When you insert a card into a "foreign" POS-terminal (or into a "foreign" ATM), the card transaction sometimes goes quite a long way.
The process by which a decision is made on whether to allow the purchase (or cash withdrawal) is called authorization. It can be done in two ways: online and offline. Let's look at all of this using a chip card as an example (smart card and EMV card mean the same thing). Everything is simpler for a card with a magnetic stripe; there is less data.
Online authorization
The obvious way: difficult and expensive, but the most reliable. Insert the SaveBank card into the POS terminal of bank ITD-24 (by the way, POS means Point Of Sale). The cashier, either at the terminal itself or at the cash register to which the terminal is connected, enters the sale amount. The so-called authorization request is formed. This request contains a lot of additional information, not only the amount and card details. The terminal also adds information about itself: name, location, its ability to process the card, date, time, amount, currency, etc. Then it sends this data to the card (!). The card signs all this with its secret key (!). The result is a digital signature called the ARQC (Authorization Request Cryptogram). This entire data packet, along with the ARQC, is returned to the terminal.
Now the terminal cannot substitute data. If it substitutes a different amount, for example, the data changes and the ARQC no longer matches. The terminal forwards this packet to the acquiring bank ITD-24, the bank to which this terminal is connected (the banking business of accepting cards is called acquiring). The acquiring bank sees that the card is "not its own" (it is not the issuer of this card). But the bank sees that it is a Visa card. So it forwards this entire data packet to the Visa processing center, with which it has a high-quality dedicated connection.
Visa processing looks at it: judging by the first digits of the card's PAN (number), this is a SaveBank card. Banks buy these numbers from Visa, so Visa knows exactly which card belongs to which bank. Visa processing forwards the data packet to the issuer (SaveBank).
SaveBank receives the packet and verifies the signature (ARQC). SaveBank also checks the balance on the card, as well as a number of other things (for example, that the PIN is correct), and decides whether to allow the transaction. It generates a response packet containing the ARPC (Authorization Response Cryptogram). SaveBank sends this packet to Visa and reserves (places a hold on) the required amount on the account.
Visa forwards the packet to bank ITD-24.
Bank ITD-24 records the transaction for itself, noting that it now owes money to the merchant, and forwards the response to the terminal.
The terminal cheerfully prints a receipt saying that everything is fine and the sale is allowed. At the same time it passes this packet to the card, because the response sent by SaveBank contains a lot of things. For example, there may be so-called scripts that can manipulate the card. Using these scripts, the card can be blocked or unblocked, its PIN or card data changed, and much more. I'll tell you in a separate post.
For these transactions, bank ITD-24 issues payment claims to a special Visa bank (yes, processing is just processing, and money is a separate channel). To conduct all these mutual settlements, banks participating in the payment network pay a lot of money to Visa and keep a rather large deposit in their accounts at the special Visa bank. Settlements between banks are carried out within this deposit. Mutual settlements do not take place instantly but at the end of the banking day, if it is a purchase. Then the second phase of authorization takes place. During this phase, the issuer deducts money from the account.
With an ATM it is a little different: there money is debited from the account immediately, although mutual settlements between banks also occur at the end of the banking day.
Maintaining an "online channel" is expensive and difficult, both technically and organizationally. And it is not always possible! For example, there is no necessary communication channel on the plane, but payment must be accepted.
Offline authorization
In this case, there is no permanent connection between the terminal and the acquiring bank. Accordingly, the transaction does not travel far. There is only a dialogue between the card and the terminal. Moreover, both the terminal and the card can refuse to complete the transaction. If they do agree, the terminal records the transaction with the card's signature (the card can write transactions!) in its journal, and the card changes its internal counters. When a connection appears (for example, once a day), all transactions from the terminal log are sent in batches to the acquiring bank. The bank then, through the payment system (Visa), submits a claim for reimbursement of these amounts to the issuing banks. Then everything is about the same, through the Visa bank.
Offline authorization is an interesting and rather complicated thing, worthy of a separate post. More about this some other time.
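The online exchange described above, as an added example that is not part of the original post: the card computes an ARQC over the terminal's request, the issuer verifies it and answers with an ARPC, and a changed amount makes verification fail. HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the key, field names and sample values are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key (assumption); a real card key stays inside the chip and the issuer's systems.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
# Hypothetical field names for the data the terminal sends to the card.
FIELDS = ("amount", "currency", "terminal_name", "location", "date", "time")


def encode(request: dict) -> bytes:
    """Serialize the fields in a fixed order, length-prefixed so boundaries cannot shift."""
    out = b""
    for name in FIELDS:
        value = str(request[name]).encode()
        out += len(value).to_bytes(2, "big") + value
    return out


def _mac(key: bytes, label: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 truncated to 8 bytes stands in for the card's real algorithm.
    return hmac.new(key, label + data, hashlib.sha256).digest()[:8]


def card_generate_arqc(key: bytes, request: dict) -> bytes:
    """Card side: cryptogram over everything the terminal supplied."""
    return _mac(key, b"ARQC", encode(request))


def issuer_authorize(key: bytes, request: dict, arqc: bytes, balance: int):
    """Issuer side: verify the ARQC, check the balance, answer with an ARPC."""
    if not hmac.compare_digest(card_generate_arqc(key, request), arqc):
        return False, None  # request was altered after the card signed it
    approved = request["amount"] <= balance
    decision = b"approved" if approved else b"declined"
    return approved, _mac(key, b"ARPC", arqc + decision)


def card_verify_arpc(key: bytes, arqc: bytes, approved: bool, arpc: bytes) -> bool:
    """Card side: confirm the response really came from the issuer."""
    decision = b"approved" if approved else b"declined"
    return hmac.compare_digest(_mac(key, b"ARPC", arqc + decision), arpc)


# Constructed sample request, amount in minor units.
REQUEST = {"amount": 1500, "currency": "EUR", "terminal_name": "ITD-24 POS 1",
           "location": "Example City", "date": "2024-01-15", "time": "12:30:00"}
```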