Card payment is now the most fundamental way of payment, after cash. As a start, I am trying in this article to go through the technical aspects of card payments and explain them as much as possible.
First, let's refresh some definitions:
- Primary Account Number (PAN): The card number. It consists of 14-16 digits that identify your card in any payment transaction. It is considered sensitive data: it shall not be disclosed and shall always be encrypted.
- Bank Identification Number (BIN): The first 6 digits of the PAN. The first digit identifies the card network; for example, Visa starts with 4 while MasterCard starts with 5. The remaining 5 digits identify the issuing bank. Since April 2022, Visa and MasterCard have extended the BIN length to 8 digits under the new standard.
- Card Network Interface: Every acquirer and issuer has a device with hardware and software provided by the card network to be able to be a member and communicate with the card network. In MasterCard, it is called MIP (MasterCard Interface Processor). In Visa, it is called Visa EAS (Extended Access Service). This device is hosted in the acquirer and issuer data centers, but more or less managed by the card network and part of it.
- Core Banking System: According to Gartner, it is the back-end system that processes daily banking transactions and posts updates to accounts and other financial records. An interesting topic is the different systems and capabilities in a typical bank, which we can go through later.
- Payment Switch: The system that interfaces with and manages ATMs and PoS, and handles the authorisation and routing of payment transactions to the upstream banking systems.
- Card Management System (CMS): The system that manages the whole lifecycle of the card, from issuing to blocking, etc. It even manages the integration with card printing systems. It also maintains the ledger and transactions of all the different card types, except debit cards in some cases. Many companies provide such solutions, and in most cases they include both the payment switch and the card management capabilities in one solution.
In this article, we will go through the flow where the acquirer and issuer banks handle transactions directly with merchants and users, without any third parties in between. We will start with the classical on-prem architecture, which has been around for decades.
Flow Without Payment Processors

In this flow, the acquirer bank acts as the payment processor. ATMs and the terminals at merchants' stores are provided and managed by the acquirer bank. The merchant has an agreement with the acquirer bank to lease these terminals. These terminals are configured to connect to the acquirer bank's payment switch. Let's go through this flow:
- The terminal reads the card information using any method (swipe, NFC, etc.; we will come to that in later articles). The terminal (PoS or Point of Sale) encrypts the sensitive card data, creates an ISO 8583 message, and sends it to the acquirer bank's payment switch. This is referred to as P2H communication (PoS to Host).
- The payment switch decrypts the sensitive data in the message (PAN) and checks the BIN number in the card PAN.
- If it is the same bank (in this case the acquirer bank acts as the issuer bank as well), the transaction is completed within the acquirer bank's systems, with the core banking or the card management system, without going to the card network.
- Based on the BIN, the payment switch decides which card network interface to forward the message to; it can be Visa, Mastercard, etc. Communication between the payment switch and the card network interface is still done using ISO 8583. This is referred to as H2H (Host to Host) communication.
- Communication from the acquirer's card network interface, through the card network, to the issuer bank's card network interface is considered part of the card network.
- The card network checks the BIN and decides which issuer bank to forward the message to. The destination is the card network interface managed by the card network inside the issuer bank premises.
- The card network interface in the issuer bank receives the message, and forwards it to the bank payment switch.
- The bank payment switch validates the PIN and does other checks on the balance:
  - If it is a credit card, the balance is checked by calling the card management system, which can be the same system as the payment switch. The ledger of the credit card is maintained in the CMS. The transaction is checked and posted to the ledger of the CMS.
  - If it is a debit card, the balance is checked by calling the core banking system. The ledger of the debit card is mirrored by the ledger of the bank account. The transaction is posted to the core banking system if valid. This can still be ISO 8583, or it can be REST APIs or Web Services exposed by the core banking system.
- The payment switch then returns the response all the way back to the terminal through the exact same path, using the same protocols used in the request direction.
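
The BIN-based routing decision the payment switch makes in the flow above, written as an added Python example (not code from the original article or from any vendor's switch). The BIN values, the `route` and `mask_pan` names, and the destination labels are assumptions made up for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: BINs this bank issues (hypothetical values), mapped
# to the system that holds the card's ledger (credit -> CMS, debit -> core banking).
ON_US_BINS = {
    "412345": "CMS",             # 6-digit BIN, credit product
    "51234567": "CORE_BANKING",  # 8-digit BIN, debit product
}
# First PAN digit -> card network, as stated in the article.
NETWORK_BY_FIRST_DIGIT = {"4": "VISA", "5": "MASTERCARD"}


@dataclass(frozen=True)
class Route:
    destination: str  # system that receives the message next
    on_us: bool       # True when acquirer and issuer are the same bank
    masked_pan: str   # the only form of the PAN that should reach logs


def mask_pan(pan: str) -> str:
    """Keep the first 6 and last 4 digits and mask everything in between."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def route(pan: str) -> Route:
    """Decide where a decrypted PAN goes, based on its BIN."""
    if not (pan.isascii() and pan.isdigit() and 14 <= len(pan) <= 16):
        raise ValueError("PAN must be 14-16 digits")
    # Check the 8-digit BIN before the 6-digit one so the longest match wins.
    for bin_len in (8, 6):
        ledger = ON_US_BINS.get(pan[:bin_len])
        if ledger:
            # Same bank: completed locally, never sent to the card network.
            return Route(ledger, True, mask_pan(pan))
    network = NETWORK_BY_FIRST_DIGIT.get(pan[0])
    if network is None:
        raise ValueError("no card network interface for BIN " + pan[:6])
    # Other issuer: forward over H2H to that network's interface device.
    return Route(network + "_INTERFACE", False, mask_pan(pan))
```
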
Many topics remain to be discussed even in this basic flow, like encryption, ISO 8583, types of terminals, third parties and payment processors, etc. In the next post, we will explain more about the role of payment processors, as acquirer and issuer processors, and payment gateways.