Plastic Cards from Magnetic Stripes to Apple Pay: How Payment Industry Changed Over 70 Years
Do you know how your bank card operates? How is security of transactions ensured? And why a wrong amount of money can be deducted from your card when paying for goods abroad? These questions were answered by Dmitry Kochelaev, an ITMO graduate and the head of development at Solanteq, a company specializing in innovative payment solutions, in his open lecture for the Open Fintech series at ITMO University. Here are the keynotes.
In order to get to the bottom of how the payment industry works, we first have to determine the meaning of these three fundamental terms:
Issuer: financial institution, most often a bank, which issues cards or other means of payment.
Acquirer: financial institution which is responsible for accepting the payment. For example, all POS machines and ATMs are connected to a financial institution which in this case acts as an acquirer.
IPS: international payment system such as Visa, Mastercard and others.
What kinds of payment systems are out there?
On the whole, payment systems can be divided into three different categories: international (for example, the aforementioned Visa and Mastercard), national (for example, Mir, established by the Central Bank of Russia in 2017), and, lastly, local, which usually aren’t financial tools as such.
International payment systems (IPS). It’s interesting to note that today, all remaining IPS are either represented by US payment systems or rather specific payment systems like Unionpay International, which is, while on one hand international, bases practically all of its transactions in China. There are also national payment systems that managed to breakthrough to the international market, such as the Japanese JCB. By tally of transactions, Mastercard remains to be the world’s leading payment system.
National payment systems (NPS) exist in over 35 countries. Pretty much every European country has its own NPS, so the Russian National Payment Card System and the system Mir aren’t our local invention, but rather a reverberation of an international practice. Some of these NPS are exclusive to their specific country and aren’t trying to expand, but others are and sometimes successfully manage to establish themselves on the global level.
What’s the point of an NPS? First, it allows for independence from international payment systems. It so often happens that IPS dictate rigid requirements to national banks, the conducting of transactions, the type of equipment used and the suchlike. But apart from that, IPS develop in the direction they themselves consider necessary. They don’t always care about small local markets. The direct consequence is that there are no services that would truly meet the needs of local markets. NPS, on the other hand, know their local markets, and thus have better hold on the situation. For example, China actively uses payments via QR code, which doesn’t exist in Visa, Mastercard or many other systems.
Second, it allows for the reduction in commission fees. National processor by definition operates smaller amounts of data, which is beneficial for national banks in that NPS lays out lower tariffs for the servicing of cards within the banks. Third, it allows for conducting the payments in the national currency.
Local payment systems. More often than not, these aren’t about the money. For example, this group of payment systems comprises petrol cards issued for individual people or legal entities (in other words, these are cards you can only use to pay for your petrol at petrol stations), as well as many loyalty cards and lunch cards to be used at specific shops and restaurants. These transactions operate not money but rather services you could get for that money.
What are different types of plastic cards?
The story of plastic cards began in the 1950s, when the first magnetic-stripe cards were launched. The standard of how magnetic stripes are coded was also created then and there by the company IBM. But after a (granted, rather long) while, a range of problems with magnetic stripes emerged. First, it’s highly prone to wear and tear, second, it’s really easy to duplicate, and this literally could be done at home, lastly, it’s rather limited in terms of how much data it can store.
What data does the magnetic stripe carry?
The magnetic stripe has three tracks onto which data is coded. The card number, most often made of 16 digits, doesn’t only serve as the card’s unique identifier but also allows to determine by which bank it was issued. The first six digits of the card number represent the so-called Bank Identification Number, or BIN. Banks get these BINs from payment systems, and larger banks can have a lot more than one BIN. The last digit is the check digit calculated via the Luhn algorithm (hence its another name, Luhn Digit), and it makes sure that the card number is impeccably correct. All this dates back to the time when the magnetic stripe was the only payment tool used and its reading was only conditionally secure.
The reading of a magnetic stripe normally leads to the reading of all the data needed for a transaction to be conducted. The first track (and this was the only track present on the first cards) lists the card number, name of the cardholder, the card’s expiry date and a service code, or the three digits that define what kind of operations that specific card supports: whether it’s only PIN operations or operations that require verification by signature, whether it’s international or local and so on. Apart from that, the track includes additional data that aims to ensure security (though only to its best abilities): a Card Verification Code (CVC) and Card Verification Value (CVV). Also stored on this track is a PIN Verification Value, which is a sort of a code derivative.
What sets the second track apart is that it doesn’t indicate the name of the cardholder. Why? It was eventually established that due to its data storage density, the first track doesn’t read very well and thus goes duff pretty quickly. Having pondered the solution to this problem, specialists decided that the second track should back up the first with the same information bar the cardholder name, as it’s not that integral to the carrying out of the transaction.
Why is there a risk that your card won’t be read in the US?
Nowadays, it’s the second track that’s most often used in transactions. But there are still nuances to that. This industry was born in the States, and there are still a lot of old devices in circulation in there. That’s why for a long time, they’ve been keeping to the practice of primarily using the first track, and more than that, are still using it now. But the banks issuing cards in Europe or Russia often leave out the first track altogether. And that’s where sometimes problems arise from when you’re trying to pay with your card stateside.
There is also a third track, but it isn’t used by the payment systems at all. Instead, its usage is freely defined by the issuer and network where the card is applied in. Apart from that, this track is also re-recordable. Some banks try to employ it to store loyalty IDs or co-branding, but on the whole this technology became extinct with the invention of a chip that allows for the recording of data in the normal format.
How are transaction conducted?
It all begins when your card is swiped against a POS machine. Or, as is the case with chip cards, inserted into a POS machine, or held to the POS machine if the card is fitted with a contactless chip. After that’s done, the machine reads your data and sends it to the host acquirer (i.e. the bank accepting the payments). Having received the transaction, the acquirer establishes the payment system the card belongs to based on the card number and special BIN tables, and sends this transaction onwards to the payment system in question. Using its own BIN tables, the latter identifies the issuer the card belongs to, and directs the transaction their way. If the acquirer and the issuer are the same bank, the payment system step is left out.
The issuer, in its turn, conducts all the ensuing procedures necessary, from security checks to establishing if there is at all any money left on your bank account, and blocks the money. The whole process is called authorization, because at that point, money isn’t deducted, but only blocked. They will remain blocked until the authorization is retracted or a financial rendering is received, which is done offline. Each day, the acquirer rolls all the transactions it received into a so-called clearing file and send it to the payment system. This is done without sorting all these transactions based on each specific issuer bank.
Upon the reception of all these clearing files, the international payment system sorts them based on the issuer bank and sends them to these banks. Having received the financial rendering, the issuer matches these with the appropriate authorization, retracts the blocking and conducts the real deduction of payment.
Why do you get charged less when paying with your card abroad?
This happens because international transactions are typically conducted in a stable currency. For example, when you authorize 100 euros, the money is frozen on your bank account at the exchange rate of the day. In a day or two, the bank debits your account and takes the money at the exchange rate of the day when the debit is made. That’s why when paying in a different currency you usually pay a different sum of money compared to the original price. In fact, you are usually changed less, because when making an authorization banks include a special commission fee which they only block but never charge.
How secure are credit card transactions?
If we look back to the early days of credit cards, the situation with security was far from good. You only needed to know a card number, a CVV/CVV2 code or a PIN code for offline transactions. And that’s all. After a while, the problem of stealing someone’s credit card information became so widespread that banks started issuing chip cards instead of magnetic strip ones.
Why are chip cards safer?
When inserted into a cash machine, the chip is activated and can perform certain cryptographic operations. By this, the card confirms the transaction, that is it makes a cryptogram based on the transaction data and sends this cryptogram to the cash machine along with the transaction. The host then checks this cryptogram and, in turn, forms a return cryptogram, which is checked by the credit card. This protects your card from being copies and prevents the man-in-the-middle attack when someone interferes in the operation.
Tokenization: popularity of Apple Pay and Android Pay
In 2015, the Apple Pay technology was introduced. The service keeps customer payment information private from the retailer by replacing the customer’s credit or debit card number with an alternative tokenized number. Just like a card number, this is a 16-digit number generated for each transaction.
Why has this technology become so popular? The thing is that for the acquirer, this is the same contactless payment as if you used an ordinary credit or debit card, and if your bank supports this technology, you can pay with it in any credit card machine that supports contactless payments.
How does the system work? An acquirer simply receives a transaction from the credit card machine, understands by BIN what kind of payment system it is, and sends the transaction there. The payment system also carries out detenokenization. Thus, the system is convenient for the issuer as well: all they have to do is to maintain the initial tokenization cycle.
“Open Fintech” is a course of lectures spilling the light on how we as everyday consumers make purchases, manage finances, and decide on investments. The six-part series will allow you to learn about the ins and outs of the payment industry, how its decisions are made, and what changes await it in the future. Held on March 28, the second lecture in the series will be dedicated to “Authentication and securitization of internet payments. E-Commerce. 3D Secure 1.0, AVS. 3D Secure 2.0”. Ilya Dubinsky, CTO of the company Credorax, one of the fastest-growing transborder acquirer in the European Union, will share about what happens to your bank card details as they travel through the internet wilderness and to the depths of bank systems, and how banks can ensure security of online payments.