Card Transactions Explained
by Donald Blake
Did you ever stop and think about what happens when you go to an Automated Teller Machine (ATM) or to a store and pay with plastic? What exactly happens when you run your card, pay for your stuff, and then walk out of the store?
These are what the industry calls "Card Transactions." It's really simple how they work. You run your card and the machine compares the first six digits of your card (BIN Number) to a BIN table telling it which credit union and network the card belongs to. Then it hops onto said network and gets routed to your credit union. Once there, the processing software approves or denies the transaction. Then it will update the account and route back a response to the machine letting you know if it was approved.
Basically, any transaction that uses a credit card or a debit card is deemed a "Card Transaction." There are a few different flavors. There's your basic ATM transaction where you go to an ATM machine and pull money directly out of your bank account. Point of Sale (POS) transactions are done when you go to the store and enter in your PIN. A credit transaction is when you run the card through as credit. The big difference between credit and debit is who pays the cost of the transaction. If you run your card as POS, then your credit union pays for it; hence the reason you usually get charged a fee. If you run it through as credit, then Visa/MasterCard pays for it and you get the transaction for free!
Then there's "Bill Pay" for when you want your credit union to pay your bills for you. Bill Pay is really nice because if you go online and have all your bills paid by your credit union, then you don't have to deal with postage and mailing a check. They do it all for you. The credit union has electronic payment connections with companies like utilities and phone companies that they do business with all the time. As a result, your transaction will go through immediately. For the people who don't have electronic connections, the credit union will write an actual check and send it to the address you specified. So if you're not using online Bill Pay, you should definitely look into it because it saves you envelopes and stamps. Paying bills becomes as easy as pointing and clicking.
Another important transaction type you want to pay attention to is Shared Branching. This is the one you want to look for when shopping for a credit union. Shared Branching allows you to go into any credit union nationwide that also has shared branching and do financial transactions just like you were in your credit union back home for free! Anyone a frequent shopper at 7-Eleven? They're pretty much all over the place except here in Vermont. If you're not a frequent shopper at 7-Eleven, you really should be because they allow you to do free ATM transactions. If you can't make the scene without the green, go to a 7-Eleven and get the green!
Let's talk about some networks. If you look at the back of your card, you'll notice some logos. I have Cirrus, Star, and CO-OP on mine. CO-OP is the important one. CO-OP allows you to do Shared Branching and it's also the network that allows you to do free transactions at 7-Eleven. Also, if you go to any credit union ATM machine that is also on CO-OP, the transactions are generally free. The networks are what your financial institution use to send and receive transactions. Some credit unions can do over a hundred thousand transactions per day. Credit unions usually pay the network by the transaction; typically around five cents per transaction. Get a new card recently? Check the back of it to make sure the logos are the same. Chances are your credit union found a better deal at a different network for their card transactions.
The networks have a few different setups. The network needs to know some things about how the credit union plans to process transactions. This will affect what the networks know about the credit union's members. There are basically two ways to process transactions: batch and online. In batch mode, the network is not directly connected to your credit union. They have limited information of your account, but enough to process your transaction. The network will basically be given a set of rules and approve the transactions for the credit union. For instance, they generally won't allow a member to pull more than five hundred dollars in one transaction or have a maximum amount the member can withdraw in one day. If you deposit money into an ATM, they may hold the entire amount of a deposit until it clears. At the end of the day, the transactions get put into a file and the network sends this file to the credit union which they then feed into their processing software which then updates all of the accounts for all of the transactions in that file. This is the reason why it might take a couple of days for a transaction to show up on your account. It just depends on when the credit union processes the file.
The online version is when the network and the credit union will always be connected and the credit union will process their own transactions in real time. This gives the credit union a lot more control over the transactions because they have access to all of the information in the account. You usually get the transaction history the minute it occurs in your account history. The major benefit to online versus batch is that credit unions don't have to worry about the network approving/denying transactions that they shouldn't.
Now I did say "always be connected." Yeah right, that never happens. If the network loses the connection with the credit union, then the network will process the transactions based on rules similar to batch rules that the credit union gave them. The network will hold the transactions for the credit union in a "store and forward" queue. Once the network reconnects with the credit union, it will send the transactions in the "store and forward" queue first to the credit union. Once the "store and forward" queue is empty, the credit union will process live transactions again. This can be a problem because sometimes the network and credit union are a little out of sync of what the rules actually are. If the credit union doesn't like how the network processed a type of transaction, they have to go to the network to complain which is usually useless because generally the network wins.
Online transactions come into the credit union over TCP/IP. They specify an IP address and a specific port. Getting the connection running for the first time can be a real hassle. The credit union and network systems have to be able to send and receive information. They also have a firewall in place and mask and translate the IP address. Generally, the server that the software is installed on can't ping or traceroute because they've got it disabled. This makes troubleshooting more difficult. The messages themselves are text and set to either use ASCII or EBCDIC and this needs to be set correctly too on both sides or else the software won't recognize the message. Getting people to change these settings can be difficult as well. It requires paperwork and manager approval - and the network usually takes a day or so to flip the switch. It can get pretty tense too!
Sometimes people don't believe each other and things will just start working without any admission of guilt! However, once the messages get going, then it's pretty smooth sailing.
The online messages come into the credit union one after the other. Timeframe separation is usually just a few milliseconds. The messages themselves are just plain text in fields similar to what ID3 tags look like on MP3s. These fields are described in a specification document that the network uses for their messages. It specifies what the fields actually are, what type of data they can have and how long each field can be. In the specification document, they also explain how all the transactions work and how the fields are used. There's usually a hundred or so fields. They have fields for card number, card expiration, location of transaction, merchant type, and others. You ever see those ATM machines that can deposit the individual check or cash without having to put it in an envelope? They use the deposit type field to tell if the deposit is a check or cash. This is cool because if the credit union knows you deposit cash, they will not place a hold on it because they don't need to check to see if the cash is good or not.
Now the credit union can also use something called a controller. A controller acts as an intermediary to the network and the credit union. This is helpful because the controller has more information about the member's accounts and when the connection gets lost they can process transactions more accurately than the network can. From a programming perspective, controllers are a pain in the neck to deal with. When trying to solve a problem, you may get two different versions of the message depending on if you talk to the network or controller. Of course, you have to have someone breathing down your neck while you try and solve the problem too!
Credit union processors are really a niche market. There's not many of them out there. It's pretty difficult and requires quite an investment to get into the business because of all the regulations that go along with it. The leading credit union processing software out there is called Episys by Jack Henry & Associates Symitar Division. Fiserv, Fidelity, and Corelation have a few different credit union processing software packages. I know Episys is written primarily in PL/1. Fiserv and Fidelity have credit union processors written in PL/1. I believe Corelation's KeyStone software is written in C++. I've heard Fiserv and Fidelity have started to upgrade into Java and C++, which is why I was told Jack Henry can steal Fiserv and Fidelity clients.
You're probably curious as to why most credit union processors are using PL/1, which you've probably never heard of unless you're 65 or so. Anyone who's ever had to rewrite software knows that it isn't easy. In the credit union industry, it's especially hard because generally credit union processors that rewrite their software in a more modern language like Java or a flavor of C have built an inferior product and lose clients. This is why Episys has yet to be rewritten. The software package is usually priced at a couple million dollars and they also have specific hardware that comes with it. Specifically, IBM pSeries servers running AIX. Not to mention the software isn't exactly easy to use, so there's a lot of training that goes along with it. From a rewrite standpoint, this is bad because not only does the client have to get new software, but they also need to get new hardware and retrain their work force. If they are going to do all that anyway, then they might as well shop around for better credit union processing software.
A credit union's computer system can be set up in a few different ways. The credit union can buy the software and hardware and run it themselves. Since the software and hardware are expensive, they may want to join forces with other credit unions and build a shared hosting environment where they buy the hardware together and run the hardware together, but run different copies of the software. They can also share network connections too! Another thing they can do, which because of the Internet is getting more and more popular, is operate in a cloud hosting environment. This is where the credit union buys the software license but goes to a server farm like Member Driven Technologies. Jack Henry & Associates' EASE/Outlink rents out hardware to run the credit union's computer system. This makes it so they don't need IT people running their computers. Instead, if they have a problem with their hardware or software for whatever reason, they just call the server farm or credit processor!
There's a potential danger in the cloud hosting model. If someone were to gain access to the cloud, then they could get access to all the credit unions' software. We're talking billions and maybe even trillions of dollars. Another issue is if the credit union processor decided to write code so that credit unions could pool information on members' spending habits, then they would know how healthy companies are and know what people are buying - which would be great for marketing different products and services.
I'm sure there are a few people out there reading this who would love to get their hacking skills on and get a hold of billions or even trillion of dollars. You can't access the credit unions without going through a VPN. Some clients will disable it and some of them are even on modems which get disabled too! Depending on the credit union, when someone wants to log on they have to call the credit union in order to do that. After you are finished, the credit union may want you to call back to let them know that you are finished. Another thing you're going to have to deal with is the disaster recovery of credit unions. Every night, a credit union runs a process called "good night" and it updates the system and creates backups of all the accounts. These backups are then sent over the Internet to a server vault or backed up on tape and then sent to a server vault that is at least a good distance away from the credit union so if a disaster affects the location where the credit union is located, it won't affect the backups. They can also send it over the Internet and across the country too. This vault is rated to withstand pretty much any type of disaster that may come along. So if they don't know where the money is, they have all the backups they need to figure out where it went.
Now is a pretty good time to talk about insurance. Let's go back to the fact that you get charged to do a POS transaction and credit transactions are free! The reason it works this way is because for POS transactions, the credit union has to pay for the fraud insurance. But if it's a credit transaction, then Visa/MasterCard picks up the fraud insurance. All credit unions have to have fraud insurance. When someone steals your card and uses it, it's really just a bunch of paperwork. When you call up your credit union to tell them your card was stolen, the credit union will just call the fraud insurance company to deal with it.
There's some pretty cool tech coming out for plastic. Do you give your kids allowances? You can give them a card and then periodically update the card so that they can pull money out of it. Another thing that credit union software can do is analyze your finances. So when you are shopping for something like a car, they can tell you if you can afford it or not and offer you a nice loan for it too! This is where the cloud credit unions could be troubling because there could be software that knows what everyone else is doing for deals on loans. And there's cooler tech on the way. Your card is going to do things you never thought possible.
Thanks for reading!
Shout out to Violet The Incredible.