Nowadays millions of people use credit and debit cards to buy goods and services, but few understand how they actually work. In this guide, we'll explain the process in detail so you can learn the part you play as an online business owner. We'll teach you what you need to know, including how money moves from the cardholder to you, and how a payment gateway fits in. Then you can focus on what's important: making money and protecting yourself against loss.
For information about how to set up a credit card payment acceptance solution, see our article on the Payments tab of the Settings app. For information on how to process orders, see our Orders app article.
When you use a credit or debit card to buy a shirt at a clothing store, for example, you swipe the card through a reader or insert it. If it's a credit card, you then sign your name; if it's a debit card, you type your PIN on a keypad. Regardless of the purchase type, your card is tied to an account with a spending limit.
With a credit card, the spending limit depends on the amount of credit the issuing bank is willing to offer you within a given time period. With a debit card, the spending limit depends on the amount of money you've deposited into the bank account, as well as any time period-based limit the issuer may have set. These details are specified in your cardholder agreement.
If the amount of the transaction is less than or equal to the current account spending limit, the transaction is approved. The store gets your money and you get the store's merchandise. Both parties walk away from the transaction happy.
This exchange may appear simple, but it involves a lot of steps you might not be aware of. And those steps can impact you as a merchant in ways you might not expect.
Behind the Scenes
In the example above, if you paid for the shirt with a credit card, you'd have to repay your issuer. Your cardholder agreement with the issuer determines your repayment schedule and interest rate, just like the account credit limit. If you paid with a debit card, money you deposited with your bank is already removed from your account to cover the purchase. But in either case, the exchange of funds doesn't happen immediately.
When you swipe your card through the reader or insert it, the reader uses the data encoded in the card's magnetic stripe or chip to ask the issuing bank if the account is open and contains enough funds. If it does, the transaction is authorized. If it doesn't, the transaction is declined.
If you've ever looked at an online account statement, you may have noticed that the most recent charges are listed as "pending" and have no associated transaction dates. That's because merchants don't receive authorized transaction funds automatically. All transactions pass through a temporary state during which the funds are no longer available to the cardholder, and the merchant can either capture (accept) them or void (reject) them.
If the merchant captures a transaction, the finalization process begins. If the merchant voids it, the pending transaction disappears from the cardholder's statement and the funds return to the account spending limit. The same happens after a set period of time (chosen by the card issuer, but usually seven days) if the merchant takes neither action.
After the shirt purchase, the authorized transaction remains stored in an open batch of transactions within the card reader until the end of the business day. At that time, the merchant closes the batch and submits all authorized transactions to their merchant bank for settlement. This is the capture process. At that point:
- The merchant bank funds the merchant's account.
- The issuing bank reimburses the merchant's bank.
- The issuing bank removes the pending status from the cardholder's transaction.
- The transaction is finalized:
  - With a credit card, the issuer adds the transaction to the cardholder's statement of transactions to be repaid.
  - With a debit card, the issuer removes the funds from the account.
Online transactions behave in a similar way, but there is no opportunity to swipe a physical card through a reader or to insert it. In place of a physical card, the cardholder types the card data (number, cardholder name, expiration date, billing address, and security code) into a website form. And instead of a physical card reader pulling this data from the magnetic stripe or chip, software sends it from the form fields to the issuing bank to ask for authorization.
This software is called a payment gateway. Think of it as the online equivalent of a physical card reader. All other aspects of the online transaction funding process work the same way as they do in a card-present retail transaction. With Volusion, you can set up an account with the Stripe gateway and payment processing service in the Settings app. For details, see the "Stripe" section of our article on the Payments tab of the Settings app. You can also accept PayPal payments.
Once you're set up, all transactions work the same way. At the point of sale on your site checkout page, the gateway authorizes or declines the transaction with the issuer. For all authorized transactions, you have to manually capture the funds later during the order fulfillment process, after you've looked over each order for likelihood of fraud. Transactions then collect in an open batch as you capture them, and the gateway closes the batch automatically at the same time each day to begin the settlement process. For full details about how the billing process works in your Admin Area, see "How to Process Orders".
Credit Card Fraud
Issuers let cardholders submit chargebacks on purchases they didn't make (purchases made with a stolen card), usually for up to 180 days. A chargeback is a reversal of the charge made at the issuing bank's discretion. The issuing bank debits the merchant bank, which in turn debits the merchant's account. This means that all money merchants choose to accept can be taken out of their accounts without warning.
These situations are unpleasant for all parties involved except the card thief, and merchants pay the heaviest price. Not only do they lose the transaction funds, they also lose the merchandise they shipped. On top of that, their processing service usually charges a standard fee for the inconvenience.
In the worst cases, if a merchant is unlucky enough to become the target of a thief who makes high-ticket or high-volume purchases, the potential of additional loss can lead the processing service to freeze the funds in the merchant account to cover additional chargebacks the issuing bank is likely to make in the near future. They do this because if your account doesn't contain enough funds and you can't repay them, they have to pay on your behalf.
Physical cards are rarely lost or stolen. When they are, cardholders usually notice within 24 hours and contact their issuing banks. In these cases, the bank cancels the card, which stops the illegitimate cardholder from using it. This means that when the physical card is present, the merchant stands little risk of chargeback due to a fraudulent purchase.
In the online world, however, physical cards aren't used, and the card's alphanumeric details stand in place of the magnetic stripe or chip. Hackers can steal these details without the cardholder's knowledge during any online transaction by exploiting website security flaws or weak data management practices (on the part of the cardholder or the merchant).
As a result, when online purchases are made with stolen data, the cardholder is unaware; the cardholder doesn't contact the issuer, and the bank continues to authorize transactions that use the stolen card details.
Cardholders usually only become aware of this type of card theft when they see transactions they don't recognize in their online account summaries or on their monthly statements. And many cardholders don't check their accounts or statements regularly or review them closely. This is why issuers generally allow chargebacks for such a long period of time after the purchase date.
PCI DSS guidelines forbid online merchants from temporarily storing security code data (the 3-digit code on the back, or the 4-digit code on the face of American Express cards) alongside all other card details. For this reason, the CVC value is much more difficult for online thieves to steal. With Volusion, your gateway should provide a CVC response that lets you know if the value the purchaser entered matches the one on the card. Contact your gateway for response code details.
The default authorization & capture setting for your Volusion store is ideal for online transactions because it keeps the order process streamlined for shoppers while simultaneously giving you the opportunity to look over transaction details before you capture funds. You should never capture money on a transaction that features a CVC mismatch. The proper step is to void the authorization. Whether you cancel the order outright or reach out to the cardholder for another payment method is up to you.
We also recommend that you make other commonsense evaluations. For example, the purchaser name, purchaser email address, and cardholder name generally shouldn't use different people's names. Additionally, you should be suspicious of high order amounts or quantities that deviate significantly from your store's averages.
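The pre-capture review described above can be written as a small screening step that runs on each authorized order before you capture funds. This is an added example, not Volusion's or any gateway's code: the `Order` fields, the `cvc_result` values and the three-standard-deviation threshold are assumptions, and the sample orders are constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Order:                      # hypothetical record, not a gateway schema
    order_id: str
    purchaser_name: str
    cardholder_name: str
    amount: float
    cvc_result: str               # assumed values: match / mismatch / unavailable

def _norm(name: str) -> str:
    """Ignore case and spacing differences when comparing names."""
    return " ".join(name.lower().split())

def review(order: Order, past_amounts: list[float], z_limit: float = 3.0):
    """Return (decision, reasons): 'void', 'hold' for manual review, or 'capture'."""
    if order.cvc_result == "mismatch":
        return "void", ["CVC mismatch"]          # never capture; void the authorization
    reasons = []
    if order.cvc_result != "match":
        reasons.append("no CVC confirmation")
    if _norm(order.purchaser_name) != _norm(order.cardholder_name):
        reasons.append("purchaser and cardholder names differ")
    mu, sigma = mean(past_amounts), pstdev(past_amounts)
    if sigma > 0 and (order.amount - mu) / sigma > z_limit:
        reasons.append("amount far above store average")
    return ("hold" if reasons else "capture"), reasons

# Constructed sample data: recent order totals and four authorized orders.
PAST = [42.0, 55.5, 38.0, 61.0, 47.25, 52.0, 44.5, 58.0]
ORDERS = [
    Order("A100", "Dana Lee", "Dana Lee", 49.99, "match"),
    Order("A101", "Sam Roe", "Sam Roe", 45.00, "mismatch"),
    Order("A102", "Dana Lee", "R. Ortiz", 900.00, "match"),
    Order("A103", "kim  park", "Kim Park", 40.00, "unavailable"),
]

def screen(orders=ORDERS, past=PAST):
    """Map each order id to its (decision, reasons) pair."""
    return {o.order_id: review(o, past) for o in orders}

if __name__ == "__main__":
    for oid, (decision, reasons) in screen().items():
        print(oid, decision, "; ".join(reasons))
```

A "hold" result means the order needs a person to look at it before capture; only a CVC mismatch leads straight to voiding the authorization.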
Points to Keep in Mind
If you're an online merchant, keep the following in mind:
- To accept credit and debit card payments online, you need a merchant account with a payment processing service and a payment gateway.
- For the right to process card payments, you can expect to pay standard monthly and/or per-transaction fees, and a percentage of all card-based sales.
- You can use any payment processing service that works with one of the gateways currently integrated with Volusion.
- Before you capture funds, you're responsible for looking over transactions for signs of fraud.
- Always check out the transaction details and CVC responses before capturing funds.