Lecture on online and offline payments

So, let's go!

First of all, let's say a few words about payments. As you may know, there are offline and online payments. The main scope of this lecture is, of course, online and in particular card payments.

To generalize (although this is not entirely accurate from a technical, academic point of view), offline payments are all those payments that occur without payment cards or other electronic and automated methods of exchanging information between the participants, but only in the old-fashioned way: in cash.

In fact, the “correct” classification also includes offline card payments. This is when the device records the card data, but the terminal conducts the operation only when it becomes physically possible to do so. For example, on an airplane in flight, where there is no Internet, a flight attendant selling something will take a person's card and hold it to the POS terminal, which will make the purchase (or, more correctly, reserve the funds) only upon arrival, once it connects to the Internet.

By the way, about the reservation. does not happen, this is by the way. We will talk about this in more detail below.

Now, of course, it is no longer uncommon to have Internet access on board an aircraft, but the essence is just that. For ease of understanding, at this stage, we will restrict ourselves to a simple explanation of online / offline payment as follows: online is with a card, offline is cash (although, I repeat, “in science” this classification is NOT TRUE - there are also offline payments by cards).

Then we will understand more about the classification and eliminate this unnecessary simplicity, but for now we will work so as not to sow panic and chaos and not get confused in the wording.

The difference between offline and online payments lies in how the exchange of information flows between the participants in the operation will be organized: banks, buyer and seller (but first of all, of course, banks).
In fact, offline payments can occur without the involvement of cash. So, the buyer, upon providing the required documents, instructs his bank to transfer the required amount to the seller's bank account.
As a rule, the basis is an agreement, an invoice.

In all normal countries, banks are strictly regulated and such orders have their own deadline. For example, in Russia this period is 3 days.
During this period, the bank is obliged to make the payment. In practice it usually does so faster.

When the seller receives funds from the buyer, he ships the goods or provides a paid service. Although, of course, this moment is implemented according to the agreement of the parties, and the conditions in it can be very diverse.

Sometimes a seller can provide a product or service to a buyer when the latter provides evidence that the bank has accepted funds from him. Thus, the buyer, showing documentary evidence of the payment accepted by the bank for execution, can receive the product or service before the seller actually receives the funds.

In the above scheme, as we can see, neither the seller nor the buyer is connected to payment systems. The payment itself is made by the banks directly to each other. In other words, banks exchange information about the payment among themselves through established communication channels without involving third parties. In this case, all participants are offline in the classical sense.

Now, regarding online payments.

We talked about the exchange of information. In the case of online payments, one of the participants must be included in that information exchange, either directly or through an intermediary.

What does it look like?

The buyer places an order. The seller, in turn, issues an invoice to the buyer. The buyer, having examined the invoice, agrees to pay it off and enters his details (payment data), as well as additional data required by the payment system to identify the payer and authenticate the payment itself.

After that, a request is made to the buyer's bank for the availability of funds and directly for the authentication itself (confirmation of the legitimacy of the payment). If there are sufficient funds on the account, then the required amount is instantly reserved and the corresponding answer is returned to the seller. At this stage, the seller realizes that the money for the sale is practically in his pocket. Although, please note, there has been no transaction as such (the movement of money from account to account).

After that, the bank that reserved the funds transfers them to the seller's account within 3 days. There is also a reconciliation procedure that is carried out regularly between the participants in the operation, but we do not really care about this yet. In it, the point of sale, as a rule, sends the entire array of transactions to the bank once a day so that it can carry out settlement. There are exceptions, and settlement can be delayed. But as a rule this is strict: if the counterparty informs the IPS, there may be difficulties.

Now more and more customer-oriented services can make the actual movement of funds to the partner's account much faster than 3 days. But in such cases, as a rule, it is an intermediary operating with its own money and creating a cash gap for itself. Here we are talking about payment systems that process the payment itself, that is, in fact, they take on the risk of deciding whether or not to allow the payment (in the case of, for example, a CNP payment).

In the case of online payments, we see deferred real cash flow through accounts, but instant turnover. An operation where the cash gap and other risks are shared by banks and their partners - payment systems.
Since it is technically very difficult for a bank to work directly with a huge number of sellers, intermediary partners have appeared in the form of payment services and systems (which in our everyday life is called “merch”).
I said earlier that this is academically incorrect, but for ease of understanding and to avoid misunderstandings, we intentionally make this simplification.
Why know how card payments are made? So that we have a general picture and we know the entire alignment of forces and have in our head the entire military map of actions. Not only online.
Fundamental knowledge will give us a solid theoretical base on the basis of which we will build our already practical base.

Typical participants in offline payments (not the Internet):
1) Issuing bank: the bank that issued the card and where the serviced account is located.
2) Acquiring bank: the bank that serves the point of sale (the terminal making the payment).
3) The device itself (the payment terminal through which the operation takes place).
At this stage, I would like to first tell you about card payments in general and then delve directly into online.

There are two different ways to complete a payment transaction. Both of them, in fact, perform the same function.
With regard to card payments, we are talking about online and offline payments.
An online transaction in this case is one that the issuing bank confirms immediately after the request, in real time. An offline transaction is one that is not confirmed by the issuer in real time but is carried out by the terminal after a certain period of time. I have already spoken about this above.

Such transactions are typical for operations where there is a low level of risk (or for cases when there is simply no connection with the issuing bank). And in this case, when I say “online,” I just mean making purchases on the Internet.

For these different types of payments, two different types of authentication are respectively provided.
If we are talking about an online transaction, then online authentication is performed with the participation of the issuer, while offline authentication is confirmed simply by the payment terminal.

Below is an illustration demonstrating the scheme and logic of transaction authentication. It is not necessary to delve into it, it is enough just to understand the scale of the disaster.

I will add that during an online transaction, it is technologically possible to perform both online and offline authentication AT THE SAME TIME, provided that both the card and the terminal allow such a procedure.
Moreover, directly at the stage of authentication, it is not always clear in which mode the transaction will take place.

These are quite in-depth technical details and most likely we will not need them in our direct work, but they are quite curious, as it seemed to me, and I included them in our lecture.
Here I would like to say a few words about the types of cards from a technological point of view. We will talk about this in more detail in a separate lecture specially designated for this topic.

Globally, from a technological point of view, cards are divided into 2 categories: magnetic and with a chip (EMV).
The former have magnetic stripes, the latter have a microchip (microprocessor cards). Quite often (I would even say often) these two technologies are combined. Chips appeared when the magnetic stripe began to become obsolete and ceased to provide an adequate level of security.

Then, by the way, the NFC standard appeared, but I would not single it out as a separate type, since, with rare exceptions, it is not the only technology on a given card.
The main task of the bank that issued the card (in offline payment) is card authentication (not to be confused with identification!).

Authentication here is a purely technical process, which is designed to confirm the fact that the card is issued by a bank that has authorization for this action by the relevant international payment system (hereinafter IPS).
From a purely technical point of view, it looks like this: the payment card data is sent by the terminal to the issuing bank through the acquirer bank and the payment system.

The issuer, having received this data, either confirms the transaction or rejects it. This is the cornerstone of card payment security: the card's integrity is guaranteed by the CVV (Card Verification Value) or CVC (Card Verification Code) code, which cannot be modified or falsified. On the other hand, the card data can simply be photographed from both sides or just copied down.

Now I would like to delve a little into the topic of online payments, since they are the closest for us and are essentially our focus. Several more players are added to the above payment participants: the payment system and the payment aggregator. The payment system (in our country it is customary to call it the IPS - the international payment system) transfers funds. It's simple: an IPS is de facto a set of technical infrastructure, certain rules and procedures that are used to transfer funds from one payment participant to another.

In clerical terms, the IPS is an approved set of rules and procedures, relations, and methods of settlement that determine and carry out the movement of funds among the participants in the economy. The IPS is a business, so its goals are uninterrupted operation and a constant flow of new operations to process.
Accordingly, in order for this thing to work as it should, they have to keep the system viable and at the highest possible level: security, continuity, scalability, reliability, efficiency, and so on.

If for us IPSs are just an infrastructure through which some payments pass, then for the real world these are entire institutions that allow banks to implement their credit and financial policies, manage their liquidity and, most importantly, greatly simplify the formation of credit and financial programs in banks and other financial institutions.
With the emergence and rapid development of the fintech industry, of course, a lot will change, but so far banks dominate all IPSs and help them a lot.
A typical IPS may consist of the following components: organizations (divisions) making payments, software performing internal and external operations, and a regulatory framework that governs the work of the above. An IPS is international in that it works across the whole globe and provides its services to practically everyone regardless of geographical location (with a few but specific exceptions).

The task of the IPS is to quickly carry out mutual settlements between market participants.
The most famous IPSs are VISA, MasterCard, AmEx as well, Diners Club and so on. These dudes are essentially defining and setting the trends and politics of how money “walks”. They earn money by servicing the clients connected to them. Clients in this case are financial institutions (usually banks).

The latter pay the former a fixed %, which depends on the volume of payments made. The IPS, as a certain dominant (but at the same time commercial!) body, issues licenses to banks for the production of cards with the IPS logo and carefully monitors compliance with all internal regulations.

The next companions are the payment aggregator and the payment gateway. What are they? What do they do? Why are they needed? From a logical point of view, both of them do the same thing: they make an online payment (online purchase).

Then the question is: why are there two?

The only difference is that the gateway is just a technological partner that routes the payment without interacting with clients' funds, while the aggregator accumulates funds at its own place. The degree of risk for both is appropriate (one practically does not have it, the other has it very high). We will talk about this in much more detail in the next lecture.

I would also like to draw your attention to the non-obvious differences between such concepts as the International Payment System and simply the Payment System. It is important to understand that in the first case we are dealing with a financial giant that serves the banking infrastructure, which created its own standard and actively supports it (these are, as a rule, such comrades as VISA and MasterCard).

While in the second case, we are talking about local solutions, as a rule, rather narrowly focused (carrying out Internet acquiring, for example). The latter include PayPal, WebMoney, QIWI and the like. Yes, it is difficult to call PayPal local, but it can be called an IPS only with a big stretch. The classification here is based on what the company does, and in this respect international practice agrees with the definition of an IPS as a company serving, first of all, its own infrastructure related to real plastic.

All payments by plastic cards must go through a number of specific procedures.

One of them is cardholder verification: CVM (Cardholder verification method). This is a mandatory procedure along with authentication. And if, in the case of authentication, it was about establishing the authenticity of the card (checking its authenticity, establishing its belonging to a particular bank, payment system and the possibility of performing an operation), then in the case of identification it will be about establishing the legitimacy of the payment by confirming the identity of the holder. This operation is doubly interesting to us, since in fact, this is our sphere of activity. And we need to thoroughly understand what identification methods are possible in principle.

I will make a reservation right away that below we will consider a number of points that are related to transactions where the card is available (it does not matter the original or a duplicate). Then we will analyze the work in detail, when the card is not available - CNP transaction.
Fortunately for us, there are not so many identification methods, and no matter how hard the pundits have tried, it is still impossible to develop a new identification method that is effective, affordable, simple and inexpensive to implement. And objectively speaking, it won't work out for a long time. This, of course, does not mean that such a method will never appear. It's just that in the financial and technological paradigm in which today's banking system exists and functions, it is still impossible to create something that will not require colossal implementation costs.

The reason for this is the obsolete, both morally and functionally, technological basis (technology level), which is globally used by the industry.

The notorious fintech with its space solutions is also cosmically far from reality. But I'll probably tell you about this separately, if you want.

So identification.
Here, first of all, we are talking about purchases with a card and not on the Internet, as I said. We will talk about CNP (card not present) transactions a little later. Perhaps we will even give a separate lecture if there is a “demand”.

A little higher, I already talked about the archaic level of technology in the industry, and below I will demonstrate this.
Look here. What do you think is the most common (and therefore most popular) identification method?

Entering the PIN code and the signature of the holder. It was 2019, and we were still signing our receipts.
It's funny that in most cases the signature is not even verified (although the rules of the IPS and the job description of the cashier oblige to do this).
The situation with the emergence of EMV cards has slightly improved, but little has changed globally due to the fact that not all points of sale were able (or willing) to switch to terminals supporting extended functionality, which allows the bank to interact more closely with the card.
In turn, the EMV applications themselves may differ from each other and even terminals supporting this standard may not always correctly process a transaction. That is, in the presence of a seemingly new, more secure standard, it is still impossible to completely switch to it.
In such cases, the terminal is forced to choose the most relevant identification method for a particular situation. For such cases, CVM lists have been developed (below is an illustration with an example of such a list developed by the terminal and the application).

In this illustration, we see possible methods for verifying the identity of the holder and their priority. On the left are possible methods, on the right - the ones selected according to the total.
The situation is aggravated by the fact that both the terminal and the EMV application have their own CVM lists.

In the process of making a transaction, the two agree on a single list and work from it. These are rather technical details, but I decided to give them point by point. For example, anticipating the question in what situations the PIN is requested, I hasten to answer: each bank itself forms its CVM lists for each specific product separately. When making a transaction, we are faced with two CVM lists: one in the POS and one issued by the TMS - Terminal Management System (a server with software for configuring and controlling the POS operation of a particular issuer).
During the actual execution of the transaction, the lists are compared and the methods that are present in both lists are selected.

There are a number of well-established practices, but in fact it all depends on the issuer: if nerds are sitting there, they can quickly make the holders of specific cards very unhappy people))

For objectivity's sake, I decided to highlight one more point below, which will be useful. What is holding?

This is the same “freezing” of funds by the bank when a transaction is made using a payment card. In other words, funds do not leave the account, they become inaccessible. For ordinary citizens, this does not make a difference, but it's good to know. The actual and full withdrawal of funds usually occurs the next day, as mentioned above. But this period can be up to 30 days - it depends on the acquiring bank through whom the payment was made.

At first glance, the information may seem complicated. But this is not your usual "did this, did that" lecture. We have a scientific approach here, fundamental knowledge. The name Carding University is not taken from the ceiling. In the next lectures, we will consider the above things in more detail, and also analyze the participants in the payments - who, how, and why.
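
The hold described above (funds frozen at authorization, actual movement only when the acquirer's batch is settled, release if it never is) can be modelled as a small ledger with a reconciliation step. This is an added example, not part of the original lecture; the class and function names, the sample amounts and the use of the 30-day figure as the hold lifetime are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HOLD_LIFETIME = timedelta(days=30)  # assumption: the upper bound named in the text


@dataclass
class Hold:
    amount: int          # minor units (cents, kopecks)
    created: datetime


@dataclass
class Account:
    ledger: int                                # funds actually on the account
    holds: dict = field(default_factory=dict)  # auth_id -> Hold

    @property
    def available(self) -> int:
        # Spendable balance: ledger minus everything currently frozen.
        return self.ledger - sum(h.amount for h in self.holds.values())

    def authorize(self, auth_id, amount, now) -> bool:
        # Online authorization: reserve the amount, move nothing.
        if amount <= 0 or auth_id in self.holds or amount > self.available:
            return False
        self.holds[auth_id] = Hold(amount, now)
        return True

    def settle(self, batch) -> list:
        # Post the acquirer's clearing batch. Records that do not match a hold
        # are not posted; they are returned for manual reconciliation.
        exceptions = []
        for auth_id, amount in batch:
            hold = self.holds.get(auth_id)
            if hold is None:
                exceptions.append((auth_id, "no matching authorization"))
            elif amount > hold.amount:
                exceptions.append((auth_id, "clearing exceeds held amount"))
            else:
                self.ledger -= amount          # the real movement of funds
                del self.holds[auth_id]
        return exceptions

    def expire_holds(self, now) -> list:
        # Release holds that were never cleared within the hold lifetime.
        stale = [a for a, h in self.holds.items() if now - h.created > HOLD_LIFETIME]
        for a in stale:
            del self.holds[a]
        return stale


def demo():
    t0 = datetime(2019, 1, 1, 12, 0)           # constructed sample data
    acct = Account(ledger=10_000)
    acct.authorize("A1", 3_000, t0)
    acct.authorize("A2", 2_000, t0)
    result = {"after_auth": (acct.ledger, acct.available),
              "over_limit": acct.authorize("A3", 6_000, t0)}
    result["exceptions"] = acct.settle([("A1", 3_000), ("A2", 2_500), ("A9", 100)])
    result["after_settle"] = (acct.ledger, acct.available)
    result["released"] = acct.expire_holds(t0 + timedelta(days=31))
    result["final_available"] = acct.available
    return result


if __name__ == "__main__":
    print(demo())
```

After the two authorizations the ledger balance is unchanged while the available balance drops; only the matching clearing record moves money, and the two mismatched records surface as reconciliation exceptions.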