Credit Card Payment: The Wizard Behind The Curtain

Charles Mon
Charles Mon
Published in
7 min readMay 10, 2021
The Wizard of Oz

What happens 3 seconds behind the curtain?

When making a purchase online, it takes 1 to 3 seconds from the time you click the “Pay” button to the time it confirms that your purchase has been completed. That is a relatively short time, not even enough to pour a cup of coffee. Have you wondered what was happening behind the browser during those 3 seconds?

There are a few parties that handle your payment.

First, let’s look at a basic payment flow. To accept payment online, the merchant first needs a merchant bank account and a payment gateway solution. The financial institution that provides the merchant bank account is called the acquiring bank (a.k.a acquirer).

During check out, the merchant sends your order and credit card credentials to a payment gateway. Gateway is a secure online platform that collects and initiates your payment request. The gateway solution is usually provided by a third-party.

Even though it is not technically the same, you can imagine a gateway as the physical card terminal in a Brick and Mortar store.

Once the gateway provider processed your order, it forwards the payment info to the acquiring processor. Acquiring processor (a.k.a processor) is a payment processing solution provider for the acquiring banks. The information sent to the processor consists of the payment amount, credit card info, name, address, and all other technical details, such as transaction type (one-off or recurring), reference id, device fingerprint, etc.

After that, the processor will parse the request before forwarding it to the card network. The card network includes Visa, Mastercard, AMEX, etc., it will then route it to your issuing bank (a.k.a issuer). The issuer is the financial institution that issued your credit card.

After the issuer processing your payment, it will return a response through the same route, from the card network to the processor, to the gateway, and eventually back to your browser. If your bank approved the payment, the merchant would redirect you to a “Thank You” page. All of that only takes 1 to 3 seconds for the information to travel across the globe. It is pretty mind-blowing if you think about it.

Fun fact:
(i) To handle and store your credit card credentials, the solution providers and the financial institutions must be PCI DSS certified.
PCI DSS stands for Payment Card Industry Data Security Standard (PCI DSS). In order to integrate with a processor, the gateway provider has to prove its PCI status.

(ii) Discovery & AMEX have a closed-loop network. Where Discover & AMEX act as both acquirer and issuer.

(iii) A credit card payment can be classified as card-present (CP) and card-not-present (CNP). Making a purchase online is a CNP transaction while buying a coffee at Starbuck is a CP transaction. The payment flow is different between the two.

Payment flow with cardholder authentication

Now you understand the basic payment flow, let’s add one more thing to the equation, the cardholder authentication. If you shop online often, I’m sure you have seen the small verification window. The reason you see it is because the merchant opted to add this additional authentication step to make sure you are who you said you are.

3D Secure: On-Time Password Authentication

This authentication happens before the authorization flow, and the most common method is 3D Secure. A protocol operates using the interaction of three domains: requestor (merchant/acquirer) domain, issuer domain, and interoperability domain.

The card networks that support the protocol would maintain a directory server. For security measures, the card networks do not allow merchant/gateway directly access their directory server. Therefore, the gateway must integrate with a Merchant Plug-In (MPI) provider. The MPI provider will pass the authentication request to the directory server. The directory server will then interact with the access control server.

Often, issuers outsource the access control server to a third-party provider. Thus, another entity is involved in the process. Your issuer will then present that little window to you to request a one-time password (via SMS). Some banks may use their mobile app to push a notification to prompt cardholders to confirm the order.

If you fail the authentication, then the process stops there. Otherwise, the gateway will initiate the authorization flow as described earlier. The gateway will also send the authentication results with the payment request.

Fun fact:
(i) Card networks brand their 3D Secure protocol, you may have seen these labels in the authentication window.
- Visa — Verified by Visa
- Mastercard — Secure Code
- AMEX — American Express Safekey
- Discover — ProtectBuy

(ii) The later version of 3D Secure protocol is developed by EMVCo, a company owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa.

Merchants Decides Whether to Authenticate Cardholders
The merchant chooses whether to have the additional authentication as part of its checkout process. Why is it the merchant’s choice instead of the issuer’s choice to add the additional authentication?

Your credit card comes with zero-liability protection, meaning, if your card gets racked up with fraudulent charges, you are not responsible. The loss comes out of the merchant’s pocket.

However, if the transaction is authenticated, the liability shifts from the merchant to the issuer. If you report a fraudulent charge that was previously authenticated, the issuing bank would suffer the loss, not the merchant.

Now you might be thinking, why don’t merchants authenticate every transaction since it provides protection. Well, there are two things e-commerce merchants care about, (1) cart abandonment rate, (2) approval rate. For the former, the authentication adds friction to the checkout process. Each little friction contributes to more cart abandonment. When processing tens of thousands of transactions per day, the slight increase in cart abandonment rate could result in a substantial revenue loss.

Imagine a scenario where you’re hesitating about getting concert tickets for the weekend. Impulsively, you go for it. However, during the checkout, it asks for a one-time password sent to your phone. Now, since you have to get out of bed to get your phone in the living room, you instead close the browser and think to yourself, “forget about it!”.

To reduce cart abandonment, rather than authenticate every transaction, the merchant performs an analysis in the background to determine which ones are risky. Let say out of all the transactions in a given day, 10% are fraudulent. Using their sophisticated risk analysis algorithm, they automatically authenticate 20% of the transactions, the ones that have a higher risk score, catching most of the fraudulent transactions while adding minimal friction.

Fun fact:
(i) Starting Jan 1, 2021, the PSD2 SCA mandate (Strong Consumer Authentication) requires all electronic transactions within the European Economic Area to be authenticated.

(ii) The issuers make money through a percentage-based interchange fee on approved transaction amounts. If issuers view a transaction as low-risk, it often lets the authentication request flow through without challenging the cardholder. This is because challenging every cardholder could lead to cart abandonment and revenue loss. If the issuer chooses not to challenge a cardholder, the issuer bears the liability.

Now that you have a basic understanding of what’s happening behind the curtain, I hope you are truly amazed by the wizardry of those 1 to 3 seconds.

--

--