From a consumer perspective, making a credit card payment at a business usually consists of two basic steps: swipe your card and enter your PIN, or signature. It’s a simple, straightforward process. But what consumers may not realize, is that a lot is going on behind the scenes of a payment transaction. Add in secure payment technologies that help protect cardholder data, and the process and number of technologies involved in a two second payment authorization can seem complex. Let’s break it down.
To better understand how a secure credit card payment works, it helps to have a basic understanding of the various entities involved in authorizing a payment transaction.
Credit card associations—these are the big companies that collectively own the credit card and set the rules, including Visa, MasterCard, American Express, and Discover.
Acquiring bank (acquirer)—these institutions are the go betweens that pass transaction requests and authentication data from the merchant to the card associations and back. Data touches at least one, if not several acquirers during the authorization process.
Issuing bank—this is the financial institution that issues the credit card to the cardholder. The card may be a Visa card, but issued by Wells Fargo, or Chase for example.
Merchant account providers (processors)—these companies manage the credit card processing account for merchants. They often partner with an acquirer on the back end to facilitate the technical aspect of payment processing, while the merchant account provider, or processor, handles the front end of customer support and account management. However, sometimes the merchant account provider is also the acquirer and will handle the back end as well.
The card transaction process
When a payment card is swiped or key entered into the POS or payment terminal, the card information is transmitted to the payment processor (acquirer) and on to the card associations (Visa/MasterCard). The card associations then pass the request onto the issuing bank. The issuing bank makes sure the card hasn’t been flagged as lost or stolen, confirms available credit or funds and sends an authorization or decline code back to the card association who then passes it onto the acquirer. The acquirer then communicates the authorization or decline back to the merchant and the sale is complete (or declined).
A secure credit card payment utilizes encryption to mask the credit card data before it enters the POS system or terminal, and is sent to the issuing bank for authorization. When point-to-point (also known as end-to-end) encryption is used, the actual card data never touches any part of the system or authorization process. Instead, an encryption key in the POS system or terminal intercepts the card information as it’s being entered, and replaces it with masked characters that have no value without the decryption key. When the encrypted data reaches the issuing bank’s decryption key, it is decrypted in a secure environment, and processed for authorization. When the issuing bank sends it back as an authorization or decline, it is sent back through their encryption key, and transmitted as meaningless characters once again.
When point-to-point encryption is used, the data is never in the clear in full text for even a split second. If a merchant’s POS system is breached by data thieves, the “data” they steal will be meaningless to them, without the decryption key used by the issuing bank. This significantly reduces the risk that merchants face with regard to fines, penalties, and reputation loss as a result of a data breach.
Contact Vantiv for more information about how to protect your cardholders’ data with encryption, and reduce your breach risk.