Card Payments for Dummies
JORIS LOCHY | August 18, 2021
At my current company Monizze, we issue social vouchers, like meal, eco and gift vouchers. These vouchers are consumed using a specific Monizze payment card via a physical terminal. As a result, I come into contact with card payments on a daily basis. Unfortunately, I am still far from being a card expert, but along the years I can say I have built up a good basic understanding of how a card payment happens. As I had to collect information from different sources to get this first good understanding, I thought it might be interesting to share my summary for "dummies" of how card payments work.
Become a contributor
First let us have a look at the card itself. A card is just a plastic carrier on which a design is printed. Afterwards a chip (an embedded microprocessor) is attached to the card, on which 1 or more applications can be deployed. A card with such a chip is often also called a smart card or an EMV card, with EMV an abbreviation for "Europay MasterCard VISA", which are the 3 companies that originally established this global electronic transaction standard. A card does not need to have a chip, some cards only have a bar code or QR code on them, while others have a magnetic stripe. Obviously an EMV chip card is more secure than those other models.
Most EMV chip cards today are Dual Interface chip cards. This means the card can be used in both contact (i.e. the card is put in the terminal to read the chip) and contactless (i.e. the card communicates via an NFC antenna with the terminal) mode.
This should not be confused with co-branded / co-badged cards, which exist quite a lot in Europe. As many countries still have their local payment method (like Bancontact in Belgium, Girocard in Germany, Cartes Bancaires in France, PagoBancomat in Italy, MultiBanco in Portugal…), most banks in those countries issue such a co-badged card, which supports both this local payment method and a more international payment method. E.g. in Belgium almost all debit cards are co-badged with Bancontact and Maestro (Maestro being an international payment method owned by MasterCard).
When fabrication of EMV chip cards starts, all cards are the same. Of course by printing the design on the card and personalizing the card (with the name, card number…) you get a specific card. Additionally there is a personalization of the EMV chip. On the chip the specific application(s) of the card is deployed, as well as the specific personal information. This personal information stored on the card consists of the card number (also called the PAN number = Primary Account number), the expiration date, a security code (also called CVV = Card Verification Value or CVC = Card Verification Code), a number of cryptographic keys and the list of CVM checks (CVM = Card Verification Methods). This list indicates which type of security check should be applied and can depend on the type of payment (e.g. contact versus contactless), what the terminal supports and the amount. E.g. the CVM list can indicate that a contactless transaction can be executed up to 50 EUR without asking for a PIN.
The cryptographic keys ensure the necessary security. E.g. they are used to calculate a cryptogram (based on one of the stored secret keys and the info of the transaction), which is sent along to the issuer. The issuer can then verify that the transaction message was not altered along the way by calculating itself the cryptogram and comparing it with the provided cryptogram. In the same way, it is possible to encrypt a PIN code and send it to the issuer for verification. The PIN code can be stored on the chip and verified by the chip directly. This so-called PIN offline verification is however only possible when the chip can be read by the terminal. In case of a contactless transaction requiring a PIN, card issuers usually work with PIN online, which means the PIN is sent in an encrypted way to the issuer, who verifies the correctness of the PIN, before authorizing the transaction.
The information on the chip of a card can also be virtualized. This means that instead of the card sending the NFC signal (in contactless mode) to the terminal, it is also possible that your smartphone sends out this signal (and emulates the card). This can be a specific app, using HCE (= Host Card Emulation), but this technique is only available on Android phones, as Apple does not give access to the NFC antenna. A more common technique is of course Apple Pay and Google Pay, where you onboard your card on the Apple/Google infrastructure and your smartphone emulates the physical card.
Now that we have clarified what the card does, it is good to have a look at how a payment works.
The first step is of course telling the terminal (POS = Point of Sales terminal) how much the customer needs to pay. This can be inputted directly on the terminal, but large retailers have of course an integration with their cash register (= ECR = Electronic Cash Register). This integration allows to pass immediately info like the amount, which card types can be accepted (cashier can select a specific payment method) and potential other reference information. Obviously, a lot of cash register systems exist (e.g. Lightspeed, Square, Casio, Toshiba…) and also a lot of protocols to integrate ECRs with terminals (e.g. VIC protocol) and finally also a lot of different terminals (e.g. Wordline, Ingenico, CCV, Adyen, SumUp, VIVA Wallet, Cetrel, Loyaltek…). All these differences make those integrations quite a mess.
The terminal will then read the card (contact or contactless) and determine which verification methods need to be applied. Once the verifications on the terminal are ok, the payment is sent to the Acquirer (often the merchant’s bank), which sends the payment to the Issuer (usually the bank of the card holder, which issued the card). This Issuer validates if the card is still active, if the PIN code is correct (in case of PIN online), if the customer is allowed to do a transaction at this merchant (e.g. card might be disabled for foreign transactions) and whether the customer has sufficient funds to execute the payment. In case of a positive reply, the payment is considered as successful, even though the actual settlement will usually happen later. This settlement consists of the acquirer requesting payment to the issuing bank, the issuing bank debiting the cardholder’s account and transmitting the money to the acquirer bank and the acquirer bank crediting the merchant’s account.the cardholder’s account and transmitting the money to the acquirer bank and the acquirer bank crediting the merchant’s account.
For the communication between the terminal, acquirer and issuer a "Payment Network", like VISA, MasterCard, American Express, UnionPay, Bancontact… is used. This payment network sets all the rules of how these different players should interact. Additionally there are multiple protocols of how terminals can communicate with the Acquirer, like CTAP, EP2, Nexo (EPAS), IFSF, STD70, ABI-CB (Italy)…, making it for international players very hard to support all local payment methods.
It is also important to understand the difference between a "Four Corner model" (also called a Four-Party scheme, Open Scheme or Open Loop payment model) and a "Three Corner Model" (also called a Three-Party scheme, Closed Scheme and Closed loop payment model). The first model is the model described above and is the most widely used. E.g. VISA, MasterCard and UnionPay use this model. In the second model ("Three Corner Model"), the issuer, acquirer and payment network are the same party. This means the payment network provides the card to the card holder and contracts with the merchant to configure/setup the terminal. Typical examples are Diners Club, Discover Card and American Express, but often also niche payment methods, like the social vouchers (e.g. meal voucher payments) of Monizze fall in this category (even though in many countries, social vouchers are also handled via an "Open Loop" model based on VISA or MasterCard).
As you can see a card payment involves a large number of parties. While cash registers and terminals are bought or rented by merchants and typically include also a monthly service fee, the other players are usually paid per transaction. The Acquirer will recover those transaction fees from the merchant through a "Merchant service charge". The Acquirer however keeps only a small part of this fee, as around 20% of this fee (the so-called scheme fee) is going to the payment network (e.g. VISA or MasterCard) and up to 70% (the so-called interchange fee) to the Issuer. Part of this interchange fee is often used in the form of rewards (e.g. cashbacks) to the customer, thus encouraging the card holder to use his card as much as possible.
Card payments are clearly undergoing a major transformation. On the one hand, there is a strong push towards a cashless society. This trend, strongly accelerated by the Covid crisis, increases the use of card payments. On the other hand, there is a trend to replace the physical cards by payments with smartphones. This includes the exponential rise of the use of Apple Pay and Google Pay, but also new payment techniques, often based on QR code scanning (like e.g. Payconiq in Belgium).
Additionally due to the aggressive take-over strategy of the 2 major American players (VISA and MasterCard) in the last decade, there is a strong feeling, especially in Europe, that there is need for more competition and a new European player. As a result, several large European banks are joining forces to create a European alternative. It is however doubtful that this new initiative will be successful, as new technologies and payment methods, like PSD2 Payment Initiation, SEPA Request to Pay (SRTP), instant payments, CBDCs… can likely give better (more frictionless and cheaper) alternatives to the traditional card payment schemes.