How credit card processing works

Friday, January 03, 2014
Nowadays, most consumers use credit cards for the majority of their purchases. While transactions themselves are fast and straightforward, it is important to understand how credit card processing works because payment processing is one of the highest costs a business owner will face. By understanding the picture of how processing functions, you can understand the benefits of accepting credit card payments, the fees that come along with credit card processing, and how to use your payment processing system most efficiently and securely for your small business. Here, we will discuss the difference between payment processing and credit card processing, how processing happens step-by-step, necessary security measures you need to follow in order to protect yourself and your customers, credit card fees, and what all this means for you as a small business owner.

What is payment processing? 

Payment processing is the series of steps that occur between your point of sale and the money deposited into your bank account. Types of payments include:
  • Cash
  • Debit card
  • Credit card
  • Check/electronic check
  • Gift card

All of these methods have various steps involved in their respective payment processes. Here, we’ll focus on credit card processing specifically.

What is credit card processing?

Credit card processing is how purchases on credit cards are approved and completed. The process has multiple steps because, unlike cash, a credit card must be verified by several organizations before it can be used. With cash transactions, no action is required to ensure it is a valid payment. Credit cards are more complicated because credit is borrowed money, and credit card users are limited in how much spending they can do with their cards. There are several actors involved in the process.

Who is involved in credit card processing? 

For a customer to obtain a credit card, a few steps and qualifications are involved. Credit is money borrowed from a lender, typically an issuing bank. So, whenever the credit card is used, it must go through a few actors to be approved. Here, we will describe each of these actors and their role in the transaction. It is important to understand each of these actors to know where the fees involved in credit card processing come from and why they vary. These actors are:

  • Cardholder
  • Merchant
  • Acquiring bank
  • Card association
  • Card issuer
  • Payment processor

Customer/Cardholder

This one is straightforward. The customer using the credit card to make a purchase is the cardholder. However, with a credit card processor (also called merchant services) that can accept multiple payment options, cardholders don’t necessarily need to have their physical card to make payments; they can use their mobile device or mobile app to pay. Similarly, a cardholder can use their credit card to make online purchases if your business has a webshop with e-commerce capabilities. Sometimes credit card purchases can be made over the phone, too.

Merchant

The merchant (you!) is the second actor in the transaction. The business receiving payment via credit card is the actor in need of credit card processing, whether the purchase is made in-person or online/over the phone.

Acquiring bank

The acquiring bank is, in other words, the merchant bank. The merchant bank is where your funds are kept, and after a purchase is made, authorized, and accepted, the merchant bank deposits the funds into your business bank account. The credit card payment arrives at this acquiring bank, but before your bank can accept the payment, the payment information has to make a couple of other stops.

Card association

A card association, or credit card network, is the organization that determines who, when, and how a credit card can be issued and used. The acquiring bank passes the credit card information to the card association of the used credit card. If a customer uses a Visa card, for example, the card information is sent from the acquiring bank to Visa for verification. The card association also determines interchange fees, which we’ll address later. Examples of card associations include:
  • Visa
  • Mastercard
  • American Express
  • Discover
  • China UnionPay
  • JCB

Card issuer/bank

The card issuer is the customer’s bank. This is where the transaction can be ultimately approved or denied. A transaction can be denied if the customer has insufficient funds or an overdue balance, for example. If the card transaction is approved, the money earned in the sale will come from this bank and go to the acquiring bank.

Payment processor 

All of these transactions occur through the payment processor, a vendor that handles payment information and takes it to each of these steps for authorization, authentication, settlement, and funding. The payment processor is a tool that works in the background to make sure the payment information gets to each place it needs to be along the process. 

How does credit card payment processing work?

The payment process is a ping-pong of transactions through each of the actors.

Step 1: Authorization

In the authorization step, the credit card payment is processed through a series of approval requests from the acquiring bank to the card association to the card issuer.
  1. The customer uses their credit card to purchase from the merchant.
  2. The payment processor takes the credit card information and sends it to the acquiring bank.
  3. The acquiring bank forwards this information to the card association for the credit card used in the sale.
  4. If the card is valid, the card association will approve the payment and request authorization from the card issuer (the bank). The information passed along in this request includes:

Step 2: Authentication

In this stage, the card issuer runs the payment information and, using fraud protection tools, verifies that the card is valid and not being used fraudulently. There are a few different types of fraud checks, but in this stage, it is done by checking that the security code and billing address provided with the card are correct.

  1. The card issuer receives the authorization request from the card association.
  2. The card issuer checks for adequate funds, accurate billing address, and security code.
  3. Depending on these details, the card issuer can approve or decline the transaction. This decision is sent back to the merchant in the opposite order from which the request came: from card issuer to card association to acquiring bank to merchant POS system.
  4. Once the authorization is received, the card issuer places a hold for the amount of money spent on the cardholder’s bank account. 
  5. The merchant provides the cardholder with a receipt or proof of purchase for their transaction.
  6. The POS system holding the day’s purchases will collect all the payment information and send it in a batch to be authenticated.

Step 3: Settlement/Funding

The settlement stage is where the funds are finally transferred to the merchant’s acquiring bank with an interchange fee. Funding is the final stage that occurs when the funds eventually land in the merchant’s bank account. We will cover the fees later on, but here are the steps in which this settlement takes place:

  1. The merchant sends all approved authorizations to the acquiring bank via the payment processor. 
  2. The acquiring bank sends this information to the card association(s) involved.
  3. Each approved transaction is sent to their corresponding card issuer, who can approve or deny the payment.
  4. The approval and denial statuses are sent back to each recipient in the chain and ultimately the merchant. 
  5. Merchants send their batches of authorized (approved) transactions through their payment processor down the chain.
  6. Card associations then communicate the necessary fees to the banks.
  7. The card issuer charges the cardholder’s bank account for the transaction amount.
  8. Finally, after a couple of business days, the card issuer transfers those funds to the merchant bank, which deposits the funds into the merchant’s business bank account.

Is special equipment needed to process credit cards?

Payment environments and POS systems vary, but here are the bare minimum tools you need to get started in your payment processing:

A merchant account

To accept credit cards, you will need a merchant account. This type of bank account accepts customer payments made by credit, debit, and gift cards. You may not have one set up yet if you are new to credit card payments. 

Payment processor/credit card processing company

We mentioned before that a payment processor is a vendor in charge of taking the payment information and passing it along to the banks and credit card companies involved to run the processing of the transaction. These processors also calculate interchange fees. There are different options, but it is important to know that the payment processor is not always included in the POS system that you choose.

POS system

The POS system you use for all of your payment processing should include a terminal for card usage, whether tapped, inserted, swiped, or used remotely. 

It’s possible to get all-in-one

Every business needs a payment processor to accept credit cards and promise your customers security in handling them. A merchant account provides this service, and your POS system is the tool that the transactions are made through. It’s possible to purchase all three of these tools together with an all-in-one POS system.

How long does credit card processing take?

The card transaction and approval part of the process only takes a few seconds once the card is used; however, it could be up to three business days before the funds are transferred to your business account. This happens for several reasons. 

Fraud checks

First, the issuing bank will leave the transaction pending to ensure it’s not fraudulent. This is called a delayed fraud check. The first approval of a card use also checks for fraudulent spending but looks for more blatant fraud right away. For example, suppose a card is used online and the wrong CVV code is entered. In that case, the card will be denied by the card association immediately, recognizing the credit card as “invalid.” 

Another example of this is if the card is used in a different state, the card issuer may decline card use for suspected fraud. A delayed fraud check occurs during the transaction period after the sale has been made and can account for some of the time between the point of sale and the funds being received by the merchant bank.

Batching

Another reason for this delay is batching. When a business accepts many card payments in one day, rather than sending each separate payment to be processed individually, they’re sent in batches. So, all of the payments that need processing can be sent at once.

Are credit card payment processing systems secure?

Of course, as a business owner, you want to ensure your customers’ privacy and safety when it comes to their payment information. Your business must follow several different security measures to protect your customers' data. 

EMV

EMV card processing is the chip technology used to prevent fraud and is named after the three card associations that created it: Europay, Mastercard, and Visa. The chip has been proven vastly more secure than magnetic strip cards for several reasons, the biggest being that they are impossible to copy. In contrast, a card's magnetic strip can be lifted using fraudulent card readers and duplicated.

To keep your customers’ data secure, you should invest in an EMV reader or ensure that the POS system you are investing in has this. This way, you can prevent fraud on your merchant account, ensure customer security, and avoid expensive liability issues.

PCI

PCI stands for Payment Card Industry compliance, and it details security standards that businesses must follow. This compliance was created by the PCI Security Standards Council (PCI SSC), and following it can save your business thousands of dollars in lost income due to credit card fraud. You might also see it referred to as the Payment Card Industry Data Security Standard (PCI DSS).

If someone comes into your small business and spends a large amount of money on a fraudulent card, you will be forced to pay that money back to the issuer, which can be a big hit for your company. Instead of losing valuable time and revenue, follow this compliance and protect yourself and your customers. Your merchant service should be PCI compliant, meaning they follow these 12 requirements:

Build and protect a secure network

  • Install and maintain a firewall to protect your cardholder data
  • Avoid vendor-supplied defaults for passwords or security questions.

Firewalls are the first line of protection you can get. Firewalls work by restricting network traffic, meaning they block out hackers and other potential risks from entering your system. When properly configured, any credit card data that passes through your system will be secure.

Next, when it comes to the servers, applications, and any other operating systems you use, many will come with username and password default options. Merchants and credit card processors who are PCI compliant will make a customized system to keep their passwords and private information secure.

Protect cardholder data

  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks

These are the most crucial PCI requirements. This means that when it comes to your customers’ confidential information, like credit card data, a PCI compliant merchant service will know what data to store, where it is located, and how long it must be stored.

This data will be encrypted, rendering it unreadable to outsiders (like hackers), but leave some information so that it is still identifiable for your reference. An example of this is having the last 4 digits of a card number on an order form, but hiding the rest. 

The same thing is done with data used in open or public networks, so if your customer makes an online purchase, their information is protected similarly.
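
The last-four-digits masking described above, as an added example that is not part of the original article: a scrubber that finds full card numbers left in stored text such as a POS log and masks all but the last 4 digits. The function names and the log format are hypothetical, and the sample lines are constructed using widely published test card numbers.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally split by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed sample log lines (hypothetical format); card values are public test numbers.
SAMPLE_LOG = [
    "pos=3 event=auth card=4111111111111111 result=approved",
    "pos=1 event=auth card=5555 5555 5555 4444 result=declined",
    "pos=2 event=refund order=1234567890123456 amount=19.99",
    "pos=3 event=auth card=3782-822463-10005 result=approved",
    "pos=1 event=batch_close count=42",
]


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Hide every digit except the last 4, dropping any separators."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_log(lines):
    """Mask Luhn-valid card numbers; return (scrubbed_lines, findings).

    findings is a list of (line_number, masked_value) so the source of each
    leak can be traced and fixed. Roughly one in ten random digit strings
    passes Luhn by chance, so findings should be reviewed, not trusted blindly.
    """
    scrubbed, findings = [], []
    for line_no, line in enumerate(lines, start=1):
        def _replace(match, line_no=line_no):
            digits = re.sub(r"\D", "", match.group(0))
            if not luhn_valid(digits):
                return match.group(0)   # long number that is not a card, e.g. an order ID
            masked = mask_pan(digits)
            findings.append((line_no, masked))
            return masked
        scrubbed.append(PAN_CANDIDATE.sub(_replace, line))
    return scrubbed, findings


if __name__ == "__main__":
    cleaned, found = scrub_log(SAMPLE_LOG)
    for entry in cleaned:
        print(entry)
    print("lines that contained full card numbers:", [n for n, _ in found])
```

Masking like this only controls what is displayed or logged; the full number, wherever it must be kept, still has to be stored in encrypted form.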

Manage system protections

  • Protect all systems against malware and regularly update anti-virus software or programs.
  • Develop and maintain secure systems and applications.

These requirements have to do with regularly maintaining antivirus software. PCI compliance requires that this software and these programs are updated and used regularly.

Create strong access-controls

  • Restrict access to cardholder data on a need-to-know basis.
  • Identify and authenticate access to system components.
  • Restrict physical access to cardholder data.

These requirements are self-explanatory. Private cardholder information can be restricted on a need-to-know basis, meaning there are certain moves you can make to ensure that only the people who must have the data can get to it. For PCI DSS, need-to-know is a key concept.

To do this, you can assign unique IDs to each person who logs into a POS system or computer with this stored information. That way, if there is a leak or security breach of some kind, the activity can be traced back to someone. 

The last requirement requires cameras to monitor any physical areas that may store personal data. So, in addition to protections on your operating systems and so on, as a small business owner you should be aware of where you’re keeping confidential data and make sure these areas are appropriately protected.

Monitor and test networks regularly

  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.

PCI compliant merchant systems should involve regular maintenance on both physical and wireless networks. Compliant systems will check all systems for the correct audit policies and ensure they are working every day, free of anomalies. These requirements also involve regular vulnerability scans and penetration tests to ensure that your systems are secure and untampered.

Lastly, maintain an information security policy

Maintain a policy that addresses information security for all personnel. The final requirement requests that you perform annual security training with all employees to cover:

  • Security policies
  • Risk assessments regarding critical assets, threats, vulnerabilities
  • User awareness training
  • Employee background checks
  • Incident management

PCI compliance is a hefty and important security measure to follow. It is a complex standard, but following it and using systems/software that are compliant will ensure that your small business is in the best, safest hands possible–especially when managing customer credit card information.

Credit card processing fees and costs

Now that we’ve covered security, credit card payment processing, and the basics of what precisely this processing is and why it’s important, we can dive into the costs. There are a handful of different types of fees that you should be aware of as you begin to accept credit card payments. Some of them are connected to each transaction, and some depend on the type of card you run. We will cover transaction fees such as:

  • Merchant discount rates
  • Interchange fees
  • Assessments

As well as recurring fees including:

  • Monthly minimum fees
  • Statement fees
  • Batch fees
  • Monthly/annual fees

Last, we will give you the basics of credit card processing chargebacks and holds. Of course, depending on the merchant services provider that you use, these fees may vary slightly. It’s always important to keep an eye on your monthly bill to ensure you are not paying too much or billed the wrong amount for your credit card processing.

Transaction fees

Transaction fees are charged with each of your transactions, as the name suggests. These fees are taken to pay card associations in exchange for their service. So, these fees are mandatory to accept credit cards. You can’t take a credit card as payment without paying these fees with each swipe, tap, or manual entry. These are calculated generally in two ways:

  • By percentage: a certain rate, which can be anywhere between 1-3% of the transaction, is charged to the merchant account
  • By fixed amount: the provider charges a set amount per transaction regardless of how much money is spent

There is not just one cut-and-dry transaction fee, however. There are merchant discount rates and interchange fees, which are similar, but they differ in who receives these fees. It’s important to understand this difference to see where your money is going after each credit card transaction is completed.

Merchant discount rates

A merchant discount rate is a rate that the merchant is charged in exchange for using a card association’s services. It is the amount that a merchant pays to the payment processor for taking the high risk of processing the transaction. The merchant discount rate also includes the interchange fee, which is the amount paid to the card issuer, determined by the rate set by the card association.

Interchange fees

This is a fee paid to the bank, called interchange. Interchange is a process created by Visa and Mastercard to help banks fund their credit card programs. An interchange fee is an amount paid by the merchant acquiring bank to the card issuer. These fees are set by the credit card companies, so each company might have a slightly different fee. The fees also vary depending on the purchase, so for example, a credit charge made at a grocery store will come with a different interchange fee than one made for a plane ticket. 

These fees are calculated based on the losses companies suffer to credit fraud and credit card authorization costs. The rates can change annually or semi-annually. Simply put, the more expensive a card is for the credit company to maintain it, like with rewards options and cash-back offers and so on, the more expensive the interchange fee is. 

Altogether…

If the interchange rate is 2% on a $100 transaction, the fee on that transaction is $2.00. The processor pays that $2 fee to the bank that issued the credit card. The processor recovers from this cost by charging the merchant a fee. The merchant ends up with $98. So, you can look at this as just one “transaction fee” when you consider all of the moving parts as a loop.

Now, we’ll cover recurring fees, which is where these players in the transaction process make their profits.

Recurring fees

Credit card associations also make a profit off of businesses, in addition to having their expenses covered by transaction fees. These are not required fees to accept payments via credit card (like transaction fees). Instead, they are fees that appear for various other reasons, which we’ll detail here so that you can be aware of what charges are occurring on your monthly statement.

Monthly minimum fee

Monthly minimum fees are charged by the merchant services provider if the number of transactions within a month doesn’t meet their monthly minimum thresholds. It is essentially the minimum amount that you’ll pay for processing transactions. If this amount is exceeded, you won’t be charged. If you don’t reach this minimum, your provider will charge you the difference between your processing fees and this minimum amount.

Batch fee

Depending on the payment processor you use, you might be charged for sending batches of credit card transactions. These are also known as settlement fees, daily closeout fees, and batch capture fees. The alternative is paying to process each payment individually, so in the long run, this is typically a more affordable option. If this is a fee you’re faced with, there should only be one batch fee per daily batch sent.

Monthly or annual fee

Annual and monthly fees are different from the monthly minimum fee. Rather than needing to pay for the number of transactions you process, this fee covers the payment processing services. Some are charged on a monthly basis and others come annually. The fee and its regularity depend on the payment processing service you enlist for your business needs.

Credit card processing chargebacks and risk holds

Nobody wants to have to face an unexpected financial issue, especially if it means that your small business loses money as a result. As frustrating and nerve-wracking as fraudulent transactions can be for the cardholder, it can be even more dangerous for a small business to deal with the cost. We’ll explain chargebacks and risk holds to you here, so you’re prepared for any potential fraud or risks that occur in your transactions.

Chargebacks

A chargeback was created as a security measure to protect cardholders whose cards have been stolen or otherwise fraudulently used. If a cardholder disputes a charge made on their account, their bank will issue a reversal of funds, and often this means that your business will have to pay the chargeback. It’s a challenging position to be in as a small business and have to pay the money back that you spent your time and resources earning, so here are some things to keep in mind to avoid chargebacks, or at least high penalties, as much as possible.

First, you can protect your business by using a payment processor that is PCI compliant and highly secure. If your business provides a service rather than a product, it’s smart to have a contract prepared that details where your customer’s money is going. 

Along these lines, it’s good practice to always provide excellent customer service and make sure your customers are aware that any issues can be resolved in-house before taking them to the bank.

And within the business, if you have an EMV (chip) reader and are EMV compliant, the chargeback liability falls on the cardholder. Otherwise, you’ll be the one responsible. On top of this, ensure that your employees are versed in security measures and how to spot fraudulent activity.

Holds

A risk hold makes sure that transactions aren’t fraudulent. When you set up your merchant services, you’ll figure out an approved limit that can be spent on your goods or services in one transaction. Then, if any purchase exceeds this limit, a risk hold will be placed so that the funds from the transaction won’t go through until documentation is provided to prove it’s valid.

To prevent a risk hold from being incorrectly placed, it’s important to be as accurate as possible when setting your limits. If a risk hold is placed incorrectly, once the transaction is validated, you’ll have a chance to correct that approved limit to ensure the ordeal doesn’t happen again. 
 
Overall, credit card processing is a tricky, complicated, dry matter to wrap your head around. But after learning the basics, we hope that you feel confident in accepting credit card payments at your small business.

Ready to get started processing credit cards in your business? 

Heartland is the point of sale, payments and payroll solution of choice for entrepreneurs that need human-centered technology to sell more, keep customers coming back and spend less time in the back office. Nearly 1,000,000 businesses trust us to guide them through market changes and technology challenges, so they can stay competitive and focus on building remarkable businesses instead of managing the daily grind. Learn more at heartland.us.