Over the years, credit cards have become the most popular payment method for online purchases worldwide. Although new payment solutions like PayPal or Dwolla and alternative payment methods such as Bitcoin are gaining traction, credit cards have established themselves as the default e-commerce payment method. This is particularly the case for international transactions: there is almost no way around credit cards for online merchants that want to sell internationally. In this article we take a closer look at the credit card payment ecosystem. The next article will focus on how to choose a merchant account and payment service provider.
How credit card processing works
Credit card processing involves several parties: the customer, the bank that issues the credit card to the customer (issuing bank), the merchant, the merchant's bank (acquiring bank) and, last but not least, the credit card network (e.g. Visa, MasterCard or American Express). In most cases online merchants also use a third-party payment service provider (PSP) that bundles a variety of payment methods and acts as a gateway that can connect to multiple acquiring banks and credit card associations. Furthermore, a PSP can offer additional services such as risk management, reporting, fraud protection and multi-currency support.
To accept credit card payments online, merchants need to establish a merchant account at a bank that accepts card payments on behalf of the merchant. When the customer makes a purchase, the merchant passes the transaction information to its acquiring bank (1). The acquiring bank sends a request for authorization (2) to the credit card network, which forwards (3) the request to the customer's issuing bank. The issuing bank checks (4) the transaction and approves or declines it (e.g. if the card is reported stolen or the credit line is exceeded…). The response is then forwarded to the merchant to complete the transaction. After a successful transaction the issuing bank transfers the funds via the credit card network to the acquiring bank and debits the customer's account. The acquiring bank then deposits the funds into the merchant's account. Usually the issuing bank keeps a percentage of the transferred funds as an interchange fee and the acquiring bank charges a processing fee. If a PSP is used, it acts as a gateway between the merchant and the acquiring bank.
Online credit card transactions where the card is not physically present (CNP, card not present) are prone to fraud. Usually (depending on the country) the liability of customers is limited. Customers can initiate a chargeback by contacting their issuing bank (in case of fraudulent charges or other disputes) to reverse the transaction. In the end the merchant bears the chargeback risk. To reduce fraud, online merchants can request additional information such as the Card Security Code (CVV2) and/or secure transactions via 3-D Secure. 3-D Secure provides an additional level of security by requiring the user to authorize each transaction (e.g. via a password). To ensure a minimal level of security and prevent data theft, merchants that store, process and transmit credit card data must adopt the PCI DSS (Payment Card Industry Data Security Standard). Small businesses that use a PCI-certified PSP and do not process credit card data on their own systems still have to complete a Self Assessment Questionnaire (SAQ) to ensure PCI compliance.
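The authorization steps (1) to (4), the settlement with both fees, and a chargeback can be traced in a small model. This is an added example, not code from the original article; the class names, card ids, fee rates and the rule that fees are not refunded on a chargeback are all assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed rates for illustration; real fees depend on network and contract.
INTERCHANGE_RATE = Decimal("0.018")  # kept by the issuing bank
PROCESSING_RATE = Decimal("0.007")   # charged by the acquiring bank

@dataclass
class Card:
    credit_line: Decimal
    balance: Decimal = Decimal("0")
    reported_stolen: bool = False

class IssuingBank:
    def __init__(self, cards):
        self.cards = cards  # card id -> Card

    def authorize(self, card_id, amount):  # step (4): check, approve or decline
        card = self.cards.get(card_id)
        if card is None:
            return "DECLINED: unknown card"
        if card.reported_stolen:
            return "DECLINED: card reported stolen"
        if card.balance + amount > card.credit_line:
            return "DECLINED: credit line exceeded"
        card.balance += amount  # debit the customer's account
        return "APPROVED"

class CardNetwork:
    def __init__(self, issuer):
        self.issuer = issuer

    def route(self, card_id, amount):  # step (3): forward to the issuing bank
        return self.issuer.authorize(card_id, amount)

class AcquiringBank:
    def __init__(self, network):
        self.network = network
        self.merchant_account = Decimal("0")

    def submit(self, card_id, amount):  # steps (1)-(2): merchant -> acquirer -> network
        response = self.network.route(card_id, amount)
        if response == "APPROVED":  # settle: deposit funds minus both fees
            fee = amount * (INTERCHANGE_RATE + PROCESSING_RATE)
            self.merchant_account += amount - fee
        return response

    def chargeback(self, card_id, amount):  # dispute raised via the issuing bank
        self.network.issuer.cards[card_id].balance -= amount  # customer made whole
        self.merchant_account -= amount  # assumption: fees are not refunded
```

Under these assumed rates, a 100.00 sale that is later charged back leaves the merchant account at -2.50, which is the chargeback risk the merchant bears.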