How Does Payment Processing Work?

Payment processing describes the series of steps that take place allowing one party to deliver money to another in return for goods and services, normally via a credit card. In the physical world, people buying and selling things often simply exchange physical cash, which is, if not especially secure, at least simple: one party hands the other banknotes, the other supplies the desired item. Payment processing, however, involves several different participants and a number of discrete, distinct, and sometimes complicated steps.

Which Entities are Involved in Payment Processing?

When transacting a sale with a credit card, the entities involved are:

• The buyer, who provides their credit card information (either by typing it into a form, swiping it in a physical machine, or similar)
• The merchant who accepts the credit card information with the intent of charging it in return for providing goods or services
• The payment service provider (PSP) to whom the merchant sends the credit card information in order to execute the transfer of funds from the buyer.
• The card network (e.g. Visa, Mastercard, etc.) to which the PSP provides the credit card information and request for funds.
• The customer bank from which the card network requests authorization to take funds from the buyer to provide to the merchant.
• The merchant bank, which holds the merchant’s account and receives the funds from the customer bank once a transaction has been authorized and closed.

How does the Payment Processing Procedure Actually Work?

First the merchant must obtain an authorization code from the customer bank, which confirms the bank is willing and able to supply the requested funds; then the merchant must close the transaction by requesting to close the authorized transaction.

Getting the authorization is the complicated part. It consists of the following steps:

1. The buyer makes their credit card details available to the merchant.
2. The merchant may run some basic security checks on the details it has received (e.g. ensures they have a valid card number or CVV code), then delivers those details to a PSP partner (some merchants may have only one, others may have agreements with a range of PSPs).
3. The PSP runs additional sophisticated security checks on the credit card details to combat potential fraud; assuming all is well, the details are passed to the relevant card network.
4. The card network runs yet more security checks to avoid fraud, then, assuming no problems are detected, presents the deal to the customer bank.
5. The customer bank makes the determination of whether this transaction should be approved, based on both the availability of funds or credit for the buyer, and on the credibility of the requesting merchant. Assuming all is well, an authorization is issued to the card network.
6. The card network passes the authorization back to the PSP, which in turn passes it back to the merchant, which now knows it can complete the transaction.

Note that at the end of this process, the merchant technically is only in possession of an authorization, not the funds they expect to be delivered to them. On a regular basis - generally daily - either the merchant or, increasingly, their PSP will gather up all the unclosed authorizations, pass them back through the same series of players, at which point the customer bank will transfer the approved funds to the merchant bank. In principle, unclosed authorizations can expire, resulting in the merchant being unable to acquire the expected funds - but this is a rare occurrence.

What is an Authorization Hold and why Might it be Needed?

Often, the authorization received by the merchant is no more than an indication that, all things being equal, the deal will be successfully closed. In instances where the merchant requires certainty, they may request an authorization hold, which, if granted, reserves the requested amount of funds from the buyer’s funds so that they are sure to be available when the merchant goes to close the transaction. The example most consumers are familiar with is the pre-authorization provided to hotels and car rental companies: the vendor doesn’t yet know exactly how much they are going to charge, but they want to be sure that at least a bare minimum amount is available when the time comes.

Authorization holds provide security for the merchant, but they are not only not well-loved by consumers, they also carry an additional process burden: card networks and customer banks do not look favorably upon merchants that do not close out authorization holds in a timely manner, and are especially likely to impose penalties if consumers raise chargebacks for them (a chargeback is when a consumer asks the card issuer, rather than the merchant, to reverse a charge).

How Payment Processing Can Work Most Efficiently and Effectively 

With the high volume of entities that participate in each payment processing transaction, efficiency and effectiveness can often be at odds with one another!

One of the largest resource hogs of the whole process is regulatory compliance: every entity that participates in the payment processing procedure must adhere to the PCI-DSS standard, which governs the collection, storage, and handling of personally identifiable information (PII) on behalf of consumers. Keeping as much of one’s payment system out of scope as possible is always desirable, as it keeps the cost of regulatory compliance low; this is why most merchants choose not to store PII on their own servers, but rather outsource the collection and storage of this information to either full-service PSPs (also known as aggregators) or to third-party tokenization providers.

Similarly, the most efficient way to transact business with credit cards for a merchant is to use a single PSP, which may provide a broad array of services, from PII collection and storage to security systems to currency conversion services for global deals. However, committing to a single PSP leaves merchants with a dangerous single point of failure: if that one PSP suffers an outage, goes out of business, or even opts to close its relationship with the merchant, disaster can hit all at once.

Larger merchants, therefore, will opt to contract with more than one PSP so that they can eliminate the single point of failure, and at the same time take advantage of different rate cards to optimize their cost to process payments.