How credit card processing works
What is payment processing?
Payment processing is the series of steps that occur between your point of sale and the money deposited into your bank account. Types of payments include:- Cash
- Debit card
- Credit card
- Check/electronic check
- Gift card
All of these methods have various steps involved in their respective payment processes. Here, we’ll focus on credit card processing specifically.
What is credit card processing?
Credit card processing is how purchases on credit cards are approved and completed. The process has multiple steps because, unlike cash, a credit card must be verified by several organizations before it can be used. With cash transactions, no action is required to ensure it is a valid payment. Credit cards are more complicated because credit is borrowed money, and credit card users are limited in how much spending they can do with their cards. There are several actors involved in the process.
Who is involved in credit card processing?
For a customer to obtain a credit card, a few steps and qualifications are involved. Credit is money borrowed from a lender, typically an issuing bank. So, whenever the credit card is used, it must go through a few actors to be approved. Here, we will describe each of these actors and their role in the transaction. It is important to understand each of these actors to know where the fees involved in credit card processing come from and why they vary. These actors are:
- Cardholder
- Merchant
- Acquiring bank
- Card association
- Card issuer
- Payment processor
Customer/Cardholder
Merchant
Acquiring bank
Card association
- Visa
- Mastercard
- American Express
- Discover
- China UnionPay
- JCB
Card issuer/bank
The card issuer is the customer’s bank. This is where the transaction can be ultimately approved or denied. A transaction can be denied if the customer has insufficient funds or an overdue balance, for example. If the card transaction is approved, the money earned in the sale will come from this bank and go to the acquiring bank.
Payment processor
All of these transactions occur through the payment processor, a vendor that handles payment information and takes it to each of these steps for authorization, authentication, settlement, and funding. The payment processor is a tool that works in the background to make sure the payment information gets to each place it needs to be along the process.
How does credit card payment processing work?
The payment process is a ping-pong of transactions through each of the actors.
Step 1: Authorization
- The customer uses their credit card to purchase from the merchant.
- The payment processor takes the credit card information and sends it to the acquiring bank.
- The acquiring bank forwards this information to the card association for the credit card used in the sale.
- If the card is valid, the card association will approve the payment and request authorization from the card issuer (the bank). The information passed along in this request includes:
Step 2: Authentication
In this stage, the card issuer runs the payment information and, using fraud protection tools, verifies that the card is valid and not being used fraudulently. There are a few different types of fraud checks, but in this stage, it is done by checking that the security code and billing address provided with the card are correct.
- The card issuer receives the authorization request from the card association.
- The card issuer checks for adequate funds, accurate billing address, and security code.
- Depending on these details, the card issuer can approve or decline the transaction. This decision is sent back to the merchant in the opposite order from which the request came: from card issuer to card association to acquiring bank to merchant POS system.
- Once the authorization is received, the card issuer places a hold for the amount of money spent on the cardholder’s bank account.
- The merchant provides the cardholder with a receipt or proof of purchase for their transaction.
- The POS system holding the day’s purchases will collect all the payment information and send it in a batch to be authenticated.
Step 3: Settlement/Funding
The settlement stage is where the funds are finally transferred to the merchant’s acquiring bank with an interchange fee. Funding is the final stage that occurs when the funds eventually land in the merchant’s bank account. We will cover the fees later on, but here are the steps in which this settlement takes place:
- The merchant sends all approved authorizations to the acquiring bank via the payment processor.
- The acquiring bank sends this information to the card association(s) involved.
- Each approved transaction is sent to their corresponding card issuer, who can approve or deny the payment.
- The approval and denial statuses are sent back to each recipient in the chain and ultimately the merchant.
- Merchants send their batches of authorized (approved) transactions through their payment processor down the chain.
- Card associations then communicate the necessary fees to the banks.
- The card issuer charges the cardholder’s bank account for the transaction amount.
- Finally, after a couple of business days, the card issuer transfers those funds to the merchant bank, which deposits the funds into the merchant’s business bank account.
Is special equipment needed to process credit cards?
A merchant account
Payment processor/credit card processing company
POS system
It’s possible to get all-in-one
How long does credit card processing take?
Fraud checks
Another example of this is if the card is used in a different state, the card issuer may decline card use for suspected fraud. A delayed fraud check occurs during the transaction period after the sale has been made and can account for some of the time between the point of sale and the funds being received by the merchant bank.
Batching
Are credit card payment processing systems secure?
EMV
To keep your customers’ data secure, you should invest in an EMV reader or ensure that the POS system you are investing in has this. This way, you can prevent fraud on your merchant account, ensure customer security, and avoid expensive liability issues.
PCI
If someone comes into your small business and spends a large amount of money on a fraudulent card, you will be forced to pay that money back to the issuer, which can be a big hit for your company. Instead of losing valuable time and revenue, follow this compliance and protect yourself and your customers. Your merchant service should be PCI compliant, meaning they follow these 12 requirements:
Build and protect a secure network
- Install and maintain a firewall to protect your cardholder data
- Avoid vendor-supplied defaults for passwords or security questions.
Next, when it comes to the servers, applications, and any other operating systems you use, many will come with username and password default options. Merchants and credit card processors who are PCI compliant will make a customized system to keep their passwords and private information secure.
Protect cardholder data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
This data will be encrypted, rendering it unreadable to outsiders (like hackers), but leave some information so that it is still identifiable for your reference. An example of this is having the last 4 digits of a card number on an order form, but hiding the rest.
The same thing is done with data used in open or public networks, so if your customer makes an online purchase, their information is protected similarly.
Manage system protections
- Protect all systems against malware and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
Create strong access-controls
- Restrict access to cardholder data on a need to know basis.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
To do this, you can assign unique IDs to each person who logs into a POS system or computer with this stored information. That way, if there is a leak or security breach of some kind, the activity can be traced back to someone.
The last requirement requires cameras to monitor any physical areas that may store personal data. So, in addition to protections on your operating systems and so on, as a small business owner you should be aware of where you’re keeping confidential data and make sure these areas are appropriately protected.
Monitor and test networks regularly
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
Lastly, maintain an information security policy
Maintain a policy that addresses information security for all personnel. The final requirement requests that you perform annual security training with all employees to cover:
- Security policies
- Risk assessments regarding critical assets, threats, vulnerabilities
- User awareness training
- Employee background checks
- Incident management
PCI compliance is a hefty and important security measure to follow. It is a complex standard, but following it and using systems/software that are compliant will ensure that your small business is in the best, safest hands possible–especially when managing customer credit card information.
Credit card processing fees and costs
Now that we’ve covered security, credit card payment processing, and the basics of what precisely this processing is and why it’s important, we can dive into the costs. There are a handful of different types of fees that you should be aware of as you begin to accept credit card payments. Some of them are connected to each transaction, and some depend on the type of card you run. We will cover transaction fees such as:
- Merchant discount rates
- Interchange fees
- Assessments
As well as recurring fees including:
- Monthly minimum fees
- Statement fees
- Batch fees
- Monthly/annual fees
Transaction fees
Transaction fees are charged with each of your transactions, as the name suggests. These fees are taken to pay card associations in exchange for their service. So, these fees are mandatory to accept credit cards. You can’t take a credit card as payment without paying these fees with each swipe, tap, or manual entry. These are calculated generally in two ways:
- By percentage: a certain rate, which can be anywhere between 1-3% of the transaction, is charged to the merchant account
- By fixed amount: the provider charges a set amount per transaction regardless of how much money is spent
There is not just one cut-and-dry transaction fee, however. There are merchant discount rates and interchange fees, which are similar, but they differ in who receives these fees. It’s important to understand this difference to see where your money is going after each credit card transaction is completed.
Merchant discount rates
Interchange fees
These fees are calculated based on the losses companies suffer to credit fraud and credit card authorization costs. The rates can change annually or semi-annually. Simply put, the more expensive a card is for the credit company to maintain it, like with rewards options and cash-back offers and so on, the more expensive the interchange fee is.
Altogether…
Now, we’ll cover recurring fees, which is where these players in the transaction process make their profits.
Recurring fees
Monthly minimum fee
Batch fee
Monthly or annual fee
Credit card processing chargebacks and risk holds
Chargebacks
First, you can protect your business by using a payment processor that is PCI compliant and highly secure. If your business provides a service rather than a product, it’s smart to have a contract prepared that details where your customer’s money is going.
Along these lines, it’s good practice to always provide excellent customer service and make sure your customers are aware that any issues can be resolved in-house before taking them to the bank.
And within the business, if you have an EMV (chip) reader and are EMV compliant, the chargeback liability falls on the cardholder. Otherwise, you’ll be the one responsible. On top of this, ensure that your employees are versed in security measures and how to spot fraudulent activity.
Holds
To prevent a risk hold from being incorrectly placed, it’s important to be as accurate as possible when setting your limits. If a risk hold is placed incorrectly, once the transaction is validated, you’ll have a chance to correct that approved limit to ensure the ordeal doesn’t happen again.
Ready to get started processing credit cards in your business?
Heartland is the point of sale, payments and payroll solution of choice for entrepreneurs that need human-centered technology to sell more, keep customers coming back and spend less time in the back office. Nearly 1,000,000 businesses trust us to guide them through market changes and technology challenges, so they can stay competitive and focus on building remarkable businesses instead of managing the daily grind. Learn more at heartland.us.