PSD2 in Simple Language

PSD stands for Payment Services Directive. Unlike most regulations that people in the card payment industry are familiar with, these are not scheme rules (rules created by Visa, MasterCard, AMEX, etc.), but European legislation. This is why merchants cannot negotiate their way out of compliance, as sometimes is possible with scheme rules. This is a law.

PSD1

The ‘2’ means this is the second such law. The first one was implemented in 2007. It provided the legal foundation for an EU single market for payments, to establish safer and more innovative payment services across the EU. The objective was to make cross-border payments as easy, efficient, and secure as ‘national’ payments within a Member State.

One stipulation was that any payment method would have to be available across the union. The end of purely national payment schemes, such as Laser in Ireland, was a result of this. Other ‘national’ payment schemes survived by going co-branded. Essentially this meant that they would keep their brand, but use the infrastructure of Visa or MasterCard to process payments.

Also part of the legislation was a cap on pricing. This was done by limiting the ‘interchange’ fees for consumer cards to 0.3% for credit cards and 0.2% for debit cards. You can read more about the costs of card payments elsewhere on this site.

PSD2 is about more than making payments safer

As mentioned PSD2 is the second European law dealing with payments. Like the first one, it is a very comprehensive set of laws, and the main aim is the loosen the stranglehold that Visa and MasterCard have on the card payments market. It introduces concepts such as Payment Initiation Services and Account Information Services. In both cases, banks are compelled to open their systems and share their data with third parties, who, it is hoped, will start offering competing services to card payments, especially bank-to-bank transfers.

There is also increased consumer protection in the legislation. One component of this, but by no means the only one, is SCA. Strong Customer Authentication means that any payment needs to be accompanied by proof it is the owner of the card who is making the payment and not someone who just happened to get hold of the card number.

This burden of proof is quite strict; it requires two separate pieces of information to be submitted. And the card number itself is not one of them!

The information allowed as proof falls into three categories:

  • Something only the cardholder knows, such as a PIN or password.
  • Something only the cardholder has, such as a phone or token.
  • Something the cardholder is, such as a thumb print.

So, what does this mean in practice?

There are quite a few scenarios, which I will go through one by one.

The customer is physically present.


To keep things simple, you should only accept two types of payment:

  • Contactless payments
  • Payments confirmed by Chip and Pin

Any other process, such as swiping a card or entering the card number manually, could lead to the payment being declined. I am saying ‘could’ because, in the end, the bank that issued the card to the cardholder has the final say. But to be safe, you should limit yourself to contactless and Chip and Pin.

The Issuer has final say

Within the bounds of the law, it is the issuers who decide to accept or decline any payment. They are completely free to make their own decision, and neither the cardholder, the merchant, the merchant’s bank, or even the scheme has any say in this. And they don’t even have to tell you why. As a matter of fact, the algorithms they use would be considered commercially sensitive. Hence the fact that most transactions that are declined get the “05” decline code: a generic decline.

 
Contactless payments are for low values only. In most countries, this means up to €50. You should be aware though that if someone has used their card for 5 subsequent contactless payments, or for subsequent payments for a total value exceeding €150 the law mandates that the payment is secured by Chip and Pin. If your terminal is set up for it, it will ask for the card the be inserted and a PIN entered. If it isn’t, it will decline the transaction. You should in this case advise the customer to retry with Chip and Pin. Once a card has been used for a payment using Chip and Pin it will ‘reset’ and it can again be used for up to 5 contactless payments/a cumulative number of contactless payments not exceeding €150.

A Chip and Pin payment is for all other payments, only limited by the amount allowed or available on the card. This is the safest form of payment, as any claim by the cardholder that it was not them who made the payment will be rejected.

The myth of a guaranteed payment

A Chip and Pin transaction will protect a merchant against a claim of a cardholder that it was not them who made the payment. But a cardholder might still contest a payment (chargeback) on the basis that the service was not provided/did not meet expectations, etc.

 
This is a simplified overview, and there are exceptions, but in principle, you should not take a payment by swiping a card or manually entering the card number if the customer is physically present. Only use the two accepted methods described above.

The customer is on the phone.

In this case it acceptable to enter the card number in your terminal or booking system to take a payment. What you have to ensure though is that the transaction is correctly processed as a MOTO transaction. MOTO stands for Mail Order/Telephone Order. The former hardly exists anymore, but the second one is still very popular.

The following differs from terminal to terminal, but when manually entering a transaction in your terminal, the first option is almost always to select the type of transaction. This is where you have to choose MOTO. When staff is rushed, they often choose the first option, typically a standard sale. This will lead to this transaction being flagged as a PKE, or Pan Key Entry. On average a quarter of these get declined, and this rate is rising. And you might be liable to fines from your processor. You should therefore choose the MOTO option.

If you are using a booking system instead of a physical terminal, you should contact the provider of this system to ensure they flag transactions correctly.

Choose the correct transaction type for telephone orders

You should contact your terminal provider to get instructions on how to choose the MOTO transaction type and train your staff on how to do this.

And talk to your booking system provider.

 

The customer is making a payment on your website.

As with payments where the customer is physically present, there is a separate process for low-value and high-value transactions. However, to keep things simple, I advise you to always use 3D Secure. This is basically the equivalent of the PIN for transactions when the customer is present.

3D Secure and losing sales

Initially 3D Secure meant the customer had to know their password. Often they did not and would abandon your shopping cart. Nowadays, however, in most cases, the cardholder gets sent a code to their mobile. This had led to much-improved acceptance levels.

 
It is important to make a distinction between authentication and authorisation. The former means the customer successfully proves it is them who is giving approval to the payment. The latter is the decision of the cardholder’s bank to approve the transaction.

If you process a transaction using 3D Secure the following might happen (this is again a simplified overview):

  • The 3D Secure process (authentication) fails. Although in some small number of cases this might be caused by a technical issue, in the majority of cases it is because the cardholder did not put in the correct password/PIN. You should never proceed with such a transaction.
  • The authentication is successful, but the transaction is declined. As per above, this is because the issuer decides not to accept it. This might be because there are not sufficient funds on the card, but it could be any other reason.
  • The transaction is accepted. And because of 3D Secure, the merchant is protected against disputes if the stated reason is that the cardholder claims it was not them who agreed to the transaction. As per above though, there might be other reasons though that 3D Secure does not protect against.

Some notes on 3D Secure:

Sometimes the issuer might decide to accept the transaction without invoking 3D Secure, especially when the transaction value is low. In industry jargon, this is described as “Attempt Acknowledged”. The merchant is protected against disputes if the stated reason is that the cardholder claims it was not them who agreed to the transaction. As per above though, there might be other reasons.

There are different versions of 3D Secure. The original system is now called version 1. To complicate things, there is no version 2. Instead, there is a version 2.1 and a version 2.2. Version 1 is still the most popular and is still being accepted. But it is being phased out, with both Visa and MasterCard announcing that support for the system will end in October 2022. If you have not yet moved, start planning to do so. Your Gateway will be able to advise but be aware that some development work will be required.

 
Merchent Initiated Transactions (MIT)

All of the transactions mentioned above have one thing in common: the cardholder is there (physically, on the phone, or in front of their computer) to give his or her consent to the payment. Therefore these are called Cardholder Initiated Transactions. The other main category is Merchant Initiated Transactions (MIT). As the term indicates, these are transactions where the merchant is processing a transaction, without the cardholder being around in any shape or form. An example of this is a hotel processing an additional bar charge after the customer has already departed. They can also be system generated, for example for a utility bill or subscription.

Often it is thought that every transaction using a saved card (mostly referred to as a ‘token’, but officially a ‘Credit on File’) is a Merchant Initiated Transaction. This is however not the case for so-called “one-click” transactions.

Credit on File (COF) transactions

Credit On File (COF) is just a fancy way of saying you have saved the card details of your customer in your system.

Transactions, where a customer places an order on a website and decides to use a previously processed card (the COF), are Customer Initiated Transactions, as the customer is at their computer, assenting to the transaction. This means they will have to be processed using 3D Secure.

 
How to deal with real Merchant Initiated Transactions is quite complex if you want to do it correctly. I will explain below what I believe the best approach is.

In the vast majority of cases, this process is online, so this is what I will focus on. You will have to speak to your e-commerce gateway and booking system/accounting system provider to implement this.

Getting Customer Agreement

You MUST have an agreement from your customer to save their card details, for what type of charges you can use them for, and for how long you are going to keep their details. You must specify these in your Terms & Conditions, and get confirmation from the cardholder that he or she has accepted these (ticking the box).
 
 

T&C’s and Chargebacks

Schemes will look for proof of agreement by the cardholder for the payment according to their rules. These take precedence over your Terms & Conditions and as such referring to these will not automatically win you chargebacks. But they are taken into consideration, for example for no-show transactions. You will have to prove the customer’s acceptance of YOUR Terms & Conditions though. Acceptance of those of an intermediary such as booking.com is not acceptable.

 
Customer Authentication

If you are taking a payment, and as part of that process (offer to) save the customer’s card details, you should already be doing this, as per the web order process above.

If you are not taking a payment, for example if you are taking only a booking, you will still need to do a customer authentication. You can do this by processing a “zero value” transaction. This process works exactly the same for a normal transaction, and the cardholder will have to go through the 3D Secure process. Because the value is zero, there will obviously no reservation on the customer’s card and no funds will move.

The Reference Number

In both the above scenarios, the authorisation needs to be slightly different, in that it needs to tell the acquirer, card scheme, and issuer that you are saving card details for future use for a MIT. The issuer will respond by providing you with a reference number, which you will need to save (which is where your booking or accounting system provider comes in).
 
 
 
 
 
 
 
 

You are now set up.

Raising a MIT payment

You can only raise a payment for the reasons outlined and for the period agreed in the Terms & Conditions. The payment needs to be raised via your booking or accounting system. Terminals do not support raising MITs. The transaction again is slightly different in that it needs to contain the reference number and tell the acquirer, card scheme, and issuer that this is a MIT. Your ecommerce gateway should support this.

Examples of MIT are: subscription payments, no show payments in hospitality, payments following express checkouts, delayed delivery payments, payment for damage/fines/tolls in car rental, etc.

Summary of Transactions

Chip and PIN transaction

Chip and PIN (EMV in industry-speak) will give you liability shift for claims of fraud and are seen as the most secure.

Swiped transaction

Payment is made via “swiping” the card through the card reader of the terminal.  This transfers the card number and other data from the magnetic stripe on the card to the terminal.

This type of transaction is not compliant with SCA, has no liability shift, and will be more and more declined. 

GooglePay, AndroidPay or ApplePay transaction

These are wallets in which the card of the customer is saved. As such these are ‘normal’ card transactions. Instead of a PIN, the customer authenticates themselves via a biometric: a fingerprint or the face.  Most issuers limit the amount you can pay via these wallets, but it is expected that these will be increased over time. 

Contactless transaction

But with limitations. These are*:  a maximum of €30 per transaction, €150 for total subsequent transactions, and a maximum of 5 subsequent transactions regardless of value. 

*Due to COVID-19, the limits have been temporarily increased. 

If these are exceeded, your terminal should not decline the transaction, but ask for a Chip and PIN. There are however still many older terminals around which do not support this, and they will decline the transaction.

Contactless PIN transaction

Although not yet widespread,  it is expected that more and more cards and terminals will support contactless PIN. In this case, the cardholder taps their card and enters their PIN without having to insert the card. These transactions will allow much higher transactions to be processed. 

Ecommerce  transactions, including Card-on-File/One-click transactions

As per above, 3D Secure is now mandatory, and as such these transactions are compliant. This is also why increasingly transactions without 3D Secure (‘Unsecure’ transactions) will be declined. 

Note: transactions using 3D Secure version 1 will be supported until October 2022. After this date, they will no longer be accepted. You will have to prepare for moving to version 2.1 or 2.2 before this time.  

PKE transaction

A Pan Key Entry transaction is a transaction where the merchant records the card details and processed the payment at a later stage by entering the card manually.  

This is no longer compliant and these transactions will be increasingly declined. Instead, Merchant Initiated Transactions should be used. 

MOTO transaction

A Mail Order/Telephone Order transaction is a transactions where the customer gives their card details over the phone. As per above, provided correctly flagged, these are compliant.

As many merchants are not ready yet for Merchant Initiated Transactions, many have switched to using MOTO for these transactions. Whilst not correct, this is currently tolerated by the schemes. 

Merchant Initiated Transactions

This has been extensively discussed above. Properly implemented these transactions are compliant. 

Final Notes

These rules and regulations sound and perhaps are cumbersome. But there is a good reason for them. The fastest-growing part of the payments market is e-commerce. These payments are however also the most fraud-sensitive. A customer who becomes a victim of fraud, will probably not buy online (or via a app) again. If that becomes widespread, merchants will suffer. It is therefore in everyone’s interest to make transactions as safe as possible. Because we all know that prevention is better.

3DS Explained

When you are paying in a shop with a credit or debit card, you will be asked to insert your card into the terminal and enter your PIN. This PIN is stored on the chip on your card and the terminal will compare the PIN entered with the PIN stored. This way it proves that it is the cardholder who is making the payment and not someone who has ‘found’ the card. This is why it is so important that you NEVER share your PIN with anyone.

If you are buying online, you obviously cannot insert your card into a terminal. Instead, a system called 3D Secure was developed. It was started by Visa as ‘Verified by Visa’ but was adopted by most other schemes: Mastercard (‘SecureCode’), Discover (‘ProtectBuy’), JCB International (‘J/Secure’), and American Express (‘SafeKey’).

How it works

When you enter your card number, in the background a message is sent by the gateway* to a server hosted by the relevant scheme. This server keeps a database of all issuers who participate in 3D Secure and the website they host to support it. If the issuer is not participating, the server will respond with an ‘Authentication Attempted’ message (see below). If the issuer is participating, the server will return the website address.

The gateway* will now redirect the cardholder from the merchant website to the website address provided. This is the website that the issuer has nominated for the 3DS process. In many cases, the issuer has outsourced this to a third party. This is why you often see a name you don’t recognise, for example, Arcot.

When the cardholder is redirected, information is also posted to the website in the background, which allows the website to recognise the cardholder, and to know how much and to whom the payment is for. Because the issuer knows the cardholder’s phone number (it is their customer after all) it will send a PIN to this number. The cardholder enters this number on the website. This allows the issuer to compare the two and know that it is their cardholder who is looking to make a payment.

The result of this comparison is sent back to the requesting gateway*.

The merchant can now decide if they want to proceed to authorisation or not.
 
 
 
 
*Depending on the integration method chosen by the merchant, this can be a message sent by the merchant via the gateway, or the process can be fully handled by the gateway. Merchants cannot send a message directly.

To Proceed or Not to Proceed.

Depending on the outcome, the merchant is liable for a fraudulent chargeback or not.

It is important to note that 3D Secure only protects against fraud. It does not protect against chargeback for other reasons, e.g. customer claiming not to have received goods, etc. Also, some card types are excluded from even fraud protection – even if they have gone through the process. This is the case for most commercial cards.

 
The below table gives an overview of possible outcomes, what it means for you, and recommended action.

Payment Methods

There are 3 basic ways of getting paid, cash, paper (cheques, postal orders, etc.) and digital (direct debit, bank transfer, card, or wallet).

The first two have the disadvantage of being physical, which means there is a high cost of processing involved, risk of losing payments, etc. Especially for CNP situations, these payment methods are not really fit for purpose.

We will focus on the last category. There are 6 subcategories. We are for now excluding virtual currencies such as BitCoin as this currency is currently more an investment product as a payment method.

Cards

There are a handful of international card schemes: VISA, MasterCard, American Express, ChinaUnionPay, Diners/Discover, and JCB. Most of these schemes offer both Credit and Debit cards.

CUP is the biggest scheme but is hardly used outside China (although a lot of Chinese tourists are using it). JCB is mostly a Japanese card and Diners (incl. Discover) mostly US. American Express is also a card that is stronger in the USA than outside, but can be of interest because it is popular among business users/high spenders. In European markets, VISA and Master Card dominate.

Outside China, Visa dominates transaction volumes, due to their large market share of cards issued, accounting for $3.273 trillion dollars in spending in 2010. The next largest payment network is MasterCard, which processed $2.047 trillion dollars in 2010.

Spending on the Visa network accounted for 52.4% of global payment volume in 2010, compared to only 32.8% for MasterCard, and 11.2% at American Express. Discover placed a distant fourth place, accounting for 1.7% of spending.

American Express users spend over $7,714 per year, per card, which far exceeds spending on any other network. As a basis of comparison, Visa users spend only $1,725 per year, per card.

Sources:

  • http://www.nerdwallet.com/blog/credit-card-data/credit-card-transaction-volume-statistics/
  • http://www.moroku.com/the-war-in-crimea-will-weaken-visa-and-mastercards-market-share-even-further/

Local Card Schemes

These card schemes are usually debit only, and were designed with point-of-sale and ATM use in mind – that is, they were devised in a pre-internet world, and as a consequence may not be ideally suited for use in a card-not-present environment. SEPA legislation has meant that these local schemes are now co-branded with one of the international schemes, though transactions processed via the international schemes may not achieve the preferential interchange rates.

Some schemes have completely closed down (e.g. Laser in Ireland) and have typically been replaced by VISA and/or MasterCard Debit cards.

RTBT

A Real-Time Bank Transfer (RTBT) is an electronic transaction that transfers funds directly from the customer’s bank account to the merchants’ account in real-time. The customer is redirected to their bank’s website (or a third party website which facilitates such transactions) where they authenticate the transaction by entering their account details and some kind of transaction authorisation number (TAN), often generated from a secure device. In many cases the customer does not divulge their account details to the merchant, minimising the risk of those account details being compromised. As such, this kind of transaction is inherently secure and deemed to be a low risk of fraud. Additionally, many of these payment methods do no support “chargebacks”, which makes them very attractive to merchants. An RTBT may offer “multi-bank” support, allowing a merchant to accept transactions from customers of multiple different banks, or they may be “mono bank”, which means that specific payment methods must be implemented for customers of specific banks.

Wallets

An eWallet is essentially an account into which customers may deposit funds, and which can be used directly to purchase goods or services. In this sense, eWallets function in a similar fashion as Real-Time Bank Transfers, with real-time authorisation of the availability of funds. Like RTBT methods, the customer’s account details are not shared with the merchant, and so the details are seen to be inherently secure. This significantly reduces the risk of fraud.

The main advantage of eWallets over RTBTs is that RTBTs are often created for use in a specific market or country, whereas e-wallets are generally designed with international use in mind.

Direct Debits

A Direct Debit is a transaction in which the customer provides their personal account details to the merchant, and issues a mandate to the merchant to withdraw sufficient funds to cover the cost of that transaction. An electronic direct debit differs from a traditional direct debit in that no paper mandate needs to be signed – permission can be given by phone or over the internet. No verification of fund availability takes place, and because the account details are shared with the merchant, those details are open to compromise. As such, these payment methods are deemed to be at a high risk of returns due to lack of funds and are frequently exposed to fraud. Customers can chargeback transactions that have been attributed to them, and so merchants must take care to manage these risks. Despite these limitations, this method of payment is the preferred method of payment in the German market.

Offline Payment Methods

All payment methods discussed so far are initiated online: the customer provides details of a payment instrument to the merchant at the time of purchase, often with some real-time verification of the details and the availability of funds. Offline payment methods – where the customer fulfills the transaction after the order has been placed – are still popular across many markets, and in fact dominate in some key markets (for example, Germany and Poland). Offline payment methods fall into a number of categories:

• Traditional, paper-based payment methods are still widely used – examples include payment by invoice, payment by cheque, and payment by postal order.
• Cash on delivery is also a preferred payment method in many markets – in its simplest form, the customer pays cash to the driver who makes the delivery. However, more sophisticated versions exist – for example, in Germany, many postal and courier services will arrange a kind of “escrow” delivery service, where delivery will be held until the customer confirms that the payment has been completed.
• Offline credit transfers are also popular: the merchant provides the customer with their bank account details when the order is placed, usually accompanied by some kind of reference number for reconciliation. The customer then fulfills the order by transferring the funds directly to the merchant’s bank account either at a branch or via phone or online banking. The merchant will not ship the goods until the funds have been confirmed as received.

Choosing Payment Methods

The criteria you should use to decide on which payment methods are best for you are:

1. Markets
2. Type of payment
3. Cost
4. Risk
5. Reconciliation.
6. Other factors

Markets

First of all, markets mean countries. A Payment Processor has market information on most European countries and can advise you what the prevalent payment methods are in a particular country. For example, the UK market is dominated – at least for now – by cards and direct debits. But in The Netherlands, you will need to offer iDeal as well, as this payment method has a dominating position in on-line payments.

Sometimes there is a lot of confusion about payment methods in a particular country. For example, in France, there is a national payment system called Groupement des Cartes Bancaires using the “Carte Bleue” brand. In practice, however, virtually all cards issued in France are co-branded with Visa or MasterCard.

Markets may also mean the socio-economic group you are targeting. For example, if you are targeting a youthful audience, they might not have credit or debit cards, but might have a PayPal account. This is for example the case for merchants who sell digital downloads to mobile phones.

Type of payment

Different payment methods are more or less suitable for different types of payments. All payment types support one-off payments. But what about other requirements?

The main one here is recurring payments. If your business is subscription or renewal based, you will need a reliable and cheap solution for taking these – it is still hard to beat direct debits. However, there is a hardcore of users, estimated at approx. 10% will not use Direct Debits, so you will have to offer at least another alternative.

If you have repeat business from the same customers, and you have web-based customer accounts, your payment methods have to be able to offer one-click payment solutions to make payments as easy as possible to ensure you maximise this repeat business.

Other merchants need an easy and reliable method for returning payments to their customers.

Cost

We will go into much more detail about the cost for cards later. When comparing payment methods, however, the following generalisations can be made:

Although cost is important for everyone, it becomes even more so if the ATV of your product or service is low.

Risk

We will be talking about fraud later. But again it is possible to make a general statement as to how much risk is associated with various payment methods.

Note: risk is defined as the chance of non-payment, including chargebacks, etc.

For some companies, risk is more of a factor than others. If you ship physical goods with a high ATV or vouchers you are a bigger target for fraud than if you are dealing with low ATV products or services or products such as insurance. How payments are taken is also important: online payments are riskier compared to call centre payments.

Reconciliation

Esp. larger organisations need to be able to reconcile all payments quickly and easily with a minimum of errors. Process flows need to be in place and ideally, data will be available immediately to logistics/distribution, finance, and customer service operations.

Payment methods and their providers need to be able to provide the information you need. If you increase the number of payment methods you offer, this will also increase the effort required for reconciliation and associated reporting and cost.

Local payment methods often require a local bank account or even a local presence; this again will increase your administrative burden and cost.
You will, therefore, have to balance the part of the payments market you wish to cover versus the complexity and cost of reconciliation.

Other factors

A number of other factors that are important here are:
• Your offer of payment methods needs to be clear, your websites easy to use.
• Where possible you will want single solutions – robust, supportable and upgradeable.
• Solutions need to be compliant with regulation, whether in-house or 3rd party.
• Ease of integration, coupled with focused support from 3rd Parties
• Future proofing to ensure that the mobile and tablet technology can be delivered as integral to core business systems

Why accept cards?

• More convenient for customer and merchant – less cash handling
• Spontaneous sales, increased volume/value
• Displaces cheques – lower handling costs and security
• Speeds throughput at Point of Sale – faster turnover
• Makes sales over internet and phone possible
• Guaranteed funds and security of settlement
• Simpler back-office reconciliation and control; substantially reduces back-office costs

Card Payment Process Flow

Payment card processing (whether using a debit or credit card) is the process of reserving and taking funds from a cardholder’s card and crediting the merchants’ account with these funds. The merchant can carry out this process by sending transactions through a payment service provider i.e. A Payment Processor.

When taking payments by credit or debit card, two kinds of transactions are defined by the banking industry and the card schemes:
• Card Present Transactions
• Card Not Present Transactions

Most cardholders will be familiar with the more traditional Card Present (CP) transactions. CP transactions are those where the cardholder is present with their physical credit or debit card. To complete the sale the card is inserted into a card terminal to read the customer’s data from either the magnetic strip or the chip-and-pin device. In many countries, CP transactions require that a secret pin code be entered to authenticate the transaction, or alternatively the customer is required to sign a receipt to authenticate a transaction. The customer may be asked to produce identification to prove that they are in fact the cardholder. Because the customer is physically present with their card, and have authenticated their transaction either by entering their pin number or signing for the transaction, the transaction is considered to be largely non-repudiable, i.e. the customer cannot easily claim at a later date that they did not authorise the payment to be taken from their card. This information is provided for training purposes. This booklet does not deal with Card Present Transactions

Card-Not-Present (CNP) transactions are all those transactions where the customer is not physically present with their card, and it is these kinds of transactions that A Payment Processor exclusively deals with. CNP transactions can come in a variety of different forms:
• Internet (or E-Commerce) transactions
• Mail Order transactions
• Telephone Order transactions
• Fax Order transactions

In all of the cases described above, the customer provides their card information, but at no point is the card itself produced. Because the cardholder is not physically present with their card, it is not possible to confirm the identity of the customer using any of the means described above (although there are alternative means which can be used, and which are discussed later in the document). Merchants, therefore, need to be particularly careful when processing CNP transactions because, in the event of fraudulent use of a card, the legitimate cardholder can repudiate the transaction.

Stages

The stages of a card transaction are outlined below – A Payment Processor, as a payment services provider, are primarily concerned with the authorisation and batching stages of the process. However, it is important to understand all parts of the process, as questions may arise from customers on any or all of the elements below.

• Authorisation: The cardholder pays for the purchase and the merchant submits the transaction to the acquirer (acquiring bank) via a payments services provider such as A Payment Processor. The acquirer verifies the credit card number, the transaction type and the amount with the issuer (Card-issuing bank) and reserves that amount of the cardholder’s credit limit for the merchant. An authorization will generate an authorisation code, which the merchant stores with the transaction.

• Batching: Authorized transactions are stored in “batches”, which are sent to the acquirer. Batches are typically submitted once per day at the end of the business day. If a transaction is not submitted in the batch, the authorization will stay valid for a period determined by the issuer, after which the held amount will be returned back to the cardholder’s available credit. Some transactions may be submitted in the batch without prior authorizations; these are either transactions falling under the merchant’s floor limit or ones where the authorization was unsuccessful but the merchant still attempts to force the transaction through. (Such may be the case when the cardholder is not present but owes the merchant additional money, such as extending a hotel stay or car rental.)

• Clearing and Settlement: The acquirer sends the batch transactions through the card schemes (Visa/Mastercard etc.), which debits the issuers for payment and credits the acquirer. Essentially, the issuer pays the acquirer for the transaction.

• Funding: Once the acquirer has been paid, the acquirer pays the merchant. The merchant receives the amount totaling the funds in the batch minus either the “discount rate,” “mid-qualified rate”, or “non-qualified rate” which are tiers of fees the merchant pays the acquirer for processing the transactions.

• Chargebacks: A chargeback is an event in which money in a merchant account is held due to a dispute relating to the transaction. Chargebacks are typically initiated by the cardholder. In the event of a chargeback, the issuer returns the transaction to the acquired for resolution. The acquirer then forwards the chargeback to the merchant, who must either accept the chargeback or contest it. A merchant is responsible for the chargeback only if she has violated the card acceptance procedures as per the merchant agreement with card acquirers.

Authorisation

Card Authorisation is the process by which the customer’s card details are validated for correctness, and where their account is checked to ensure that there are sufficient funds to complete the transaction. Card authorisation is a complicated business, and the process of authorising a card transaction involves the input of a number of different stakeholders. When processing a card transaction through a Payment Processor, the card details are sent first to your acquiring bank, then to the customer’s card issuing bank via the card schemes. Despite the complexity of each transaction, the authorisation process itself is completed in real-time and takes no longer than 3 to 4 seconds to process.

Note: The card authorisation process is distinct from the transaction settlement process, in which transactions are actually funded.

When authorising a credit or debit card transaction, a number of key card details are used to identify the customer. These are:
• The Credit Card Number
• The Card Expiry Date
• The Card Security Code (the three or four-digit code usually located at the back of the card)
• Any Address Data provided for Address Verification (where supported, mainly UK based)

The Credit Card Number itself may be any length from 14-19 digits. The first six digits of the card number are known as the BIN or Bank Identification number – this identifies the card type (e.g. 4 for Visa and 5 for Mastercard) and the bank that issued the card. The Card Expiry Date is always in the form of MMYY. The Card Security Code (variously referred to as the CSC, CVV, and CV2) is usually three digits long and located on the back of the card. American Express cards have a four-digit CSC number which is located on the front of the card.

It should be noted that the only information guaranteed to be used in the authorisation of a card transaction is the Credit Card Number. The expiry date is usually, but not always, checked. The Card Security Code may be checked, but providing an incorrect Card Security Code will not always result in a card being declined. While A Payment Processor requires that a cardholder name be entered to complete every transaction, this information is gathered for reconciliation purposes only and is not used in any way in the authorisation process itself. The name provided by the customer may not match the name present on the card itself.

The diagram below shows the transaction flow for a standard credit or debit card transaction, outlining each of the key stakeholders in turn.

The card authorisation process is outlined below:

1 The Cardholder makes a purchase via the Merchant’s website. To pay for the purchase, the Cardholder enters key card details that identify their account.
2 The Merchant passes the customers’ card details to A Payment Processor for processing
3 A Payment Processor process the card details provided to the acquiring bank, the financial institution with which the merchant has signed a merchant services agreement. The acquiring bank checks that the transaction is allowed under the conditions of that agreement
4 The card details are processed, via the Card Schemes, to the bank that issued the customer’s card, the issuing bank. The issuing bank is identified based on the BIN Range of the card number provided. The Issuing Bank is the only authority who has access to the customer’s bank account details. The customer’s card details are validated, and the customer’s account is checked to determine if there are enough funds to cover the cost of the transaction. If the details are correct, and there are sufficient funds to cover the transaction, an authorisation code is returned to A Payment Processor granting authority to draw down the funds at a later date. A hold is placed on the funds on the customer’s account to prevent the account from being overdrawn.
5 The Transaction Result, and Authorisation Code (where applicable), are returned by A Payment Processor to the merchant. The transaction is now ready to be settled and funded.

Settlement

Settlement is the process of taking the money that has been reserved on the cardholder’s card at the authorization stage and crediting it to the merchants’ account. Gateways send the transactions to the merchants acquiring bank in a settlement file on behalf of the merchant. This instructs the acquiring bank to debit the cardholders’ card and credit the merchants’ account with the authorisation amount.
There are 2 types of settlement that the merchant can use
Automatic settlement
This is where Realex will automatically settle the transaction on behalf of the merchant. The transaction is automatically put into an open batch once the transaction is authorised.

Delayed settlement

This is where the merchant wants to decide on when to settle the transaction. This may be because they want to check they have the goods in stock before debiting the funds from the customer’s card. The merchant can manually settle the transaction by using the Realex transaction management tool RealContol or they can settle it remotely via XML, sending the message from their own system for example. Once the transaction is manually settled it is put into the merchants’ open batch for the day. The merchant must settle the transaction manually within 28 days of the authorization. However, some acquirers might charge additional fees for “late” settlements.

A batch will be opened when an automatic settlement authorization is sent in from the merchant or when the merchant settles a delayed transaction. An open batch will be created for each Bank Merchant ID that the merchant is processing authorization through. Open batches are closed at 12 midnight for most acquirers and put into the bank’s settlement file. The settlement file is delivered to the bank the following morning. The following diagram shows the transaction flow from authorization to settlement for 2 merchants processing through the same acquiring bank: 

The following matrix shows the main Irish and UK acquirers and typical cut of time (note: taken from A Payment Processor).

Transaction Funding

Transaction Funding is the process by which funds for an authorised transaction are transferred from the customer’s bank account to your bank account. This is handled entirely by your acquiring bank – once the batch file has been delivered, A Payment Processor plays no further part in this process.

Timeline of an Authorisation

How long is an authorisation valid?

If you make a card sale via a standard authorisation (called “final authorisation) you should settle and the end of the same day.

Pre-Authorisations are valid for 30 days (MasterCard) or 31 days (Visa).

There are however exceptions, such as Maestro (7 days).

This means you can use an authorisation code received from an issuer for this period of time and still get your funds. After this period, your settlement request will fail.

How long are funds reserved?

The reservation will be used once the settlement is made.

If no settlement is made, reservations will be released much earlier than the period for which authorisations are valid. This is decided by the issuer.  Most issuers let reservations expire after 7-10 days. Some however keep a reservation for up to 21 days. 

If you settle late, you might incur late settlement fees, which can be quite expensive.

That is why using pre-authorisations are often the better way if you know you are not going to settle within this time-frame. Pre-authorisations also carry a fee, but not as much as the late settlement fee.  So:

  • A standard authorisation is the cheapest and should be used if you expect to settle immediately
  • A pre-authorisation is cheaper if you know you are not going to be able to settle immediately
  • If you don’t know when you are going to settle, you will need to analyse how often your settlement is within or outside the limit and you will have to calculate which option is most beneficial

Can you reverse a reservation on a card?

Pre-authorisations can be reversed, but final authorisations cannot.

Issuers are often prepared to reverse a reservation if they receive a letter from the merchant. You would need to furnish this to the cardholder who can present this to his bank. Not all issuers are prepared to do so though, and this is obviously a very time-consuming process. 

Pre-Authorisations

Merchants should authorise and settle for exactly the same amount. If they do not know the exact amount, they should use a pre-authorisation . A pre-authorisation is basically an estimate of the amount the merchant believes will be owed at the end of a transaction. 

This is very common in hotels, where on top of the room rental food and drink bills might be added. A merchants should analyse their trading history to estimate this additional cost. The pre-authorisation should then cover both the known cost (for the booking of the room) and the estimated additional cost.

However, only expected cost should be included in the estimate. To prevent reserving unnecessary reservations on a card,  it is not allowed to add costs that might arise, ‘just in case’. (For example for potential damage to a room).

Topping Up

If the amount pre-authorised does not suffice for a growing bill, for example, if the guest is running up an ever-increasing bar bill, the original pre-authorisation should be topped up. 

Topping up will NOT extend the term of the original authorisation for an additional 30/31 days. The total amount can be settled in one transaction using the original authorisation code and other mandatory data. In theory, you can top up a pre-authorisation as many times as you require. The increments do require customer authorisation OR a field called TRAN ID linking the top-ups to the first authorisation (you should talk to your gateway and/or booking system provider).

Settlement

A pre-authorisation should be settled within 24 hours of the end stay of the guest (I am staying with the hotel example here). The settlement must be for a lower or the exact amount of the pre-authorisation.  If lower, the remaining amount of the pre-authorisation must be reversed, so the reservation will be removed from the card.  You should never settle for a higher amount.

Fees

Pre-authorisations do attract additional fees, which is the reason why you should use normal authorisations if you do know the exact amount as it will reduce fees.

 

Who is Who

An overview of the different participants in the payments process. 

Merchants

This is you. You must have a Merchant Services Agreement with an acquiring bank with which a Payment Processor is certified as a Payment Services Provider.  Also, the merchant will require the technical infrastructure to allow them to connect to the A Payment Processor Service.  

Technology Enablers

A merchant will require the technical infrastructure to allow them to connect to a Payment Processor Service.  That technical infrastructure may be in-house, but frequently merchants will be using third-party software or services. 

The integration with a third party is driven by merchant/customer demands on a case by case basis, but no contractual arrangement (other than an NDA) exists between A Payment Processor and the third parties.  A Payment Processor employs a co-operative strategy with the third parties who enable the technology between A Payment Processor and its merchant base. 

Because of its large client base, A Payment Processor has much existing integration with third parties such as shopping carts, industry platforms, IVR solutions, etc. We can provide you with overviews of these on request.

It should also be considered integrating your payment solution with your business system. By merging payment processing with business solutions merchants can automate payment reconciliation with accounting, logistics, etc., cutting down on data entry and eliminating human error.

Gateways

To process card payments a merchant needs access to acquirer’s systems. Acquirers will however not let anyone simply connect to them; it is necessary to go through a certification process. This process does not only cover the sending of real-time requests (such as authorisation request which check if the cardholder has sufficient balance on their card) but also the submitting of daily batch files (settlement files) which instructs acquirer to move funds from the cardholder’s account to the merchant’s account.

The process of certification is complex, time consuming and expensive: they take on average 3 months.  And as rules continuously change or new services are developed, there are regular re-certifications required.

As this is simply not possible for a merchant, a gateway does this for them.  Not only can the merchant take advantage of the scale of the gateway (spreading the certification cost), gateways will typically also certify in multiple acquirers. As the biggest cost in card processing sits normally with the acquirer, this provides the merchant with an opportunity to switch acquirer without having to do a new integration via a technology enabler.

In the Card Not Present space, the Payment Processor is the dominant player in the Irish market.  In the UK, thanks to a combination of direct sales and white label solutions provided under the Global Payments and Elavon brands, A Payment Processor is also one of the leading providers.

Card Acquirers

What is acquiring?

  • Acquiring is a risk-based business provided to merchants enabling them to accept plastic cards through various channels
  • Provides Value-Added Features (VAS) -Gift Card, Electronic Bill Payment, DCC – that generate/share additional merchant revenue
  • Authorisation, clearing and settlement (ACS) of international credit, charge and debit cards both domestically and globally
  • Acquiring covers Point of Sale (POS) and Card Not Present (CNP) transactions, also in some nations ATM
  • Provides Operational services to support processing of cards efficiently and smoothly
  • Meets merchants’ needs to accept a form of electronic guaranteed payment for goods/services

It is important to distinguish between your acquiring bank and the bank with whom you have your account. In most cases, they are not the same. Elavon, First Data Merchant Services, Global Payment, and WorldPay are all independent acquirers. But even AIB Merchant Services is a separate organisation compared to AIB Bank (and is actually owned 51% by First Data). You can – for example – use Elavon as the acquirer and have your bank account with Bank of Ireland (although not every acquirer works with every bank).

An acquiring bank (or acquirer) is a bank or financial institution that processes credit or debit card payments on behalf of a merchant. The term acquirer indicates that the bank accepts or acquires card payments from the card-issuing banks within an association. The best-known (credit) card associations are VisaMasterCardDiscoverAmerican ExpressDiners ClubJapan Credit Bureau and China UnionPay.

An acquiring bank enters into a contract with a merchant and offers it a merchant account called a Merchant Services Agreement. The arrangement provides the merchant with a  line of credit. Under the agreement, acquiring bank exchanges funds with issuing banks on behalf of the merchant, and pays the merchant for its daily payment-card activities.  The acquirer will provide the merchant with a MID (Merchant ID). Each MID is linked to one bank account (but multiple MIDs can be linked to the same bank account).  You might need multiple MID because you will need to distinguish between transaction types (the fee you pay to acquirer will differ per type, more about that later).

  • Card Present: A Card Present (or Retail) transaction is one where the debit/credit card used is physically in the presence of the merchant. These types of transactions would normally be processed using a physical terminal supplied to the merchant by their acquiring bank and would be accompanied by chip & pin technology. The merchant would usually be able to avail of a much lower per-transaction rate from the bank as the risk associated with card-present transactions would generally be perceived to be much lower than in other environments. A Payment Processor does not provide support for Card Present transactions. A merchant cannot process through Realex using a MID reserved for card-present transactions
  • MOTO: Mail Order/Telephone Order transactions are a type of Card Not Present transaction. The card details are provided to the merchant via mail or by phone. A merchant may use a MOTO MID for processing transactions via the Online Terminal or the Virtual Terminal (or for their own, remotely integrated MOTO system) but may not use this for E-Commerce transactions
  • ECOM: E-Commerce transactions are another type of Card Not Present transaction. In this case, the application is for E-Commerce transactions – where customers enter their own card details via a website, without the intervention of the merchant. E-Commerce transactions would generally be considered to be high risk (relative to card-present transactions) and so carry a high per-transaction rate from acquiring bank. E-Comm MIDs can be used to process MOTO transactions – however, if the customer intends on processing a large volume of MOTO transactions, they may be better off applying for a separate mid (which may come with a better per transaction rate from the bank)
  • Recurring: Recurring transactions are transactions where the merchant charges his customer on a regular basis, e.g. for membership or subscription. Repeat business where the customer regularly buys from the same merchant, is not recurring business, however. There are different rules per acquirer, but most acquirers require the first transaction of the series to be treated as a standard transaction and do require recurring transactions to be flagged as such. In most cases, you will be able to avail of better rates for recurring transactions as they are considered less risky.

Acquiring banks accept the risk that the merchant will remain solvent. The main source of risk to acquiring a bank is fund reversals. These can be voluntary refunds from the merchant to the cardholder or chargebacks. Due to the high amount of risk acquiring banks are subject to, it is them who will be responsible for ensuring the merchant is PCI compliant, will require security checks such as 3Dsecure, and will often require minimum balances to be kept in the merchant account.

Most acquirers also work with a Merchant Category Code. This is a four-digit number that classifies your business by the type of product or service it sells. This code also can have an influence on the rates you pay and might mean that additional rules get applied. E.g. for MCC 6012 merchants are required to send in additional information with their authorisation requests.

The main acquirers in the UK and Ireland are AIB MS, Elavon, EVO Payments, WorldPay, Barclays, First Data MS, Global Payments, Lloyds. Of not are also EMS Card and Amex.

Card Schemes

A Payment Processor enables eCommerce merchants to process card payments with acquiring banks.  Acquiring banks themselves are members of Card schemes, who regulate acquiring and issuing side of the business.  The schemes are broken into two areas, debit and credit card schemes.

A Payment Processor is not a member of the VISA or MasterCard schemes but can act as an agent to process VISA and MasterCard transactions into scheme members i.e. acquiring banks.  However, a Payment Processor is still required to comply with the regulatory environment i.e. the Payment Card Industry – Data Security Standard (PCI-DSS).  The standard is aimed at protecting the card schemes brand by ensuring that any entities that process or store card data are following security guidelines as laid out under PCI. But more about that later.

Card Schemes are the owners of a payment scheme, into which a bank or any other eligible financial institution can become a member. By becoming a member of the scheme, the member then gets the possibility to issue or acquire the transactions performed within the scheme.

In Europe, the introduction of the Single Euro Payments Area has brought big changes.  SEPA stands for the Single European Payments Area.  The intention is to harmonise bank systems throughout the Eurozone so as to make cross-border payments easier and eventually to facilitate Eurozone banking from a single account in any one country.  The Card Payments Directive provides for legislation to be enacted in all the EU countries in order to facilitate Eurozone banking. No national debit card scheme will operate in one country – a national debit card scheme must exist throughout the Eurozone or not at all.  This is why schemes such as Laser, Switch, and Solo have disappeared and VISA and MasterCard have introduced their own debit cards.  In some countries, local debit schemes still exist, but these tend to be “co-branded” with either VISA or MasterCard.

Not all acquirers support all card schemes. VISA and MasterCard are always covered, for example, AMEX is often not available via acquirer. In such cases, the merchant will have to get a Merchant Services Agreement directly with the scheme. 

Card Issuers

A card issuer is a bank or credit union that offers credit or debit cards. The card issuer makes the credit limit available (where applicable) to cardholders and is responsible for sending payments to merchants for purchases made with cards from that bank.

Data Protection Regulator

There is another regulator to which all participants must comply, the national data protection legislation.  Because A Payment Processor stores customer data, they are classified by the Irish Data Protection Commissioner as a Data Processor.  Many merchants are Data Controllers. A Payment Processor can give you advice on the main areas you would have to look into.

Choosing a Gateway

What are the main deciding factors for choosing the right gateway for your business?

Cost

Overall transaction processing fees consist of acquiring fees (which include fees for the card schemes and card issuers) and gateway fees. It should be noted that the cost resulting from gateway fees typically account for the smaller part of this cost.
• The gateway fee as % of your cost can simply be calculated by taking the Payment Processor’ flat fee and Average Transaction Value (ATV) over the past 12 months
• Depending on the Debit/Credit card split, how international your business is, and other factors, acquiring fees can be complicated. The base fees are 0.2% for debit cards and 0.3% for credit cards, but the Acquirers fees come on top of this and you will pay substantially more for international payments.

Reliability / Availability

A Payment Processor must recognise that availability of payment processing is of paramount importance for all merchants who operate and sell in the real-time authorisation environment. You should, therefore, choose a payment gateway with world-class availability figures and comprehensive DR. You will be looking for 99.99% uptime or higher.
Independence & Multi-Acquirer Setup
An all-in-one acquiring/gateway agreement can seem quite tempting. However, looking at the choice strategically, having a gateway agreement that is tied to acquiring creates an obvious interdependency, gives no flexibility, and reduces the merchant’s negotiation power.

As an independent gateway, a Payment Processor allows the merchant to connect into several major acquirers in the UK and Ireland (see also above).
This gives the benefit of being able to switch acquirers without having to go through a new integration. Or a merchant could have a multi-acquirer setup; a Payment Processor can provide this with only one single integration.

Service – Account Management

When everything is working fine, you might be tempted to go for the cheapest provider. It is however when something goes wrong that you find out if you are with the right provider. Apart from that, you should look for a gateway provider that keeps you informed on new payments industry developments and is in regular contact to ensure that any developments on your side are matched with capabilities on the side of your provider.

Security & Compliance

The security of data is an obvious requirement when considering any provider who will support your operations. In the electronic payments industry, PCI DSS is the industry standard that all operators must attain compliance.

A Payment Processor must comply with PCI DSS Level 1, the highest level of PCI compliance.

A Compelling Product Offering

To best meet the needs of its merchants, a payment gateway must provide a range of services and features and support for the right channels.

Call centres are expensive to run but if you have one you do need to offer the opportunity for clients to place an order and pay there and then. As there are substantial PCI implications of taking card numbers over the phone, you might consider taking payment via a solution that allows the customer to enter their card in their phone. A Payment Processor has several partners who offer such solutions.

To save cost, many clients are now moving their customer to pay via IVR or online; which is fast and effective. IVR is, of course, more suitable for customers who are paying an invoice rather than shopping and paying, for which online payments are more suitable.

Especially in sectors where payment is made for purchases on a spur, or for payments taken by your mobile staff, payments taken via tablets and mobiles are becoming more and more important.

Finally, it is possible to take the customer out of the payment loop altogether if you would introduce recurring payments. Storage of card details brings you to the highest level of PCI compliance requirements. When using a third party you should however ensure you have agreed that you can get your card back if and when required and at what cost. Furthermore, you should ensure that card details can easily be updated and maintained and that old data is periodically removed. Finally, more and more processors are also offering a scheduler service.

Integration Options

Most payment processors now offer:

  • Fully independent solution, where the merchant keeps control over all parts of the process but does accept PCI liability. Your systems communicate to the processor via API’s, which are however different from processor to processor.
  • Hosted pages, where the payment processor takes over some of the PCI liability. The merchant does lose full control, but more and more pages are customisable and this also has the advantage that new services are integrated by the processor all the time, which you as a merchant can than easily integrate into. Some merchants prefer to use an iFrame.

In both cases, you should ensure that your and the processor’s pages are fully mobile compatible. For call centres we also increasingly see that they use the same online page as that which is presented to customers on the web.

There are variations on the hosted solution, such as iFrames, which will allow you to keep your URL visible.

Choosing Your Acquirer

Definitions

Inter-regional Transaction

A transaction where the Issuer of the card used is located in a different Visa/MasterCard Region to that of the Merchant.

Intra-regional Transaction

A transaction where the Issuer of the card used is located in the same Region as that of the Merchant.

Domestic Transaction

A transaction where the Issuer of the card used is located in the same country as the Merchant.

Acquiring license

Acquirer requires a license from card schemes before they may acquire merchants in a certain region

Qualified Rate

Acquirer offers rate based on certain criteria is met. i.e. ecomm trans is 3D Secure/AVS/CVV, CP transaction is authenticated by pin etc. If this criteria is not met an exception charge is applied. Majority of acquiring banks can not check in real time if transaction is qualified.

Interchange Plus

A method of pricing, merchant is charged basic interchange rate of transaction + a set BPS or cent/pence.

Blended Rate

Same rate is offered across multiple card types/regions/channels.

Multicurrency acquisition

Multicurrency Acquisition means the processing and acquisition of transactions in multiple currencies

Pan-European Licence

Acquirer can acquire merchants any country as per card scheme list of countries covered. i.e. UK Acquirer can acquire Non-UK domiciled entity.

Cross-Border Acquiring

If a merchant operates in more than one European country they could have a MSA with one bank that enables them to accept cards in several countries as opposed to having a MSA with a acquirer in each country. Whether or not the merchant can achieve domestic interchange rates in their countries depends on acquiring bank’s platform. In some cases Cross Border Acquiring Restrictions means acquirer can only acquire ‘International Merchants’ (those that operate in a minimum of 3 countries in Europe region.

Introduction

An acquiring bank:
• is a licensed member of MasterCard, Visa, American Express or Diners that screens and accepts Merchants into its bankcard program, processes transactions, and completes financial settlement for them
• acquires transactions performed using a credit/debit card issued by a bank other than itself
• accepts risk for each Merchant that is included in its bank program
• must carefully weigh up the risk against the potential profit for each merchant application
• must pay both the card issuer and the relevant card scheme from any fees charged to the merchant

The bank accepts or acquires credit card payments from card-issuing banks within one or more associations. The best-known (credit) card associations are Visa, MasterCard, American Express, Diners, Japan Credit Bureau, and China UnionPay.
An acquirer supplies a merchant account that allows a merchant to accept credit card payments. From the merchant, account money can be directed to a bank account at the merchant’s bank.

Acquirer pays interchange fees which are fixed rates set by the card associations, and which vary by the type of card used and where the card was issued versus where the merchant is located. These interchange fees provide the income for the card issuer. Acquirer also pays scheme fees, which are dependent on volume processed. This is one of the reasons why there is a strong trend towards consolidation in the market.

Acquirers earn their money by marking up the interchange fees, or by charging a fixed rate (either an amount, which would be more typical for debit cards) or a percentage, which would be more typical for credit cards). In the latter case the estimate of the mix of cards and country of origin are important, as an incorrect estimate could mean that acquirer would lose money.

Acquiring Banks assume much of the risk in the credit card processing network because merchant accounts are a line of credit and not a holding account like a current account. In the event a merchant becomes insolvent, and suffers fraud or chargebacks, acquiring bank suffers the loss if the funds cannot be recovered either from the merchant or the customer. For this reason, most Acquiring Banks require any individual/entity wishing to accept credit cards to undergo a credit check and/or supply financial data before establishing a merchant account.

Card associations typically consider a participating merchant to be a risk if more than 1% of payments received result in a charge back. Visa and MasterCard levy fines against acquiring banks that retain merchants with high chargeback frequency. To defray the cost of any fines received, acquiring banks are inclined (but not required) to pass such fines on to the merchant.

Leading European Acquirers are ConCardis, First Data, Credit Mutuel, Banque Populaire, BNP Paribas, Swedbank, Global Payments, Credit Agricole, Barclays and WorldPay. The main Irish and UK acquirers are:
1. Allied Irish Bank Merchant Services – a joint venture between AIB Bank and First Data Merchant Solutions
2. American Express
3. Bank of Ireland – offers its merchant service through EVO Payments
4. Barclays Merchant Service
5. Bank of Scotland – offers its merchant service through First Data Merchant Solutions
6. Clydesdale Bank – offers its merchant services through WorldPay
7. Elavon Merchant Services
8. HSBC – HSBC offers its merchant services through Global Payments
9. Lloyds Banking Group Merchant Services – partly owned by First Data Merchant Solutions
10. Ulster Bank/NatWest/RBS – offer their merchant services through WorldPay
11. Santander – Santander offers their merchant service through Elavon
12. WorldPay Business Services
13. Yorkshire Bank – offers its merchant services through WorldPay

Acquirer Licences

For an acquirer to be able to sign up merchants for their MasterCard and Visa transactions a license from the card schemes in the relevant country or region is required. Historically, for this to take place, an acquirer has needed to have a presence in each country concerned. This enabled a license from the card schemes to be obtained and with it the relevant settlement BINs (Bank Identification Numbers) against which transactions are cleared. These BINs are loaded onto acquiring platforms for this purpose.

This BIN is visible on your credit card: it is the first 6 digits. This is why you are allowed to store the first 6 digits of the card number; the BIN is really handy because it can help you tell what type of card it is and who issued it. To be able to do the latter, you will need BIN files. Unfortunately, there is no 100% accurate BIN file available anywhere; please talk to us if you require more information.

If the bank did not have a presence in a certain country, an alternative way of obtaining BINs is to form a partnership with a bank in the country or countries where the acquirer wishes to do business. For example, Streamline has such a relationship with ANZ, the result of which is that Streamline has ANZ BINs domiciled in Australia and New Zealand set up on Streamline.

For a merchant, this is relevant, because it can make a difference in the fees to be paid as will be explained below.

Global license

Airlines are the only industry that can avail of global acquiring.

Pan European license

Visa and Mastercard versions of Pan European covers different countries. A Pan-European license does not mean the acquirer can offer domestic rates in every European country.
Cross Border Acquiring

If a merchant operates in more than one European country they could have an MSA with one bank that enables them to accept cards in several countries as opposed to having an MSA with an acquirer in each country, this is known as cross border acquiring and the banks are known as cross-border acquirers.

Card Schemes have cross-border acquiring programs that enable these banks to offer merchants a single contract covering multiple European countries, as per Visa and MasterCard respective European countries.

The merchant avoids the complexity and expense of separate contracts in each country.

The benefits of cross-border acquiring are:
1. Streamline operations – This type of centralised acquiring means no need for separate terms of business, separate settlement periods and complicated behind-the-scenes reconciliation. It streamlines the merchant’s operations and saves administrative costs.
2. Benefit from increased choice – Merchant will have increased choice and commercial freedom to select an acquiring bank outside their domestic market. This could be particularly useful if acquiring bank has specialist services or expertise that you can’t find in your own market i.e Gaming.

A cross border licence does not necessarily mean the merchant can achieve domestic rates, acquirer must build domestic rate tables into their platform.

Example of Cross Border Acquiring – Avis.

Avis had an MSA with an acquirer in each country that they were present in. In approx. 2000 they moved to Barclays whose cross border acquiring services replaced the local acquirers.

Multicurrency

The term ‘multicurrency’ is applied to a merchant who accepts transactions in a currency or currencies other than the currency of the country that they are domiciled or registered in. Settlement to the merchant may also be in a currency other than their local currency. Settlement may be on a like-for-like basis (between the currencies which acquirer supports), e.g. euro transactions settled to the merchant in euro. Alternatively, settlement may be on a cross-currency basis, e.g. euro transactions settled in Sterling. With a cross-currency settlement, the acquirer generates additional revenue through the exchange rate used in the conversion process.

Another term that is used is ‘cross border’. This applies to a merchant whose transactions originate outside of the merchant’s country.

Multicurrency Acquisition

Multicurrency Acquisition means the processing and acquisition of transactions in multiple currencies.
Key sectors requiring a facility outside a single country are:
1. International Airlines – this is still the only trading sector where acquiring can be done on a global basis
2. Car Hire and Hotels – although worldwide businesses, unlike airlines, the card schemes still do not allow global acquisition.

Merchant Services Agreement

It is a contract that sets out the terms and conditions of an agreement between the Merchant and the acquirer. It is a standard contract for most SMEs but custom for corporate merchants. Sets out all terms of the contract for example
• Bonds
• Pricing
• Other Fees
• Card Types
• Currencies
• Commerce Type (e.g. MOTO, ECOM, etc.)

The MSA includes details on funds transfer (when) and settlement, either gross (full amount) or net settlement (minus the fees). Before an MSA is issued, an in-depth analysis is required by the acquirer. Because of the higher complexity and often higher risk, and MSA for a corporate client can take months, whereas for most SME’s it would be weeks. The acquirer needs to set its fees very accurately as it needs to be competitive but if set too low, the acquirer will lose money; and also take into account any risk they take on. If the risk is higher, fees are higher, a (large) bond may be required and settlement times might be longer.

Risk

Crucial to the maintaining of a positive balance over time is the limiting of reversal of funds; Rebates/Refunds voluntarily initiated by merchant and chargebacks forcibly initiated by the cardholder.

Chargebacks are the biggest risk to any acquirer as they could potentially be at risk for up to 6 months of transactions. Example:
• Merchant X comes out with a new product for €30
• During the first-month sales are over €100,000
• To build on momentum Merchant X decides to spend all their cash on a Marketing campaign
• Several days later they find out that the original product has a bug in it and needs to be replaced
• As they do not have the cash they simply apologise to the cardholders and say they won’t be able to honour the warranty that was included
• The cardholders call their banks and issue chargebacks
• Acquiring bank attempts to debit the merchant but there are insufficient funds
• Acquiring bank is liable

To offset risk, merchants are often asked to have a minimum balance in the account with the acquirer.

Fees

The majority of Merchants may not be aware of different price plans that are available as acquirers tend to ‘hide’ their ability to offer alternatives to basic pricing such as interchange plus as it reduces margins. Not all acquiring platforms can support more complex pricing models, many can support basic pricing only. Newer platforms can offer more flexible pricing.

The main pricing models available are:

Blended Rate; single Rate for both credit (2-5%)and debit Cards (€0.17-€0.30). It is the most basic and costly option for the Merchant MSC rates are priced for each product – credit & debit and split by card scheme. Acquirer builds their margin into the MSC rates and takes the risk based on pricing assumption. Any downgrades, merchant errors, etc. are absorbed by acquirer

Discount Pricing; known as 2-tier (CNP) or 3-tier (CP), based on 2 or 3 rates: Qualified, Mid-Qualified (CP) and Non-Qualified. Qualification depends on type (e.g. ECOM), region (e.g. domestic) and security measures implemented (3dsecure/AVS/CVN) and rates are higher for non-qualified transactions.

Premium Products; Acquirers price products based on the various card type and scheme fees for products that attract high interchange rates are passed onto the merchants. Examples include premium products, commercial cards, business cards etc.

Interchange Plus; cheapest option for merchants, generally only available to larger clients. It is transparent but complicated and not offered by all acquirers. It will take a lot of managing by acquirers. Actual interchange fees and assessments are passed at a cost to the merchant with acquirer applying a fixed mark up to each transaction and usually a per-transaction fee. E.g. 0.3% (30 basis points) + €0.10 per transaction. Interchange plus pricing passes the specific interchange rate determined by the acquirer along with scheme fees and acquirer margin. Some acquirers e.g. Lloyds Cardnet charge the scheme fees and margin as one fee rather than isolate the two categories

As well as the transaction fees many MSA will include additional fees; often Merchants may not know about these until it is too late and they receive additional charges.
• Monthly Minimum
• Exception charges
• Cardholder Service Fee/Maintenance Fee
• Annual/Quarterly Fee
• Early Termination Fee
• Batch/Settlement Fee
• Processing Cost, each Acquirer must maintain and develop secure connections to the other players in the transaction life cycle. The cost of this is factored into any MSA
• Scheme Fee, this is an assessment fee that the Merchant must pay to the Scheme network that processes the transaction. This is usually 0.0925% for Visa and 0.095% for MasterCard
• Chargeback Fee

In summary:

Interchange

Interchange is the fee paid between the issuing and acquiring banks every time a Visa/MC card is used. It should not be confused with the fees paid by merchants to their banks.
Following a transaction, the merchant’s bank pays a fee to the cardholder’s bank. This helps banks share the costs of issuing Visa/MC cards and the cost of signing up merchants to accept those cards.

Interchange enables cardholders, merchants and their banks to participate in the transaction process.

Interchange fees apply only to the purchase part of the transaction, not refund.

Interchange fees depend on many factors:

Then there are also qualifying factors, one of the most important is timeliness.
1. Timeliness checks is one of the most crucial factors for interchange qualification with any delays by the merchant or acquirer processor having an impact on the level
2. The number of days can vary within MCC e.g. Airline where up to 15 days is allowed between the transaction date and file submission date.
3. In the UK, the time period for submission is 3 business days rather than 4 business days like other markets and therefore it is important that acquirers submit files in accordance with the reduced time period
4. The time period is determined between the transaction data – authorisation or clearing date that is used to populate the correct field – and the clearing submission date
Another factor is errors. MasterCard tends to reject transactions, which will then have to be resubmitted. If the data is incorrect, Visa does not reject the interchange qualification record but will downgrade the transaction normally to the worse rate. Visa will provide details of why items have been downgraded and acquirer will need to alter their processing platform accordingly

Other factors are:
• The presence or absence of magnetic stripe data
• The submission of enhanced transaction data
• A merchant’s card turnover and transaction volume

As mentioned above, location is an important factor in determining the interchange fees:

Inter-regional Transaction

A transaction where the Issuer of the card used is located in a different Visa/MasterCard Region to that of the Merchant.

Intra-regional Transaction

A transaction where the Issuer of the card used is located in the same Region as that of the Merchant.

Domestic Transaction

A transaction where the Issuer of the card used is located in the same country as the Merchant.

Notes:
1. Not all countries offer domestic interchange i.e. Malta . Maltese merchants are charged Intra-regional rates in their own country. . Pan-european means can acquire non-uk domiciled entity. Does not mean they can offer domestic. Acquirer would have to add interchange rates to platform.
2. Spain – Spain have high domestic interchange rates. It is difficult for external acquirers to enter Spanish market due to bilateral agreement between Spanish acquirers and Spanish issuers. The high domestic interchange rates are prohibitive for acquirers who do not have an issuing arm in Spain. What acquirer loses in the deal the issuer gains, this is not a problem if FI has both acquiring presence and issuing presence in Spain. On a side note, domestic interchange rates are split by MCC.
3. In France, acquisition is directly linked to banking activities and therefore acquiring banks are competing for the main banking activities of the merchants, not simply their card or transaction processing business. In the UK acquirers are in direct competition with each other often on a purely acquiring basis.
4. In some countries the domestic Interchange may be higher than Intra rates.
5. Appropriate rates must be used in each region. i.e. intra rates cannot be used instead of domestic to achieve better rate in cases where intra is lower than domestic.
6. Visa and MasterCard publically display their interchange rates.

Interchange by country can be found on webpages referenced below.

  • http://www.visaeurope.com/aboutvisa/overview/fees/interchangefeesbycountry.jsp
  • http://www.visaeurope.com/aboutvisa/overview/fees/interchangefeelevels.jsp
  • http://www.mastercard.com/us/company/en/whatwedo/interchange/Country.html

Based on the transaction types you process, you might be charged higher or lower fees.

Card Present: A Card Present (or Retail) transaction is one where the debit/credit card used is physically in the presence of the merchant. These types of transactions would normally be processed using a physical terminal supplied to the merchant by their acquiring bank, and would be accompanied by chip & pin technology. The merchant would usually be able to avail of a much lower per transaction rate from the bank as the risk associated with card present transactions would generally be perceived to be much lower than in other environments. A Payment Processor do not provide support for Card Present transactions. A merchant cannot process through Realex using a MID reserved for card present transactions

MOTO: Mail Order/Telephone Order transactions are a type of Card Not Present transaction. The card details are provided to the merchant via mail or by phone. A merchant may use a MOTO mid for processing transactions via the Online Terminal or the Virtual Terminal (or for their own, remotely integrated MOTO system) but may not use this for E-Commerce transactions. Rates for MOTO tend to be higher than card present, but lower than E-Comm.

E-Comm: E-Commerce transactions are another type of Card Not Present transaction. In this case, application is for E-Commerce transactions – where customers enter their own card details via a website, without the intervention of the merchant. E-Commerce transactions would generally be considered to be a high risk (relative to card present transactions) and so carry a high per transaction rate from acquiring bank. E-Comm mids can be used to process MOTO transactions – however, if the customer intends on processing a large volume of MOTO transactions, they may be better off applying for a separate MID (which may come with a better per transaction rate from the bank). Using tools to offset risk, such as 3DSecure, often means you can avail of reduced rates.

Scheme Fees

• Both card schemes use the fees generated to contribute towards local market activities designed to increase both usage and acceptance.
• Any item which is not processed by the scheme will not attract a processing fee but will attract a brand fee as defined by the card scheme.
• Depending upon the volume processed by acquirer, it is possible that an acquirer will move the between the tiers.
• Typically, acquirers will review their tiers on a quarterly basis as part of a pricing review to ensure the correct rate fees are being applied to merchant.

Acquirer Margin

All acquirer costs – risk, processing, staff, operating costs etc and profit margin need to be included in acquirer margin which can be charged either as a flat fee per transaction, a percentage of value or as a fixed monthly sum
• Based on an interchange plus plus pricing, acquirer needs to generate revenue in their margin to cover a variety of fees,
• These fees typically cover operational and processing services along with risk management and acquirer profit margin.
• There are a number of approaches that are taken with acquirer margin and is the only area where the merchant and acquirer will negotiated.
• Acquirers may change their approach for merchants that fall into high risk segments in order to protect their risk exposure.
• For example, an acquirer may want to charge a % rate for high risk merchants e.g. Airlines
• This could include a mixture of a flat fee per transaction along with retained funds on account