How Things Work: Credit Cards

You press "CREDIT" and swipe your card. You leave with $50 worth of groceries, and you haven't had any cash on your person all day. The merchant knows he'll get your $50, however. Likewise, you can order your textbooks from a web site, and your order can ship within minutes of it being received; you don't even have to have a checking account.
Credit cards and debit cards have had a pretty dramatic impact on our lives and the way we do business, especially since the advent of the Internet. Unlike some technology of which people are actively aware, credit cards and the infrastructure that supports them are invisible most of the time, so you might not even think about what happens when a transaction is authorized. Of course, that authorization hasn't always been quite so instantaneous or secure.
The first universal credit card (as opposed to department-store credit cards which were only good at a specific store) was introduced by Diners Club in 1950. The story is that businessman and Diners Club founder Frank McNamara found himself without enough cash to pay for a meal, and he was inspired to invent the credit card after convincing the restaurant owner to take an IOU. In the early days, there wasn't a massive computer and telecommunications infrastructure in place to handle credit card business, so transactions were performed primarily via an exchange of paperwork between merchants, credit card companies, and banks. As credit cards increased in popularity, so did credit card fraud; merchants needed some kind of payment guarantee before they let merchandise walk out the door.
The earliest form of point-of-sale (POS) credit card authorization was known as voice authorization. As the name suggests, this technique involves the cashier making a phone call to the merchant bank or acquiring bank, the company that provides the merchant with the ability to process credit card transactions. Voice authorization is still used today in situations when a damaged card can't be read by the magstripe reader, when a cashier suspects a card to be fraudulent, or by merchants who only make a few transactions every month. In the late '60s this was the only way that credit cards operated, and as credit cards gained in popularity, checkout lines in department stores rapidly got out of hand. By 1970, nationwide networks for processing credit card transactions had been established to streamline POS credit card authorization. Phone calls were made from machine to machine, but the transaction still relied largely on a subsequent exchange of paperwork for the merchant to get their money.
These days, the card data are read from the magnetic stripe on the back of the card, and the only paperwork involved is the sales draft signed by the customer, yet the transaction still has two steps, a legacy of 1960s technology. This is true even for transactions made on the Internet. Before you walk out of the store, your transaction has to be authorized to confirm the legitimacy of your card. In order for the merchant to receive payment for the transaction, it has to be settled, which usually occurs at the end of the business day for retail transactions. When your credit card is read by a POS terminal, your card number, expiration date, and transaction amount are transmitted to the retailer's acquiring bank via telephone lines, a dedicated ISDN line, or an Internet connection. The acquiring bank's computer can tell what type of credit card you have from your account number. American Express numbers start with 37, Diners Club with 38, Visa with 4, MasterCard with 5, and Discover with 6, for example. The account and transaction data are then transmitted over bank networks to the appropriate corporation. For bank cards like Visa and MasterCard, the data is forwarded again to the particular bank that issued your card. Your account information and available credit are then confirmed or denied, and the information follows the same path back to the retailer's POS terminal in a matter of seconds. Authorization of an Internet transaction is similar to its retail analog, only there's frequently an additional step: larger online stores usually have the capability to communicate directly with their acquiring bank, but smaller operations send their authorization requests via the Internet to a company known as an Internet payment gateway. The only function of a gateway is to receive securely transmitted authorization requests over the Internet from online merchants and transmit them to the merchant's acquiring bank via traditional methods, and vice versa.
In either the retail or Internet scenario, all the transactions for a day are usually settled in a batch every evening (the exception being Internet purchases for physical products that don't get shipped on the same day), and the funds end up in the merchant's account at the acquiring bank. The acquiring bank makes money by charging the merchant a fee, usually around three percent, on every credit card transaction. The acquirer pays the card issuer a smaller fee, also based on the dollar amount of the transaction.
If you order merchandise over the phone, the process works a little differently. Because the product doesn't get shipped immediately, there's no immediate need for authorization. Merchants can authorize all of a day's transactions in batch at the end of the day, so they don't even need a separate phone line for credit card authorizations. Transactions are also settled in end-of-the-day batches, but not until after the product has been shipped. Although authorizations are for a specific dollar amount, there is usually 10 to 15 percent leeway, so the settlement delay allows for the addition of things like shipping charges, which may not have been known at the time of authorization. The other difference between retail and phone, mail, or Internet transactions is that in the latter cases, when the card isn't physically present, additional information is submitted with the authorization request to help eliminate fraud. This usually includes the cardholder's street address, ZIP code, and a three-digit number printed on the back of the card called a "Card Verification Value 2," "Card Validation Code," or "Customer Identifier." By requiring information not printed on the front of the card, these schemes make it harder to make a purchase with stolen information.
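The two steps described above (authorize a specific amount, then settle in an end-of-day batch with some leeway, with extra fields required when the card isn't present) can be sketched as follows. This is an added illustration, not code from any real payment system; the 10 percent leeway, the field names, and the card numbers are assumptions, and the issuer's available-credit check is left out.

```python
from dataclasses import dataclass
from decimal import Decimal

# Leading digits -> card type, exactly as the article lists them (not a full table).
PREFIXES = [("37", "American Express"), ("38", "Diners Club"), ("4", "Visa"),
            ("5", "MasterCard"), ("6", "Discover")]
LEEWAY = Decimal("0.10")                 # assumption: low end of "10 to 15 percent"
CNP_FIELDS = ("street", "zip", "cvv2")   # extra data when the card isn't present

def card_type(pan):
    return next((name for prefix, name in PREFIXES if pan.startswith(prefix)), None)

@dataclass
class Auth:
    pan: str
    amount: Decimal
    approved: bool
    reason: str

def authorize(req, card_present):
    """Step 1: approve or decline a specific dollar amount."""
    pan, amount = req.get("pan", ""), Decimal(req["amount"])
    if card_type(pan) is None:
        return Auth(pan, amount, False, "unknown card prefix")
    missing = [] if card_present else [f for f in CNP_FIELDS if not req.get(f)]
    if missing:
        return Auth(pan, amount, False, "missing " + ", ".join(missing))
    return Auth(pan, amount, True, "approved")

def settle(batch):
    """Step 2: end-of-day batch of (Auth, final_amount, shipped) tuples."""
    settled, held = [], []
    for auth, final, shipped in batch:
        within = Decimal(final) <= auth.amount * (1 + LEEWAY)
        ok = auth.approved and shipped and within
        (settled if ok else held).append((auth.pan, Decimal(final)))
    return settled, held

def demo():
    # Constructed sample data; the card numbers are made up.
    retail = authorize({"pan": "4000000000000001", "amount": "50.00"}, True)
    phone = authorize({"pan": "5000000000000002", "amount": "80.00",
                       "street": "1 Example St", "zip": "00000", "cvv2": "000"}, False)
    no_cvv = authorize({"pan": "370000000000003", "amount": "20.00",
                        "street": "1 Example St", "zip": "00000"}, False)
    # Shipping pushes the phone order to 86.00 (within 10%); 95.00 would not be.
    return no_cvv, settle([(retail, "50.00", True), (phone, "86.00", True),
                           (phone, "95.00", True), (no_cvv, "20.00", True)])
```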
Despite all these safeguards, credit card fraud still happens all the time, so it's important for credit card users to be careful. If you lose a card, report it to the card issuer immediately. Cut old credit cards into several pieces before discarding them. Make your telephone transactions from a land line rather than a cell phone. Perhaps most importantly, remember not to transmit your credit card information in an unencrypted e-mail message or enter it into websites that aren't secure (the URL will say https:// rather than http:// if it's secure).