Find out what goes on behind the scenes to complete a transaction when you use a debit or credit card online.
When you buy online using a card, the payment appears to be instantaneous – you enter your card number, expiry date and your card security code, and the transaction (hopefully) completes.
These are the key stakeholders involved in your purchase.
When you make your purchase, you - the cardholder - are the first step in the process. You enter your card and address details, giving permission for money to be debited.
However, retailers usually won’t actually handle your payment information themselves, instead signing up to a payment service provider and/or acquirer scheme that does this for them.
The payment service provider replaces the role of a card reader terminal in a physical shop.
It does this by providing a secure payment website page for you to enter your card details and security information.
Payment service providers are able to present the MasterCard SecureCode/Verified by Visa page to improve security where the retailer has requested this.
Retailers typically pay a set-up fee and a per transaction fee to their payment service provider.
Payment service providers sometimes also perform the role of the acquirer and this is reflected in their charges.
Unless their payment service provider also has an acquirer function, retailers will also have to pay for an acquirer to process card transactions on its behalf.
The acquirer is responsible for receiving transaction details once they’ve been collected by the payment service provider.
It then passes them through the card scheme and to the issuer.
The card scheme, for example Visa, MasterCard or Maestro, controls the operation and clearing of card payments, following the individual card scheme’s rules.
The card scheme will pass the transaction details from the acquirer to the issuer, authorising the debiting of your bank account or credit card account.
This authorisation is then passed on to the acquirer, which in turn credits the retailer’s bank account.
The card issuer is the bank or building society that provided you with your debit or credit card.
It’s responsible for debiting funds from your account to pass to the card scheme.
To prevent fraudulent transactions, online merchants can opt for one, or several, of the following security options with their payment service provider:
This checks whether the billing address provided by the buyer is the same as the address on file with the credit or debit card provider.
If the addresses don’t match, the transaction will be declined.
This is also known as the card verification value (CVV).
The CSC is usually the last three numbers printed on the back of the card, but individual card schemes have their own CSC arrangements - American Express, for example, uses four numbers printed on the front of the card.
Because the CSC is only printed on the card itself, by providing it the cardholder is confirming that they physically have the card in their possession.
Fraud screening services may be provided by the acquirer, the payment service provider, or a third party provider.
These services use advanced fraud detection technologies, such as pattern recognition, to spot suspect transactions and give the retailer the option of declining the transaction.