Chapter contents

How does a card payment work?

A card payment is carried out in two stages: authorisation and settlement. The cardholder enters her card details to pay for something she bought online. The retailer/merchant takes the card and transaction information, processes it and asks for authorisation from the acquiring bank which submits this information to the card network. 

The request is then sent to the card issuer - who either approves or declines the operation. This response is forwarded by the network to the acquiring bank and from there to the merchant, who completes the transaction. 

Clearing and settlement

The payment process then enters its second stage: clearing and settlement. The merchant forwards the receipt of the transaction to his bank. His account is credited. The bank submits the details to the card network, which settles the transaction by paying the bank and charging the card issuer account. 

The card issuer posts the transaction to the account of the holder and sends her the monthly statement reflecting this transaction and any others that took place in that time period. The process cannot be completed if the merchant hasn’t set up a merchant account with a bank, which allows his company to accept online card payments.

What is a card scheme?

There are two types of scheme - closed and open. 


Closed schemes are run by operators like American Express (AmEx) and Discover. They are characterised by the issuing and acquiring bank being the same entity, so there are only three parties in the scheme: the card-holder, the merchant and the card issuer.

Без названия (6).png

Open schemes are much more common, particularly outside of the USA. The main brands are Visa and MasterCard. As the name implies the scheme is open to any issuing bank to join as long as they comply with the rules of the scheme. There are therefore four parties in this scheme: the card-holder, the issuing bank, the merchant and the acquiring bank.

Free Understanding Online Fraud Guide

What is an issuing bank?

The card issuer is the bank whose name you see at the top of your card and is simply the bank that issues the card to to the card-holder. Issuing banks provide credit and debit cards to clients through card associations like Visa and MasterCard. In the case of online payments, the issuing bank sends payments for online purchases made with its cards to the merchant. It also sets credit limits. 

What is an acquiring bank?

Acquiring banks are members of card schemes that enable retailers to accept online card payments for their products and services. The retailer gets the card information from the buyer and asks for payment authorization from the acquiring bank, which is responsible for passing it on to the card network. 

What is a merchant account?

A merchant account is a bank account set up specifically to receive card payments. It is also referred a Merchant ID and is often provided by your payment gateway as part of their service. Note that the gateway is not the actual merchant bank but resells their service. Regardless of whether you contract directly or through a payment gateway, you are obliged to operate under the rules of the card schemes. 

What is a payment gateway?

Gateways are e-commerce service providers that provide the ability for an online business to take card payments. There are many players in the market each with different technical, commercial, geographic, currency or vertical capabilities. Working out which is right for you business from a cost, reach and capability perspective is an important task. 

What are dynamic descriptors on transactions?

A dynamic descriptor is a type of billing descriptor. This is set up when the company opens a merchant account. The concept refers to how its name appears on a card statement. A dynamic descriptor makes it possible to include more details of the transaction on the statement, which can include a shortened version of the merchant’s name, a brief description of the service or product the company offers, and the phone number.

Where does liability sit in online payments?

The liability sits entirely with the e-commerce merchant. Card-not present transactions (a term for online card payments) means that there are different security measures available for merchants. Merchants are obliged to take reasonable measures to prevent fraudulent transactions. If not, a chargeback occurs and the cost is borne by the merchant. Often, this means losing the value of the goods or services as well as the cost of the transaction, plus a fine. There is an option to shift the liability back to the scheme, known as 3D Secure. 

What is 3D Secure?

3D Secure or 3DS is a form of user authentication. Card-holders have to create an additional password for their card that they will be prompted to enter whenever they want to buy something from a participating merchant’s website or app. As the name suggests, three parties are involved in this scheme. They are the merchant, the acquiring bank and the card issuer. 3D Secure offers merchants liability cover for authenticated transactions. The acquiring bank typically will not penalise the merchant for a chargeback where 3D Secure is in place. There are a number of important considerations for companies contemplating 3DS however. To learn more about when it's best to use 3DS, visit 'Choosing the right fraud prevention strategy for your business'. 

  • 3DS on the web has a significant negative impact on conversion as it adds an extra, taxing step for users right at the point of purchase.
  • 3DS for mobile has usability issues that can damage conversion even more significantly.
  • The implementation of 3DS varies between banks. Not all users go through 3DS and your liability shift is therefore not fully comprehensive.
  • Breaching certain limits on 3DS will result in the bank not honouring the liability shift or even shutting down the merchant account if too many transaction are deemed fraudulent .