Common misconceptions about bank cards

Tomcat

Having worked for a long time in banking software, and in particular on all kinds of electronic payments, my colleagues and I compiled a mini-FAQ on bank plastic cards. Many of the questions are obvious, but some are fairly obscure. In Russia the plastic card business is gaining momentum, which is nice, and it is better to be savvy about the hardware.

So, 10 common misconceptions.

1. The amount of money is stored on the card itself.

There is no money counter on a regular credit or debit card (even if it has a chip). A card is just an identifier. There are exceptions in the form of special additional wallet applications on cards with a chip. Usually these are discount programs, virtual money (for example, liters of gasoline), and so on: in general, something not directly related to the usual use of the card. But such special applications are only accepted at merchants that participate in supporting that particular type of card.

2. Anyone who wants to accept payments via bank cards can connect directly to Visa, MasterCard or any other international system.

Not just anyone can connect directly to Visa or MasterCard. Only rich banks or independent processing centers can do this, since it requires special equipment, considerable insurance accounts, security certification and many other “little things” (not even every bank can afford this). Everyone else who wants to accept cards uses their services.

3. ATMs or payment terminals are connected directly to Visa or MasterCard.

Large international payment systems do not maintain their own ATMs or payment terminals. Any ATM or terminal necessarily belongs to some bank, which in turn is connected to the payment system either directly or indirectly (see point 2).

4. I have $200 on my card. That's all I can spend.

The account balance and the amount that can be spent per day from the card are largely unrelated. It is more constructive to talk about the daily limit on the card. The daily limit depends on many factors, and can be either less than the account balance or more. For example, even if you have a million in your account, you are unlikely to be allowed to withdraw more than a few thousand a day from an ATM (and this is not a limitation of the ATM as a device). And vice versa: if you are a VIP client who usually has millions in his account, and you are now in a casino and have already lost everything, then after a call to the bank one of the senior managers can, on an individual basis, give the command to set the limit you need for you personally, so that you can still pay. In this case the bank takes on the risk that you will pay it all back later.

5. When using a card, the PIN code will be checked by the ATM or payment terminal itself.

In the vast majority of cases, any use of the card implies a connection with the bank that issued the card. If you put a Sberbank card into an ATM in Australia, permission to dispense money will still be requested directly from Sberbank right before your eyes. This is because the PIN can only be verified by the bank that issued the card. The exception is cards with a chip. Such cards can check the PIN themselves (since the chip card itself is a minicomputer that can perform crypto functions). Also, when a card is used to pay for a purchase (rather than to withdraw cash), the merchant sometimes does not contact the authorization center for each purchase if the amount is below some limit. This may be relevant for small amounts, when the purchase amount is less than the cost of a communication session over the electronic channel. Since the amounts are small, and daily counters are sometimes used on cards authorized in this way, the risk of large losses from fraudulent transactions is also small.

6. A PIN is written on the magnetic strip, which can be “stolen” by any bank employee if you just turn away while your card is in his hands.

In fact, the magnetic stripe contains a cryptographic digest of the PIN and card number, obtained using a cryptographic key that is stored inside a super-secure piece of hardware in the bank. That is, using data from the magnetic stripe, you can only check the PIN, and only if you know the secret key. Typically, 3DES is used as the encryption algorithm. A “super-secure piece of hardware” is a hardware device for storing keys and performing crypto operations with them. That is, after the initial entry of keys (personalization) into this device, they are never transferred outside its physical case in the clear.

In addition to serious measures for the physical protection of these devices, they themselves are protected from intrusion. For example, if you try to open the case to connect a “sniffer”, all the keys will be automatically erased.

The method of initial key entry is interesting. For example, the following scenario is realistic. N bank security officers are selected, for example, 3 (ideally, they should not even know each other personally). Each generates their own key component and, of course, does not show it to anyone. Then they take turns entering the room where the key storage equipment is located, and each enters their own component. When all the components are entered, the device XORs them together and stores the result internally as the key. It turns out that no one knows the key at all. And in order to restore it, it is necessary to obtain the original components from each of those N security officers, who are obliged to keep them confidential.

As I already wrote, there are no half measures in security, and such administrative measures are needed when the power of cryptography ends and the human factor begins.

Important note: no bank employee will ever, under any circumstances, ask you for your PIN. But if you only knew how many times out of ten clients calling the bank, when asked by the operator for their secret word (the one set when the account was opened), give their PIN instead.

7. When making a purchase, the money immediately goes directly from the client’s account to the store’s account.

Typically, the real exchange of money (even electronic) occurs at the end of the working day. At the time of the purchase itself, the amount is only blocked against the available limit (see point 4). The debit usually occurs a few days later, when the bank that holds the account receives a financial statement from the bank through whose terminal the payment was made.

8. The amount written on your receipt when paying by card will be debited from your account exactly.

In fact, the amount blocked upon authorization may differ significantly from the amount debited in the financial transaction. This is especially evident when paying for car rentals and hotels, since these merchants can charge additional expenses (for example, a shortage of gasoline, or an unpaid minibar). But these are not the only types of merchants allowed to increase or decrease the final amount.

Also, the amount blocked during authorization may differ from the amount debited from the account if the account currency differs from the transaction currency, since the actual debiting of funds from the account occurs in 1-2 days, and during this time the conversion rate may change.

9. The amount blocked on the account when paying by card will be debited from my account one way or another.

The amount blocked during authorization may never be debited from the account. After 10 (for an ATM) or 45 (all other terminals) days without your bank receiving financial confirmation of the transaction from the payment system, it will be unblocked. This is both “good” and “bad”. It’s “good” when you have made a transaction that you want to cancel immediately. Right after the transaction, you call the bank, explain to the operator the reason for the cancellation, and if it is permitted, the transaction is “cancelled” and the block can be lifted. In this case, if a financial confirmation for the transaction suddenly arrives from the merchant (in a couple of days), the bank itself will deal with it without your participation (and without your money). It’s “bad” when you have waited a day or two and the financial confirmation has already arrived at the bank before your call: then it will be more difficult to “roll back” the transaction. The bank will be forced to initiate formal proceedings in this case, which may last these 45 days. During this time, the purchase amount may remain blocked.

10. Owners of debit (rather than credit) cards cannot be “indebted to the bank.”

As already mentioned in point 4, the logic for authorizing a purchase is based not on the actual amount in the account but on daily limits. So with debit cards, just as with credit cards, you can “go into the red” if the bank sets a daily limit slightly exceeding the account balance.

I hope this information will help you avoid some unpleasant surprises when using plastic cards.
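
The key-entry ceremony from point 6, as an added Python example that is not part of the original post: each officer's component is random bytes, the device XORs them into the working key, and officers holding all components but one learn nothing about it. The 16-byte length (a double-length 3DES key) and all function names are assumptions for illustration.

```python
import secrets
from functools import reduce

KEY_LEN = 16  # assumption: a double-length 3DES key; the post only names 3DES


def new_component(n=KEY_LEN):
    """One officer's secret: n uniformly random bytes, shown to nobody."""
    return secrets.token_bytes(n)


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("components must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def combine(components):
    """What the device does internally: XOR every component into one key."""
    if len(components) < 2:
        raise ValueError("need at least two components")
    return reduce(xor_bytes, components)


def missing_component_for(known, candidate_key):
    """Component that, XORed with the known ones, yields candidate_key.

    One exists for every candidate, so officers who pool all components
    but one have learned nothing about the real key.
    """
    return reduce(xor_bytes, known, candidate_key)


if __name__ == "__main__":
    officers = [new_component() for _ in range(3)]
    key = combine(officers)
    # Restoring needs all N components, in any order.
    assert combine(officers[::-1]) == key
    # Two colluding officers: any guess at all is consistent with what they hold.
    for guess in (bytes(KEY_LEN), b"\xff" * KEY_LEN):
        third = missing_component_for(officers[:2], guess)
        assert combine(officers[:2] + [third]) == guess
    print("key restored from 3 of 3 components; 2 of 3 reveal nothing")
```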
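
The authorization and settlement flow from points 4 and 7 to 10, as an added Python example that is not part of the original post: authorization is checked against the daily limit and only places a hold, the later financial confirmation debits a possibly different amount, and unconfirmed holds expire. The class, its method names and the amounts are constructed for illustration; the 10- and 45-day periods are the ones quoted in point 9.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

HOLD_DAYS = {"atm": 10, "pos": 45}  # expiry periods quoted in point 9


@dataclass
class Hold:
    amount: int
    placed: date
    channel: str


@dataclass
class CardAccount:
    balance: int      # real money on the account, in minor units
    daily_limit: int  # what authorization is actually checked against (point 4)
    holds: dict = field(default_factory=dict)
    used: dict = field(default_factory=dict)  # day -> amount already authorized

    def authorize(self, ref, amount, day, channel="pos"):
        """Approve against the daily limit, not the balance; only place a hold."""
        spent = self.used.get(day, 0)
        if spent + amount > self.daily_limit:
            return False
        self.used[day] = spent + amount
        self.holds[ref] = Hold(amount, day, channel)
        return True

    def clear(self, ref, final_amount):
        """Financial confirmation arrives: drop the hold, debit the final amount."""
        del self.holds[ref]
        self.balance -= final_amount  # may differ from the held amount (point 8)

    def expire_holds(self, today):
        """Release holds that never received a financial confirmation."""
        for ref, h in list(self.holds.items()):
            if today - h.placed >= timedelta(days=HOLD_DAYS[h.channel]):
                del self.holds[ref]


if __name__ == "__main__":
    d0 = date(2024, 1, 1)  # constructed sample data
    acc = CardAccount(balance=200, daily_limit=300)
    print(acc.authorize("hotel", 250, d0), acc.balance)  # approved, nothing debited yet
    acc.clear("hotel", 270)                              # minibar added at checkout
    print(acc.balance)                                   # debit card is now negative
```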
 