Credit card payment processing:
A guide for merchants
Credit card payments, online payments and mobile-optimized options will be increasingly important to merchants in the coming years. Are you offering customers the payment methods they prefer?
Read on for information about how we got here, how a credit card is processed, and industry/legal requirements your business must follow while taking credit card payments. Arm yourself with the know-how to help your business thrive.
The history of credit card processing
How did the use of credit cards begin and how has it evolved? Read on to discover the history of credit card processing, and how it became one of today’s most popular ways to make payments.
The first credit card was called a “courtesy card” and was used in the U.S. by many businesses like oil companies and hotel chains. The cards were issued to customers for purchases at their company outlets, like many store-issued credit cards today.
The first widely accepted and used credit card was created in 1950. The idea, envisioned by businessman Frank McNamara, was a cardboard card that could be accepted by restaurants throughout New York. He came up with the idea after forgetting his wallet while attending a business dinner. The concept became the Diners Club Card – a charge card which required users to pay the bill in full at the end of each month.
The idea was a success and by 1951, the Diners Club had 20,000 cardholders. The American Express Company created its own credit card in 1958, which became the first of its kind used outside the United States. The same year, Bank of America released the first modern credit card in California, allowing consumers to carry their monthly balance forward from month to month for a small finance fee.
In 1966, the Bank of America’s BankAmericard expanded its reach to serve customers outside of California and Interbank Card Association (ITC), known today as MasterCard, debuted as a competitor.
In response to consumer complaints about the fast-growing credit card industry, a number of regulations were created in the late ’60s and throughout the ’70s.
- The 1968 Truth in Lending Act (part of the Consumer Credit Protection Act) was passed to standardize methods of calculating annual percentage rates (APRs).
- The Fair Credit Reporting Act was created in 1970 to protect the use of collection and credit reporting data. Several other regulations intended to benefit consumers who used credit cards came about throughout this decade.
BankAmericard was rebranded as VISA in '66-'67. One year later, a significant Supreme Court decision allowed banks to lend across state lines, charging fairly uniform interest rates no matter what state the borrower resided in. The ruling stated that the interest rate a bank could use would be the one allowed in the bank’s home state.
This was seen as a move toward deregulation, as it encouraged banks to relocate to states which had no interest rate caps. The allowance for uniform interest rates across the country made it easy for financial institutions to serve customers nationwide and popularized the use of credit cards. Learn how credit card technology has evolved over time from NPR's Planet Money.
Sears introduced the Discover card in 1983. This credit card offered purchase rebates, making it one of the first U.S. cards with a cash-back incentive. While brand alone was enough before this point to bring in customers, this reward system created stiffer competition. To entice new users, most major credit card brands started offering frequent flier miles, low-interest offers, sign-up bonuses and other incentives.
In reaction to the financial crisis, the Credit Card Accountability Responsibility and Disclosure (CARD) Act passed Congress in 2009 with strong bipartisan support. This act put limitations on the fees banks are allowed to charge, such as late and over-limit fees. Today, both VISA and MasterCard are accepted worldwide, and are run by boards made up of executives from their member banks.
How credit card processing works
Credit Card Processing Key Players and Terms
Acquiring Bank - A registered member of the card associations. The acquiring bank approves a merchant to accept credit card payments by evaluating the merchant's qualifications in underwriting and making a decision about the risk of approval. This risk can be shared with an Independent Sales Organization (ISO) or a Merchant Service Provider (MSP). Sometimes a merchant may not even be aware of which acquiring bank they use if the company worked exclusively with the ISO or MSP to obtain their merchant account.
Authorization - The first step in processing a credit card transaction. After credit card data is entered by the merchant (either by swiping/inserting/tapping a credit card at a terminal or typing card data into a payment form), the data is submitted from the payment software to the MSP/Acquiring Bank. They then route it through the card network to the issuing bank for an approval or denial.
Authorization Code - This is usually a six or seven digit number returned by the issuing bank in response to a card being processed.
Batching - The second step in processing a credit card transaction. At a time of the merchant’s choosing (usually at the end of their business day), all authorized transactions are transmitted together to the acquiring bank in order for the merchant to receive payment.
Cardholder - A person who obtains either a credit or debit bankcard from a bank that issues cards.
Card Associations - The main function is to be a governing body over banks, Independent Sales Organizations (ISOs), and Merchant Service Providers (MSPs) to provide credit card services to consumers and merchants. VISA, MasterCard, Discover and American Express make up the Card Associations. They decide on the standards that a merchant must meet to accept debit and credit card payments and the interchange fees associated with taking those card transactions.
Credit Card Network - A middle man in the credit card processing transaction, sending a card payment request and response between the acquiring bank and issuing bank. Functions as a part of the Card Associations.
Card Not Present (CNP) - A credit or debit card transaction where the card holder is not physically present, such as an online payment or a payment taken over the phone.
Chargeback - When a cardholder disputes a transaction with their issuing bank. The disputed amount is withdrawn from the merchant’s bank account until the matter is settled. The merchant is given 10 days to respond to the chargeback with proof of authorization. The merchant’s MSP or acquiring bank adds a chargeback fee to the merchant’s monthly billing statement.
Independent Sales Organization (ISO) - A third party company that has a relationship with a card association member in order to provide merchant services to businesses.
Interchange Fee - A charge paid by merchants to a credit card issuer and a card network as a fee for accepting credit cards.
Issuing Bank - The financial institution that approved the cardholder or consumer. The issuing bank receives the payment transaction request and sends back an approval or a decline.
Merchant - Any business. This could be a retail store that sells tangible goods or a business in a service industry, such as a hospital. A merchant accepts debit and credit card transactions as a form of payment.
Merchant Discount Rate - The rate charged to a merchant for payment processing services on debit and credit card transactions. This can be set up to be deducted daily from the processed transactions or can be deducted monthly in one transaction.
Merchant Service Provider (MSP) - This can be a department of an acquiring bank. For example, Bank of America offers merchant processing services. An MSP may also be a third party who works as a partner with an acquiring bank. Merchant service providers do the bulk of the work underwriting a new merchant before passing underwriting documentation to the acquiring bank.
Payment Management Solution/Payment Gateway - Provides a front-end solution for a merchant to accept card transactions. This software allows cardholder information to be entered and sent for an approval or a denial.
Credit Card Authorization Process
1. A cardholder makes a payment to a merchant, which can be done through a variety of methods:
- Card Present Transaction - The cardholder is physically present with their card and swipes, taps or inserts the card at a terminal.
- Card Not Present Transaction - The cardholder verbally gives the credit card data over the phone to a payment representative or via an IVR system.
- Card Not Present Transaction - The cardholder inputs the credit card data via an online payment screen.
2. The payment solution (gateway) sends credit card transaction information to the merchant's MSP or acquiring bank.
3. The MSP or acquiring bank sends credit card transaction information to the credit card network.
4. The credit card network sends credit card transaction information to the cardholder's issuing bank and requests payment authorization.
5. The issuing bank authenticates card information and if funds are available, sends an approval code or a decline message back to the card network. The issuing bank places a hold for the dollar amount of a payment on the cardholder's account.
6. The card network sends the approval (authorization code) or the decline message back to the MSP or acquiring bank.
7. The MSP or acquiring bank sends the authorization code or decline message to the merchant's payment software or gateway.
8. The cardholder's payment is made (if approved) and the payment software or gateway sends a receipt of payment to the cardholder.
How a Credit Card is Authorized
Batching and Funding Process
1. The merchant's payment software or gateway gathers all approved credit card transactions processed throughout the day and sends them to the acquiring bank or MSP in a batch. A batch is typically sent out at the end of the business day but a merchant can choose any time to close and send out batches.
2. The MSP or acquiring bank sends authorized transactions, included in batches, to the appropriate card network (VISA, MasterCard, etc.).
3. The card networks send each authorized transaction to the appropriate issuing bank.
4. The issuing bank debits or withdraws funds for each authorized transaction from the cardholder's account and sends the funds to the card networks, usually within 24 to 48 hours.
5. The card network then sends the funds to the acquiring bank or MSP. The card network charges interchange and network fees and subtracts those fees from the transaction amount prior to crediting the MSP or acquiring bank.
6. The acquiring bank or MSP will then deposit or settle the funds into the merchant's bank account. The acquiring bank or MSP charges a fee called the merchant discount rate (referred to as a daily discount rate) which may be deducted directly from the transaction. They also may deposit the total amount of each transaction and charge the merchant once a month for all the fees incurred during that time (monthly discount rate).
The merchant is responsible for paying the card network interchange and network fees through a daily discount or a monthly discount, depending on the merchant's agreement with their MSP or acquiring bank.
Credit Card Batching and Funding Process
Credit card compliance
Payment compliance is a subject that applies to every merchant. The many rules and regulations tied to payments can make it hard to understand what’s expected of your call center agents, office staff or business as a whole – especially if you’re unfamiliar with rules of the credit card payment industry.
To avoid fines while accepting credit cards, you must adhere to security compliance requirements created and enforced by the Payment Card Industry. There are additional considerations through the Electronic Funds Transfer Act (EFTA) and Regulation E if you also wish to accept debit cards.
The Payment Card Industry Security Standards Council (PCI SSC) is a global organization that regulates those involved with the processing of credit card data in order to protect that data and keep consumers safe from fraud while making purchases with their credit cards.
The Payment Card Industry has created their own set of compliance rules to keep consumers safe while making credit card payments. Every merchant that accepts cards must follow PCI compliance guidelines to protect customers from data breaches and fraud. What level of PCI compliance responsibility you bear depends on a few different factors:
- How many payments you process per year
- Whether you store credit card data on your servers, or your credit card processor does this for you
- If sensitive card data is physically stored on the premises of your business
Payment processing service providers should be PCI compliant but keep in mind there are different levels of PCI compliance that impact how much a merchant is responsible for.
Choosing a credit card processor that is Level 1 compliant reduces the PCI burden your business carries. This means customer information remains secure and you can rest easy knowing you are following PCI compliance requirements.
PCI Compliance Levels
Electronic Funds Transfer Act (EFTA) and Credit Card Compliance
An Electronic Funds Transfer (EFT) is a transaction initiated through an electronic terminal, telephone, or computer, which debits or credits a consumer’s checking or savings account.
The Electronic Funds Transfer Act, which governs EFTs, says:
- A preauthorized EFT is one that is authorized in writing
- The writing must be signed or similarly authenticated
- The recipient of authorization must provide a copy to the consumer.
While the EFTA is often thought of in relation to ACH payments, it’s important to understand that if your business accepts debit cards, you must still follow the authorization requirements outlined in the EFTA.
Credit card processing fees
How much are credit card processing fees? Merchant credit card processing rates and fees can seem complicated, especially when many software systems and businesses are involved in moving the transaction through the process of authorization and funding (as demonstrated in the chart above).
In addition, each card network – MasterCard, Visa, American Express and Discover – can have fees specific just to them. Accepting credit and debit cards is a necessity for business, even if keeping these fees straight seems intimidating.
These are the common credit card processing fees and rates that may appear on your monthly merchant processing statements.
Common Monthly Credit Card Processing Fees
Interchange Rates and Fees (Pass-Through Fees) - Card networks, such as MasterCard and Visa, set their own rates and fees. This includes what is paid out to the issuing bank for accepting credit card transactions. All merchants must pay these fees, as they are non-negotiable.
You may see interchange fees itemized on your merchant statement at a percentage plus a flat, per-transaction fee (such as 1.99% + .25). If you are on a tiered pricing model, the interchange fee is wrapped into your tiered rates.
These rates and fees can change depending on your business and the type of card used. For example, rewards and corporate cards will have a higher interchange rate and fee than a debit card. These fees are not set by your merchant service provider.
Statement Fee - This is a fee generally between $5 and $15 a month to cover the cost of printing and mailing credit card statements. Some merchants offer electronic or paperless statements and opting in could save you from being charged this fee.
Monthly Minimum Fees - This is a fee that some merchant service providers charge if a merchant processes under the designated monthly volume.
PCI Service Fee - You may be charged this fee if a merchant provides you with PCI (Payment Card Industry) Compliance help from a third party. It is used to cover costs and ensure merchants are meeting the PCI requirements for taking credit cards.
PCI Non-Compliance Fee - If a merchant isn’t meeting PCI requirements like completing a Self Assessment Questionnaire or security awareness training (as stipulated by PCI guidelines) they may get charged a non-compliance fee. This fee is usually $10-$30 a month or higher. If you see this fee on your statement, call your merchant service provider to find out what steps you must take to become PCI compliant.
Occasional Credit Card Processing Fees
Address Verification Service (AVS) - For card-not-present merchants (those that take payments over the phone or online), you may get charged an AVS fee for each transaction. This fee is usually a low per-transaction fee of around $0.05.
Voice Authorization Fee - Occasionally, you may get the message that Voice Authentication is needed to approve a transaction. If you do need to call Visa or any card network’s voice authorization center to verify information on a transaction, you will be charged $2-$3.
Request for Copy or Retrieval Request Fee - This is assessed when a consumer or their issuing bank requests a copy of a processed transaction from the merchant service provider to confirm its legitimacy. This is sometimes referred to as a soft chargeback. This fee is usually anywhere between $5-$30 and covers the cost to produce the documentation.
Chargeback Fee - When a consumer disputes a transaction, the money will be refunded to the consumer and you as the merchant will be charged this fee, usually $20-$40 per occurrence. As a merchant, you will have the opportunity to respond to the chargeback and prove the transaction was authorized, but you will still be charged this fee.
ACH Returned Item Fee or Non-Sufficient Funds (NSF) Fee - If you do not have enough money in your bank account to cover the monthly deduction of your merchant fees, you will be charged $20-$30.
Early Termination Fee - Most merchant service provider contracts require a commitment of at least a year – sometimes longer – when you apply for their service. If you cancel before this time commitment is over, you could be charged an early termination fee, usually between $100-$500.
Merchant Services Pricing
Effective rates - Understanding your effective rate gives you a snapshot of your total credit card processing fees. Merchants can find this information by dividing total credit card processing fees by the total dollar amount of all transactions.
Interchange Plus, Cost Plus or Pass Through - This pricing model is probably the most common. You are charged the interchange or pass through cost from the card networks (which is considered your wholesale cost), and the fees your merchant service provider adds, often referred to as a merchant discount fee (considered your mark up costs).
Your merchant service provider takes on the risk of providing you a merchant account and is ultimately responsible for any fraud that could occur. Your rate with the MSP will reflect the amount of risk involved with your industry. In fact, some merchant service providers will not approve a number of high risk industries. These fees are transaction based and are a percentage plus a flat per transaction fee (for instance, .50 + $.10).
This model can become more complex on your merchant services statement since interchange or wholesale costs fluctuate depending on several factors. If the card presented is a rewards card or if it is a swiped transaction versus a card-not-present transaction, these will impact your pricing.
If you have been processing credit cards for any length of time, it could be beneficial to have a merchant services cost savings analysis done. Companies that haven’t evaluated merchant rates in some time may be able to take advantage of better pricing than was previously available.
Credit Card Fees: Interchange Pricing Example
Tiered Pricing - This plan categorizes each debit or credit card transaction into one of three categories:
- Qualified - This is usually the lowest rate and is applied when transactions are swiped at a card-present terminal.
- Mid qualified - This mid-level rate is applied when card numbers are typed into a system rather than swiped. This is usually the case with card-not-present transactions (online or telephone payments). Requiring an address and CVV code can help move a card-not-present transaction to a mid-qualified rate from a non-qualified rate, resulting in a significant savings on your merchant fees.
- Non qualified - This is the highest per-transaction rate applied. Reward and corporate cards fall into this category. Card-not-present transactions that fail to get an address verification will also get downgraded to this tier.
Credit Card Fees: Tiered Pricing Example
Zero Cost Processing - The zero cost pricing model for merchant services works by charging a special fee (like a Technology Fee) to customers for the hardware, software and security costs associated with online transactions. This replaces the traditional merchant billing structure, helping merchants save on costs.
Before choosing this type of payment structure, merchants should speak to their in-house legal counsel or compliance team to ensure it’s a feasible, legal, compliant option for their business type.
Credit card payment processing security
The majority of merchants and accounts receivable departments accept card-not-present credit card transactions. Unfortunately, these transactions are considered the most vulnerable to data security breaches.
The introduction of EMV technology has dissuaded criminals from scamming at card swiper terminals. This means they’ll now be focusing on fraud during card-not-present transactions.
It is imperative businesses understand the basics of secure payment processing to protect everyday business operations and sensitive customer data. Below are some ways to ensure credit card security.
Secure Data Storage Vault - It can be hard to know you’re securely collecting and processing credit card payments without help from a vendor. Small to medium sized businesses often don’t have the team or resources to adhere to PCI compliance and other security measures that come with handling and storing sensitive customer information.
PDCflow securely stores credit card data, reducing PCI scope within organizations. Don’t worry about exposing customers to a data breach if your system is not secure enough to serve this purpose – outsource data storage to simplify your responsibilities.
Payment Data Encryption - This is the process of turning information into encoded data in the computer system. If the data is somehow accessed, encryption makes it impossible to read without a decryption key.
Payment Data Tokenization - The process of credit card tokenization takes the credit card data and replaces it with a randomly generated placeholder. This placeholder (called a token) is of no value if accessed, which keeps consumer data safe.
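The tokenization step described above, as an added example (not PDCflow's code and not part of the original guide): a minimal in-memory vault that swaps a card number for a random token and gives the merchant only a masked value. The `TokenVault` class, the `tok_` prefix and the sample card number (a commonly used test number) are assumptions made for illustration; a production vault would also encrypt the stored card numbers at rest.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: swaps a card number for a random token."""

    def __init__(self) -> None:
        # Key for the lookup index, so the index never holds a raw card number.
        self._index_key = secrets.token_bytes(32)
        self._pan_by_token: dict[str, str] = {}   # encrypted at rest in practice
        self._token_by_fingerprint: dict[bytes, str] = {}

    def _fingerprint(self, pan: str) -> bytes:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).digest()

    def tokenize(self, raw: str) -> str:
        pan = raw.replace(" ", "").replace("-", "")
        if not (pan.isascii() and pan.isdigit() and 12 <= len(pan) <= 19
                and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fingerprint:      # same card, same token
            return self._token_by_fingerprint[fp]
        # The token is random, not derived from the card number, so it is
        # of no value to anyone who does not also have access to the vault.
        token = "tok_" + secrets.token_urlsafe(16)
        self._pan_by_token[token] = pan
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault operator (the payment provider) should call this."""
        return self._pan_by_token[token]

    def masked(self, token: str) -> str:
        """What a merchant screen or receipt can safely show."""
        pan = self._pan_by_token[token]
        return "*" * (len(pan) - 4) + pan[-4:]


TEST_PAN = "4111 1111 1111 1111"   # constructed sample: a common test number

if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize(TEST_PAN)
    print(token, vault.masked(token))
```

The merchant's own systems keep only the token and the masked value; the mapping back to the card number lives solely in the vault, which is what reduces the merchant's PCI scope.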
Credit card payment processing: closing comments
Do you want to accept credit card payments and create a better consumer experience in your own organization?
PDCflow’s secure, compliant payment communication software can streamline your workflows and better satisfy your customers.
Security - Protect your customers from fraud and keep your company safe from data breaches. PDCflow encrypts and tokenizes all payment data and stores all information in a secure vault, so you don’t have to.
Compliance - Reduce your company’s PCI scope with Flow Technology. When customers securely enter their own payment information, there’s no need for your staff to see, hear or store sensitive payment information.
Merchant Processing - PDCflow has relationships with several merchant service providers and can help you apply for a merchant account.
If you want to accept credit card payments, ACH payments or use email and text messaging to communicate with your customers, request a demo.