Understand payments,
end to end.

The four parties in every card transaction

Every card payment involves four key players. Understanding their roles is the foundation of understanding payments.

In between these parties sit the card networks (Visa, Mastercard, Amex) — they set the rules and provide the rails that connect issuers and acquirers.

The transaction flow

Here's the simplified journey of a card payment from tap to settlement:

This entire round-trip typically completes in 1–3 seconds. The authorization is instant; the actual movement of money (settlement) happens later, usually within 1–2 business days.

Online vs. in-person payments

The underlying flow is the same whether a payment is made online or in person, but the method of capturing card data differs:

• In-person (card present): Data is read from the chip or NFC. These transactions carry lower fraud risk and therefore lower interchange rates.
• Online (card not present): The cardholder manually enters their card number, expiry, and CVV. Higher fraud risk means higher fees and stricter authentication requirements.
• Stored credentials / subscriptions: Card details saved on file are re-used for recurring charges. Tokenization makes this secure.

Authorization

Authorization is the process of verifying that a cardholder's account is valid and has sufficient funds (or credit). When a customer pays, a request is sent to the issuing bank asking: "Can this transaction proceed?"

The issuer responds with an authorization code (approved) or a decline code. No money moves at this point — only a hold is placed on the customer's available balance.

Capture

Capture is the instruction to actually charge the authorized amount. For most e-commerce merchants, authorization and capture happen simultaneously. But in some industries they're separated:

• Hotels authorize at check-in, capture at checkout (often with adjustments)
• Marketplaces may authorize when an order is placed, capture only when shipped
• Car rentals hold a large authorization, then capture final amount after return

You can also do partial captures — capturing less than the authorized amount — and in some cases multiple captures against a single authorization.

Settlement

Settlement is when funds actually move from the issuing bank to your acquiring bank, and then to your account. This typically takes 1–3 business days, though some processors offer same-day or next-day settlement at a premium.

Refunds vs. Reversals

How a chargeback happens

Common chargeback reason codes

Friendly fraud

Friendly fraud (also called first-party fraud) occurs when a legitimate cardholder disputes a transaction they actually authorized. This is one of the most common and fastest-growing sources of chargebacks — estimates suggest it accounts for 40–80% of all chargebacks in e-commerce.

Common scenarios: buyer's remorse, family members making unrecognized purchases, or deliberate abuse of the dispute process to get goods for free.

How to fight a chargeback

When you receive a chargeback notification, you typically have 7–30 days to respond with evidence ("representment"). Strong evidence includes:

• Proof of delivery (tracking numbers, signature confirmation)
• IP address and geolocation data matching the customer
• Device fingerprint and browser data
• Email / chat correspondence with the customer
• Signed terms of service or refund policy acknowledgment
• AVS and CVV match confirmation
• 3DS authentication data (shifts liability to issuer)

Prevention is better than winning

The best chargeback strategy is one that avoids them in the first place. Key prevention levers:

• Clear billing descriptor (what customers see on their statement)
• Easy, prominent refund policy
• Proactive customer service before disputes escalate
• Order confirmation emails with clear itemization
• 3DS authentication to shift fraud liability
• Velocity checks and fraud rules to catch stolen cards early

What card networks actually do

Card networks are often mistaken for banks. They don't issue cards or hold money. Their role is to:

• Set the rules — interchange rates, acceptance requirements, dispute resolution procedures
• Provide the rails — the infrastructure that routes authorization requests between acquirers and issuers
• Manage the brand — the logo on a card signals to any merchant worldwide that it will be accepted

Open vs. closed network models

Why this matters for merchants

Networks set interchange rates — the baseline fee paid to the issuing bank on every transaction. Because Amex controls both sides, their merchant fees have historically been higher (though the gap has narrowed). Merchants in lower-margin industries sometimes choose not to accept Amex for this reason.

What is interchange?

Interchange is a fee paid to the issuing bank on every card transaction. It compensates the issuer for the cost of credit, fraud risk, and reward programs. It's set by the card networks (Visa, Mastercard) and varies by:

• Card type (debit, credit, premium rewards, corporate)
• Industry / merchant category code (MCC)
• Transaction type (card present vs. card not present)
• Data quality (does the transaction include Level 2/3 data?)

The fee layers

Pricing models

How your processor packages these costs determines your effective rate:

• Flat rate: One simple rate (e.g. 2.9% + $0.30). Easy to understand, but expensive for high-volume merchants. Common with Stripe and Square.
• Interchange-plus (cost-plus): You pay the actual interchange rate plus a fixed processor markup. Transparent and almost always cheaper for merchants doing meaningful volume.
• Tiered pricing: Transactions are bucketed into "qualified," "mid-qualified," and "non-qualified" tiers. Often misleading — many transactions fall into expensive tiers without explanation. Avoid if possible.
• Subscription / membership: Monthly fee plus a small per-transaction fee on top of interchange. Can be very cost-effective at scale.

Card testing

Fraudsters obtain lists of stolen card numbers and run small transactions (often $0–$1) to check which cards are still active before using them for larger fraud. Symptoms: sudden spike in low-value declines, unusually high decline rates, multiple attempts from the same IP or device.

Account takeover (ATO)

Attackers gain access to a customer's account using stolen credentials (often from data breaches) and use stored payment methods to make fraudulent purchases. Particularly damaging in subscription businesses and marketplaces.

Friendly fraud

A legitimate cardholder disputes a transaction they actually authorized — intentionally or because they don't recognize the charge. Represents the majority of e-commerce chargebacks and is increasing year-over-year.

Synthetic identity fraud

Fraudsters create fake identities by combining real and fabricated information (e.g. a real SSN with a fake name). These identities are "built up" over time with small credit activities before being used to commit fraud at scale.

Refund fraud

Abuse of return and refund policies — claiming non-delivery on items that were received, returning used or counterfeit goods, or social-engineering customer service agents into issuing refunds.

The layered approach

No single tool catches all fraud. Effective fraud prevention stacks multiple signals and controls at different points in the transaction journey:

• Pre-authorization: Velocity rules, device fingerprinting, IP reputation, email risk scoring
• At authorization: CVV/AVS matching, 3DS authentication, ML-based risk scoring
• Post-authorization: Order review queues, manual review for high-risk orders, chargeback monitoring

Key fraud signals to monitor

The false positive problem

Blocking fraud aggressively also blocks legitimate customers. False positives — declined transactions from real cardholders — are often more costly than the fraud they prevent, especially for high-AOV merchants. Every rule you add should be measured for its impact on both fraud decline rates and legitimate decline rates.

What 3DS does

3DS adds an authentication step between payment submission and authorization. The cardholder is challenged to prove they are the legitimate account holder — either through a one-time password, biometric, or silent device authentication.

3DS1 vs 3DS2

Liability shift

The key commercial benefit of 3DS: when a 3DS-authenticated transaction is later disputed as fraud, the liability shifts to the issuing bank, not the merchant. You still lose the sale if it's reversed, but you are not charged the chargeback fee.

When to use 3DS

• Required by law: PSD2 in Europe mandates Strong Customer Authentication (SCA) for most online payments
• High-value orders: Applying 3DS selectively to orders above a threshold
• High-risk indicators: New customers, mismatched billing/shipping, high-risk geographies
• Dispute-prone categories: Digital goods, travel, subscription renewals

Payment gateway

A gateway is the technology layer that captures payment data from your checkout and securely transmits it to the processor. Think of it as the pipe. It encrypts card data, connects to the acquiring network, and returns an authorization response.

Payment processor / acquirer

The processor (or acquiring bank) is the financial institution that processes transactions on your behalf. They hold your merchant account, receive funds from the card networks, and settle them to your bank. Some processors are also banks; others are third-party processors working on behalf of acquiring banks.

Payment Service Provider (PSP)

A PSP bundles gateway and processing functionality into one service. Stripe, Adyen, Braintree, and Worldpay are all PSPs. They handle the full stack — from capturing card data to settling funds — under one contract. This simplifies setup but may limit flexibility at scale.

How it works

When a card is tokenized, the real card number (PAN) is replaced with a randomly generated string. The token has no exploitable value outside the specific system it was created in.

PSP tokens vs. network tokens

Network tokenization is increasingly important. Tokens are issued by the card networks and updated automatically when cards are reissued — solving the problem of failed recurring payments due to expired cards.

Who needs to comply?

Every merchant that accepts card payments. The level of compliance required (SAQ A through SAQ D, or a full audit) depends on your transaction volume and how you handle card data.

PCI merchant levels

SAQ types

The Self-Assessment Questionnaire (SAQ) type you need depends on how you accept payments:

• SAQ A: All payment processing outsourced (e.g. Stripe, PayPal hosted page). Simplest. ~22 requirements.
• SAQ A-EP: E-commerce with JavaScript-based payment form on your page. Slightly more involved.
• SAQ D: You store, process or transmit card data yourself. Most complex — ~329 requirements.

Strong Customer Authentication (SCA)

PSD2 requires that most online payments in Europe use SCA — authentication based on at least two of three factors:

• Something you know — password or PIN
• Something you have — phone or hardware token
• Something you are — biometric (fingerprint, face ID)

In practice, SCA is most commonly implemented via 3DS2. Certain transactions are exempt — low-value payments (<€30), trusted beneficiaries, recurring transactions with fixed amount — and these exemptions are important for managing conversion.

Open Banking

PSD2 also mandated that banks open their data and payment infrastructure to licensed third parties via APIs. This enabled two new categories of payment services:

• Account Information Services (AIS): Aggregating account data across banks (used in personal finance apps, credit underwriting)
• Payment Initiation Services (PIS): Initiating bank transfers directly from a customer's account, bypassing card networks entirely

Quick definitions

Gateway: Technology layer. Securely captures card data and routes it to the processor. Examples: Authorize.Net, NMI, Stripe (gateway-only mode).

Acquirer / Acquiring bank: The financial institution that holds your merchant account, processes transactions, and settles funds. Examples: Chase Paymentech, Worldpay, Elavon.

PSP (Payment Service Provider): An all-in-one service that bundles gateway, processing, and merchant account into one product. Examples: Stripe, Adyen, Square, Braintree.

Why the distinction matters

When you use an all-in-one PSP, you're a sub-merchant on their master merchant account. This is fine for most businesses but can create complications at high volume (pricing leverage, reserve requirements, account stability). At scale, having your own direct acquiring relationship gives you more control, better pricing, and a direct relationship with the institution holding your money.

The cross-border cost problem

When a card issued in one country is charged by a merchant in another country, it's a cross-border transaction. The card networks add a surcharge (typically 0.4–1.5%) on top of standard interchange. If you're processing in a currency that's then converted, you're also paying FX fees.

Local acquiring vs. cross-border acquiring

The most effective way to reduce cross-border costs is local acquiring — having a merchant account in each market so that transactions are processed domestically. This typically reduces authorization failure rates (issuers are more likely to approve domestic transactions) and eliminates cross-border surcharges.

Currency strategy

Customers convert better when they see prices in their local currency. Options for presenting and processing in local currency:

• Dynamic Currency Conversion (DCC): Customer chooses to pay in home currency at point of sale. Typically expensive for the customer — often considered bad practice.
• Multi-currency pricing: You display and settle in local currencies using your processor's FX rates. Simpler than local acquiring; monitor the FX markup closely.
• Local settlement: Accept and settle in local currency, convert periodically at favorable rates.

Why local methods matter

In many markets, the majority of consumers either don't have credit cards, prefer alternatives, or actively distrust entering card details online. Offering local payment methods can dramatically improve conversion in those markets.