Get to Know the Card Networks
No merchant needs to hear how popular credit cards are—with over 1,700 credit card transactions happening every second.
But as a merchant accepting credit card payments, understanding how the card networks function is essential to business operations. Knowing the intricacies of the card networks, like how transaction fees are calculated, can help manage costs. Accepting credit cards also means meeting PCI compliance requirements to avoid hefty fines.
This post will introduce the card networks, the leading players in the space, and get into how a payment network works.
Understanding the Credit Card Networks
Credit card networks connect the two parties involved in a credit card purchase: the card issuer and the merchant.
Card networks (Visa, Mastercard, American Express, and Discover) form the spine of the credit card payment network. These four brands facilitate the transfer of funds between the cardholder’s bank and the merchant’s bank. The ease with which credit card payments can now be initiated—contactless, tap-to-pay, or through a mobile device—can make it easy to overlook the complex payment network actually moving funds from account to account.
Each payment network follows a standardized protocol, handling authorization, clearing, and settlement to process a payment.
There are two types of credit card networks—open payment network and closed payment network—which treat card issuing differently.
Open Payment Network
Open payment networks allow other financial institutions to issue credit cards to customers. The two largest open credit card networks are operated by Visa and Mastercard, which helps explain why these two brands have nearly 75% of the credit card market share by purchase volume.
Open payment systems allow merchants to add integrations and partners that create a custom payment ecosystem. This is often what payment orchestration platforms offer merchants.
Closed Payment Network
Alternatively, in a closed payment network, merchants have a single gateway and acquirer that may not allow for the same integrations or partnerships. Discover, American Express and store-issued cards fall under the closed network model.
Economics of the Credit Card Networks
Processing fees vary depending on a variety of factors. The two fee types below matter most when deciding which payment networks to accept:
- Interchange Fee: The card network sets the interchange fee, and the business pays it to the financial institution that issued the card whenever the card is used to make a purchase. The average interchange fee is 1.51% plus $0.10 per transaction.
- Assessment Fee: The credit card network charges this fee, which is applied as a percentage of the total transaction volume processed by the merchant. Average assessment fees vary from 0.13% to 1.0% of the transaction amount.
American Express charges higher fees because it acts as both the issuer and the network for its credit cards. Each transaction means more work for a single company, which is why the closed payment networks charge higher fees.
Other factors impacting interchange fees are the Merchant Category Code (MCC), card type, and overall transaction volume. Rates also shift depending on whether the physical card is present. For example, with Visa or Mastercard:
- Card-present (retail): Approximately 1.51% + $0.10 per transaction.
- Card-not-present (e-commerce): Approximately 1.80% + $0.10 per transaction.
Merchants should continually review their fee rates and consider ways to minimize these costs, such as encouraging lower-cost payment methods, negotiating rates with their PSPs, or implementing measures to reduce their risk profile.
Security Measures of Credit Card Networks
In the early 2000s, the Payment Card Industry (PCI) introduced its Data Security Standard (PCI DSS): 12 requirements that card-accepting merchants must satisfy to process transactions on the card networks.
Failure to do so can result in fines or being banned as a merchant, rendering you unable to process payments or payment data with a major payment network.
Since its introduction, PCI DSS has been one of the most popular and respected data security frameworks in the world. As monthly card usage has exploded, many businesses are becoming PCI DSS compliant despite not having sufficient volume to make compliance mandatory.
Why? Because being PCI compliant tells a powerful story to the market that you take data security seriously.
PCI Levels
PCI Levels define the steps a merchant must complete and whether or not they need a third-party auditing service to stay in compliance. Although PCI Levels can vary, they are generally determined by the number of card transactions or the projected number of card transactions annually.
Here are merchant levels for PCI DSS 4.0 as an example—as the number of transactions rises, so do the requirements for establishing and maintaining compliance:
- PCI Level 4 Compliant: Less than 20,000 transactions per year.
- PCI Level 3 Compliant: Between 20,000 and 1 million transactions per year.
- PCI Level 2 Compliant: Between 1 million and 6 million transactions annually.
- PCI Level 1 Compliant: Over 6 million transactions per year.
The larger the volume, the greater the obligations—and the more compliance will cost. For example, a Level 1 organization requires an annual report on compliance by an independent Qualified Security Assessor (QSA). The report evaluates the 12 requirements and their 250 sub-requirements.
Find a complete overview of the 12 PCI DSS Requirements.
Tokenization of Credit Card Data
A token is a non-exploitable identifier that can take any shape, is safe to expose, and is easy to integrate. Instead of handling the sensitive data itself, developers and their applications use previously generated tokens to execute traditional operations, without ever exposing the underlying data and so reducing the risk of hacks or data breaches. These operations include customer verification, generating documents, and, most importantly, submitting and closing transactions.
This tokenization process, in its simplest form, looks like:
- Sensitive data is entered into a tokenization platform.
- Tokenization platform stores the sensitive data.
- Tokenization platform provides a token to use in place of sensitive data.
A token is the core of the Basis Theory platform, enabling companies to remove the need to store sensitive data while still having the flexibility to operate their business. Basis Theory tokens enable a merchant to pass raw data through the platform while returning a non-sensitive token identifier for the merchant to reference within their own system.
Tokenization is often confused with encryption, although the two are more different than they are similar. Choosing when to encrypt or tokenize comes down to how often the data needs to be accessed: encryption suits cases where a small number of systems need the data, whereas tokenization suits data used by many parties.
Tokens and tokenization use cases go beyond serving as a simple reference for raw data.
Here are two examples of how tokenization works in practice with Basis Theory:
Protecting PII
A company needs Personally Identifiable Information (PII) to generate and send tax documents to its employees. This company doesn’t want to go through the trouble of securing its employees’ data within its own system, so it uses a tokenization platform for storing sensitive employee data. During onboarding, employees provide their PII via a form hosted on the company’s website.
Although the company hosts the website, the form uses an iframe that captures and sends PII to the tokenization platform.
Tokens are generated to represent the PII and sent back to the company for the team to use instead of the raw PII data. The company then uses the tokenization platform to process and generate the tax document, complete with the necessary sensitive information, all without the company worrying about compliance.
Avoiding PCI Compliance
A merchant needs to collect credit card information from its customers to process payments for its e-commerce website. Like the company above, it doesn’t want to build a compliant system if doing so gives it no competitive advantage. It also doesn’t want to be locked into a specific payment processor, so it opts for a tokenization platform that can process payments with many payment processors.
When customers reach the point on the e-commerce site where they enter payment information, an iframe sends the sensitive card data to the tokenization platform. Tokens representing the customer’s card data are returned to the company. When the customer takes action to purchase, the company makes requests with that customer’s tokens through a proxy that calls a payment processor to charge the customer’s payment method. All of this is done without the company’s own systems needing to comply with stringent PCI compliance policies.
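The three-step flow listed above (data enters the vault, the vault stores it, a token comes back) together with the iframe-and-proxy pattern in this second use case, as an added worked example in Python. This is illustration code written for this post, not the Basis Theory platform’s code or API; the vault, the merchant record store, the processor stub, and the test card number are all constructed for the example.

```python
"""Tokenization vault with a detokenizing proxy (added illustration).

Not the Basis Theory platform's code or API. The vault, the merchant
record store, the processor stub and the sample PAN are constructed.
"""
import hashlib
import hmac
import json
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation for a primary account number (PAN)."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):   # i == 0 is the check digit
        d = int(ch)
        if i % 2 == 1:                        # double every second digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form a merchant may keep: only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Steps 1-3 of the flow in the post: receive, store, hand back a token.

    The token is random, so it carries no information about the value it
    replaces (unlike a ciphertext, there is no key that turns it back into
    the PAN). A keyed-hash index lets the same card map to the same token
    without keeping a searchable plaintext or unsalted hash of the PAN.
    """

    def __init__(self) -> None:
        # token -> sensitive value; a real vault encrypts this store at rest
        self._values: dict[str, str] = {}
        # HMAC(value) -> token, for deduplication without exposing the value
        self._index: dict[str, str] = {}
        self._index_key = secrets.token_bytes(32)

    def tokenize(self, value: str) -> str:
        fingerprint = hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()
        if fingerprint in self._index:
            return self._index[fingerprint]
        token = "tok_" + secrets.token_urlsafe(24)
        self._values[token] = value
        self._index[fingerprint] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only trusted vault components (such as the proxy) may call this."""
        return self._values[token]


def capture_card(vault: TokenVault, pan: str) -> dict:
    """What the vault-hosted iframe does: the PAN never reaches the merchant."""
    if not luhn_valid(pan):
        raise ValueError("invalid card number")
    return {"card_token": vault.tokenize(pan), "display": mask_pan(pan)}


def processor_charge(pan: str, amount_cents: int) -> dict:
    """Constructed stand-in for a payment processor's authorization call."""
    if not luhn_valid(pan):
        return {"approved": False, "reason": "invalid_card"}
    return {"approved": True, "auth_code": f"A{amount_cents:06d}"}


def proxy_charge(vault: TokenVault, token: str, amount_cents: int) -> dict:
    """The proxy swaps the token for the real PAN on the way to the processor."""
    return processor_charge(vault.detokenize(token), amount_cents)


def demo() -> dict:
    """End-to-end run: capture via the iframe, charge via the proxy."""
    vault = TokenVault()
    merchant_db: dict[str, dict] = {}        # the merchant's own system
    pan = "4111111111111111"                 # well-known test card number
    merchant_db["cust_1"] = capture_card(vault, pan)
    charge = proxy_charge(vault, merchant_db["cust_1"]["card_token"], 2500)
    return {
        "merchant_db": merchant_db,
        "charge": charge,
        "pan_in_merchant_db": pan in json.dumps(merchant_db),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point to check in a real deployment is the one `demo()` checks here: the merchant’s own database holds a token and a masked display value and nothing else, so a compromise of that database yields no card numbers. Detokenization happens only inside the vault’s trust boundary, on the proxy path to the processor.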
Building Your Own Payment Network
Merchants in 2024 should be creating a payment ecosystem that meets their customers’ and end users’ expectations. High-risk merchants can de-risk their payment operations by building a payments stack with multiple payment service providers (PSPs) to accept credit cards, debit cards, bank transfers, and any other payment type.
Merchants working with multiple PSPs build sophisticated routing techniques, called smart payment routing, to ensure the best PSP is selected for each transaction. This means a transaction is intercepted before any information is sent for processing, and an algorithm chooses an appropriate PSP.
This algorithm could examine information such as the card issuing country, card type, and card brand. After a routing decision is made, the transaction is packaged and dispatched to the PSP.
If a transaction fails, a cascading payment strategy could be employed to automatically submit failed transactions to alternative PSPs in the hopes of a successful outcome.
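The routing decision and the cascading fallback described in the last three paragraphs, as an added Python example. It is not code from the original post or from any PSP or vendor named in it; the PSP names, fee schedules, eligibility rules, and decline reasons are constructed so the example runs offline.

```python
"""Smart payment routing with a cascading fallback (added illustration).

Not code from the original post or any PSP. PSP names, fees, eligibility
rules and decline reasons are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Transaction:
    amount_cents: int
    card_brand: str        # "visa", "mastercard", "amex", ...
    card_type: str         # "credit" or "debit"
    issuer_country: str    # ISO 3166-1 alpha-2 of the issuing bank


@dataclass(frozen=True)
class Psp:
    name: str
    brands: frozenset                       # card brands this PSP accepts
    card_types: frozenset                   # credit and/or debit
    countries: Optional[frozenset]          # issuing countries; None = any
    fee_bps: int                            # percentage fee in basis points
    fixed_cents: int                        # fixed fee per transaction
    charge: Callable[[Transaction], dict]   # the PSP's (stubbed) auth call


# Soft failures worth retrying elsewhere. Hard declines are the issuer's
# decision; resubmitting them to another PSP only adds cost and risk.
RETRYABLE_REASONS = frozenset({"timeout", "processor_unavailable"})


def eligible(psp: Psp, tx: Transaction) -> bool:
    """Routing inputs from the post: issuing country, card type, card brand."""
    if tx.card_brand not in psp.brands or tx.card_type not in psp.card_types:
        return False
    return psp.countries is None or tx.issuer_country in psp.countries


def estimated_cost(psp: Psp, tx: Transaction) -> int:
    """Expected fee in cents: percentage component plus fixed component."""
    return tx.amount_cents * psp.fee_bps // 10_000 + psp.fixed_cents


def route(psps: list, tx: Transaction) -> list:
    """The routing decision: eligible PSPs ordered cheapest first."""
    candidates = [p for p in psps if eligible(p, tx)]
    return sorted(candidates, key=lambda p: (estimated_cost(p, tx), p.name))


def process(psps: list, tx: Transaction) -> dict:
    """Cascade: submit to the best PSP, fall through on soft failures only."""
    attempts = []
    for psp in route(psps, tx):
        result = psp.charge(tx)
        attempts.append({"psp": psp.name, **result})
        if result["approved"]:
            return {"status": "approved", "psp": psp.name, "attempts": attempts}
        if result["reason"] not in RETRYABLE_REASONS:
            return {"status": "declined", "psp": psp.name, "attempts": attempts}
    status = "no_route" if not attempts else "declined"
    return {"status": status, "psp": None, "attempts": attempts}


# Constructed processor stubs standing in for real PSP integrations.
def _acme_charge(tx: Transaction) -> dict:
    # Cheapest PSP, but currently unreachable: a soft failure.
    return {"approved": False, "reason": "timeout"}


def _beta_charge(tx: Transaction) -> dict:
    # Issuer-style hard decline above a limit; otherwise approves.
    if tx.amount_cents >= 1_000_000:
        return {"approved": False, "reason": "insufficient_funds"}
    return {"approved": True, "auth_code": f"B{tx.amount_cents:08d}"}


def _gamma_charge(tx: Transaction) -> dict:
    return {"approved": True, "auth_code": "G-OK"}


SAMPLE_PSPS = [
    Psp("AcmePay", frozenset({"visa", "mastercard"}), frozenset({"credit", "debit"}),
        None, 180, 10, _acme_charge),
    Psp("BetaPay", frozenset({"visa", "mastercard"}), frozenset({"credit", "debit"}),
        frozenset({"US", "CA"}), 200, 20, _beta_charge),
    Psp("GammaPay", frozenset({"amex"}), frozenset({"credit"}),
        None, 290, 30, _gamma_charge),
]


if __name__ == "__main__":
    tx = Transaction(10_000, "visa", "credit", "US")
    print("route:", [p.name for p in route(SAMPLE_PSPS, tx)])
    print("result:", process(SAMPLE_PSPS, tx))
```

Two design choices matter here. The routing key is cost among eligible providers, so the routing table can be changed without touching the cascade. The cascade retries only soft failures (timeouts, processor outages); a hard issuer decline such as insufficient funds stops the cascade, because re-presenting a declined card to one processor after another raises fees and looks like card testing to the networks.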
Many merchants—especially in high-risk industries—seek partners who can keep them operational. We recommend choosing partners and service providers who can help you check off multiple items on your wishlist, like staying in compliance, scaling, and improving the user experience.
Deciding between a full-service PSP or a multi-processor approach? This post helps determine your best option.