Providing your credit card number to a website for merchandise or online registration payment is common these days. I do still get the occasional phone call from a relative who gets nervous about typing in his or her card number for an online purchase, but for the most part online payments have been accepted by everybody except the hardcore Luddites. So how does typing in that credit or debit card number actually translate into a deduction from your bank account?
Finding a neat and tidy diagram summarizing the process is difficult. Just search “credit card processing diagram” and behold the many different levels of understanding represented. CyberSource and Authorize.Net both have easy-to-follow interactive diagrams outlining the process.
I chose this diagram from Merchantequip as it does a decent job simplifying the flow:
Step 1. The basic steps involved start with an “authorization”. The user supplies a card number, expiration date, security code, and address to the website.
Step 2. This data is submitted to the Payment Gateway/Processor and checked for accuracy. It is relayed to the Issuing Bank, and the user’s balance is checked to see if funds are available for the amount requested.
Step 3. If there are adequate funds in the account, the amount is reserved, and an “auth code” is issued and relayed back to the website.
Simultaneously, the address stored on file for the credit card is tested against the address the user provided. Oddly enough, this test is separate from the funds check. This means the AVS (Address Verification Service) check can fail even though the authorization succeeded. In that case the user may be saddled with extra authorizations against his or her account. Recent regulatory changes allow those “pending” authorizations to be reversed.
Step 4. In our case, we send confirmation to the user so he or she knows the payment attempt was successful.
Step 5. All that has to occur just for the initial authorization–we still don’t have the money in our merchant bank account yet. That happens with what is called the “capture” or “settlement”. At SignMeUp, we perform nightly settlements. The auth code issued in Step 3 is used to capture the funds.
Step 6. The Issuing Bank transfers funds to the Merchant bank account.
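The six steps above, including the separate AVS result and the reversal of a pending authorization, can be traced in a small simulation. This is an added example, not SignMeUp's code or any gateway's API: the `Issuer` and `Merchant` classes, their method names, the ZIP-only AVS comparison and all values are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal
import secrets
@dataclass
class Issuer:  # hypothetical issuing bank holding one cardholder account
    available: Decimal
    zip_on_file: str
    holds: dict = field(default_factory=dict)  # auth code -> reserved amount

    def authorize(self, amount, billing_zip):  # Steps 2-3
        avs_match = billing_zip == self.zip_on_file  # separate from funds check
        if amount > self.available:
            return None, avs_match
        auth_code = secrets.token_hex(3).upper()
        self.available -= amount  # funds reserved, not yet transferred
        self.holds[auth_code] = amount
        return auth_code, avs_match

    def reverse(self, auth_code):  # release a hold that will not be captured
        self.available += self.holds.pop(auth_code)
    def capture(self, auth_code):  # Steps 5-6: reserved amount goes to merchant
        return self.holds.pop(auth_code)

@dataclass
class Merchant:  # hypothetical site; keeps auth codes only, never card data
    issuer: Issuer
    balance: Decimal = Decimal("0")
    unsettled: list = field(default_factory=list)

    def checkout(self, amount, billing_zip):
        auth_code, avs_match = self.issuer.authorize(amount, billing_zip)
        if auth_code is None:
            return "declined"
        if not avs_match:
            self.issuer.reverse(auth_code)  # do not leave the hold pending
            return "avs_failed"
        self.unsettled.append(auth_code)  # Step 4: confirm now, capture later
        return "authorized"

    def settle_nightly(self):  # Step 5: capture with the stored auth codes
        while self.unsettled:
            self.balance += self.issuer.capture(self.unsettled.pop())
        return self.balance

def demo():  # constructed values
    shop = Merchant(Issuer(Decimal("100.00"), zip_on_file="92101"))
    results = [shop.checkout(Decimal(a), z) for a, z in
               (("40.00", "92101"), ("40.00", "00000"), ("80.00", "92101"))]
    return results, shop.issuer.available, shop.settle_nightly()
```

Without the `reverse` call, the second checkout would leave 40.00 held against the cardholder even though the purchase was rejected, which is the "extra authorizations" case described above.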
So many steps have to occur for funds to be transferred from a user’s credit card to a merchant’s bank account. And the card brands (Visa, MasterCard, American Express, etc…) have strict rules in place governing how that card data can be handled throughout the entire process. In my example of the dubious relative above, their interests are well-governed by a set of regulations called the PCI DSS.
One irony I usually point out is that most credit card fraud still occurs on the paper side, meaning things like stolen statements or lifted cards are more prevalent than somebody setting up a fake website to try to grab your card information. Most people think nothing of handing their card off to a waiter who takes the card out of sight to swipe it. I’m reminded of the old Citibank identity theft commercials from a few years back:
Matthew Allen, SignMeUp’s Senior Software Engineer – handling your credit card payments for the better part of a decade.