Part I: Magnetic Stripe Debit and Credit Cards


Part I: Magnetic Stripe Debit and Credit Cards

Chapter List

Chapter 2: Payment Card Processing



Chapter 2: Payment Card Processing

The last three decades witnessed major advancements in payment technologies. On one hand, the payment infrastructure was created. This infrastructure consists of highly reliable computer networks connecting automatic teller machines (ATMs) and POS terminals with powerful mainframe computers of financial institutions. On the other hand, new carriers of the customer's financial data emerged. The most common are the magnetic stripe cards and ICCs, also known as chip cards. These developments provided the framework for the electronic processing of payment transactions.

This chapter considers only the electronic processing of credit and debit payment cards implemented with magnetic stripes . For those impatient to discover the overall picture, Section 2.1 gives a quick, broad view on payment card processing. This landscape reveals roles of the acquirer, the payment system operator, and the issuer, and Section 2.2 highlights their attributions in the payment card processing. Many actors can play the role of a payment system operator. In many countries , national bank associations have created dedicated companies to run a national payment network. The most reputed actors, however, are the multinational card associations like Visa, MasterCard, American Express, Europay, Diners Club, Discover, and JBC, which provide global coverage of their payment card processing and have boosted the payment card to the status that it enjoys today. Section 2.3 explains the concepts of card association and brand, which are at the core of the card business. Section 2.4 explains the main features of credit and debit cards, highlighting the differences between these two payment card products. Starting with the Section 2.5, we move quickly to more detailed functionality. First, we discuss the content of the financial data that is embossed or printed on a payment card and stored on its magnetic stripe. The possibilities of reading this information at the point of service are also outlined. Section 2.6 describes potential attacks on payment cards, as well as the corresponding security protections available for this type of card. This security analysis highlights the limitations of the magnetic stripe cards, revealing the need for migrating to ICC implementations . Section 2.7 focuses on the processing performed by the terminal. The rest of the chapter deals with what is called the payment system backbone. Its functionality is described in terms of payment messages exchanged between the acquirer, the payment system operator, and the issuer to complete various transactions. The concepts of authorization, clearing, and settlement are explained; these are basic processes carried out by the payment system. It is important to stress that the processing in the payment system backbone does not change drastically for the credit/debit payment transactions carried out with ICC.

2.1 Payment card processing at a glance

We address this section to those impatient to have at a glance the overall picture of payment card processing. We have chosen for this purpose the cash withdrawal transaction at an ATM terminal. As with any quick, general view, the reader can benefit from a fast orientation to the topic of payment card processing, but not all the details will be visible.

The overall picture is split into two parts : Figure 2.1 shows the things people usually see when using a debit card for withdrawing money at an ATM; Figure 2.2 reveals the unseen part of the payment card processing, which is sometimes referred to as the network and back-office processing. The financial institutions, including banks, payment system operators, and card associations, are involved in the completion of this part of the processing for each transaction carried out with a payment card.

click to expand
Figure 2.1: Payment card processing ” things one can see.

click to expand
Figure 2.2: Network and back-office processing of payment card transactions.

On the backside of the debit card used for performing the money withdrawal, there is a magnetic stripe. It contains the financial data related to the cardholder in connection with an account kept with a bank. While passing this card through the magnetic stripe reader of the ATM, the financial data is read by the terminal and stored in its random access memory (RAM).

The cardholder is prompted to type in his or her personal identification number (PIN), which establishes the link between the user at the point of service and the legitimate cardholder. The cardholder is also prompted to type in the amount of cash to withdraw. After capturing this information from the cardholder, the terminal constructs the payment message. It contains the amount of the cash withdrawal combined with other information about the business environment at the point of service. This information includes but is not limited to the currency in which the amount is expressed , the identifier of the terminal, the date and time when the transaction took place, and the current serial number of the transaction performed by the terminal. The payment message also includes a cryptogram of the cardholder's PIN, which is the result of an encryption algorithm applied to the PIN.

At this point the processing performed by the ATM terminal ends, and the long journey of the payment message through the payment network begins. Figure 2.2 schematizes this journey to an oversimplified circuit composed of the acquirer, the payment system operator, and the issuer. It is important to notice that not all transactions at the point of service are directed on-line to the issuer for authorization. It could be that, after capturing the whole information from the card, the terminal has enough information for concluding the transaction off-line. In the case of an ATM money withdrawal, however, the issuer is usually involved on-line in the transaction for a better risk management. We will assume this situation for the remainder of this section.

The ATM terminal at the point of service forwards the payment message to the acquirer, which further submits the received message to an intricate electronic processing system. Several cooperating parties (the acquirer, the payment system operator, and the issuer of the payment card) participate in completing this processing. Payment messages are exchanged in real time or compiled in batch files following clearly established protocols. Each payment message conveys certain data elements depending on the scope of the processing. While the message is sent from one party to another, each party performs a predetermined set of transformations on the data elements contained in the message according to their business role in the payment system. The following steps roughly describe the processing.

The acquirer creates the authorization request. To this end, the acquirer adds to the payment message received from the terminal some data elements kept in its terminals database. These data elements include the location of the terminal involved in the withdrawal transaction, the type of terminal at the point of service and its capabilities, and the identification information of the acquirer node that creates the authorization request message. In addition, the acquirer translates the initial PIN cryptogram received from the terminal into a second cryptogram that can be deciphered by the payment system operator's secure module. The acquirer attaches the translated cryptogram to the authorization message.

The acquirer transmits the authorization message to the payment system operator's node in the payment network to which its acquirer host is connected. If the ATM withdrawal occurs in a foreign country, after receiving the authorization message, the payment system operator adds to it the actual exchange rate between the currency of the amount requested at the point of service and the currency used in the home country by the cardholder's issuer. Afterwards, the authorization message is directed to the destination node in the payment system operator's network, which is connected to the issuer host. It could be that the payment system operator performs a third conversion of the cardholder's PIN cryptogram using cryptographic parameters that are accessible to the secure module attached to the issuer host.

The issuer host is the final destination point for the authorization message. Based on the financial data in the authorization message, the account of the cardholder is identified. The cryptogram containing the PIN of the cardholder is deciphered in the secure module of the issuer host. This value is used to compute the PIN image control value, which is compared to a similar witness value stored in the cardholders' database since the personalization of the card. If the two values are equal, the issuer accepts the link between the user of the card at the point of service and the legitimate cardholder. Then, the issuer converts the cash amount in its own currency, using the currency exchange rate indicated by the payment system operator. If after deducting the amount requested in the transaction, the balance of the cardholder account is still higher than a floor limit (which could be either a negative value or zero), the issuer accepts the cash withdrawal transaction. Through an authorization response, the issuer host informs the acquirer about the approval or denial of the transaction. The acquirer instructs the ATM terminal at the point of service either to provide the required cash or to decline the transaction.