Payments 101: Part 4 – Core Consumer Systems: Credit and Debit cards

This is part 4 in my Payments 101 series. In this article, I will talk about the core consumer payment systems – credit and debit cards. These cards are the most popular payment instruments used by US customers and have almost become ubiquitous. Other articles in this series can be found here:

  1. Payments 101: Part 1 – An overview

  2. Payments 101: Part 2 – Is Cash still the king? 

  3. Payments 101: Part 3 – Enterprise Systems: Check, ACH and Wires

  4. Payments 101: Part 4 – Core Consumer Systems: Credit and Debit cards (this article)


#1 Credit Cards:

Credit cards have led to an explosion in consumer credit. Total credit card debt in the US crossed $1T at the end of 2019. Note the steep decline in consumer credit card debt in 2008 i.e. at the time of US recession as consumers reduced their spend/balance on their credit cards. The debt has since rebounded.

The average credit card limit has also almost returned to the pre-recession amount i.e. ~$22K per credit card with the average balance on a card is at ~$6K.

Evolution of Credit Cards:

The concept of a credit card was first introduced by Western Union, who launched “metal money” in 1914. These plates were given to select customers. Customers could present the plate at a branch and could defer their payments i.e. customers could buy things on credit. “Charga-plate” was introduced a few years later. This was an embossed metal plate. When presented at a store, a sales clerk could quickly record an imprint of the information on the card as the relevant information was embossed (in fact, many credit cards continue to emboss some information on them even though the card terminal/readers read the information by swiping the magnetic strip on the card or by using the chip on the card).

Corner bars and other local businesses used ledger books to keep open tabs for their customers (something that is practiced even today when bars use a patron’s credit card to keep a tab open for them). Some stores handed out charge tokens or single-shop credit cards. A limitation of these cards was that they could be used only in a single store and customers found it cumbersome to carry multiple cards or to remember carrying the right card when visiting a store. For example Sears store cards were closed loop cards that could be used only at Sears.

The “Diners’ club” card, introduced in 1949, was the first example of a modern credit card. As the story goes, Frank McNamara was dining at a restaurant in New York City. When it came time to pay the bill, he realized that he had forgotten his wallet at home. Though versions of the story vary, it is said that McNamara got out of this situation by signing and promising that he would come to pay his bill the next day. This incident gave McNamara the idea for the Diners’ club card.

The first Diners’ club card was made of cardboard. At its inception, the club had 200 members and they could use the card at 27 participating restaurants. This was the first card that had wide geographical acceptance and within 2 years, its membership grew to 42,000 members across the US. A TIME article in 1951 had this to say about the Diner’s club card:

“Unlike other mortals, the 42,000 members of the Diners’ Club need never pay the waiter when they wind up a spirited evening on the town. They simply sign the check, get billed once a month.”

Fresno Drop: On 18th September 1958, Bank of America mailed 60,000 Fresno (in California) residents a “BankAmericard”. There was no application process and the card were delivered to the residents’ mailboxes. Consumers received between $300 and $500 in instant credit. Through this strategy, Bank of America was immediately able to “sign-up” 60,000 residents and this created an incentive for merchants to start accepting the card as well. 300+ Fresno merchants signed up and credit card fees for merchants were set at 6%. Thirteen months after the initial Fresno drop, the bank had issued 2 million cards and on-boarded 20,000 merchants. Credit cards have continued to grow since then.

American Express made the first plastic credit card in 1959. Bank of America, Carte Blanche, Diner’s Club and other newly formed credit card companies followed.

The card industry as we know it today, began in 1966. Bank of America formed a company, BankAmerica Service Corporation, to franchise its BankAmericard product to other banks. By 1970, the franchisees began pressing for a new organizational structure, leading to the formation of National BankAmericard Inc (NBI). This organization ultimately transformed into Visa. Another group of California banks formed a competing organization called the Interbank Card Association (ICA). The ICA created Master Charge: The Interbank Card and, in 1979, renamed itself and its products to MasterCard.

Banks were eager to participate in these associations. The open-loop networks allowed banks to access more customers and merchants. The consumer credit business was very profitable (and still is as the interest rate for credit cards is very high). Banks’ original goal was to use credit cards to efficiently lend to their own existing customers. However, banks realized that credit cards can be easily used to also lend to consumers outside of a bank’s existing geographic footprint. A checking account was no longer needed to establish a relationship with a customer and credit cards started becoming the main acquisition channel for banks vs. checking accounts.

Originally most banks were both issuers (issued credit cards to customers) and acquirers (provided card acceptance support to merchants). However, card acquiring was not as profitable as card issuing. Therefore, many banks abandoned the card acquiring business.

Economics of Credit cards:

Some of the key participants in the credit card ecosystem are as follows:

  1. User/consumer: Someone who pays for a purchase using a credit card

  2. Merchant: Someone who provides a product/service to a consumer and accepts credit card payment

  3. Card issuing banks: Banks that issue credit card to consumers. For example: Chase is the issuing bank for the Chase Sapphire Reserve credit card. The issuing banks own the relationship with the consumer

  4. Merchant acquirer: Banks that acquire the merchants and connect their merchant accounts to the card network so that they can be paid for all the credit card invoices that they receive

  5. Card networks: For example: Visa and MasterCard. These companies operate the network and are responsible for setting up the rules of the ecosystem/network.

I will use the value creation/value capture framework to better clarify the role/leverage of these participants. For example: In the transaction shown below, a consumer pays $100 for a purchase using a credit card. The Merchant receives only $98 from this transaction. The rest of the money – $2 – is distributed amongst the various participants. Therefore, the total value that these participants are creating is $2 i.e. ~2% of the transaction amount. In part 1 of this series, we mentioned that total non-cash consumer payments in the US was $40T in 2019. Assuming a 2% average payment fee for this volume implies a total payments fee market size of ~$800B in 2019.

The $2 is being split as follows:

  1. Interbank fees of $1.8. This amount is paid by the acquiring bank to the issuing bank. To be fully accurate, the merchant is indirectly paying this fee (as the acquiring bank will ultimately charge the merchant). To extend it one level further, the consumer is ultimately paying this fee as the merchant will increase the price of their product to factor in the cost that they would need to ultimately pay their acquiring bank. This indicates that the issuing bank is capturing 90% (90% of $2 = $1.8) of all the value that is being created. Why? The issuing bank has a lot of leverage in this ecosystem and takes on various roles/responsibilities and this allows it to capture the lion share of the value being created. The issuing bank:

  2. Is the source of the credit: It is easy to overlook that the issuing bank is the participant that is actually extending the credit that is at the very core of the credit card industry. There will be no fee (or value that will be created) if there is no credit that is being extended. While they have access to cheap source of funds (normally the deposit accounts of customers), they still incur some cost for the credit that is extended (based on time value of money).

  3. Acquires customers on behalf of Visa and Mastercard and, therefore, is responsible for the customer cost of acquisition

  4. Takes credit risk. If a customer does not pay the credit card bill then the risk is borne by the issuing bank. Since, credit card transactions are guaranteed pull transactions, an issuing bank has to pay the acquiring bank if the credit card transaction was successfully authorized even if the customer does not pay the issuing bank

  5. Runs credit card rewards program: Issuing bank also run rewards program to entice customers to spend more

  6. Card network fee of $0.1 i.e. Visa/Mastercard captures 5% of the total value that is being created. Why? These companies provides the network/fabric for transactions. They are also responsible for geographical expansion so that cards can be accepted all over the world (which in turn acts as an incentive for customers to use cards)

  7. Merchant acquirer fees of $0.1 i.e. 5% of the total value that is being created. Why?

  8. They take some credit risk. For example, a customer can claim that a product was defective. However, the acquiring bank may have already disbursed the money into the merchant’s account and may not be able to recover it

  9. Customer service cost for acquiring merchants

  10. Time value of money: They will typically pay the money immediately into merchant’s account but may not get paid by the issuing bank for a few days.

The above model is the dominant model in an offline world (in which a card is presented physically at a terminal/register). We will now see how this model changes for online transactions. In the online world, 2 key intermediaries are added:

  1. Digital Wallets: These are companies that can abstract away a specific payment instrument inside a wallet. For e.g. PayPal

  2. Payment gateways: Payment gateways make it easy for merchants to accept payments. For e.g. Stripe, WorldPay

The transaction flow and the value creation/capture for online transactions is shown below:

For the above sample transaction, $3 is the total value that is being created. Besides the capture that we saw earlier (for the offline transactions) , the 2 additional ecosystem players also capture some additional value:

  1. Faster checkout or wallet fee of $0.05 or 1.67% if total value created. The wallet company is able to capture some value because of the following:

  2. It does customer acquisition and owns the customer relationship

  3. It makes it easier for customers to enter their payment information, therefore, leading to faster checkout

  4. It takes on some risk. For e.g. if a customer’s PayPal account is compromised then PayPal bears that risk

  5. Payment gateway fee of $0.15 or 5% of total value created. The gateway can charge this fee because of the following:

  6. Makes payments acceptance very easy for the merchant

  7. Provided a single integration to enable payments acceptance from various card providers and other payment instruments

  8. Provided fraud protection to merchant

Note that there are many other intermediaries involved too. For example, many companies have emerged that provide fraud protection services to the merchant. For the sake of brevity, I did not include them in the discussion.

The above models align quite closely with a transaction categorization framework that is quite widespread in the industry:

  1. Card-present (CP) transactions: In these transactions, a cardholder is physically using his or her card at a terminal. These terminals can in-turn be attended (e.g. register at a retail store) or unattended (e.g. vending machine). Typically, card networks protect the merchant from fraud risk in a card-present scenario and the fraud loss is borne by the card issuer

  2. Card-not-present (CNP) transactions: These transactions occur when a cardholder is making a remote transaction. This can happen when the cardholder buys something on an e-commerce website (e.g. or over phone (airline ticket booking via phone) or when the cardholder sends the card information in reply-back mail (e.g. filling the subscription order form for a magazine). Typically, card networks do not protect the merchant from fraud risk in a card-not-present scenario. Merchants typically use a payment gateway for remote card acceptance and many gateways offer fraud protection as an additional service to merchants

The above charts show that remote (or card-not-present) transactions have grown faster than card-present transactions in the last few years. They represented 28% of all transactions in 2018 (Note: the charts include both credit and debit card transactions). However, value of remote transactions have grown a lot faster and in 2018, the total card payment volume was split almost equally between remote and in-person transaction type. The chart below shows the split by count and value of remote transaction type:

The chart shows the rapid increase in e-commerce transactions that has happened in the last few years.

As mentioned earlier, the fraud liability can shift from the merchant to the issuing bank based on the type of transaction: Typically, the merchant takes the liability for card-not-present transactions while the issuer takes the liability in card-present cases. This is a very simplistic view and the actual logic for determining fraud liability is more complicated. These rules are set by the card network companies – primarily Visa and MasterCard in the US. The card networks also use these fraud liability rules to influence issuers/merchants to adopt new technology standards. For example, card networks have deployed a security protocol known as 3D secure. This technology allows merchants to request the issuer to authenticate the cardholder in a card-not-present scenario. If a merchant asks for 3D secure authorization and the authorization is successful then the fraud liability shifts from the merchant to the issuer (as according to card networks, the merchant tried its best to authorize the user and the issues did not do a correct authorization in this case).

Another fraud prevention method is the use of CVN2 code. This is a three or four digit number printed on the signature panel on the back of the card. If the merchant captures the CVN2 and forwards it to the issuer then the issuer will respond by indicating the validity of the code. This can again help in preventing fraud from happening in cases where the card is not present. Note that using CVN2 code does not prevent abuse when the credit card has been physically stolen. This is because both the credit card number and CVN2 number is clearly printed on the card. However, CVN2 code is an information that is only printed on the card but is not present in the magnetic strip. Therefore, if a fraudster copies the credit card information by scanning the magnetic strip then the fraudster will not get access to the CVN2 code. Therefore, asking for CVN2 code can prevent card-not-present fraud in which card was not physically stolen from happening.

Card networks used this carrot-and-stick approach to introduce EMV chip based cards in the US. EMV chips based cards have an impact only for card-present transactions. As mentioned before, the fraud liability for such transactions typically lie with the issuer. For successful adoption of EMB based cards, merchants were required to replace their existing card terminals with new hardware that was capable of accepting an EMV based card (as consumers will not adopt EMV cards if very few merchants accepted them). To solve this chicken and egg problem, the card networks mandated that if merchants did not invest in this new EMV-compliant hardware then the fraud liability for card-present transactions will shift from the issuer to the merchant. This served as an appropriate carrot for many merchants to adopt the new hardware.

EMV based cards vs. magnetic strip cards

I think it is worthwhile to better understand what led to the development of EMV based cards in the first place. EMV stands for Europay, Mastercard and Visa. EMV is not a new technology. It was already widely adopted in many countries before it arrived in the US. We will begin by first understanding the shortcomings of the magnetic strip on a credit card and then analyze how EMV based cards get around those shortcomings.

A magnetic strip in a credit card is essentially a store for information that a merchant needs to charge that card. Typically, a magnetic strip contains 2 key pieces of information: (1) credit card number and (2) CVV1 number. The credit card number is also printed/embossed on the card. The CVV1 number is different from the CVV2 number (which is typically used for web transactions). The CVV1 number is stored only in the magnetic strip and is not printed anywhere else on the card. When a merchant swipes the magnetic strip, the combination of the credit card number and CVV1 number is transmitted to the card terminal and then used for charging the user’s credit card. The biggest issue with this approach is that the information that is being transferred is static and can be easily copied. Once copied, this information can be used to create copies of the credit card and can lead to fraudulent transactions.

Enter EMV. In EMV cards, a micro chip is embedded into the credit card. This chip has a secret password (which is similar to a CVV1 number). However, this secret password is never transmitted out of the card (unlike a CVV1 number, which is sent to the card reader when the credit card is swiped). This secret password is used to create an encrypted code that is sent along with the credit card number to the card terminal. This encrypted code is meant for a one-time use only. Therefore, copying this encrypted code will not allow the fraudster to commit future fraud transactions as the issuing bank will decline a transaction if the same encrypted code is used again.

Card networks started mandating that all new credit cards be introduced with chip in 2015 and EMV cards’ adoption has increased rapidly since then.

The main motivation to introduce them was to reduce the fraud rate as we discussed earlier and this has been validated with data. A 2016 report showed lower fraud rate on EMV cards. Visa claims that the counterfeit fraud dollars for merchants that have adopted EMV card acceptance has decreased by 76% between Sept 2015 (when EMV cards started being adopted) and Dec 2019.

EMV chip based cards can be further divided into 2 categories: (1) chip with signature and (2) chip with pin. Chip with signature is more common in the US while chip with pin is more common in the EU. Chip with signature means that the consumer needs to sign at the point of sale (and not enter a pin code). Typically this is not considered to the the most fraud proof as signatures can be easily forged (as we saw for checks). However, chip with signature also leads to a faster transactions and consumers do not have to remember a pin code to complete a transaction.

Contactless cards:

In the last few years, another kind of chip card has become popular. Traditional EMV cards can be read when the card is “dipped” into a card reader. However, new chip cards are equipped with RFID (radio frequency identification) technology and can support contactless payments. The impetus for introducing contactless cards was customer convenience (for speed of checkout) rather than to reduce fraud rates. Contactless cards have a special contactless symbol printed on them to indicate this capability.

Many cards have both EMV and RFID capabilities built into them (along with the older technology of a magnetic strip) for redundancy as not all merchants may have contactless or EMV chip compliant card readers. Moreover, sometimes one technology may not be working (for e.g. the EMV chip reader may be down) and the merchant can use the alternate technology (magnetic strip) to complete a transaction. This hybrid approach works well where relatively low value transactions can be performed quickly in contactless mode without requiring a PIN or signature while higher value (presumably more risky) transactions can continue to require full EMV authentication and cardholder verification with PIN or signature at the issuer’s option. This is evident from the chart shown below:

Like the EMV technology, contactless card is not a new technology and is already quite popular in many other countries as shown below:

#2 Debits Cards and ATM Networks:

Debit cards can be thought of as a hybrid of a credit card and a check. A debit card has now become an important component of a checking account. Typically, a consumer gets only one debit card from their bank while they can get multiple credit cards from the same bank (as credit cards vary a lot in the rewards and benefits that they offer). Debit card rewards are also less attractive than credit card rewards as the interchange revenue from debit cards is lower.

Evolution of Debit cards and ATM Networks

The ATM Network was the originator of the modern debit cards. In the 1960s, banks began introducing ATMs (Automated Teller Machines). The goal of these machines was to serve checking account customers so that banks could close down the low traffic branches. Banks started issuing ATM cards to their customers so that customers can withdraw money from the ATMs. The cards also required a personal identification number (PIN) so that customers could authenticate themselves at the ATM as the ATM was not attended.

A logical extension was to build networks that could connect the ATMs of different banks together. The primary motivation to build shared ATM networks was to reduce cost by leveraging the ATMs of other participating banks. In the 1980s and 1990s, these shared ATM networks went through many mergers and a number of large national networks were established like Interlink, STAR and NYCE.

Banks also realized that they can use the ATM cards and the ATM network for processing payments. Merchants had 2 incentives to use the ATM card (which got renamed as a Debit card) for 2 reasons:

  1. ATM/Debit cards were better than checks as it eliminated the check bounce risk. Moreover, merchant did not have the hassle of collecting and storing the physical checks

  2. ATM/Debit cards were better than credit cards as the Debit networks priced the product cheaply for merchants (i.e. the “discount rate” for merchants for the Debit network was lower than that for credit network).

However, merchants had to deploy new point of sale terminals so as to accept the cardholder’s PIN. As the Debit networks started becoming popular, Visa and Mastercard felt threatened and launched their own debit card products. These cards became known as “signature debit cards” vs. the “PIN debit cards”.

A debit card transaction can be processed as a PIN Debit or as a signature debit. This is determined by the method which is used to verify the customer’s identify. If the merchant verifies the identify by the customer’s signature then the transaction will be processed as a signature debit transaction and if the merchant asks customers to enter the PIN then the transaction will be processed as a PIN debit transaction. The same physical card, and the same card number, is typically used for both PIN and signature debit. The card issuer determines whether both authentication methods are supported. When merchants accept debit cards, they can look up the issuer’s routing options and determine whether to prompt for PIN or not. In the past, merchants often wanted to prompt for PIN as the PIN network was lower cost. However, there is no such economic advantage any more.

Debit transactions withdraw money directly from a checking or prepaid account. Only PIN debit transactions check the balance before authorizing the transaction. So, if you run the transaction as a signature debit, keep in mind the balance check is not performed. That means there’s a chance you won’t receive your funds because the customer’s account will be overdrawn.