How Do Credit Card Payments Work for Merchants?
When most people think of credit card payment processing, they think of a card scheme, which is a payment network that uses cards, like Visa or Mastercard. But completing a successful credit card transaction in seconds involves a series of actions and an entire ecosystem of players that merchants should understand.
The Credit Card Payment Processing Ecosystem
Common Credit Card Payment Processing Terms and Definitions
Visa, MasterCard, American Express and Discover are among the largest card schemes, also referred to as card networks or card brands.
Visa and Mastercard are both open networks and actively encourage banks to issue their cards to consumers and to acquire or accept transactions using cards. There is no direct relationship between the card schemes and card holders. Issuing and acquiring banks must follow the operating regulations created by the card networks. There are fines for non compliance that acquirers pass on to merchants. The card schemes collect fees from acquirers who are reimbursed from merchants.
Amex is a closed network. It acts as the card issuer and the card acquirer and has a direct relationship with the consumers and the merchants.
Discover has a hybrid model, issuing the cards directly to consumers, but allowing banks to act as acquirers to settle directly with the merchants.
An issuing bank issues credit cards to consumers on behalf of the card networks (Visa, MasterCard). Issuing banks front the funds to merchant accounts when someone pays with a credit card. This carries a degree of risk – If a cardholder defaults the issuing bank takes part of the hit, which is why they charge a per-transaction fee.
The acquiring bank deposits funds from credit card sales into a merchant’s account. An acquiring bank or “merchant bank” manages and underwrites the merchant account that enables the merchant to accept credit and debit cards. In doing so, the bank carries the same risk as issuing a line of credit and is ultimately on the hook for any consumer disputes should a merchant that they sponsor go out of business.
Acquiring and issuing banks do not have the infrastructure to connect directly to a payment network. A third-party payment processor connects the merchant and the financial institutions to authorize transactions and facilitate the transfer of funds. The functionality and value added services offered by payment processors can differ significantly.
Credit Card Payment Gateway
Integrating directly to a single payment processor is difficult. In many cases a company will leverage multiple payment processors and will need to maintain certification. A payment gateway provides a single interface that connects with multiple processors and also offers other value-added services, including tax calculation, payment tokenization, hosted payment pages, mobile SDK, 3D Secure, and fraud management to minimize PCI scope.
Payment Service Provider (PSP)
Payment Service Providers work with merchants and acquiring banks to simplify and manage the entire payment process – with many having their own gateways. By offering merchants software and APIs to collect and manage their payments efficiently, merchants can improve the payment experience for their customers. There are also additional benefits to working with a Payment Service Provider including security, currency processing and transaction reporting.
Rapyd is an example of a payment service provider. By giving merchants access to cards and alternative payment methods in 100+ countries, Rapyd provides a comprehensive solution to grow sales globally.
An Overview of the Payments Process
The card scheme transfers the card transaction information from the acquiring bank to the issuing bank and then moves the payment to the acquirer to confirm the payment. Here is an overview of the steps involved.
1. Credit Card Payment Authorization
Authorizations permit/deny a cardholder from paying with a credit card. Cardholder information is sent to the acquiring bank/processor for routing through the card network, to the cardholder’s issuing bank for approval. The transaction is approved or declined once the required checks have been made – validation of the transaction information, the cardholder has the funds for the purchase and the account is in good standing. The response is relayed back and stored pending settlement. The length of the authorization hold depends on the issuing bank’s policy (7 days for AMEX, 30 days for Visa and 10 days for Discover).
3D Secure Payment Authorization
3D Secure (3Ds) is a form of Strong Customer Authentication that provides an additional security layer for online credit and debit card transactions. During the transaction, customers complete an additional verification step with the card issuer. 3D Secure is required in Europe, but optional in the US. 3DS payments are covered by a liability shift to the issuer.
2. Capture Requests
When the merchant wants to initiate the collection of payment for their goods or services, they then perform a capture in real time when the authorization takes place or they can do it later when they have shipped the product. Throughout the day capture requests are sent to the gateway, held and submitted to the acquiring processors in one batch each night usually right before midnight.
During settlement, the funds are moved via ACH from the issuing bank to the acquiring bank.
This is the stage where the merchant actually receives payment into their bank account with another funding request via ACH from the acquiring bank to the merchant bank. If a merchant has their deposit account at the same bank as their merchant account, then next-day funding is possible.
PCI – How the Credit Card Industry Regulates Itself
Every merchant that accepts credit cards is required to be PCI compliant. There are a number of factors that influence what is involved in achieving and maintaining compliance. Merchants are assigned a PCI Level based on their transaction volume.
This level determines their validation requirements.
Merchants must complete a Self Assessment Questionnaire based on the extent to which they handle, processes and/or store cardholder data. This explains why hosted checkout is so valuable. If you don’t touch, process or store card data or serve any card collection forms – your scope and PCI responsibilities are significantly reduced.
For a detailed overview of merchant PCI compliance responsibilities and instructions, read our article, Understanding PCI Compliance.
Government Regulation – Merchant Impact and Requirements
The Revised Payment Services Directive (PSD2) is a European regulation that governs electronic and non-cash payments. It includes a mandate for payment service providers to implement strong customer authentication (SCA) for online payments and online banking transactions when both the issuing bank and acquiring bank/PSP are located in the European Economic Area. Before an issuing bank can authenticate a transaction, the cardholder must provide two out of three factors:
- Something only the user knows
- Something only the user possesses
- Something the user is
3-D Secure 2.0 meets SCA requirements. For merchants who would like to avoid 3D Secure or another form of SCA for some transactions, there are a few exemptions.
- One leg out transactions: If either the Issuing Bank or Acquiring Bank/PSP is outside of the European Economic Area.
- Low value: transactions under EUR 30
- Low risk / transaction risk analysis (TRA)
- Recurring transactions with exact same amount
- Whitelisted merchants or trusted beneficiaries
- Secure corporate payments
How Credit Card Payment Processing is Priced
Merchants pay the different parties for the services they provide during payment processing.
- The issuer gets paid by taking a percentage of each sale, this is called the interchange and it can vary based on the industry, sale amount, and type of card used
- The merchant bank charges a markup fee, based on the industry, amount of sale, monthly processing volume, etc.
- The credit card association (Visa, MasterCard, etc.) charges a fee, called an assessment
- The payment processor charges a fee for processing every transaction in addition to fees for setup, monthly usage or account cancellation
- Often these charges are combined into a single simplified price for merchants
Drive Sales Globally By Letting Customers Pay Their Way