6 June 2018

by Lisa SMITH, Account Manager AURES UK

Have you ever wondered how card payments are processed at point of sale? Have you ever paused to think about how the interaction between your EPOS system and the Chip and PIN device works, how authorisations are managed, and what information is shared between the systems?

Or have you ever lain awake at night worrying about how you can be sure whether your payment system is PCI DSS-compliant?

Whether it’s to satisfy your curiosity or to ease your concerns, hopefully this blog will answer some of the main questions you have.

First of all, it is worth stating that the card payment process is fairly complex, so you’d be forgiven for not being completely au fait with all the ins and outs. It involves a number of different parties in every transaction, some weighty security protocols, and a good helping of digital tech magic.

Which, luckily for all of us, ensures the whole process runs automatically and glitch-free. Most of the time.

The parties involved

There are five participants involved in every card transaction, as follows:

  • The cardholder making the purchase.
  • The merchant selling the goods or services being bought.
  • The acquirer, a third party service provider who processes card payments on behalf of the merchant. The acquirer usually provides the Chip & PIN device, and is responsible for arranging the transaction’s authorisation, settlement and transfer of funds.
  • The card scheme, the organisation which provides the credit or debit service according to specified card scheme rules. Visa, MasterCard and American Express are all examples of card scheme operators.
  • The issuer, the bank or building society which provides the card to the cardholder, and is responsible for releasing funds once a purchase is authorised.

Some card scheme operators, for example American Express, also act as acquirers and issuers, requiring both cardholder and merchants to have a direct relationship with them.

The card payment cycle

The easiest way to understand the card payment process is as a 10-step cycle which starts with the cardholder presenting a card and ends with them receiving a receipt to say the transaction has been completed. It looks something like this:

  1. The customer indicates that they wish to pay by card at point of sale.
  2. The merchant initiates the payment process on the Chip & PIN device, which includes inputting how much is due to be paid.
  3. The customer inserts their card, or presents it for contactless payment.
  4. Information about the transaction, including the amount owed, is sent to the acquirer.
  5. The acquirer issues an authorisation request to the card scheme.
  6. The authorisation request is forwarded to the card issuer.
  7. The decision to accept or decline the authorisation request is sent back from the cardholder’s bank to the card scheme.
  8. The card scheme forwards this decision to the acquirer.
  9. The acquirer passes it on to the merchant.
  10. If the payment has been accepted by the cardholder’s bank, the merchant completes the transaction and prints a receipt for the customer.

The role of EPOS

In practice, so many of these steps are automated nowadays that they all seem to blend seamlessly into one another. We all know from experience that the whole process from presenting our card (step 3) to payment being authorised and the transaction being completed takes mere seconds. Nonetheless, this is the process every card transaction goes through.

Modern EPOS systems also mean most cycles are automated from step 2 onwards. Once the merchant has scanned or input items / prices and the customer says they want to pay by card, the merchant simply selects card payment on their EPOS screen and lets technology do the rest.

The EPOS will communicate with the Chip & PIN device to send it the total owed and initiate the process. Similarly, the Chip & PIN device will tell the EPOS system the outcome of the transaction so the back office system can be updated.

If you are wondering about PCI DSS compliance in all of this – the international regulatory standard which governs security of card transactions – then that is all automated within the system, too.

All payment details, i.e. the cardholder’s account numbers, card numbers, PINs and name, are encrypted at the Chip & PIN device. Only the card issuer – the customer’s bank or building society – has access to the encryption key to validate these details. All other parties simply pass on requests, apart from when the acquirer arranges transfer of funds to their client, the merchant.

But the principle is, no one sees the private card details of the customer apart from their own bank or building society.

Similarly, no payment details are communicated to the EPOS system.
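To make the 10-step cycle and the EPOS/terminal boundary concrete, here is a small Python model added for this article (it is not AURES code, nor real EMV, ISO 8583 or PCI P2PE software). Each party is a step that receives a message, records which field names it handled in the clear, and forwards what the next party needs. The card details, key, merchant and transaction identifiers are all constructed sample values, and the "sealing" is a toy keystream cipher standing in for whatever a real Chip & PIN device uses; the point it shows is which parties ever hold cardholder data in the clear and that the EPOS only ever exchanges an amount and an outcome with the terminal.

```python
"""Toy model of the ten-step card payment cycle (added illustration, not real payment code)."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, Set

# Field names that count as cardholder data for the scope check below.
CARDHOLDER_DATA = {"pan", "expiry", "pin", "cardholder_name"}


@dataclass
class AuditLog:
    """Records, per party, every field name that party handled in the clear."""
    seen: Dict[str, Set[str]] = field(default_factory=dict)

    def record(self, party: str, message: dict) -> None:
        self.seen.setdefault(party, set()).update(message.keys())

    def parties_that_saw(self, fields: Set[str]) -> Set[str]:
        return {p for p, names in self.seen.items() if names & fields}


def toy_seal(data: bytes, key: bytes) -> bytes:
    """Constructed XOR keystream cipher (NOT a real cipher, for illustration only).
    Keystream block i = SHA-256(key || i); symmetric, so the same call unseals."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(d ^ k for d, k in zip(data, stream))


def run_transaction(amount_pence: int, available_pence: int, log: AuditLog) -> dict:
    """Walk one card payment through the five parties and return the EPOS outcome."""
    # Constructed sample data: the key is held only by the issuer in this model.
    issuer_key = b"issuer-only-key (constructed)"
    card = {"pan": "4111111111111111", "expiry": "12/29", "pin": "1234",
            "cardholder_name": "A CARDHOLDER"}

    # Steps 1-2: the EPOS hands the terminal only what it needs: the amount due.
    epos_to_ped = {"txn_id": "T0001", "amount_pence": amount_pence, "currency": "GBP"}
    log.record("epos", epos_to_ped)

    # Step 3: the card is read inside the Chip & PIN device and sealed there.
    log.record("ped", card)
    blob = toy_seal(json.dumps(card, sort_keys=True).encode(), issuer_key)
    ped_to_acquirer = {**epos_to_ped, "merchant_id": "M-0001", "sealed_card": blob.hex()}

    # Steps 4-6: acquirer and scheme forward the request without opening it.
    log.record("acquirer", ped_to_acquirer)
    log.record("scheme", ped_to_acquirer)

    # Steps 6-7: only the issuer can unseal the card details and decide.
    opened = toy_seal(bytes.fromhex(ped_to_acquirer["sealed_card"]), issuer_key)
    card_at_issuer = json.loads(opened.decode())
    log.record("issuer", card_at_issuer)
    decision = "APPROVED" if amount_pence <= available_pence else "DECLINED"
    issuer_reply = {"txn_id": ped_to_acquirer["txn_id"], "decision": decision}

    # Steps 7-9: the decision travels back scheme -> acquirer -> terminal -> EPOS.
    for party in ("scheme", "acquirer", "ped", "epos"):
        log.record(party, issuer_reply)

    # Step 10: the EPOS completes the sale and produces the receipt.
    return {"txn_id": issuer_reply["txn_id"], "amount_pence": amount_pence,
            "decision": decision, "receipt_printed": decision == "APPROVED"}


def cardholder_data_exposure(log: AuditLog) -> Set[str]:
    """Which parties handled any cardholder-data field in the clear."""
    return log.parties_that_saw(CARDHOLDER_DATA)


if __name__ == "__main__":
    audit = AuditLog()
    print(run_transaction(1250, 5000, audit))
    print("parties holding cardholder data in the clear:", sorted(cardholder_data_exposure(audit)))
    print("fields the EPOS ever handled:", sorted(audit.seen["epos"]))
```

Running the block prints an approved sale, shows that only the terminal and the issuer ever handle card data in the clear, and lists the EPOS fields as nothing more than the transaction id, amount, currency and decision; the same audit approach is a useful way to reason about which components of a real installation fall inside PCI DSS scope.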