How credit card processing works


How credit card processing works

What happens when you click the 'buy' button?
What goes on when you click that 'buy' button? (Image via Papdan.com)

Credit cards are everywhere these days, but few people know what happens after a card is used online (or swiped at a store).

In this post, we’ll peel back the covers and take a closer look at what happens the moment you swipe a card (or use it online), as well as the different players involved in getting the transaction done.

I’ll keep this simple, like 5th grade level simple.

Getting a credit card

Before buying with a credit card, you need one. That’s the part where you walk to a bank and fill in a lot of forms. These are technically known as issuing banks (or just "banks" really) and examples include HSBC, Citibank and Al Rajhi. There's a lot of them, certainly more than any other type of bank involved in the card transaction.

Part of the reason for this is that issuing banks actually make the largest cut from each credit card transaction that gets processed. They basically have to go out and find customers that are willing to use their credit cards (and extend credit to them), so I guess they do deserve some of that share. Onwards.

Using the card on a website

OK, so now that we’ve got a credit card .. it’s time to use it. Let’s say you head over to souq.com and see a really nice pair of shades that you think would look great in (always) sunny Dubai. You type in your card details (card number, expiry date and CVC) and hit the big green Pay button. You immediately get a message on your phone that the payment is processed.

But what really happened under the covers? Let's dive in.

Step 1: The payment gateway

Firstly, this card information is immediately sent over to a ‘payment gateway’ (the one that this particular online merchant deals with). The payment gateway is just a server that connects to the different card networks (Visa, MasterCard, American Express, etc.) and saves you the hassle of having to integrate directly with every payment method on the face of the planet. There are plenty of them, and Stripe or Payfort are examples.

They also (ideally) provide nice APIs that make the payment process clean and simple. If it weren’t for gateways, you might have had to construct your own low-level frames to speak the same language the card networks operate in (which is not pretty).

OK, so first stop is the payment gateway .. then what?

Step 2: The card networks

The next step is to send the information over to the ‘card networks’ (basically Visa and MasterCard here in the region). It turns out that you can’t just wake up one morning and decide you want to connect to Visa and MasterCard ... you have to do it through a bank. You can think of card networks as networks that connect a bunch of banks together... if you wanted to connect to the card network, you would have to go through a participating bank.*

As a merchant, the bank that you connect to is called an “acquiring bank” or just an “acquirer”. These are banks that are allowed to process credit card transactions, and will also serve at the connection that your payment gateway uses to send messages to the card networks. Examples of acquiring banks include Network International and Mashreq Bank in the UAE.

Once connected to the card network, a message is sent to the ‘issuing bank’ (the bank that issued the credit card used to make the purchase).

* There are actually ways to connect to card networks without going through a bank (CyberSource is a notable exception). However, in the majority of cases this rule holds true.

Step 3: The issuing bank

The issuing bank basically gets a request that says “There’s this guy with card #XXX that wants to buy stuff for $100 .. You OK with that?”. The bank then checks for a few things, like:

  • Is the card number still valid?

  • Does the card have enough credit to make the purchase?

  • Is this card authorized to do online transactions?

Sometimes, the issuing bank gets all paranoid and just decides to block online transactions because they don’t like them (this happens in places like Bahrain and Saudi Arabia).

In some other cases (certainly in the UAE), they ask for additional verification in the form of a password or code sent via SMS. This is called “3D Secure” in the business, and is done by many issuing banks in the region. If the code or password is correct, life moves on. If not, the transaction is killed.

Whatever the response, it’s sent back as a response to the payment gateway.

Before joining White Payments in 2014 Yazin Alirahayim worked at two startups. Before that, he had spent five years at GE, most recently as Global Finance Simplification Leader. He graduated 1st class honors with a BSc in computer engineering from the University of Bahrain.

Thank you

Please check your email to confirm your subscription.