ChatGPT, has now been embraced by major tech players like Microsoft and Google, as well as a plethora of innovative startups. These advancements offer solutions for generating a diverse range of outputs including text, images, video, audio, and other media from simple prompts. The consumer now has a vast array of options based on their specific   output needs and use cases . From generic, large-scale, multi-modal models like OpenAI’s ChatGPT and Google’s Bard to specialized solutions tailored for specific use cases and sectors like finance and legal advice, the choices are vast and varied. For instance, in the financial sector, tools like BloombergGPT ( https://www.bloomberg.com/ ), FinGPT ( https://fin-gpt.org/ ), StockGPT ( https://www.as
2 comments
Read more

Can Augmented Reality make daily banking a more pleasant experience?

With the   increased competition in the financial services landscape (between banks/insurers, but also of new entrants like FinTechs and Telcos), customers are demanding and expecting a more innovative and fluent digital user experience. Unfortunately, most banks and insurers, with their product-oriented online and mobile platforms, are not known for their pleasant and fluent user experience. The   trend towards customer oriented services , like personal financial management (with functions like budget management, expense categorization, saving goals…​) and robo-advise, is already a big step in the right direction, but even then, managing financials is still considered to be a boring intangible and complex task for most people. Virtual (VR) and augmented reality (AR)   could bring a solution. These technologies provide a user experience which is   more intuitive, personalised and pleasant , as they introduce an element of   gamification   to the experience. Both VR and AR
10 comments
Read more

Low- and No-code platforms - Will IT developers soon be out of a job?

“ The future of coding is no coding at all ” - Chris Wanstrath (CEO at GitHub). Mid May I posted a blog on RPA (Robotic Process Automation -   https://bankloch.blogspot.com/2020/05/rpa-miracle-solution-for-incumbent.html ) on how this technology, promises the world to companies. A very similar story is found with low- and no-code platforms, which also promise that business people, with limited to no knowledge of IT, can create complex business applications. These   platforms originate , just as RPA tools,   from the growing demand for IT developments , while IT cannot keep up with the available capacity. As a result, an enormous gap between IT teams and business demands is created, which is often filled by shadow-IT departments, which extend the IT workforce and create business tools in Excel, Access, WordPress…​ Unfortunately these tools built in shadow-IT departments arrive very soon at their limits, as they don’t support the required non-functional requirements (like high availabili
15 comments
Read more

Deals as a competitive differentiator in the financial sector

In my blog " Customer acquisition cost: probably the most valuable metric for Fintechs " ( https://bankloch.blogspot.com/2020/06/customer-acquisition-cost-probably-most.html ) I described how a customer acquisition strategy can make or break a Fintech. In the traditional Retail sector, focused on selling different types of products for personal usage to end-customers,   customer acquisition  is just as important. No wonder that the advertisement sector is a multi-billion dollar industry. However in recent years due to the digitalization and consequently the rise of   Digital Marketing , customer acquisition has become much more focused on   delivering the right message via the right channel to the right person on the right time . Big tech players like Google and Facebook are specialized in this kind of targeted marketing, which is a key factor for their success and multi-billion valuations. Their exponential growth in marketing revenues seems however coming to a halt, as digi
12 comments
Read more