Inside Your Payment Card

ridwanf
DANA Product & Tech
11 min read · Aug 24, 2022

A long, long time ago, big animals called dinosaurs lived in this world. When they lived, the earth was a very different place. But we're not going to talk about dinosaurs; we're going to talk about the payment card. Yes, your payment card.

A payment card is a card for cashless payment at retailers and online stores, or for cash withdrawals at ATMs. It is issued by the bank when you open a bank account. Everyone has their own payment card, such as a debit card or a credit card. But do they know how the payment card works? First, though, I want to share some payment card history.

Payment Cards History

In the late 1880s the US author Edward Bellamy wrote about the concept of credit cards in his novel Looking Backward.

Then, in the new century, in 1914 Western Union provided some customers with a metal card giving them deferred payment privileges. They called the card 'metal money', but it could only be used for purchases within stores owned by the company. In the mid-1900s many financial institutions issued their own payment cards, like Diners Club and American Express. In 1966 Barclaycard issued the first all-purpose credit card. In 1987 the first debit card was launched in the UK, and guess who was the first to issue it? Barclays was the first financial institution to issue a debit card. Since then there have been many innovations, like contactless cards.

Payment Card Adoption

The image above is the survey result from the VISA Consumer Payment Trends in Southeast Asia report from 2015. From the image we can see that more than half of the population in Southeast Asia prefers using cards over cash, led by Singapore with 76%, followed by Indonesia with 69%.

The reasons people use cards instead of cash are mostly convenience and security. Some people also find it a hassle to carry notes and to wait for others to count cash.

Almost half of the people in Southeast Asia have more than one payment card. The reason is that every card or bank offers different facilities, like cost-free transfers to a bank in another country, and many more.

Inside Your Payment Card

Have you ever thought about what is actually inside your payment card, and how it can perform transactions at a merchant? Your payment card has data inside it. Although payment cards use different logos and colors, they all carry the same data elements. Let's start from the front.

Card Issuer Name

There will always be the name of the card issuer, such as a bank or card scheme.

EMV Chip

If you look at the image above, there is a yellow chip called the EMV chip. The EMV chip helps make transactions more secure.

Primary Account Number

Across the middle of the card, in the largest print, there is a 15- or 16-digit card number, which the payment industry calls the primary account number (PAN). The first 6 digits are the bank identification number (BIN). The BIN is unique for every bank.

Valid Thru Date

Some cards have both a valid-from and a valid-thru date; others have only a valid-thru date.

Card Holder Name

There will be a cardholder name. You can request from your bank which name you want printed on your card.

Card Brand Logo

And last is the logo of the card brand, like Mastercard, American Express, etc.

The back of the card carries less information than the front. It only contains a magnetic stripe, a signature strip, and the hologram.

The Magnetic Stripe

The magnetic stripe contains all the data on the front of the card, and more, in digital form that can be read by the merchant's equipment. The data is stored in what is known as a track. Usually a magnetic card has two tracks. Track 1 is 80 characters long and contains the primary account number, cardholder's name, expiration date, service code, and CVV. Track 2 is much shorter than track 1: it is 40 characters and contains the primary account number, expiration date, service code, and the CVV.
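To make the PAN and track layouts above concrete, here is an added example (not code from the original post or from DANA) that parses constructed track 1 and track 2 records in the ISO/IEC 7813 layout, extracts the PAN and its 6-digit BIN, validates the PAN check digit (Luhn), and produces a log-safe masked form, which is the most any PCI DSS in-scope system should ever write to a log. The sample records, the `TrackData` class, and the function names are all assumptions made for this example; the test PAN 4111 1111 1111 1111 is a well-known non-live test number.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Layouts follow the ISO/IEC 7813 track formats: track 1 uses '%', '^' and '?'
# as sentinels and separators, track 2 uses ';', '=' and '?'. The trailing LRC
# byte a real reader appends is not modelled here.
TRACK1_RE = re.compile(r"^%([A-Z])(\d{1,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?$")
TRACK2_RE = re.compile(r"^;(\d{1,19})=(\d{4})(\d{3})([^?]*)\?$")


@dataclass
class TrackData:
    pan: str                 # primary account number
    name: Optional[str]      # cardholder name, present on track 1 only
    expiry: str              # YYMM
    service_code: str        # 3 digits
    discretionary: str       # issuer-defined data (the CVV lives in here)


def luhn_valid(pan: str) -> bool:
    """Check-digit test (Luhn, ISO/IEC 7812) that every PAN must pass."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track1(raw: str) -> TrackData:
    m = TRACK1_RE.match(raw)
    if not m:
        raise ValueError("not a well-formed track 1 record")
    fmt, pan, name, expiry, service_code, disc = m.groups()
    if fmt != "B":
        raise ValueError(f"unsupported track 1 format code {fmt!r}")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return TrackData(pan, name.rstrip(), expiry, service_code, disc)


def parse_track2(raw: str) -> TrackData:
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("not a well-formed track 2 record")
    pan, expiry, service_code, disc = m.groups()
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return TrackData(pan, None, expiry, service_code, disc)


def bin_of(pan: str) -> str:
    """First 6 digits: the bank identification number."""
    return pan[:6]


def mask_pan(pan: str) -> str:
    """PCI DSS display masking: at most the first 6 and last 4 digits visible."""
    return bin_of(pan) + "*" * (len(pan) - 10) + pan[-4:]


def chip_preferred(service_code: str) -> bool:
    """First service-code digit 2 or 6 means 'use the IC (chip) where feasible';
    a swipe of such a card is a chip fallback and deserves extra scrutiny."""
    return service_code[0] in ("2", "6")


def log_record(td: TrackData) -> dict:
    """What may safely reach a log: masked PAN, BIN and expiry, never the
    discretionary data or the full PAN."""
    return {"pan": mask_pan(td.pan), "bin": bin_of(td.pan), "expiry": td.expiry,
            "service_code": td.service_code,
            "chip_preferred": chip_preferred(td.service_code)}


if __name__ == "__main__":
    # Constructed sample records for the example; not captured from a real card.
    t1 = parse_track1("%B4111111111111111^DOE/JOHN^25121011234567890123?")
    t2 = parse_track2(";4111111111111111=25121011234567890?")
    print(log_record(t1))
    print(log_record(t2))
```

The parser deliberately separates the discretionary data (where the CVV sits) from the fields a back end legitimately needs, so that only `log_record` output ever leaves the terminal or reader process.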

Card payment type

How many payment cards do you have? I actually have more than 5 cards, but only 3 types of payment card: credit card, debit card, and prepaid card. Those are the types of cards commonly used in our lives. So what is the difference between them? I will explain.

Credit Card

A credit card allows you to make purchases with money borrowed from the bank. As you make purchases with your credit card, a balance builds up that needs to be repaid at the end of the month.

Debit Card

On the other hand, when you use a debit card, the amount is deducted directly from your bank account.

Prepaid Card

If you want to use a prepaid card you need to fund it first. You can use it at department stores, on the highway, or on the MRT.

How a Card Payment Works

Basically, a card payment transaction involves at least 3 participants: the cardholder, the merchant, and the bank. The cardholder uses the card to make a transaction. The merchant gets paid after the transaction succeeds, and the bank checks whether the transaction is fraudulent or not, then transfers the money to the merchant and deducts it from the cardholder's balance. As simple as that. But inside that, the card payment transaction process is divided into four steps: authorization, clearing, settlement, and undo (chargeback and refund).

Authorization

Authorization is the process of validating the data sent from the merchant and sending back the result of the validation. In the payment card transaction process, authorization happens when the merchant sends the card data from the cardholder's card to the bank. How can the merchant read the card data? The merchant reads the card data by swiping the card through the point-of-sale system, with an EMV card reader if the card supports EMV, or by tapping the card on the reader if it supports contactless transactions. After reading the card data, the merchant uses it to build an authorization request. Which data is used in the authorization request? The authorization request uses the data from track 1 plus the merchant ID, merchant name, the amount, and possibly an encrypted value based on the PIN.

The bank then checks the data and determines whether it is a genuine or fraudulent transaction, and also checks whether the balance is sufficient. The bank sends an authorization response to the merchant: accept or decline. For this process to happen, the merchant would need a relationship with every bank in the world that issues payment cards, but that would be far too many banks to handle. So merchants have a relationship with an acquiring bank (the bank that acquires their payment card transactions). The acquiring bank would then have to build relationships with every card-issuing bank in the world, but that is also complicated: building a relationship between an acquiring bank and an issuing bank requires an agreement and contract drawn up by lawyers, and there are hundreds of acquiring banks. To solve this problem, between the acquiring bank and the issuing bank sits a card scheme or card brand like VISA, Mastercard, and JCB. The card scheme connects all the acquiring banks with all the card-issuing banks.
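The authorization path described above (merchant, acquirer, card scheme, issuer, and the response that travels back) is modelled in this added example, which is not code from the original post or from DANA. The BIN table, the prefix-to-scheme mapping, the account balances, the issuer's single-transaction limit standing in for its fraud checks, and the class and function names are all constructed assumptions for the example; real routing tables come from the schemes.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed assumption: which scheme the acquirer routes a PAN to, by prefix.
SCHEME_BY_PREFIX = {"4": "VISA", "5": "Mastercard", "35": "JCB"}


@dataclass
class AuthRequest:
    pan: str
    expiry: str                         # YYMM, read from the track data
    merchant_id: str
    merchant_name: str
    amount_cents: int
    pin_block: Optional[bytes] = None   # encrypted PIN, if the terminal captured one


@dataclass
class AuthResponse:
    approved: bool
    reason: str
    auth_code: Optional[str] = None     # the authorization reference used later in clearing


class Issuer:
    """Card-issuing bank: owns the accounts and decides approve or decline."""

    def __init__(self, name: str, balances: Dict[str, int], today_yymm: str,
                 single_txn_limit_cents: int = 500_000):
        self.name = name
        self.balances = dict(balances)        # pan -> available balance in cents
        self.today = today_yymm
        self.limit = single_txn_limit_cents   # stand-in for the issuer's risk engine
        self._seq = 0

    def authorize(self, req: AuthRequest) -> AuthResponse:
        if req.pan not in self.balances:
            return AuthResponse(False, "unknown account")
        if req.expiry < self.today:           # YYMM strings compare chronologically
            return AuthResponse(False, "card expired")
        if req.amount_cents > self.limit:     # very simple fraud rule
            return AuthResponse(False, "amount over limit")
        if self.balances[req.pan] < req.amount_cents:
            return AuthResponse(False, "insufficient funds")
        self.balances[req.pan] -= req.amount_cents   # place the hold
        self._seq += 1
        return AuthResponse(True, "approved", f"{self.name[:2].upper()}{self._seq:06d}")


class CardScheme:
    """Connects every acquirer to every issuer; routes each request by BIN."""

    def __init__(self, name: str):
        self.name = name
        self.issuers_by_bin: Dict[str, Issuer] = {}

    def register_issuer(self, bin6: str, issuer: Issuer) -> None:
        self.issuers_by_bin[bin6] = issuer

    def route(self, req: AuthRequest) -> AuthResponse:
        issuer = self.issuers_by_bin.get(req.pan[:6])
        if issuer is None:
            return AuthResponse(False, f"{self.name}: BIN not registered")
        return issuer.authorize(req)


class Acquirer:
    """Merchant's bank: picks the scheme from the PAN prefix and forwards."""

    def __init__(self, schemes: Dict[str, CardScheme]):
        self.schemes = schemes

    def scheme_for(self, pan: str) -> Optional[CardScheme]:
        for prefix, name in SCHEME_BY_PREFIX.items():
            if pan.startswith(prefix) and name in self.schemes:
                return self.schemes[name]
        return None

    def authorize(self, req: AuthRequest) -> AuthResponse:
        scheme = self.scheme_for(req.pan)
        if scheme is None:
            return AuthResponse(False, "no scheme for this card")
        return scheme.route(req)


def build_network(today_yymm: str = "2208") -> Acquirer:
    """Constructed sample network: one VISA issuer with two test accounts."""
    issuer = Issuer("SampleBank",
                    {"4111111111111111": 100_000, "4111110000000002": 500},
                    today_yymm)
    visa = CardScheme("VISA")
    visa.register_issuer("411111", issuer)
    return Acquirer({"VISA": visa})


if __name__ == "__main__":
    acq = build_network()
    req = AuthRequest("4111111111111111", "2512", "M-001", "Corner Shop", 2_500)
    print(acq.authorize(req))
```

Note that the merchant never talks to the issuer directly: the acquirer only knows the scheme, and the scheme only knows the BIN table, which is exactly the layering the post describes.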

Clearing & Settlement

In clearing, each merchant sends a summary of all the day's transactions to their acquirer, containing the primary account numbers of the cards that made the transactions, the authorization reference, and the amount. Each acquirer then splits every merchant's transactions by card scheme. The card scheme then sends all the transactions to the issuing banks together. Each issuing bank then determines how much money it owes to the card scheme. This process is called settlement. The card scheme then sends the money to the acquiring bank, which separates it and sends it on to the merchants. Some merchants get the funds the next day; others may wait a few days, depending on the agreement between the merchant and their acquiring bank.

Undo

When a transaction goes wrong, like the wrong cardholder account, the wrong amount, or goods that have already sold out, the cardholder will want to undo the transaction. There are two ways a transaction can be undone. First, the merchant can refund the transaction.

The merchant sends a message similar to an authorization request, but without the sensitive information: just the PAN, cardholder name, and expiration date, along with the amount to be refunded. The issuer sends back a refund response to the merchant.

The second is a chargeback by the cardholder. The transaction can be undone by the cardholder contacting their bank. Usually they have to complete a form. The issuing bank sends a message via the card scheme to the merchant's acquirer requesting that the money be returned. The acquirer then contacts the merchant and asks them to prove the transaction was valid. If the merchant agrees to the chargeback, the transaction is undone.
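The clearing and settlement flow from the previous section and the merchant refund from this one share the same daily batch, so both are covered by this single added example (not code from the original post or from DANA). It takes a constructed day's clearing summary (merchant ID, PAN, authorization reference, amount; refunds carried as negative amounts), applies the control an acquirer would run before accepting a record (every record must match an approved authorization for the same PAN, must not exceed the authorized amount, and a purchase authorization may be cleared only once), then splits the accepted records by scheme, nets what each issuer owes per scheme, and computes merchant payouts. The authorization references, BIN ownership, the 2% fee and all names are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCHEME_BY_PREFIX = {"4": "VISA", "5": "Mastercard", "35": "JCB"}  # constructed


@dataclass(frozen=True)
class ClearingRecord:
    merchant_id: str
    pan: str
    auth_ref: str
    amount_cents: int        # negative for a merchant-initiated refund


@dataclass(frozen=True)
class Authorization:
    pan: str
    amount_cents: int


def scheme_of(pan: str) -> str:
    for prefix, name in SCHEME_BY_PREFIX.items():
        if pan.startswith(prefix):
            return name
    return "UNKNOWN"


def reconcile(records: List[ClearingRecord],
              auths: Dict[str, Authorization]) -> Tuple[List[ClearingRecord], List[str]]:
    """Acquirer-side control: clearing records must trace back to an approved
    authorization. Returns (accepted records, rejection reasons)."""
    accepted, rejected, cleared = [], [], set()
    for r in records:
        a = auths.get(r.auth_ref)
        if a is None:
            rejected.append(f"{r.auth_ref}: no approved authorization")
        elif a.pan != r.pan:
            rejected.append(f"{r.auth_ref}: PAN does not match authorization")
        elif abs(r.amount_cents) > a.amount_cents:
            rejected.append(f"{r.auth_ref}: amount exceeds authorized amount")
        elif r.amount_cents > 0 and r.auth_ref in cleared:
            rejected.append(f"{r.auth_ref}: authorization already cleared")
        else:
            if r.amount_cents > 0:
                cleared.add(r.auth_ref)
            accepted.append(r)
    return accepted, rejected


def split_by_scheme(records: List[ClearingRecord]) -> Dict[str, List[ClearingRecord]]:
    """Acquirer splits the merchants' records into one batch per card scheme."""
    batches: Dict[str, List[ClearingRecord]] = defaultdict(list)
    for r in records:
        batches[scheme_of(r.pan)].append(r)
    return dict(batches)


def issuer_positions(batch: List[ClearingRecord], issuer_by_bin: Dict[str, str]) -> Dict[str, int]:
    """Settlement: net amount each issuer owes the scheme (refunds reduce it)."""
    owed: Dict[str, int] = defaultdict(int)
    for r in batch:
        owed[issuer_by_bin[r.pan[:6]]] += r.amount_cents
    return dict(owed)


def merchant_payouts(accepted: List[ClearingRecord], fee_bps: int) -> Dict[str, int]:
    """Acquirer pays each merchant net of a fee on purchases (fee rate assumed)."""
    net: Dict[str, int] = defaultdict(int)
    for r in accepted:
        fee = r.amount_cents * fee_bps // 10_000 if r.amount_cents > 0 else 0
        net[r.merchant_id] += r.amount_cents - fee
    return dict(net)


def sample_day() -> dict:
    """Constructed day's batch: two merchants, one refund, one duplicate, one orphan."""
    auths = {"SA000001": Authorization("4111111111111111", 2500),
             "SA000002": Authorization("4111111111111111", 8000),
             "OB000003": Authorization("5500000000000004", 1200)}
    records = [
        ClearingRecord("M-001", "4111111111111111", "SA000001", 2500),
        ClearingRecord("M-001", "4111111111111111", "SA000002", 8000),
        ClearingRecord("M-002", "5500000000000004", "OB000003", 1200),
        ClearingRecord("M-001", "4111111111111111", "SA000001", -2500),  # refund
        ClearingRecord("M-002", "5500000000000004", "OB000003", 1200),   # duplicate
        ClearingRecord("M-002", "5500000000000004", "XX999999", 300),    # no auth
    ]
    issuer_by_bin = {"411111": "SampleBank", "550000": "OtherBank"}
    accepted, rejected = reconcile(records, auths)
    batches = split_by_scheme(accepted)
    positions = {s: issuer_positions(b, issuer_by_bin) for s, b in batches.items()}
    return {"accepted": accepted, "rejected": rejected, "positions": positions,
            "payouts": merchant_payouts(accepted, fee_bps=200)}


if __name__ == "__main__":
    for k, v in sample_day().items():
        print(k, v)
```

A chargeback is the same movement in the opposite direction, initiated by the issuer through the scheme rather than by the merchant, so it would enter the issuer positions as a negative amount in a later batch once the acquirer accepts it.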

The PCI Standards

Have you ever wondered how criminals turn stolen card data into cash? They do it in two ways: first, they use the stolen cardholder data to create cloned cards and withdraw cash from ATMs; or they buy goods in shops or online shops with cloned cards and sell those goods for cash. Four types of criminals are involved in turning card data into money. First are the criminals who specialize in stealing card data from companies. Second is the data dealer who sells the data. Third is the criminal who monetizes the data by creating cloned cards. Last is the mule, the criminal who turns the cash into goods and then sells the goods to make money.

What data do the criminals need from the card? Basically, they need the entire contents of track 1 of the magnetic stripe and the PIN to get cash from an ATM, and the PAN, expiration date, account name, and CVV2 to make transactions in e-commerce. Mostly they get the data while the payment is in the authorization state. Once they have the data they can make authorization requests.

How do we stop the criminals?

We can stop criminals from using our card data with a standard procedure that tells people how to protect the data. Every major card scheme, American Express, Discover, JCB, Mastercard, and VISA, already had its own standard. But having five different sets of security standards was very confusing for the industry. So in 2006 the Payment Card Industry Security Standards Council was formed by the five card brands: American Express, Discover, JCB, Mastercard, and VISA. They created the PCI standards based on their own standards. There are basically five payment card industry standards.

The first is the Data Security Standard (PCI DSS). PCI DSS protects cardholder data in organizations that store, process, or transmit cardholder data, including merchants and service providers.

PCI DSS consists of 288 logical and physical security requirements that cover six main areas: building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing the network, and maintaining an information security policy. If a merchant buys software that has been validated to PA-DSS, they will find it much easier to meet the requirements of PCI DSS.

Next is the Payment Application Data Security Standard (PCI PA-DSS). PCI PA-DSS is a software development standard designed for vendors that produce commercial software involved in clearing payment transactions.

The PIN Transaction Security (PTS) standards protect cardholder PINs wherever they are processed. PTS has 3 main areas. The first is the Point of Interaction (POI), which is concerned with the manufacture and cryptographic key management of POI devices. The second is PIN, which is concerned with how an organization looks after the cryptographic keys used for PIN encryption and PIN decryption. The last is the hardware security module (HSM). The HSM is used to manage and secure the cryptographic keys used to encrypt and decrypt PINs in banks and payment service providers.

The Point-to-Point Encryption standard (PCI P2PE) describes how to encrypt the primary account number in POI devices and decrypt it at a service provider (or acquirer). It specifies the physical and logical controls for key management, the security of the decryption environment, and how the POI devices should be managed. The P2PE standard was developed so that merchants could buy solutions from service providers knowing that the solution had been assessed to a high standard and that cardholder data would not be accessible in the merchant environment.

The last is the card production standard. It is a set of physical and logical standards about how payment cards are manufactured, personalized, and distributed, and also how PINs are sent to consumers.

With so many card types, your wallet gets bulky. But if you use DANA, there is no need to worry: you can save up to 10 debit or credit cards inside the DANA app and use any of them to pay for transactions. So easy and safe.

https://www.mckinsey.com/~/media/mckinsey/industries/financial services/our insights/accelerating winds of change in global payments/2020-mckinsey-global-payments-report-vf.pdf

https://www.visa.co.id/dam/VCOM/regional/ap/indonesia/newsroom/documents/the-road-ahead-consumer-payment-trends-in-southeast-asia-id.pdf
