Credit card innovations

Dr. Tu Le
IBT, University of Economics and
Law, HCMC, Vietnam
 Learning objectives
 Understand evolution of credit card
 Understand how credit card system is
different from others
 The origin of credit card
networks
 Checks (and e-checks/ACH) is not an
optimal payment solution for time-critical
transactions
– Settlement is not real time
 Alternative forms of instant cashless
transactions?
– Solution: Use bank’s money !^-^!
– Banks can temporarily front the purchase.
 How was the credit card born?
 First Credit Card was
– Diner's Club in the 1950's.

 The first generation of the Diners Club card

– Toward primarily business meals and entertainment uses
 The second generation
– Make this arrangement electronic
 A credit card is a revolving line of credit to use at
any time for any purchases.
 Visa and Mastercard
 Visa
– Bank of America step into the game
– Built an alliance of banks and a communication
network – “Visa”
 Mastercard
– A competing alliance of banks in the western states
built a competing communication network –
“Master”
 An Europay, Mastercard and
Visa (EMV) Card?
 A credit or debit card with an embedded
microchip and associated technology designed
to enable secure payment at compatible (POS)
terminals.
 Just like magnetic-stripe cards, EMV cards are
processed for payment in two steps:
– Card reading
– Transaction verification
 Magnetic strip on CC (the account number
and expiration date) - not encrypted at all;
 When, it is swiped on terminal processor and
card number transmitted along the card
network; ripe for skimming
 How an EMV Card works!
 Magnetic Stripe cards store the credit card
number, expiration date, not encrypted at all.
 When the Chip is added to the card - the
chip is essentially a tiny little computer it
does a key exchange with the chip enabled
terminal (Tokenization) to a random number.
This gets transmitted to the issuer bank
 Chip Card
 A debit or ATM card that has a chip on the
front and the traditional magnetic stripe on
the back
 An EMV card (a chip-and-PIN card or
smart card,
– A special computer chip to store card account
data.
– The chip creates a unique transaction code that
cannot be reused.
 A CHIP Credit Card
– Contains a IC (integrated circuit chip)
– A tiny little computer that does a key
exchange - account number exchanged in
terminal with a random number
– You now insert the card instead of swiping
How EMV technology works?
 Used for Physical Transactions not so
much for online.
 Must have chip card physically scanned
to enable.
 Customer has to be there at the time.
The stakeholders in a credit card
transaction?
 1. The receiving merchant
 2. The Consumer
 3. Consumer's Bank (ISSUER)
 4. Merchant's Bank (AQUIRER)
 5. Electronic Communication Network
 6. CC Processor's
– affiliated with incumbent financial institutions
– fintech startups
 Credit Cards further explained
 Banks extends revolving line of credit to customer
 Guarantees real-time availability of funds to
merchant
 Build a real-time messaging network to
communicate this guarantee
 Bills customer later & bears all default risks
 Charges merchants for these costs
 Trust of the bank is the paramount in this
case!!!
 Credit Card Network
Advantages
 Efficient, near instant transaction
clearance
 Merchants are sure to receive there
money - Financial Transaction Risk
reduced
 What are the value added services CC
give for consumers?
– Dispute resolution mechanism
– Advanced fraud detection using machine
learning & Big Data techniques
– Revolving credit lines providing short term
financing
– Rewards programs to increase loyalty
 Drawbacks of Credit Card
System?
 Security
– The front end (consumer side) rather than
the back end (banks side- strong security
there)
– Card Numbers are easy to duplicate as
magnetic strip on card is not encrypted
– Online Risk: Merchants decide how to
store your CC information
 Limited customer base
 Why certain merchants do not take
credit cards?
– Expensive to merchants: 2-3% fees
– Investment in card processing hardware &
software; terminals cost and subscription
fees
– Merchants do not get much in return
 For example
 Recall
 Problem with the Checking System?
– Settlement is not in Real-Time
– This is the same issue with ACH system
 Digital wallets is one way to speed this
process up.
 Credit card is another way to solve this
problem.
 ACH Network Summary
 An ACH payment allows businesses to
receive an electronic payment directly from a
buyer’s checking account
 Large numbers of ACH transactions from
multiple sources are batched and then
processed together.
 ACH payments can be processed as one-
time payments, or set up on a recurring
billing schedule.
 ACH payment
 An ACH payment is different from an ACH (direct) deposit
 Two ACH payments
– ACH Debits pull/withdraw funds from your customer’s account
– ACH Credits push/send funds from your customer’s account to
yours.
– ACH-type payments occur at the domestic level, with each
country operating separate networks.
– The National Automated Clearing house Association (NACHA)
sets the operating rules for the ACH Network,
– The actual processing of transactions is ultimately handled by
The Clearing House Company (NAPAS?).
– Banks, credit unions, merchant account providers, and all other
participating entities must also abide by the NACHA rules.
 ACH vs. Paper Checks
 Advantages to converting to ACH acceptance
– Save time
– Save paper, ink, fuel, and other resources
– Increased security
– Increased on-time payments with recurring ACH
billing
– An electronic record generated
– Know the status of the transaction faster
ACH vs credit cards & debit
cards
 Advantages to ACH payments over credit and
debit card payments:
– Lower cost to process
– Convert your recurring customers to a less
expensive processing method
– Reduce declined recurring payments due to
expired card information
– Harder for customers to chargeback
– Shorter period for customers to initiate
chargebacks
– Consumers acquisitions
– Less fraud exposure
 How to setup ACH?
 A merchant account provider or credit
card processor
 A business bank account provider
 A dedicated ACH processor
 An all-in-one processor + payment
gateway (e.g. Stripe)
 An accounting software provider QBO;
 Three main ways of proceeding checking
account payments via the ACH Network
– Check Scanner/Imager Or Reader
– Check Scanner/Imager Or Reader
– Website Payments
 How long does ACH take to settle
– ACH transactions are batched three times per
day
– Same-Day ACH
 Process and settle virtually all ACH payments on
the same day.
ACH vs Wire Transfer
 The main advantages of ACH over
wire transfer:
– Free for customers
– Less expensive for merchants
 How is this CC processing
different than ACH network?
 No batch processing with a CC terminal
 Every message is routed in Real-Time like
a cell phone network.
 Batch Processing vs. Real-Time
Processing
 ACH vs Credit Card Network

 Risk of fraud is another area of concern regardless

of the payment type.
 Uses of the ACH payment
system
 Bank treasury management departments sell
this service to business and government
customers
 Business-to-business payments
 Direct debit payment of consumer bills
 Direct deposit of payroll, Social Security and
other government payments, and tax refunds
 E-commerce payments
 Federal, state, and local tax payments
 Non-immediate transfer of funds
between accounts at different financial
institutions
– When a real-time transfer is required, a
wire transfer using a system is employed
 History of ACH and credit
cards
 The ACH was conceived in the early 1970s
 A credit card network is the company that
provides a communication system between a
merchant and an issuer
– Some credit card networks are issuers
– Not all credit card networks issue credit
 Visa, Mastercard, American Express and
Discover are the major credit card networks
 Neither Visa nor MasterCard actually issue
any credit cards themselves
– The interest rates, rewards, annual fees, and all
other charges are issued by your bank
 Three types of cards:
– Debit cards,
– Credit cards
– Prepaid cards.
Roles and fees business model
 Acquirers - customer bank
– provide fund settlement services & maintain merchant
accounts;
 Processors get the last piece of the pie
– Accept, process & relay payment requests
– Provide hardware\software solutions for payment
acceptance
– Low entry barriers
 Most Fin-tech innovators (like Square, Stripe, Paypal)
in the credit card space act as independent
processors
 Credit card business model
 Card networks set overall processing
fees (but do not get the biggest share)
– Negotiate fee divisions with issuers &
acquirers
– Provide & maintain communication network
hardware & protocols
– Low marginal costs for each additional
transaction
– High fixed costs-> high barriers of entry
(mobile networks)
 Why is Merchant Acceptance of Credit
Card Payments not widely liked?
 Issuer Interchange fee: 215 BPS
 Acquirer Fee: 15 basis points
 Network Fee: 15 basis points
 Processing Fee: 5 basis points
 Total Fees: 2.5%
 RISK!!!
 Who is taking the biggest Financial
Risk in a credit card transaction?
 What is the most important piece of
information in a credit card transaction?
– Card Number
– Expiration Date
– 3 or 4 digit CVC (Card Verification Code)
also known as control codes on back of
card.
Hacker!

 Security at the bank level is much higher

– Client account information is a core asset of any bank
 Vulnerabilities mainly happen at the front end
 The banks and the networks have a lot less control
– The Paytech innovators come in
 Account numbers can be easily stolen called
skimming
– Chip Cards with EMV technology
 Hacker!

 Card information could also be stolen from the

merchants
– If they're weakly encrypted there.
– The new technology solution to address this risk is
called network site tokenization.
 What about Online Sale
Vulnerabilities?

 EMV does not address vulnerability of

online transactions
 What is Tokenization?
 Tokenization is a service
– Takes the role of encrypting (one way
encryption) and protecting the account
information out of the hands of the merchants,
– Shifts them to a more specialized provider called
a token vault.
 The vaults
– First provides a one-way encryption
function
– Turns this number into a completely different
and random number all together.
– Only this number (token) is stored on the
merchant sites
 Only the token vaults have the decryption
keys to turn them back into the plain
numbers.
 A"Token" in CyberSecurity?
 A process by which the primary account
number (PAN) is replaced with a surrogate
 Hard tokens (Hardware token)
– Physical devices used to gain access to an
electronically restricted resource.
 Soft tokens (Software token)
– Are not physically tangible,
– Exist as software on common devices (for
example computers or phones)
 Tokens are machine-generated.
 Tokenization (data security)
 Tokenization
– The process of substituting a sensitive data
element with a non-sensitive equivalent, referred
to as a token, that has no extrinsic or exploitable
meaning or value.
– The process of protecting sensitive data by
replacing it with an algorithmically generated
number called a token.
 Encryption and Tokenization
 What data is best suited for Encryption Vs
Tokenization?
– Tokenization is ideal for structured data, such as
SIN or Credit Card Numbers;
– Encryption is ideal for "unstructured" fields or
databases of information that aren't exchanged
frequently or stored in multiple systems.
Structured and Unstructured Data
 Structured data
– highly-organized and formatted in a way so it's easily
searchable in relational databases.
– helps search engines better understand what the content is
specifically about.
 Characteristics of Structured Data
– Data type (numeric, currency, alphabetic, name, date,
address)
– Any restrictions on the data input (number of characters
– Restricted to certain terms (Mr., Ms. or Dr.; M or F).
 Unstructured data
– No pre-defined format or organization, making it
much more difficult to collect, process, and
analyze.
– Like Facebook and other BIG DATA sources.
– Examples: photos and graphic images, videos,
streaming instrument data, webpages, PDF files,
PowerPoint presentations, emails, blog entries,
wikis and word processing documents.
Encryption and Tokenization
 What is the difference between
Tokenization and Encryption?
 Tokenization - encrypts the Credit Card
information (One-Way Encryption) into a Token
Vault
– The encrypted random number created through
"Tokenization" is all that is stored with the merchant.
 Token Vaults are third party security technology
innovators, and many players compete in this space
– Visa or Mastercard operate their own vaults.
– Some are operated by banks
– some by digital wallet companies like PayPal
– some are cybersecurity startups.
 Two factor authentication

 Two-factor authentication (2FA) is a type, or

subset, of multi-factor authentication
 A method of confirming users' claimed identities
by using a combination of two different factors
– something they know
– something they have
– or something they are
 Google Authenticator
 A mobile security application based on two-
factor authentication (2FA)
 2FA reduces the probability that an
intruder can masquerade as an authorized
user
 Google Authenticator - a free security app –
to protect your accounts against password
theft.
 It's easy to set up
 2-step verification
– Google account becomes exponentially more
secure.
– But you still aren't invincible to hackers
 2-step authentication
– Use your password to log in and
– One other unique code (usually sent via text,
phone call, or an app like Google Authenticator
Apple Pay technology
 What challenges did Apple Pay have
that caused a poor market penetration
in the US?
 What is the gist of these new security
technologies offered by PayTech
solution providers?
– Just mask the account information.
– Use cryptographic tools to encrypt numbers to a
random number and allow ISSUER (customers
bank) to decipher it on there end
– EMV technology does just that at the physical
point of sale.
– Tokenization achieves this in the online points of
sale.
– Mobile solutions such as Apple Pay try to achieve
that directly at the client side.
– Combining all three would achieve this.
 What is near field
communication (NFC)?
 NFC is a short-range wireless connectivity
standard (Ecma-340, ISO/IEC 18092) that
uses magnetic field induction to
enable communication between devices
 NFC allows two devices placed within a few
centimetres of each other to exchange data.
– both devices must be equipped with an NFC chip
 Does NFC (Near Field Communication)
drain my Battery on my phone?
 Where do Fintech Payment innovators
need to focus?
 Who is the primary innovator in the brick
and mortar merchants?
 What was Square's value proposition to
the bricks & mortar companies?
 Who is doing this for Online Payment
Gateway's?
 What is an API?
 Business Model for Online and Offline
business model?
 Why are costs to the payment gateway
variable?
 What are different about Debit Card
Transactions that payment gateways
like Paypal and Venmo want to
promote?
 Summary
 Understand the credit card business
model
 Discuss how credit card is different from
other systems
 Discuss the differences between
tokenization and encryption