Payment Card Fraud Primer, Part One: How do Credit Cards Work? – DRAFT
My name is John O’Neill. I’m the head of Sales at Rippleshot and, like you, I’m frantically trying to stay current on the fascinating and frustratingly complex field of payment card fraud detection.
One thing that helps me tackle a really big subject — like, say fraud detection in the $6.5 trillion global card payments market — is to break it down into smaller topics. Instead of saying, “Today I’m going to become an expert on Data Breach Detection,” I say something like, “Maybe today I’ll figure out how the hell my Visa card works. And then I’m going to break for a latte.”
With that in mind, let’s take a look at the surprisingly intriguing history of payment cards.
The Surprisingly Intriguing History of Payment Cards
Our story begins, as it usually does, with an under appreciated scientist in a lab, dreaming of a better world. In our case, the scientist in question was IBM engineer Forrest Parry, and the better world he dreamed of was one where he could fix magnetic tape, the most common storage media at the time, to a plastic card. The year was 1969, and Forrest wasn’t having much luck.
After numerous failures he went home, dejected. He found his wife Dorothea ironing clothes, and he told her his troubles. There was just no way to reliably fix magnetic tape to plastic.
Dorothea, lifting her iron to get the wrinkles out of her husband’s shirt, said, “Why don’t you just melt it on?”
Intrigued, Forrest borrowed his wife’s iron and tried it. It worked. Dorothea had just invented the Magnetic Stripe Card, which over the next four decades completely revolutionized the way the world makes purchases, and enabled the proliferation of the global credit card industry — not to mention my entire career. Thank you, Dorothea.
Forrest Parry’s first magnetic stripe prototype. Despite multiple attempts,
Parry was unable to use this card to purchase Rolling Stones tickets
What’s so revolutionary about a strip of magnetic tape on plastic? For the first time, consumers had a way to share their banking information in a convenient and easily readable format. They no longer had to carry paper checks or large amounts of cash — one swipe of a card through a magnetic reader, and merchants had everything they needed to complete a purchase.
That’s Cool. But How to Credit Cards Make Payments?
Let’s start with a simple example. Imagine you’ve stopped at Jake’s Feed ‘N Gas in Carbondale, Illinois. While you’re filling the tank, you spot a special offer on Jake’s delicious, delicious 2-for-$1 ostrich tacos. You pull out your magnetic stripe payment card, and purchase a mouth-watering slice of culinary heaven.
What just happened?
The world’s first Magnetic Stripe credit card. Later innovations
included numbers, expiration dates, and moving that ugly stripe to the back
A lot of electronic voodoo in a very short period of time, that’s what just happened. But when you step back and look at it from a high level, it’s actually not all that complicated.
Card payment processing actually occurs in two stages: Authorization and Settlement. Because you want your delicious ostrich tacos immediately, and because Jake is willing to wait until end of day to receive his crisp new $1 bill, the former process is considerably faster than the latter. Let’s look at both.
What is Card Authorization?
All of us know the joy of buying tasty ostrich confections from a friendly gasoline vendor. Although we don’t always contemplate what happens behind the scenes (come to think of it, where ostrich tacos are concerned, it’s probably best that we don’t.) But where our money is concerned, it pays to understand the process.
When you hand your well-worn Nova Scotia Bank MasterCard to Jake’s sister-in-law Mable behind the counter, she slides it through a credit card terminal. What happens next is a rapid-fire electronic data exchange between about a half a dozen interested parties, much of which occurs over a private data network. Here’s what it looks like.
The magic of Payment Card Authorization consists of five distinct steps, all of which occur in fractions of a second:
- Mable delicately runs your MasterCard through the Jake’s Feed ‘N Gas Card Reader. The reader captures your banking particulars from the magnetic stripe, and transmits that data to the Bank Processor (or, in some cases, the bank that sold Jake his trusty card reader, known as the “Acquiring Bank.”)
- The bank processor identifies your payment card as a MasterCard issued by Nova Scotia Bank. It bundles the transaction information, and routes it through MasterCard’s private Banknet network to Nova Scotia Bank (The ‘Issuing Bank”) to be approved or declined.
- Nova Scotia Bank has your back. It responds by approving your taco transaction, after confirming the transaction information is valid, you have sufficient balance for the purchase, and that your account is in good standing.
- The Bank Processor sends an approval code to Mable’s card reader, to be stored in a batch file for later settlement.
- Delicious taco joy.
Huh. That Was Easy. What About Payment Card Settlement?
At the end of a long business day, Jake’s Feed ‘N Gas closes shop, and kicks off the process of settling up daily credit card charges. The credit card clearing and settlement process uses the same basic components (minus the delicious tacos).
- Jake presses the ‘Batch’ button on his card reader, sending a batch of approved card authorizations to his Bank Processor.
- The Bank Processor reconciles and transmits the batch of authorizations through Banknet (for MasterCard) and VisaNet (for Visa). It also deposits funds from those reconciled sales sales into Jake’s account, using an ACH (automated clearinghouse) debit, minus any processing fees.
- MasterCard debits your account at Nova Scotia Bank, and credits the Bank Processor for $1, minus interchange and network fees.
Why is This Information Helpful to Me?
I’m glad you asked. Understanding the basics of payment cards authorization and settlement tells you where your personal banking data — the critical information that is stolen in a breach — is transmitted and stored. In effect, it’s a map of data vulnerabilities.
In future installments, we’re going to use this information to explain the exact mechanism of payment card fraud. Stay tuned.
John O’Neill is the Vice President of Sales at Chicago-based Rippleshot. He received his Ph.D. in Chemical Engineering from the University of Illinois at Urbana-Champaign. He can be reached at firstname.lastname@example.org.