CREDIT CARD PAYMENT PROCESSING: A GUIDE FOR MERCHANTS
A brief history of credit card processing, how a credit card is processed and what merchants need to know about compliance, fees and security.
“Consumers prefer to pay with plastic, debit or credit,” according to Bankrate.com’s chief financial analyst, Greg McBride. This statement might only seem true to consumers anecdotally, but it’s by no means unfounded.
One recent study cited the bulk of consumers surveyed are now making most of their payments by credit card or debit card -- 33 percent and 44 percent, respectively.
A 2017 U.S. Bank survey also discovered that of those asked, over 50 percent reported carrying cash less than half the time.
Based on this information, using credit cards for purchases is obviously a widely-accepted trend. Along with the change in the forms of payment people use, there has been a shift in the places and ways they are making those payments.
A 2016 Annual Billing Household Survey found that consumers prefer to make payments directly to a biller’s website. However, 33 percent have even paid a monthly bill on their mobile phone -- a 22 percent increase from the previous year! Many consumers, even if they haven’t yet made a payment on their mobile phone or via a text message, are aware of the technology:
With all this evidence, it’s apparent card payments, online payments and mobile-optimized options will be increasingly important to merchants in the coming years.
Read on for information about how we got here, how a credit card is processed, and even legal requirements your business must follow while taking credit card payments. Arm yourself with the know-how that will help your business thrive.
HISTORY OF CREDIT CARD PAYMENT PROCESSING
How did the use of credit cards begin and how has it evolved? Read on to discover the history of the credit card, and how it became one of today’s most popular ways to make payments.
The first use of credit cards, as outlined by Encyclopedia Britannica, was in the form of a “courtesy card.” These began being used in the U.S. by many businesses like oil companies and hotel chains. The cards were issued to customers for purchases at their company outlets, like many of today’s store issued credit cards.
The year 1950 saw the creation of the first credit card to be accepted by multiple businesses and widely used by customers. The idea, envisioned by businessman Frank McNamara, took the form of a cardboard card that could be accepted by restaurants throughout New York. This idea was spurred one evening after he forgot his wallet while attending a business dinner. His concept, which became the Diners’ Club Card, was technically that of a charge card, since the bill had to be paid in full at the end of each month. The idea was a success and by 1951, the Diners Club had 20,000 cardholders.
The American Express Company created its own card in 1958, which became the first of its kind used outside the United States. The same year, Bank of America released the first modern credit card in California, allowing consumers to carry their monthly balance forward from month to month for a small finance fee. One of the last credit card innovations of this decade came in 1959, when American Express released the first plastic card.
In 1966, the Bank of America’s BankAmericard expanded its reach to serve customers outside of California. This is the same year competition for the company appeared in the form of the Interbank Card Association (ITC) -- known today as MasterCard.
The late ‘60s throughout the ‘70s saw a number of regulations created in response to consumer complaints about this fast-growing industry. For instance, in 1968 the Truth in Lending Act (part of the Consumer Credit Protection Act) was passed to standardize methods of calculating annual percentage rates (APRs). The Fair Credit Reporting Act was created to protect the collection and use of credit reporting data in 1970. Several other regulations were came about throughout this decade intendedward to benefit consumers who used credit cards.
In 1976-77, BankAmericard was rebranded as VISA. One year later, a significant Supreme Court decision allowed banks to lend across state lines, charging fairly uniform interest rates no matter what state the borrower resided in. The ruling stated that the interest rate a bank could use would be the one allowed in the bank’s home state. This was seen as a move toward deregulation, as it encouraged banks to relocate to states which had no interest rate caps. The allowance for uniform interest rates across the country made it easy for financial institutions to serve customers across the country, and helped to expand and popularize the use of credit cards.
Learn how credit card technology has evolved over time from NPR's Planet Money.
The Discover card was introduced in 1983 by Sears. This credit card offered purchase rebates, making this one of the first U.S. cards with a cash-back incentive. While brand alone was enough before this point to bring in customers, this reward system created stiffer competition. Frequent flier miles, low-interest offers, sign-up bonuses and other incentives were now being offered by many card brands in order to sign up new users.
In reaction to the financial crisis, the Credit Card Accountability Responsibility and Disclosure (CARD) Act passed Congress in 2009 with strong bipartisan support. This act put limitations on the fees banks are allowed to charge, such as late and over-limit fees.
Today, both VISA and MasterCard are accepted worldwide, and are run by boards made up of executives from their member banks.
HOW A CREDIT CARD IS PROCESSED
Because credit cards are now a common form of payment, most people are familiar with how to use one. But what steps does that payment go through to get those funds where they need to go?
Here are the key players involved in processing a credit card transaction, and the steps of that credit card transaction, from start to finish.
Acquiring Bank - A registered member of the card associations. Approves a merchant to accept card transactions by evaluating the merchant's qualifications in underwriting and making a decision about the risk of approving the merchant. This risk can be shared with an Independent Sales Organization (ISO) or a Merchant Service Provider (MSP). Sometimes a merchant may not even be aware of who their acquiring bank is, since they worked exclusively with the ISO or MSP to obtain their merchant account.
Cardholder - A person who obtains a bankcard, either credit or debit, from a bank that issues cards.
Card Associations - Main function is to be a governing body over banks, Independent Sales Organizations (ISOs), and Merchant Service Providers (MSPs) in order to provide credit card services to consumers and merchants. VISA, MasterCard, Discover and American Express make up the Card Associations. They decide on the standards that a merchant must meet in order to have the ability to accept debit and credit card transactions and the interchange fees associated with taking those card transactions.
Credit Card Network - A middle man in the credit card processing transaction, sending the card payment request and response between the acquiring bank and issuing bank. Functions as a part of the Card Associations.
Independent Sales Organization (ISO) - A third party company that has a relationship with a card association member in order to provide merchant services to businesses.
Issuing Bank - The financial institution who approved the cardholder or consumer. Receives the payment transaction request and will send back an approval or a decline.
Merchant - A business, whether it is a retail store who sells tangible goods or a business in a service industry, such as a hospital who charges for medical services. A merchant accepts accepts debit and credit card transactions as a form of payment.
Merchant Service Provider (MSP) - Can be a department of an acquiring bank, for example, Bank of America offers merchant processing services. It could also be a third party who works as a partner with an acquiring bank. An MSP does the bulk of the underwriting of a new merchant before passing underwriting documentation to the acquiring bank.
Payment Management Solution/Payment Gateway - Provides a front-end solution for a merchant to accept card transactions. This software allows cardholder information to be entered and sent for an approval or a denial.
Credit Card Authorization Process
1. A cardholder makes a payment to a merchant, which can be done through a variety of methods:
The cardholder is physically present with their card and swipes or inserts the card at a terminal. (Card Present Transaction)
The cardholder verbally gives the credit card data over the phone to a payment representative or via an IVR system. (Card Not Present Transaction)
The cardholder inputs the credit card data via an online payment screen. (Card Not Present Transaction)
2. The payment solution/gateway sends the credit card transaction information to the merchant's MSP/acquiring bank.
3. The MSP/acquiring bank sends the credit card transaction information to the credit card network.
4. The credit card network sends the credit card transaction information to the cardholder's issuing bank and requests a payment authorization.
5. The issuing bank authenticates the card information, and if funds are available sends an approval code or a decline message back to the card network. The issuing bank places a hold for the dollar amount of the payment on the cardholder's account.
6. The card network sends the approval/authorization code or the decline message back to the MSP/acquiring bank.
7. The MSP/acquiring bank sends the authorization code or decline message to the merchant's payment software/gateway.
8. The cardholder's payment is made (if approved) and the payment software/gateway sends a receipt of payment to the cardholder.
Batching and Funding Process
During the batching and funding process, the merchant sends all approved transactions in a batch in order to have the funds deposit to their bank account (usually within 24 to 48 hours).
1. The merchant's payment software/gateway gathers all the transactions processed throughout the day that came back with an approval code, and sends them to the acquiring bank/msp in what is referred to as a batch. A batch is usually sent out at the end of the business day, but a merchant can usually choose anytime to close and send out the batch.
2. The msp/acquiring bank sends the authorized transactions included in the batch to the appropriate card networks, such as VISA or MasterCard.
3. The card networks send each authorized transaction to the appropriate issuing banks.
4. The issuing bank debits or withdraws the funds for each authorized transaction from the cardholder's account and sends to the card networks (usually within 24 to 48 hours).
5. The card network then sends the funds to the acquiring bank/msp. The card network charges interchange and network fees, and subtracts those fees from the transaction amount prior to crediting the msp/acquiring bank.
6. The acquiring bank/msp will then deposit or settle the funds into the merchant's bank account. The acquiring bank/msp charges a fee called the merchant discount rate, which may be deducted directly off of the transaction (referred to as a daily discount rate). Or may deposit the total amount of each transaction and charge the merchant once a month for all the fees incurred during that time (called a monthly discount rate).
The merchant is responsible for paying the card network interchange and network fees either through a daily discount or a monthly discount depending on the merchant's agreement with their msp or acquiring bank.
CREDIT CARD PAYMENT PROCESSING COMPLIANCE
Payment compliance is a subject that applies to every merchant. Unfortunately, the many rules and regulations tied to making and taking payments also make it hard to understand what’s expected of your businesses -- especially if you’re unfamiliar with the ins and outs of the card payment industry.
If you want to avoid fines while accepting credit cards, you must adhere to security compliance requirements created and enforced by the Payment Card Industry. There are additional considerations through the Electronic Funds Transfer Act and Regulation E if you also wish to accept debit cards.
The Payment Card Industry has created their own set of compliance rules to keep consumers safe while making credit card payments. Every merchant that accepts cards must maintain PCI compliance to protect customers from data breaches and fraud. What level of PCI compliance responsibility you bear depends on a few different factors:
- How many payments you process per year
- Whether you store credit card data on your servers, or your processor does this for you
- If sensitive card data is physically stored on the premises of your business
Choosing a payment processor that is Level 1 compliant takes most of the PCI burden away from your business. This means your customers’ information remains secure, and you can rest easy knowing you remain in compliance.
An Electronic Funds Transfer (EFT) is a transaction initiated through an electronic terminal, telephone, or computer, which debits or credits a consumer’s checking or savings account.
The Electronic Funds Transfer Act, which governs EFTs, says:
- A preauthorized EFT is one that is authorized in writing
- The writing must be sign or similarly authenticated
- The recipient of authorization must provide a copy to the consumer.
While the EFTA is often thought of in relation to ACH payments, it’s important to understand that if your business accepts debit cards, you must still follow the authorization requirements outlined in the EFTA.
CREDIT CARD PAYMENT PROCESSING RATES AND FEES
Merchant processing rates and fees can seem complicated. Especially when there are many softwares and businesses involved in moving the transaction through the process of authorization and funding (as demonstrated in the chart above).
In addition, each card network -- MasterCard, Visa, American Express and Discover -- can have fees specific just to them. But as an accounts receivable business where taking payments is your primary goal, accepting credit and debit cards is a necessity, even if keeping these fees straight seems intimidating.
Our goal is to assist you in understanding the fees and rates that may appear on your monthly merchant processing statements. Your merchant processor charges you for each transaction, but keep in mind that they in turn are paying the card networks and the card issuing banks what is commonly referred to as an interchange.
Common Monthly Credit Card Processing Fees
Interchange Rates and Fees (Pass-Through Fees) - Card networks, such as MasterCard and Visa, set their own rates and fees. This includes what is paid out to the issuing bank for accepting credit card transactions. All merchants must pay these fees as they are non-negotiable.
You will sometimes see these itemized on your merchant statement at a percentage plus a flat per transaction fee, such as 1.99% + .25. If you are on a tiered pricing model, the interchange fee is wrapped into your tiered rates. These rates and fees can change depending on your business and the type of card used. For example, rewards and corporate cards will have a higher interchange rate and fee than a debit card. These fees are not set by your merchant service provider.
Statement Fee - This is a fee generally between $5 and $15 a month to cover the cost of printing and mailing credit card statements. Some merchants may offer electronic or paperless statements, and opting in may be able to save you from being charged this fee.
Monthly Minimum Fees - This is a fee that some merchant service providers charge if a merchant processes under the designated monthly volume.
PCI Service Fee - If a merchant provides you with PCI (Payment Card Industry) Compliance help from a third party such as Trustwave, you may be assessed this fee. It is used to cover costs and ensure merchants are meeting the PCI requirements for taking credit cards.
PCI Non-Compliance Fee - If a merchant isn’t meeting PCI requirements like completing a Self Assessment Questionnaire or security awareness training (as stipulated by the Payment Card Industry regulations), the merchant could get charged a non-compliance fee. This fee is usually $10-$30 a month, but can be higher.
The purpose of this fee is to encourage merchants to take the steps needed to be PCI compliant. If you see this fee on your statement, call your merchant service provider to find out what steps you must take to become PCI compliant.
Early Termination Fee - Most merchant service provider contracts require a commitment of at least a year -- sometimes longer -- when you apply for their service. If you cancel before this time commitment is over, you could be charged an early termination fee. These are usually fairly substantial, from $100-$500.
Occasional Credit Card Processing Fees
Address Verification Service (AVS) - For card not present merchants (those that take payments over the phone or accept payments online), you may get charged an AVS fee for each transaction. This fee is usually a low per transaction fee of around $0.05.
Voice Authorization Fee - Occasionally, you may get the message that Voice Authentication is needed to approve a transaction. If you do need to call into Visa or any card network’s voice authorization center to verify information on a transaction, you will get charged around $2 - $3.
Request for Copy or Retrieval Request Fee - This is assessed when a consumer or their issuing bank requests a copy of the processed transaction from the merchant service provider to confirm the transaction is legitimate. This is sometimes referred to as a soft chargeback. This fee is usually anywhere between $5 - $30 and covers the cost to produce the documentation.
Chargeback Fee - When a consumer disputes a transaction, the money will be refunded to the consumer and you as the merchant will be charged this fee, usually anywhere from $20 - $40 per occurrence. As a merchant, you will have the opportunity to respond to the chargeback and prove the transaction was authorized, but you will still be charged this fee.
ACH Returned Item Fee or NSF Fee - If you do not have enough money in your bank account to cover the monthly deduction of your merchant fees, you will be charged this fee. Generally ranging from $20-$30.
Merchant Services Pricing
Interchange Plus or Cost Plus or Pass Through - This pricing model is probably the most common. You are charged the interchange or pass through costs that the card networks charge (which is considered your wholesale cost), and the fees your merchant service provider adds, often referred to as a merchant discount fee (considered your mark up costs).
Your merchant service provider takes on the risk of providing you a merchant account and is ultimately responsible for any fraud that could occur. Your rate with the MSP will reflect the amount of risk involved with your industry. In fact, some merchant service providers will not approve a number of high risk industries. These fees are transaction based and are a percentage plus a flat per transaction fee, for instance .50 + $.10.
This model can become more complex on your merchant services statement since interchange or wholesale cost can fluctuate depending on several factors. If the card presented is a rewards card or if it is a swiped transaction verses a card not present transaction, these will impact your pricing.
Tiered Pricing - This plan categorizes each debit or credit card transaction into one of three categories:
- Qualified -This is usually the lowest rate and is applied when transactions are swiped at a card-present terminal.
- Mid qualified -This mid level rate is applied when card numbers are typed into a system rather than swiped. This is usually the case with card not present transactions (online or telephone payments). Requiring an address and CVV code can help move a card not present transaction to a mid qualified rate from a non qualified rate, resulting in a significant savings on your merchant fees.
- Non qualified -This is the highest per transaction rate applied. Reward and corporate cards are going to fall into this category. Also, card not present transactions that fail to get an address verification will also get downgraded to this tier.
CREDIT CARD PAYMENT PROCESSING SECURITY
The majority of merchants in accounts receivable departments and businesses accept credit cards that are considered card not present transactions. Unfortunately, these types of transactions are considered the most vulnerable to security breaches.
According to US Payments Forum, the introduction of EMV technology has dissuaded criminals from scamming at swipers. This means they’ll now be focusing on fraud during card not present transactions. The study, published in March 2017, predicted CNP fraud would increase in the U.S. to $6.4 billion by 2018.
PCI Compliance - The Payment Card Industry Security Standard Council is a global organization that regulates those involved with processing of credit card data in order to protect that data and keep consumers safe from fraud while making purchases with their credit cards.
PCI compliance is a big concern for merchants who want to continue processing credit card payments without fines or risk of their services being discontinued. With the increase in transactions that take place digitally, it’s important to provide a secure environment for consumers to make credit card payments.
Payment processing service providers should be PCI compliant, but keep in mind there are different levels of PCI compliance which can affect how much a merchant is responsible for in maintaining their compliance.
Encryption - This is the process of turning information into encoded information in the computer system, so that it cannot be read if accessed without the key needed to decrypt it. Many companies encrypt data for security purposes.
Tokenization - The process of credit card tokenization takes the credit card data and replaces it with placeholder information. This placeholder (called a token) is of no value if accessed, which keeps consumer data safe.
Data Vault - A physical vault is a highly secure place to store items of great value. A digital vault serves the same function for information stored digitally. Some payment processors offer to store sensitive credit card data for you, so you don’t have to worry about exposing your consumers to a data breach if your system is not secure enough to serve this purpose.