Most people have a payment card, whether it's a debit or a credit card. We use them every day to pay for products and services, including daily cappuccinos and supermarket meal deals. As these cards are electronically linked to an account, the data on them is used to authenticate the cardholder with embossed, magnetic, smart and contactless card capability. These days, most cards include all of the following features:
- An embossed card will help a transaction to be processed manually. The magnetic stripe contains data that is accessed with the card is swiped through a reader.
- Smart cards feature an embedded authentication chip for chip and PIN transactions.
- Contactless chips enable the cardholder to pay by tapping the card on the payment terminal.
The back of the card contains the magnetic authentication strip and the security code, otherwise known as CVV2, CSV, CSC, CID or CAV2. These are the last three digits underneath the strip. For American Express cards, the security code is a four-digit code on the front of the card. These types of data must never be stored.
On the front of the card is a 16-digit primary account number (PAN), the cardholder name and expiry date. This data is known as cardholder data and can be stored as long as the PCI DSS requirements are complied with.
How is cardholder data stored, processed and transmitted?
- Cardholder: The cardholder pays for a product or service using a payment card.
- Merchant: Through a payment terminal or gateway (service provider), the merchant sends the transaction to the acquiring bank for processing.
- Acquiring bank: The acquiring bank connects and processes transactions.
- Card scheme: The card scheme sends an authorisation request to the issuing bank.
- Issuing bank: The issuing bank authorises or declines the request and sends it back to the card scheme.
- Card scheme: The card scheme receives a response to the authorisation request and sends to the acquiring bank.
- Acquiring bank: The acquiring bank processes the response and sends the merchant via the terminal or gateway (service provider).
- Merchant: The merchant receives an authorisation message that will determine whether the payment from the payment card is accepted or denied.
Imagine you're paying for a meal deal from a supermarket (chicken salad, a bottle of water and a pack of mints because there's garlic in the salad). You go to pay with your Mastercard. When you tap your card to pay, it conveys information about the purchase to the card reader. This is called the point of sale system. The account information is captured and securely sent to the supplier. The retailer acquirer asks Mastercard to get authorisation from the customer's issuing bank. Mastercard then submits the transaction to the issuer for authorisation. The issuing bank authorises the transaction and routes the response back to the retailer. The issuing bank route the payment to the acquirer and finally, the retailer's acquirer deposits the payment into the retailer's account. If you have mobile banking, you'll see a few hours later that your balance has gone down (probably by £3.50 unless the chicken salad was one of the luxury items and not included in the deal).