To accept credit card payments using a point-of-sale (POS) or mobile point-of-sale (mPOS) solution, merchants need a business bank account, a merchant account and a payment gateway.
While business bank accounts are typically established with local banks or credit unions, merchant accounts are established with “acquiring institutions” (financial institutions, independent sales organizations, or member service providers) and require an underwriting process to allow businesses to accept credit and debit cards as payment. Merchant accounts are lines-of-credit, not deposit accounts, and so route funds to the merchant’s business bank account.
Payment gateways are software solutions that connect merchants to the payment processing networks—Apriva has a payment gateway and maintains relationships with 35 payment processers in North America, along with all leading wireless data carriers.
Apriva currently works with over 1,100 merchant acquirers and independent sales organizations (ISOs) across the United States and Canada.
The Payment Process
In brief overview, credit card purchase transactions comprise two phases: An authorization stage where the transaction is approved or declined at the point-of-sale, and a clearing and settlement stage where accounts are balanced and funds are disbursed.
- The customer presents a payment card to the merchant at a POS — could be an in-store POS terminal, an mPOS (or mobile payments) device, an unattended vending POS, an e-commerce website, a mail-order/telephone-order center, etc.
- The merchant submits a credit card transaction to the Apriva payment gateway via the POS’s network connection — this connection could be dial-up, IP/VPN, dedicated line, Wi-Fi, or wireless, depending on the POS system.
- The Apriva Gateway receives the secure transaction information and passes it via a secure connection to the merchant’s front-end processor.
- The merchant’s front-end processor submits the transaction to the association network — Visa’s VisaNet, MasterCard’s BankNet, etc. depending on the card brand presented by the customer.
- The association network routes the transaction to the customer’s issuing institution (the financial institution that provides the customer with a credit card account).
- The customer’s issuing institution approves or declines the transaction based on available credit, fraud checks, etc., and passes the transaction results back through the association network.
- The association network passes the transaction results to the merchant’s front-end processor.
- The merchant’s front-end processor passes the transaction results back to the Apriva Gateway.
- The Apriva Gateway stores the transaction results and passes it to the merchant’s POS system.
- The merchant receives the authorization response and completes the transaction: Either allowing the sale if approved, or ending the transaction if declined.
Note that no funds are exchanged during the authorization process, only data. Funding is a result of the clearing and settlement process, below.
Clearing and Settlement Process
- At the end of the transaction, end of the day, or whatever interval the merchant has set, the merchant batches the transaction receipts and submits to Apriva Gateway via settlement batch.
- Batched authorizations are passed to the merchant’s back-end processor for Settlement.
- The merchant’s back-end processor generates automated clearing house (ACH) files for merchant settlement and sends them to the merchant’s acquiring institution.
- The merchant’s acquiring institution submits settlement files to the various customers’ issuing institutions for reimbursement via the Interchange network, clearing the transactions.
- Once funds are routed from the issuing institutions, through the Interchange network (less interchange fees), through the merchant’s processor (less discount fees), to the merchant’s merchant account, the transactions are settled.
- A few days later, the merchant account funds the transactions to the merchant’s business bank account.
For U.S. merchants, payments taken with a Visa, MasterCard, or Discover will typically be deposited into the designated business bank account 2-3 business days after settlement. American Express typically takes 5 days.
Payment Card Industry’s Major Players
- American Express, Discover, JCB, MasterCard, and Visa
- Brand association member financial institution, bank, credit union, or company that issues, or causes to be issued, plastic cards to cardholders
- Own cardholder accounts, set credit limits, issue cards, manage fraud, etc.
- Also Issuing Agents that present cards to cardholders on behalf of larger issuing institution . . . small banks, credit unions, S&L, etc.
- Financial institutions and ISOs/MSPs licensed to provide payment services to merchants
- ISO is an Independent Sales Organization — not a bank — that resells payment services (sometimes called Merchant Service Provider or MSP)
- Also Acquiring Agents that sell bank card services to merchants
- Own and benefit from membership card, tied to issuing institution with card account
- Person or company who sells something to cardholders, tied to acquiring institution with a merchant account (which is actually a line-of-credit, not a deposit account)
- Acquiring agents sell bank card services to merchants; and
- Issuing agents that present cards to cardholders on behalf of larger issuing institution . . . small banks, credit unions, S&L, etc.
- Front-end processing involves authorization and data capture services and message connections via various communication networks to pint of sale devices
- Back-end processing provides financial accounting for acquirers and issuers, and prepares and submits clearing and settlement data into the Visa and MasterCard interchange networks
- Payment gateways (like Apriva)
- Processors communicate with payment gateway and issuing banks
- Value Added Resellers (VARs) — take existing product and add value with software, services, etc. tailored to a niche
A merchant must contract with an acquirer/ISO/MSP to accept payments. The fees they pay the acquirer/ISO/MSP are referred as discount fees, which can include interchange (below); processing fees such as basis points, additional per transaction, gateway fees, etc.; and additional assessments such as data breach insurance, statement fees, PCI fees, chargebacks, retrieval fees, etc.
Interchange fees are the percentage commission charged by the card brands to accept card payments. Interchange is paid by merchant, collected by acquirer/ISO/MSP, and distributed across the payments ecosystem. The actual rate varies by brand card used, credit or debit, how payment accepted (swiped, manually entered, card not present, etc.), merchant type (denoted by MCC because different merchants represent different degrees of risk), and published rates are updated twice a year.
Terminals and POS Hardware and Software
- Terminals — hardware device with software to capture and transmit card information for processing
- Dejavoo, Equinox (Hypercom), ExaDigm, FirstData, Ingenico, Intermec, MEI, Motorola, PAX, Psion Teklogix, Verifone, and others make dial/IP, wireless, and vending terminals
- Transactions can include credit, debit, EBT, gift cards, loyalty cards, checks, even cash management
- Peripherals — add-on devices for greater POS functionality, e.g., card readers, contactless readers, PIN pads, etc. from Anywhere Commerce, Daily Systems, ID Tech, and others
- POS software — examples include IBM ACE Supermarket system, MICROS restaurant POS, and Radiant’s Epsilon for petroleum solutions
- Dial-Up — leverages existing phone line, typically low cost but slower connection (need one line per terminal)
- Wireless — requires cellular service, ideal for mobile payments
- IP/VPN — leverages existing wired Internet connection, typically low cost and fast connection
- Wi-Fi — leverages existing wireless Internet connection, typically low cost and fast connection
- Dedicated (or Leased) Lines — typically more expensive, but very fast and effective for high-volume merchants
PCI, PCI DSS and PA-DSS
The major card brands of the Payment Card Industry (PCI) formed the Security Standards Council (SSC) in 2006. The SSC manages a set of security requirements called the PCI Data Security Standards (PCI DSS) to mitigate fraud by better protecting cardholder data. PCI DSS applies to any organization that comes in contact with payment card data, and compliance with the PCI DSS is enforced for banks, merchants, and service providers. The liability for breaches of PCI DSS compliance can include fraud losses, brand damage, lawsuit exposure, and government oversight, so understanding the standards and developing solutions that comply with them is critical to anyone integrating payment processing.
Apriva, as a service provider, maintains PCI DSS compliance.
There is also a set of requirements for software developers and payment application vendors collected in the PCI Payment Application Data Security Standards (PCI PA-DSS). PA-DSS was designed to help software vendors secure payment applications to protect storage of prohibited data, including the full magnetic stripe and the three- or four-digit security code (CAV2, CID, CVC2, CVV2) or PIN/PIN block found on payment cards.
For details on the current standards, please visit our Security 101 section or go to the PCI website at https://www.pcisecuritystandards.org