6 June 2018

Have you ever wondered how card payments are processed at the point of sale? Have you ever paused to think about how the interaction between your POS system and the Chip and PIN device works, how authorizations are managed, and what information is shared between the systems?

Have you ever laid awake at night worrying about whether your payment system is PCI DSS-compliant? Whether it’s to satisfy your curiosity or to ease your concerns, hopefully this blog will answer some of the main questions you have.

First of all, it is worth stating that the card payment process is complex, so you’d be forgiven for not being completely au fait with all the ins and outs. It involves a number of different parties in every transaction, some weighty security protocols, and a good helping of digital tech magic.

Which, luckily for all of us, ensures the whole process runs automatically and glitch-free, most of the time.

The parties involved

There are five participants involved in every card transaction:

  • The cardholder making the purchase
  • The merchant selling the goods or services
  • The acquirer, a third party service provider who processes card payments on behalf of the merchant. The acquirer usually provides the Chip & PIN device, and is responsible for the transaction’s authorization, settlement and transfer of funds.
  • The card scheme, the organization which provides the credit or debit service according to specified card scheme rules. Visa, MasterCard and American Express are all examples of card scheme operators.
  • The issuer, the bank or building society which provides the card to the cardholder, and is responsible for releasing funds once a purchase is authorised.

Some card scheme operators, for example American Express, also act as acquirers and issuers, requiring both cardholder and merchants to have a direct relationship with them.

The card payment cycle

The easiest way to understand the card payment process is to outline a 10-step cycle which starts with the cardholder presenting a card and ends with them receiving a receipt confirming the transaction has been completed. It looks something like this:

  • 1. The customer indicates that they wish to pay by card at point of sale.
  • 2. The merchant initiates the payment process on the Chip & PIN device, which includes inputting how much is due to be paid.
  • 3. The customer inserts their card, or presents it for contactless payment.
  • 4. Information about the transaction, including the amount owed, is sent to the acquirer.
  • 5. The acquirer issues an authorization request to the card scheme.
  • 6. The authorization request is forwarded to the card issuer.
  • 7. The decision to accept or decline the authorization request is sent back from the cardholder’s bank to the card scheme.
  • 8. The card scheme forwards this decision to the acquirer.
  • 9. The acquirer passes it on to the merchant.
  • 10. If the payment has been accepted by the cardholder’s bank, the merchant completes the transaction and prints a receipt for the customer.

The role of POS equipment

In practice, so many of these steps are automated that they seem to blend seamlessly into one another. We all know from experience that the whole process from presenting our card (step 3) to payment being authorized and the transaction being completed takes mere seconds. Nonetheless, this is the process every card transaction goes through.

Modern POS systems also mean most cycles are automated from step 2 onwards. Once the merchant has scanned item prices and the customer says they want to pay by card, the merchant simply selects card payment on their POS screen and lets technology do the rest.

The POS will communicate with the Chip and PIN device to send it the total owed and initiate the process. Similarly, the Chip & Pin device will tell the POS system the outcome of the transaction so the back office system can be updated.

If you are wondering about PCI DSS compliance (the international regulatory standard which governs security of card transactions), that is all automated within the system, too.

All payment details, i.e. the cardholder’s account numbers, card numbers, PINs and name, are encrypted at the Chip & Pin device. Only the card issuer – the customer’s bank – has access to the encryption key to validate these details. All other parties simply pass on requests, apart from when the acquirer arranges transfer of funds to their client, the merchant.

But the principle is, no one sees the private card details of the customer apart from their own bank. Similarly, no data about the payment details are communicated with the POS equipment.