Payment is a vast domain. To design a payment gateway, one must understand the business and the terms (jargon) behind it. I strongly feel that before designing any system, one should understand the problems it is trying to solve. In this article, I am going to explain the traditional credit card transaction lifecycle, entities, security, and the protocols involved during the transaction lifecycle.
The primary entities involved in the card transaction lifecycle are as follows:
Customer
Merchant
Customer's Bank (Issuer Bank)
Merchant's Bank (Acquiring Bank)
Card Scheme/Network
Customer:
A customer is someone who has a bank account and a credit/debit card that he or she uses to exchange items with a merchant.
Merchant:
A merchant runs a business that sells goods to customers and receives money from them for the purchased goods. The merchant holds an account with a bank and uses that bank (processor) to accept card payments.
Issuer/Issuing Bank (Customer's bank):
Only banks or financial institutions can issue credit or debit cards to customers, which is why it is called an "issuer bank": it issues the cards to customers. When a customer swipes the card at the merchant POS (Point of Sale), the transaction is routed through a secure card network (e.g., Visanet) to the issuer bank, and the issuer bank can either approve or decline the transaction depending upon the customer. The acquirer bank (the merchant's bank) settles the money with the issuer after the transaction completes (clearing and settlement process).
Acquirer Bank (Merchant's bank):
An acquirer bank is just like any other bank or financial institution. It helps merchants to accept card payments and is also called a processor (it processes the merchant's transaction requests). Acquirer banks also provide POS terminals to accept card payments. The acquiring bank maintains the transaction acquiring infrastructure as well.
Card Scheme/Network:
A card scheme or network is a central payment network that can accept debit or credit cards to process payments (e.g., Visanet). Visa, Mastercard, American Express, and UnionPay are big players in the card scheme business. Banks and other official financial institutions apply for membership in the scheme to issue credit or debit cards to customers. The Payment Card Industry Data Security Standard (PCI DSS) sets out 12 requirements for those handling cardholder data, to ensure the security of the customer's card data. In simple words, a scheme is like a network that connects issuers and acquirers.
A credit card transaction process goes through multiple phases (legs):
Authorization
Clearing and settlement
Chargeback (Dispute case)
1. Authorization:
The first stage in a transaction's life cycle
The customer swipes the credit card that he got from a bank (Issuer Bank) at the merchant POS terminal for goods or services.
The merchant POS takes the request and sends the transaction details to the merchant's bank (acquirer bank, aka processor) in a dedicated message format, ISO8583.
The acquirer bank receives this request, does some security validation, and sends it to the issuer bank via Card Network (Scheme). The Card Network acts like a router and a registry server; it maintains all the information of issuer and acquirer banks and sends the authorization request to the issuer bank.
The issuer bank approves or declines the transaction request depending upon multiple factors (is the card valid? Does the customer have enough credit?). In the event of approval, the issuer bank puts the funds on hold (Authorization Hold).
The issuer bank sends back the successful authorization code response to the acquirer bank (Processor).
The issuer bank uses the card network to send the authorization code response to the acquiring bank over a TCP/IP connection in the ISO8583 message format. Newer payment protocols are JSON/XML APIs over HTTP.
This whole process is called authorization. At this point the merchant has technically not received any funds for the goods or services provided and has to wait for the clearing and settlement process, which happens at regular intervals during the day.
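To make the authorization leg concrete, here is an added example (not code from this article or from any card scheme) of the request/response exchange in a simplified, ASCII-encoded ISO8583 subset. The field selection, the test card number, the authorization code and the `account` structure are assumptions made for illustration; real deployments follow the scheme's own message specification.

```python
# Added example: ASCII-encoded ISO 8583 subset (hex bitmap); all values constructed.
# field -> (LLVAR?, length): 2 PAN, 3 processing code, 4 amount (minor units),
# 11 trace number, 38 authorization code, 39 response code
FIELDS = {2: (True, 19), 3: (False, 6), 4: (False, 12),
          11: (False, 6), 38: (False, 6), 39: (False, 2)}

def pack(mti, fields):
    bitmap, body = 0, ""
    for num in sorted(fields):
        variable, size = FIELDS[num]
        value = fields[num]
        if len(value) > size or (not variable and len(value) != size):
            raise ValueError(f"field {num}: bad length")
        bitmap |= 1 << (64 - num)          # bit 1 is the most significant bit
        body += (f"{len(value):02d}" if variable else "") + value
    return f"{mti}{bitmap:016X}{body}"

def unpack(msg):
    mti, bitmap, pos, fields = msg[:4], int(msg[4:20], 16), 20, {}
    for num in range(2, 65):
        if not bitmap & (1 << (64 - num)):
            continue
        if num not in FIELDS:
            raise ValueError(f"unsupported field {num}")
        variable, size = FIELDS[num]
        if variable:                       # two-digit length prefix
            declared = int(msg[pos:pos + 2])
            if declared > size:
                raise ValueError(f"field {num}: length exceeds maximum")
            size, pos = declared, pos + 2
        if pos + size > len(msg):
            raise ValueError(f"field {num}: truncated message")
        fields[num], pos = msg[pos:pos + size], pos + size
    if pos != len(msg):
        raise ValueError("trailing bytes after last field")
    return mti, fields

def issuer_authorize(request, account):
    """Issuer side: answer a 0100 request with a 0110 response."""
    mti, f = unpack(request)
    if mti != "0100":
        raise ValueError("not an authorization request")
    amount = int(f[4])
    approved = amount <= account["limit"] - account["held"]
    reply = {2: f[2], 3: f[3], 4: f[4], 11: f[11], 39: "00" if approved else "51"}
    if approved:
        account["held"] += amount          # authorization hold, no money moves yet
        reply[38] = "A1B2C3"               # constructed authorization code
    return pack("0110", reply)
```

The decoder rejects unknown fields, oversized length prefixes and truncated messages instead of guessing, which is the kind of validation a party in the chain should apply before forwarding a request.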
2. Clearing and settlement:
When will the merchant get the money for the goods he/she has provided to the customer?
Merchants collect all of the day's authorized transactions in a batch file using the merchant POS terminal and send it to the merchant's (acquirer) bank at the end of the day. Merchants with very large transaction volumes can send multiple files instead of one big file.
The acquirer bank (processor) compares the transactions submitted by merchants against its own transaction list (reconciliation) and checks for discrepancies. For all the clean transactions, the acquirer credits the amount to the merchant account for T-1 transactions if the clearing cycle is T+1, where T = Today.
The card network (scheme) receives all the clearing files from different merchants, sorts them, and sends them to the respective issuing banks. Schemes compute the interchange fee and currency conversion (FX) charges, if applicable, and send one final amount for each transaction in the clearing file to the issuer.
The issuer bank also does reconciliation with their authorized transactions and releases the funds to the acquirer bank.
Let us take a look at different schemes and their clearing system
3. Chargeback (Dispute case):
Chargeback is a consumer protection tool that allows consumers to get their money back for fraudulent transactions by submitting a complaint (dispute) to the respective issuer bank (customer's bank). A chargeback is different from a refund: a refund means asking the merchant to return the money for a defective item, and if the merchant agrees, the merchant refunds it. A chargeback case arises when the merchant does not accept your request for a refund. For more info, refer to cnbc.com/select/what-is-a-chargeback/
Before ending this topic 👋, I would like to talk about the questions below, which you might have in mind:
What is reconciliation and why is it important?
What message format is used to exchange the messages?
How is the Issuer/Acquirer bank able to connect to the Card Network?
What is reconciliation and why is it important?
Reconciliation, in simple terms, means comparing your account balance for the day with the payment gateway's transaction report to check income and expenses. With the growth of online commerce, it is very tough to check daily transactions coming from different sources, so maintaining separate software for reconciliation makes the job easier for the pay-in and pay-out flows.
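The reconciliation described here, and the acquirer's check of the merchant batch file in the clearing step, can be sketched as follows. This is an added example, not code from the article or from any payment product; the CSV layout, the authorization codes and the bucket names are assumptions made for illustration.

```python
# Added example: acquirer-side reconciliation of a merchant batch file against
# the acquirer's own authorization records. All records are constructed.
import csv
import io
from decimal import Decimal

def reconcile(batch_csv, authorized):
    """authorized: {auth_code: Decimal amount} taken from the acquirer's records."""
    result = {"clean": [], "amount_mismatch": [], "not_authorized": [],
              "duplicate": [], "not_submitted": []}
    seen = set()
    for row in csv.DictReader(io.StringIO(batch_csv)):
        code, amount = row["auth_code"], Decimal(row["amount"])
        if code in seen:                      # same authorization submitted twice
            result["duplicate"].append(code)
        elif code not in authorized:          # merchant claims an unknown approval
            result["not_authorized"].append(code)
        elif authorized[code] != amount:      # amount differs from what was approved
            result["amount_mismatch"].append(code)
        else:
            result["clean"].append(code)
        seen.add(code)
    # Approved at authorization time but missing from the batch file.
    result["not_submitted"] = sorted(set(authorized) - seen)
    return result

def payout(result, authorized):
    """Only clean transactions are credited to the merchant account."""
    return sum((authorized[c] for c in result["clean"]), Decimal("0"))

BATCH = """auth_code,amount
A1B2C3,12.50
D4E5F6,99.00
A1B2C3,12.50
ZZZZZZ,5.00
G7H8I9,40.00
"""
AUTHORIZED = {"A1B2C3": Decimal("12.50"), "D4E5F6": Decimal("90.00"),
              "G7H8I9": Decimal("40.00"), "J0K1L2": Decimal("7.25")}
```

Amounts are held as `Decimal` rather than floats so that equality checks on money are exact, and every non-clean bucket is a discrepancy to investigate before any funds are credited.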
What message format is used to exchange the messages?
All the request messages are exchanged between these systems in ISO8583 format and sent over a TCP/IP socket. Recent payment protocols use JSON/XML over HTTP.
How is the Issuer/Acquirer bank able to talk to the Card Network?
Mastercard and Visa provide hardware/software called the Mastercard Interface Processor and the Visa Access Network, respectively, which handles communication with the bank networks (issuer/acquirer). It is installed in the bank's datacentre, much like a sidecar, and uses a TCP/IP socket connection for the communication between the two networks.
Note: In this article, we discussed the payment transaction lifecycle of a credit card, but the lifecycle looks more or less similar for other payment modes.
Thanks bhai for the blog and special thanks for references