Basic credit card processing participants include the cardholder, cardholder's issuing bank, merchant, merchant's acquiring Some industry publications include service providers, ISOs, and other agents in their definition of a merchant acquirer. Regardless of the term used, all participants require sponsorship by a member financial institution also known as the acquiring bank. bank, and the credit card association (e.g., Visa, MasterCard, Discover, AMEX, Diners Club).
Merchants wanting to accept card association-branded credit card sales payments must be sponsored by an acquiring bank that is a member of the credit card association. Merchants may maintain a settlement account with their acquiring bank, or settle via ACH transactions between the acquiring bank and the merchant's bank. Acquiring banks typically do not process their merchants' transactions directly so this function may be outsourced to a third-party service provider (merchant acquirer) that performs the data processing functions of authorization and clearing and settlement. Some merchant banks may also engage the services of an ISO or Member Service Provider (MSP) to solicit and sign up merchants and merchant transaction processing services. Regardless of the presence of such third parties, the credit card networks expect the acquiring bank to be the risk-controlling entity throughout the credit card process. This section will address risks from the acquiring bank's perspective.
The credit card transaction process is initiated when the consumer or merchant swipes the customer's credit card through a POS terminal. The credit approval and payment transaction processing is the same for card-not-present (mail order, telephone order, Internet sales) as they are for card-present transactions. Card-not-present retailers have additional authentication requirements. The terminal reads and electronically transmits the card number, purchase amount, and merchant ID via the appropriate credit card association network. The credit card association forwards the electronic transaction to the issuing bank or its designated processor to verify that the account is valid and that the customer has adequate credit to cover the purchase. The issuing bank responds back through the network with either an authorization or rejection. Once the merchant receives acknowledgement through the POS terminal, the sale is completed or rejected.
Generally, at the end of each business day, a merchant sends his or her daily charge activity in batch form to his or her acquiring bank or its designated processor who forwards the transaction information to respective credit card associations for clearing. Individual transactions are sent to the issuing banks for customer account processing and debiting of the cardholder's account. Settlement occurs through the card association with the transfer of funds from the issuing banks to the respective merchant's bank. The merchant's acquiring bank posts a credit of the net sales proceeds less interchange and charge-backs to the individual merchant account.
Figure 12: Diagram of typical credit card transaction Source: Nonbanks in the Payments System, 2003, page 24, Federal Reserve Bank of Kansas City.
As Figure 12 shows, the credit card process is a technology-driven payments process. The payment process relies almost exclusively on the effective application and monitoring of strong technology standards and practices to protect transactional data integrity and to mitigate operational risks across the entire payments network.
Operational and data integrity risks can arise from improper processing of bankcard transactions, inadequate internal controls, employee error or malfeasance, and other operational challenges inherent when processing within a multi-participant environment. To ensure these risks are mitigated, numerous technological and operational safeguards must be considered when assessing the acquiring banks' abilities to manage and control risks posed by merchants and contracted third-party payment processors.
A key mitigating factor to data integrity risk is the acquiring bank's responsibility to ensure that magnetic-strip data is not retained by merchants and third-party service providers. Many of the publicized data breaches have occurred because merchants and third-party service providers have retained customer sensitive data. Generally it is not acceptable for any participant to retain magnetic-stripe data on a post-transaction basis. Bankcard company rules prohibit-post transaction storage of full-track data (Track 1 and Track 2), CVV2/CVC2/CID/CAV, and, if applicable, the PIN block. CVV2/CVC2/CID/CAV are terms used by the various bankcard companies to refer to a unique check value that is printed on the back of the card and/or encoded in the magnetic strip. Track 1 and Track 2 data is encoded on the magnetic strip and contain information such as account number, cardholder's name, card expiration date, and service codes. Merchants and third-party service providers are allowed to store the cardholder's name, account number, and expiration date on a post-transaction basis as long as the information is encrypted, hashed, or truncated. Merchants and third-party service providers should have transaction data access protected using strong passwords and should have all data-access activity logged and available for independent review. Servers holding cardholder data should be hardened to minimize the risk of unauthorized access. Cardholder data should never be stored on a server connected to the Internet.
Historically, merchant responsibility for reporting a data breach has not been governed universally by any one entity, law, or set of guidelines other than bankcard company rules. In recent years, many states have passed legislation with various requirements for merchants reporting data breaches and various forms of financial liability.
Merchants relying on Web-based applications to conduct business should ensure that the applications are developed using IT industry secured-coding guidelines. All sensitive data transmitted via public networks must be encrypted using IT industry-standard encryption or higher. This also applies to all wireless transmissions, especially at the merchant retail level. Retail card payments containing sensitive customer information and processed using an unencrypted wireless transmission have been captured by fraudsters simply by sitting in the retailer's parking lot with a laptop computer.
Acquiring banks are ultimately responsible for any risks posed to the payment system by their sponsored merchants and third-party service providers. Management and the board of directors of all participants, including the acquiring banks, must have a clear understanding of the risk associated with acquiring activities and must understand their obligations under credit card association rules.
The credit card associations require acquiring banks to ensure that their merchants and third-party service providers comply with the Payment Card Industry Data Security Standards (PCI DSS). For third-party service providers and large merchants, PCI DSS compliance validation must be performed annually by a Qualified Security Assessor that has been approved by the PCI Security Standards Council. Smaller merchants must validate compliance annually through completion of a self-assessment questionnaire. It is not uncommon within the industry for a large number of merchants, and even some third-party service providers, to be in noncompliance with PCI DSS, potentially exposing their acquiring bank to reputation risk and financial loss from fraud, lawsuits, and fines. Additionally, issuing banks that use third-party service providers for transaction processing are required by the card associations to ensure that their providers are in compliance with PCI DSS.
There are six categories of PCI compliance security standards. PCI Security Standards Web site: www.pcisecuritystandards.org.
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
Requirement 5: Use and update regularly anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Test security systems and processes regularly.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.
In addition to protecting cardholder information, the credit card payment process requires acquiring banks to maintain strong credit practices over their commercial customers (merchants). The credit risk incurred by acquiring banks is similar to that of ACH ODFIs in that the acquiring bank bears the financial obligation if the merchant fails to pay.
As with any line of credit, acquiring banks are responsible for ensuring credit screening of current and prospective merchants. The acquisition of new merchants is called "merchant boarding" and may be done by the acquiring bank or, more frequently, by a third party such as an ISO. The acquiring bank is responsible for due diligence of new merchants regardless of whether the bank or a third party performs the merchant boarding. The screening process should include physical inspection of premises; a credit history review; background check; and a review of business plans and operations, including projected sales volumes, chargeback activity, and type of sales (card-present or card-not-present). For online merchants, the screening process should include a review of Web site content and functionality. Additionally, phone, mail and Web-based merchants should be monitored closely to ensure no illegal or high-risk business activity is being conducted. Of particular concern are Web sites that present higher levels of repudiation rates which could result in higher levels of credit losses.
The main source of credit risk to acquiring banks are chargebacks resulting from cardholder disputes that merchants cannot honor. When the merchant is unable to pay its chargebacks due to bankruptcy or fraud, the acquiring bank must cover the chargeback and pay the issuing bank. Acquiring banks should manage carefully the merchant portfolio and employ appropriate underwriting, chargeback processing, and fraud monitoring.
The acquiring bank is also ultimately responsible for credit and fraud risks presented by merchant accounts acquired through ISOs or MSPs. The ISO or MSP cannot be a member of a credit card association but can represent an acquiring bank in a merchant relationship. Acquiring banks must register their ISOs or MSPs with the credit card associations, and a written merchant agreement must be in place outlining the relationship, roles, responsibilities, and liability of each of the parties - ISO or MSP, merchant, and merchant acquirer.
Acquiring banks have a number of options to monitor and control credit risks in order to minimize fraud losses at the merchant level. Acquiring banks should have reports providing information such as: average sale-ticket size for the business being conducted, chargeback level and frequency, inactive merchants, percentage of manually keyed transactions to total transactions, same dollar amounts in submitted batch, large number of even dollar-amount transactions, increasing percentage of declined or referred authorizations to total sales, and continuous or frequent zero balance in DDA accounts. These reports may also be useful for identifying potential money laundering red flags.
If an acquiring bank has concerns regarding a merchant, it has the ability to delay funding, install a front-end fraud monitoring system, acquire bank statements and credit reports, and visit the merchant's place of business. Acquiring banks can also require a reserve balance be held, generally as a percentage of credit card receipts, and it can require the merchant to purchase chargeback insurance.
Examiners should assess the actions the acquiring bank has taken to ensure third-party service providers, ISOs or MSPs, and merchants are protecting the bank's interest.
EFT/POS and Credit Card Networks