On today’s online platforms, we face an extensive choice of (digital) payment methods, some of them fairly non-traditional (like blockchain-based payments), some having been around for a while (like credit card, direct debit, vouchers and gift codes). In some countries, payment methods that bridge the online and offline spheres of web shopping remain popular, too, such as cash-on-delivery. In others, BNPL and e-wallet-based payment flows are popular. This article will take a deep look into one specific form of online payment, though:
Card-Based Online Payments
These include all manners of payment cards such as Credit Cards, Debit Cards and Prepaid Cards. They may exist in purely digital form or have a physical equivalent. In any case, local banks issue the cards and they operate on the rails of international or domestic Payment Card Schemes.
In the following paragraphs, we will focus on credit card-based payment systems, presenting their basic flows and involved parties (like issuer, acquirer and so on). This article will examine in detail:
- What parties are involved in a typical online card-based payment transaction
- What’s behind various technical payment terms
- How a Three-Party and a Four-Party Card Model differ
- How typical online payment processes and chargebacks proceed
And go!
The Parties of Online Payment Processes: A Glossary
Understanding a payment process means understanding the relationships between all involved agents, technical facilitators and institutions. For card-based payments in e-commerce, those relationships will present themselves as so:
A customer, the Cardholder, closes a business relationship with a Merchant when buying goods or services from them. To collect the successive payment, the Merchant needs the customer’s card data. This data is passed on to the Merchant’s Payment Service Provider or Acquirer. They then send a request to the Cardholder’s Issuer through the Card Payment Network (Visa, Mastercard, etc.), the primary channel of data exchange between Acquirer and Issuer. Once the Issuer approves the transaction, the Merchant sends out the goods, while the Issuing Bank transfers the requested amount to the Merchant’s Payment Service Provider or Acquirer. In turn, the Payment Service Provider/Acquirer settles the amount against the Merchant’s banking account, after deducting the corresponding transaction fees.
A fair amount of payment lingo, right? Now keep in mind that many of those concepts go by differing terms that are used synonymously. Instead of Payment Service Provider, you might read Payment Processor, for example. A Card Scheme Network sometimes appears as a Licensor. And a Cardholder is, of course, a Customer, too.
Below, we go over each one of the mentioned parties in greater detail and try to include a few common alternate labels for each one. We cannot guarantee this list will be exhaustive, but it will provide a good overview of the topic.
Cardholder
Alternate labels: Customer, Client, Consumer, User, Buyer, Payer
A Cardholder is a person, who uses a credit card, debit card or the like to carry out a financial transaction. A Cardholder does not have to own the card privately – corporate credit cards exist. Any user has to be authorized to use the card, which is ensured by the financial institution (the Issuer) issuing it to a person – the private card owner or, in the case of corporate cards, the employee.
Merchant
Alternate labels: Acceptor, Retailer, Seller, Payee
The Merchant represents the other side of a payment transaction: The party which provides goods, services or information for the Cardholder to purchase. To accept the payment by a Cardholder, the Merchant must have a business relationship plus a designated Merchant Account with a Payment Service Provider or Acquirer.
Acquirer
Alternate labels: Acquiring Bank, Merchant Acquirer
Acquirers are financial institutions that enable Merchants to accept card payments via a specific Card Payment Network they are connected with. In most cases, the Acquirer role falls to a bank, but other financial institutions can also act as Acquirers.
The Acquirer is always linked to an Acquiring Bank, which manages and holds the bank account and funds of a Merchant. Acquiring Banks are responsible for the legal and commercial side of payment. That means they have to be aware of the potential risks of a relationship with a specific Merchant. Thus, KYB processes during onboarding and continuous transaction monitoring are a cornerstone of Acquirer client management.
Merchants and Acquiring Banks form a business relationship: The Acquiring Bank typically charges the Merchant with an agreed fee taken from the total transaction amount. This amount typically consists of a service fee for the Acquirer (i.e. for a Merchant Account, see below), an interchange fee for the issuer and a Card Scheme fee. Fee models may vary due to the choice of Acquirer – some demand fixed percentages, others offer volume-based rates, etc.
Also, all Acquirers have to be PCI DSS-compliant.
Merchant Account
Alternate labels: –
Merchant Accounts are stopovers for the money a Merchant receives from the Issuer before settlement. A Merchant Account’s purpose is to gather all such card payments before distributing the revenue (minus fees) to the Merchant’s regular bank accounts. This often happens in batches at specific settlement dates and fairly quickly (a few days up to a week after the payment has been triggered, depending on the accounting model).
Each Merchant Account comes with a special Merchant ID (MID). This ID is passed along with the payment information of the Cardholder to match and validate transactions during reconciliation.
Having an individual Merchant Account places the responsibility for handling chargebacks in the hand of the Merchant. If the merchant accepts the chargeback initiated by the customer, the money can move back through the same payment channel it came from. If the merchant considers the chargeback to be clearly unfounded, he can decline a chargeback and start a so-called representment. Many Acquirers set aside some of the Merchant’s funds in a security deposit – a lifeline, should the Merchant face customer backlash and chargeback requests piling up. In fact, many Acquirers set a chargeback limit – if that number is surpassed, the Acquirer could impose penalties or drop the Merchant as a client.
And that limit is just one of many rules a Merchant must adhere to when opening up a Merchant Account at an Acquiring Bank. Merchants go through an elaborate application process. It includes common KYB procedures as well as risk assessment. A Merchant Account can fall into a high-risk profile if the Merchant deals in large amounts, multiple currencies or risk-prone goods such as gambling or adult content, for example. The higher the potential risk, the more expensive the service fees for a Merchant Account will be.
Payment Service Provider
Alternate labels: Merchant Service Providers, Payment Provider, Payment Aggregator, PSP
Payment Service Providers are an alternative to traditional Credit Card Acquirers when accepting payments. A PSP is a financial institution or service company that enables a merchant to technically process a payment conducted via:
- Credit Card
- Debit Card
- Alternative Payment Method (i.e. EPS, iDEAL, Giropay, etc.)
In this role, Payment Service Providers authorize payments, transfer payment information and conduct settlement and clearance. Chargebacks have to be handled by the Merchants themselves, but PSPs offer them a Merchant Service Area, so they can deal with chargebacks more easily.
Just like with Acquirers, PSPs maintain Merchant Accounts to take in the money and then distribute it to Merchant Accounts. Payment Service Providers that also provide acquiring services hold the Merchant Account themselves. In cases where the PSP acts as a pure technical gateway, the Merchant Account is held by a partner Acquiring Bank. Whoever holds the Merchant Account is responsible for the related KYC process, be it the Acquirer or the PSP.
Competition in the payment industry is fierce. Therefore, the details of payment processing might vary across PSPs. Some obtain Acquiring licenses to act as Acquirers, too. Usually, PSPs are more expensive than classic Acquirers, though.
As a business owner, you should keep the following rule of thumb in mind: The longer the “payment chain”, the more expensive the payment process, as every provider wants to gain their share. So don’t settle for the first PSP you stumble across, but compare to find the one that fits your business best. We have compiled a list of relevant criteria for PSPs here.
Payment Gateway
Alternate labels: –
The Payment Gateway is the entrance for the Cardholder’s payment data, hence the name. It encrypts any sensitive payment information and orchestrates payments, routing them to the Acquirer or to a fitting Payment Service Provider respectively. In that, the Payment Gateway initiates the authentication and authorization processes of the payment.
The relations of a Payment Gateway to the Acquirer and Merchant can vary. In any case, a merchant account is always provided by the Acquirer. A Payment Gateway or PSP that does not provide acquiring services, but has partnered with an acquiring bank, needs to reference the correct merchant account with each transaction, so the acquirer understands where to credit the received funds. For Merchants, a Payment Gateway can act as a layer granting access to various Payment Service Providers.
Issuer
Alternate labels: Issuing Bank, Card Issuer
Issuers are financial institutions that produce and, well, issue the payment cards used by the Cardholders. Those cards in question could be Credit Cards, Debit Cards, Prepaid Cards, etc. Issuers are related to specific Card Payment Networks. But there are a few who are Acquirers at the same time, which can unwind payments at a rapid rate within a Closed Loop.
In addition, Issuers have to adhere to certain standards. The on-chip technology and security of credit cards as well the security around credit card data itself are subject to a broad range of strict industry standards. The PCI SSC defines those standards, while Merchants, Issuers, Acquirers, PSPs are required to comply if they want to process, transmit or store clear text credit card data. Compliance is controlled through annual on-site audits by an independent QSA (Qualified Security Assessor).
Payment Card Scheme
Alternate labels: Card Scheme, Credit Card Scheme, Credit Card Association, Card Payment Network, Licensor
Payment Card Schemes are associations that route financial transaction information between Acquires and Issuers, acting as the central agent in the communication between the two, passing payment data back and forth to enable the card transaction. Any payments conducted with respective cards are processed by the respective card scheme, following a specific set of rules and practices. All cards operate in adherence to PCI DSS (Payment Card Industry Data Security Standard). This standard is maintained by the Payment Card Industry Security Standards Council, formed by the different card schemes.
“Cards” is a fairly broad term here: Card Schemes can support credit cards, debit cards and even prepaid cards. They don’t issue those cards directly to Cardholders, though. Instead, banks and other financial entities enter memberships with a scheme. In exchange, they gain permission to give out cards that operate within the scheme to their customers. For example: If you have one credit card each from the German banks Volksbanken-Raiffeisen-Bank and Sparkasse, chances are, they both operate under the Mastercard scheme, so they show the Mastercard logo.
Card Scheme membership comes at a price, though. The schemes ask Acquirers to pay fees. Acquirers, in turn, pass those fees on to the Merchants: A small percentage (around 0,02 to 0,04%) of the payment amount is handed to the Card Scheme once the transaction takes place. This is not to be mistaken with the interchange fee that goes to the Card Issuer.
The most prominent Credit Card Schemes, which find international acceptance, are VISA and Mastercard. (Together, they amount to a market share of around 75% globally). Yet by now, many nations try to emancipate themselves from those schemes and establish their own. Take RuPay in India, Mir in Russia or UnionPay in China, for instance. The latter one has grown into the biggest Card Scheme on the planet – as of 2018, it issues 45% of worldwide payment cards. Europe has recently announced the European Payment Initiative (EPI), which wants to create a Europe-centric Card Scheme as well.
The Three Corner vs. the Four Corner Model
In addition to the distinctions above, interactions with Payment Card Schemes fit into one of two variants, regarding how transactions proceed on them.
The Four Corner Model
Alternate labels: Four Party Card Scheme, Open Scheme, Quadripartite Model
This is the classic type of Payment Card Schemes – and the type we will explore in more detail below. Transactions happening in this model feature all four payment parties we detailed above:
- Cardholder
- Merchant
- Acquirer
- Issuer
The Cardholder links to the Issuer here, just as the Merchant links to the Acquirer. Acquirer and Issuer connect via the Payment Card Scheme. If orchestration of payments is worthwhile, a Payment Gateway might also be involved.
The key factor of the Four Corner Model is that Acquirer and Issuer are completely separate entities. Either a PSP or Payment Gateway communicating with an Acquiring Bank or the Acquiring Bank itself acts as the nodal points of payment initiation. That means that they provide the interface that customers can use to initiate payments (i.e. online checkout page or point-of-sale device). The Card Scheme is responsible for providing interbank communication between the acquiring and issuing banks. Ultimately the issuing bank authorizes or declines the transaction.
This model is often called the Open Model, as other institutions may issue their own cards based on a scheme (compare the Sparkasse example above). With the next model, things look quite different.
The Closed Loop Model
Alternate labels: Three Party Card Scheme, Closed Scheme
In this model, the number of involved parties drops from four to three. Here, Acquirer and Issuer are one and the same.
This means that Payment Card Schemes of the Closed Loop Model don’t allow external entities to issue their own cards. Instead, they get the cards to hand out to their customers directly from the scheme.
Currently, this model is somewhat falling out of fashion. Diners Club, the first closed scheme credit card (really, the first credit card whatsoever) has switched to the Four Party Model in many of its areas of operation. Yet, closed scheme payments also have benefits: They are faster and no interchange fees accrue between Acquirers and Issuers.
Processing the Payment
The following step-by-step flow will give you an ideal overview of how a typical one-step sale credit card payment goes down. Please mind that this is very high-level. An actual payment process – especially one your business is confronted with – might have additional steps (like 3D Secure). Also, it might deviate in key aspects, especially if you use the two-step authorization/capture flow.
- The Cardholder initiates a purchase at a Merchant by passing through a checkout process. This requires the Cardholder to enter their card details, either on the Merchant’s on-platform checkout page or an external page presented by a Payment Gateway or a Payment Service Provider. Once the card details are entered successfully, the payment is triggered.
- From the Merchant’s platform, the transaction request (containing the relevant card data) is passed on to the Payment Gateway.
- The Payment Gateway passes the transaction data on to a suitable Payment Service Provider or Acquirer with which the Merchant holds a business relationship.
- The Acquirer validates the payment in question. In the case of not approving it, the Cardholder receives an error message via the Payment Gateway. In case of approval, the transaction proceeds further.
- The Acquirer passes the transaction data to the Payment Card Scheme.
- The Payment Card Scheme routes the transaction data to the Issuer to have it authorized by the Cardholder’s bank.
- The Issuer checks if the balance on the Cardholder’s account is sufficient. If so, the funds are authorized.
- The Issuer then sends a confirmation to the Payment Card Scheme.
- The Payment Card Scheme forwards the confirmation to the Acquirer.
- The Acquirer passes on the confirmation to the Payment Gateway via the Payment Service Provider / Payment Processor.
- The Merchant receives confirmation of the authorized funds.
Conclusion
In this article, we introduced you to the most commonly used online card payment terminology. However, we could only present a surface overview here. Payment is a more complex field than fits between the top and bottom lines of a blog article.
For example, we have just briefly touched on the subject of storing credit card data in a secure, PCI DSS-compliant environment. When you set-up a card payment system, it’s crucial to ensure that credit card data is protected.
Our payment orchestration platform Finergizer is designed to achieve the highest security standards. With the Vault Element, Finergizer tokenizes and securely stores sensitive credit card data in accordance with the PCI DSS regulations.
If you want to learn more about Finergizer and try the software yourself, head over to the Finergizer website. And if any more questions remain, don’t hesitate to contact us – we are planning, assessing and building payment systems for different businesses for over a decade now.