Credit Card Certification

Disclaimer: This material is confidential and proprietary to Infosys and may not be copied or otherwise reproduced, repackaged, further transmitted, transferred, disseminated, redistributed or resold, or stored for subsequent use for any such purpose, in whole or in part, in any form or any manner or by any means whatsoever, by any person without express authorization of Infosys. All information contained herein is obtained by Infosys from sources believed by it to be accurate and reliable. Although reasonable care has been taken to ensure that the information herein is true, such information is provided ‘as is’ without any warranty of any kind and Infosys, in particular, makes no representation or warranty, express or implied, as to the accuracy, timeliness or completeness of any such information. All information contained herein must be construed solely as statements of opinion and Infosys shall not be liable for any loss incurred by users from any use of this report or its contents.


Table of Contents

1. COURSE OBJECTIVES
2. INTRODUCTION
3. TYPES OF CARDS
   3.1. Credit Cards
   3.2. Debit Cards
   3.3. Stored Value Cards
4. KEY FEATURES OF A CREDIT CARD
   4.1. Credit-Card Numbers
   4.2. The Stripe on a Credit Card
5. CARD NETWORK MODELS
   5.1. Bilateral Model
   5.2. Single Card Issuer Model
   5.3. Multiple Card Issuer Model
6. KEY PLAYERS
   6.1. Card-Holder
   6.2. Merchant
   6.3. Issuer
   6.4. Acquirer
   6.5. Network / Association
   6.6. Processors
   6.7. Credit Bureaus
   6.8. On-us and Off-us Merchants and Cards
7. BASIC TRANSACTION FLOW
   7.1. Authorization
   7.2. Clearing
   7.3. Settlement
8. COMMERCIALS OF A CARD TRANSACTION
   8.1. Discount / Interchange Fees
   8.2. Membership / Annual Fees
   8.3. Finance Charges
   8.4. Cash Advance Fees
   8.5. Other Fees and Charges
9. BUSINESS PROCESSES
   9.1. Credit Evaluation
   9.2. Reward Programs
   9.3. Billing
   9.4. Payments Processing
   9.5. Disputes and Chargeback
   9.6. Fraud Management
10. REGULATIONS IN THE CARDS INDUSTRY
   10.1. Fair Credit Billing Act
   10.2. Fair and Accurate Credit Transactions Act
   10.3. Anti Money Laundering Regulations
   10.4. Bank Secrecy Act – Financial Record Keeping
   10.5. USA PATRIOT Act
   10.6. Privacy Regulations
   10.7. Gramm-Leach-Bliley Act
11. RECENT TRENDS IN THE CARDS INDUSTRY
   11.1. Online Usage of Cards
   11.2. Smart Cards
   11.3. Contactless Cards
   11.4. Decoupled Debit Cards
   11.5. Mobile Payment Systems
APPENDIX 1 - FURTHER READING
APPENDIX 2 - GLOSSARY OF TERMS


Table of Figures

Fig 2-1 - Non-cash payments statistics during 2003 and 2006
Fig 4-1 - Front-side of a typical card
Fig 4-2 - Back-side of a typical card
Fig 4-3 - Numbers on a card
Fig 5-1 - A bilateral card network model
Fig 5-2 - A single-issuer card network model
Fig 5-3 - A multiple-issuer card network model
Fig 6-1 - Risk-reward matrix for on-us off-us transactions
Fig 7-1 - Authorization Process
Fig 7-2 - Clearing and Settlement Process
Fig 8-1 - Commercials of a typical card transaction
Fig 9-1 - Dispute Resolution Process
Fig 9-2 - Fraud Reporting Set-up
Fig 11-1 - A typical Smart-card and a Smart-card Reader
Fig 11-2 - Contactless Cards
Fig 11-3 - Contactless Card Reader


1. Course Objectives
In this course you will learn about different types of cards including credit cards, debit cards and stored value cards. You will know the features of a typical card, role of various players in the cards industry and commercials of a typical card transaction. You will also gain a good understanding of business processes followed by various industry players and the regulations that the industry is subjected to. This material also gives you some knowledge of recent trends in the industry. The first appendix has references that the authors have used; you can refer to these sources to learn more about the topics covered in this material. In the second appendix is a Glossary of Terms that are used in this material. The table below summarizes the sections and the key learnings from each of them.


2. Introduction
Credit cards, as we know them today, have been around for just over half of a century. One of the first credit cards appeared in 1951 when loan customers of Franklin National Bank of New York were screened for credit and those approved were given a card they could use to make retail purchases. Participating merchants copied the customer information from the card onto a sales slip and the bank would credit the merchant account for the loan less a flat fee to cover the costs of providing the loan.

In 1958, The American Express Company began issuing a charge card for travel and entertainment charges which was accepted at participating restaurant, hotel and airline merchants. Card-holders enjoyed the convenience of plastic charge cards (especially when on the road for business) as well as the line of credit offered by the new bank credit cards. Merchants found that credit card customers usually spent more than if they had to pay with cash (which is still true today – the average credit card purchase is 112 percent more than if cash is used). Accepting bank-issued cards was safer (from internal and external theft and error) for the merchant than dealing with cash and less expensive than creating and maintaining a merchant-specific credit program.

The general-purpose credit card was born in 1966, when Bank of America established the BankAmerica Service Corporation that franchised the BankAmericard brand (later to be known as Visa) to banks nationwide. In 1966, another national credit card system was formed when a group of credit-issuing banks joined together and created the Interbank Card Association, which is now known as MasterCard Worldwide (it was temporarily known as MasterCharge). The new bank card associations were different from their predecessors in that an "open-loop" system was now created, requiring interbank cooperation and funds transfers. Visa and MasterCard still maintain "open-loop" systems, whereas American Express, Diners Club and Discover Card until recently remained "closed-loop".

As the bank card industry grew, banks interested in issuing cards became members of either the Visa association or MasterCard association. Their members shared card program costs, making the bank card program available to even small financial institutions. Later, changes to the association bylaws allowed banks to belong to both associations and issue both types of cards to their customers.


In 2007 the Federal Reserve conducted a study of the payments industry to estimate the number and value of payments by check, debit card (both signature and PIN), credit card, automated clearing house (ACH), and electronic benefits transfer (EBT). This study shows that cards (both credit and debit cards) increased their share of non-cash payments (in terms of number of transactions) from 42% in 2003 to 50% in 2006. The figure below provides more details.

[Figure: bar chart of Non-Cash Payments, showing Transaction (%) in 2003 and 2006 for Checks, Debit Cards, Credit Cards, ACH and EBT]

Fig 2-1 - Non-cash payments statistics during 2003 and 2006


3. Types of Cards
There is a wide range of plastic cards on the market, all offering different terms and conditions and ways to pay off your balance. Three broad categories of cards are –

3.1. Credit Cards

Credit cards allow card-holders to make purchases up to a specified limit. They offer an interest free period for purchases (where the balance is paid in full) before the bill has to be settled. You can repay a minimum amount each month, but you will be charged interest on the balance. If the bill is paid in full by the date specified on the statement, you incur no interest. There are hundreds of providers - most cards are Visa or MasterCard issued through a bank or a building society.

The following is a brief description of the common types of credit cards available through banks or other financial institutions.

• Revolving Cards – This is the most common form of credit card. The customer can choose to pay only a part of the total amount due on the card and would pay interest on the balance outstanding (in case he chooses to make a partial payment).
• Charge Cards - The customer needs to pay the full balance each month. These are typically corporate cards.
• Installment Cards - The customer agrees to repay a fixed amount of credit in equal payments over a specified period of time. Consumer durables, automobiles and furniture are often financed this way.
• Co-branded Cards - Banks often tie up with other organizations / institutions like airlines to offer co-branded cards which offer additional benefits to customers. For example, a Disney co-branded card could allow customers to earn double the reward points for every $ spent in Disney stores / facilities. Some of the variations of co-branded cards are –
   o Affinity Card – a card which you can use to show your affinity to a group or a cause. Every usage of the card results in a small contribution to the group / cause. Professional associations, university alumni associations, sports teams, etc. are the usual groups in most affinity cards.
   o Private Label Card – a card operated in closed-loop by a retailer – the card is accepted only at the retailer's outlets. These are generally designed to increase sales and enhance loyalty, rather than focusing on the credit function as a profit center. All large stores typically offer such cards.


• Balance Transfer Cards - Balance Transfer Cards allow consumers to transfer a higher interest credit card balance onto a credit card with a lower interest rate, thus saving them money in interest charges. For example, if you transfer a balance to a credit card with a low introductory Annual Percentage Rate (APR) of 0%, the APR for this balance will typically stay at this 0% interest level for a specified period of time, thus potentially saving the consumer hundreds of dollars in interest charges. The terms of balance transfer credit cards can vary between offers, so customers should always read the terms and conditions for each specific card. Nowadays, a number of card issuers provide a balance transfer facility on existing cards issued by them.
• Low Interest Cards - Low Interest Cards offer either a low introductory APR that changes to a higher rate after a certain period of time or a low fixed rate APR. For example, you may get an introductory APR credit card with an interest rate of 5% for the first six months and 10% thereafter. Then, for the first six months, any purchases or balances you carry will be only charged a 5% annual interest rate. However, any new purchases or balances that carry over after the six-month period will be subject to a 10% APR. Many people take advantage of introductory APRs to make larger purchases, so that they can take several months to pay them off. Low APR Credit Cards can help save consumers a lot of money on interest charges.
• Credit Cards with rewards program - Credit Cards with rewards programs usually "reward" the card-holder with incentives, rebates and even cash-back for purchases they make on their credit card. You can get additional airline miles, cash-back rewards or discounts on merchandise for each dollar charged on such a card. Other typical rewards include gasoline rebates, entertainment rewards and store discounts for specialty store cards. Reward Cards usually require better than average credit for approval. These days most credit cards come with some sort of reward program.
   o Airline Mile Credit Cards – airline mile credit cards or frequent flyer credit cards give you airline miles credits (or frequent flyer miles) whenever you use your card. Typically, you as the card-holder accumulate "points" based on the dollar amount of your credit card purchases over a period of time. Based on a predetermined point level, you can then redeem those points for airline travel (much like frequent flyer miles). Because airline mile reward programs can be costly for credit card companies, many airline mile credit cards come with an annual fee. These cards are great for people who frequently travel or for those who want to use their cards to plan vacations, but the associated fee might make them impractical for other types of card-holders.
   o Cash Back Credit Cards - Cash back credit cards give you cash rewards for making purchases with the card. The more the card is used, the more cash rewards you usually get. Most cash back rates are around 1% of your total purchases, excluding interest and finance charges. However, some cards offer a higher cash-back percentage with increased usage while still others offer a higher cash back percentage at select merchants or for particular types of purchases. Since cash back programs are costly to the credit card companies, some cash back credit cards also have an annual fee, which can vary from $50 to $100. This type of card is particularly good for people who are faithful about paying off their balances each month. If used appropriately a cash back credit card can earn the card-holder a significant amount of money over time.
• Secured Credit Cards - Secured credit cards require collateral for approval. With secured credit cards, a security deposit of a predetermined amount is needed in order to secure the credit card. Generally, the security deposit needs to be of equal or greater value to the credit amount. Collateral can come in the form of a bank deposit, a car, a boat, jewelry, stocks or anything else of monetary value. Secured credit cards are for people with either no credit or poor credit who are trying to build or rebuild their credit history. Often, such cards come with low credit lines ($250 or so) and additional fees may apply (application fees, etc).
• Specialty Credit Cards - Specialty credit cards are for individuals with unique and special needs for their credit use. Examples of these types of card-holders include business users and students. These credit card programs are designed specifically to meet the needs of these particular groups.
• Business Credit Cards - Business credit cards are available for business owners and executives and have many of the same features as traditional credit cards: low introductory rates, cash-back rewards, airline rewards, etc. However, business credit cards can also have many additional benefits in comparison to traditional credit cards. These cards are issued to employees for meeting official expenditure, e.g. travel and entertainment. Some of these bonuses include:
   o Business expenses kept separate from personal expenses
   o Special business rewards and/or savings
   o Expense management reports
   o Higher credit limits

   Using company credit or debit cards to make purchases offers businesses a number of key benefits:
   o Convenience - cards are quicker and cheaper to use than the company check book. They're useful for everyday expenses and can be used over the phone and Internet.
   o Credit - if you use the credit or charge cards to cover business expenses, you don't have to settle the bill immediately - you can benefit from an interest-free period.
   o Cards are globally recognized - using cards for foreign-travel purchases may give you better exchange rates. It also reduces the need to change cash before traveling.
   o Ability to monitor expenditure - you can specify which employees receive cards and set different credit limits for each card.
   o Fast access to cash - card-holding employees can withdraw cash from cash machines. However, credit and charge card issuers may levy a commission each time. And, with credit cards, you will pay interest from the day the cash is withdrawn regardless of when you settle your bill.
   o Reduction in administration - with a company credit or charge card, you pay one bill each month, no matter how many purchases you make. Receiving monthly statements helps with your accounting and administrative procedures. As purchases are specified you can distinguish business from personal expenses. Your provider may also be able to supply a report of your annual expenditure and a breakdown of the VAT charged on purchases - far more convenient than ploughing through piles of receipts.
• Student Cards - Students generally have little or no credit history. Because of this, students may often find it difficult to get approved for a traditional credit card. Student credit cards are set up to help students build up the credit history that most of them don't already have. Student credit cards are often scaled back in terms of rewards, features and other benefits. If used wisely, a student can take the first step towards building a solid credit history with a student credit card.
• Premium Credit Cards - Premium cards such as Gold or Platinum Cards are charge or credit cards that offer additional benefits such as travel upgrades, special insurance or exclusive seating for concerts. Generally, premium cards require a substantial income and an excellent credit history, offer a higher credit limit, and may charge higher fees.

3.2. Debit Cards

A debit card is issued in conjunction with a saving account or a business current account, and is a cheap substitute for cheques. Payments are deducted almost immediately from the associated account. As a result, spending is limited by available funds and only signatories of the account can use these cards. This offers a greater degree of control – card-holders can only spend what's in their account - but lacks the same degree of flexibility as other cards.

There are currently two ways that debit card transactions are processed: Online Debit (also known as PIN Debit) and Offline Debit (also known as Signature Debit). In some countries including the United States and Australia, they are often referred to as "debit" and "credit" respectively, even though in either case the user's bank account is debited and no credit is involved.

• Online Debit - Online debit cards require electronic authorization of every transaction and the debits are reflected in the user's account immediately. The transaction may be additionally secured with the personal identification number (PIN) authentication system and some online cards require such authentication for every transaction, essentially becoming enhanced automatic teller machine (ATM) cards. One difficulty in using online debit cards is the necessity of an electronic authorization device at the point of sale (POS) and sometimes also a separate pin-pad to enter the PIN, although this is becoming commonplace for all card transactions in many countries. Overall, the online debit card is generally viewed as superior to the offline debit card because of its more secure authentication system and live status, which alleviates problems with processing lag on transactions that may have been forgotten or not authorized by the owner of the card. Banks in some countries, such as Canada and Brazil, only issue online debit cards.
• Offline Debit - Offline debit cards have the logos of major credit cards (e.g. Visa or MasterCard) or major debit cards (e.g. Maestro in the United Kingdom and other countries, but not the United States) and are used at point of sale like a credit card. This type of debit card may be subject to a daily limit, as well as a maximum limit equal to the amount currently deposited in the current/chequing account from which it draws funds. Offline debit cards in the United States and some other countries are not compatible with the PIN system, in which case they can be used with a forged signature, since users are rarely required to present identification. Transactions conducted with offline debit cards usually require 2-3 days to be reflected on users' account balances.
• FSA Debit Cards - An FSA Debit Card is a special type of debit card issued in the United States to access tax-favored spending accounts such as Flexible Spending Accounts (FSA), Health Reimbursement Accounts (HRA), and sometimes Health Savings Accounts (HSA) as well. All such cards to date bear the Visa or MasterCard brand and operate through their main networks; thus all FSA debit card transactions are of the offline variety (also known as "signature debit" or, inaccurately but commonly, "credit").

Although the value of debit card payments is still less than half the value of credit card payments, the number of debit card payments now exceeds that of credit cards. Debit card payments increased 17.5 percent per year from 2003 to 2006. The growth of debit card payments has given rise to new debit type payment products like prepaid cards and decoupled debit cards.

3.3. Stored Value Cards

Stored-value cards look like credit cards but are actually prepaid cards. A stored-value card has a set value which decreases as the card is used. One major difference between stored value cards and debit cards is that debit cards are usually issued in the name of individual account holders, while stored value cards are usually anonymous. Stored-value cards represent money on deposit and function in much the same way as conventional debit cards. The key difference is that funds are not stored in an account that is directly linked to the card-holder, but are stored onto the card and held at a remote database with a financial services provider. In this respect there is no actual value stored on the card itself; they do not act as a substitute for cash, so lost or stolen cards can be easily stopped and replaced.

Prepaid cards use the credit/debit infrastructure and are accepted at all the places where debit and credit cards are accepted. They have found application in both public and private sectors. For instance, prepaid cards are used in the public sector for making benefit payments like child support and unemployment benefit payments. In the private sector, prepaid cards are used for payroll in industries where cash or checks are predominantly used. Prepaid cards are also given to employees for expensing their travel costs. Prepaid cards improve the security and control over payments, reducing the potential for errors and fraud. By replacing check and cash, they reduce the operational cost involved in check clearing and cash handling.

Most stored value cards are smart cards (contain an integrated microchip). Smart cards are more flexible because they contain an integrated microchip that can be programmed to provide information codes as well as financial information. The prepaid value of a smart card decreases as you use the card but can be increased by paying for additional value. Many colleges issue smart cards that give students access to food services, vending, photocopying, laundry, telephone and other purchases as well as access to the library, laboratories and other secured areas on campus.

Depending on the acceptability, stored-value cards can be classified as –

o Closed system cards - Closed system cards have emerged and replaced the traditional "gift certificate" and are commonly known as "gift cards". Purchasers buy a card for a fixed amount and can only use the card at the merchant that issues the card. Generally, few if any laws govern these types of cards. Card issuers or sellers are not required to obtain a license. Closed system cards are not subject to the Patriot Act, as they generally cannot identify a customer. Traditionally, gift certificates have fallen under state abandoned property law (APL). However, the emergence of closed system cards has blurred the applicability of APL.
o Semi-closed system cards - These are similar to closed system cards. However, card-holders are permitted to redeem the cards at multiple merchants within a geographic area. These types of cards are issued by a third party, rather than the retailer who accepts the card. Examples include university cards and mall gift cards. Laws governing these types of cards are unsettled.
o Open System Purchasing Cards – These are also known as "stored value credit cards"; however, they are not really credit cards, as no credit is offered by the card issuer: the card-holder spends money which has been "stored" on the card via his own prior deposit. The value is not physically stored on the card; instead, the card number uniquely identifies a record in some central database, where the balance is recorded. These cards are similar to gift cards, but are issued with a credit card logo such as Visa or MasterCard and can, unlike gift cards, be used anywhere a Visa or MasterCard may be used. They are very similar to a debit or check card except that they don't require a checking account. However, they do not have many of the benefits of the credit card (like product or service return/refund assistance, unauthorized purchase protection, etc). These cards have been marketed to consumers with poor credit, who are unable to qualify for the line of credit that backs a mainstream credit card. The fees associated with these cards are often very high. A variation of this are the PaidByCash virtual cards in the United States and the 3V cards issued in the Republic of Ireland. These consist only of a card number plus expiry date and verification number, so can only be used for customer-not-present transactions.
o Open System Prepaid Cards – These are the most regulated of all the stored value cards. An example is the payroll card. Payroll cards are used by employers to pay employees. The employee is issued a card that permits access to an account established by the employer. At the end of each pay period, the employee's ability to draw money from that account is increased by the amount of his or her wages. The card may be used at an Automated Teller Machine (ATM) to obtain cash, and, in some instances, may be used at a store to pay for purchases. The payroll card is particularly useful for employees who do not have a regular checking or savings account at a financial institution because they can access their wages conveniently. Also, if there is no charge for using the ATM, they avoid fees charged for cashing checks. The advantage to the employer is low cost of paying wages and efficiency.

An example of a stored-value card is the special pre-paid Visa card for mail, telephone and Internet use only (this segment is popularly known as the MOTO segment). These are made available by a small number of banks. They are sometimes called "virtual Visa cards", although they usually do exist in the form of plastic. An example is 3V. Recently, these virtual cards have been increasingly issued by non-financial institutions such as grocery and convenience stores to consumers as a replacement for money orders (such as PaidByCash in the United States). Such cards can be used whenever the remote store accepts Visa cards.

Before making a transaction, the customer transfers the required amount of money from his main account to the card's sub-account using the bank's website or telephone. Next, the customer gives the card number and the CVV2 code (a 3- or 4-digit value associated with a card; it is used to secure "card not present" transactions) to the merchant, who authorizes the transaction electronically, as with a regular Visa card. If there is enough money in the sub-account, the bank grants the authorization and locks the adequate amount on the sub-account. Such a card prevents fraud by a card number thief even if the card is not blocked, because the customer normally does not store any money on the sub-account and

fraudulent transactions do not get authorized by the bank. For extra security, the CVV2 code is not printed on the card but rather sent separately to the customer in a secured envelope. The bank also rejects local transactions (ones that are not made over the Internet, mail or telephone). However, some merchants use software incompatible with Visa regulations and send authorization requests that wrongly tell the bank that the transaction is not a MOTO/Internet one, in which case the bank rejects the request. Additionally, some merchants do not use electronic authorization at all, in which case the transaction cannot be completed as well. For these two reasons the card is unusable with a small minority of Internet, telephone and postal stores.


4. Key Features of a Credit Card
Let us see what a credit card looks like, what its key features are, and understand the various signs, symbols and numbers that appear on a card. This is what the front-side of a typical card looks like -

Fig 4-1 - Front-side of a typical card
1) Logo of the Issuer Bank (the bank that issues the card)
2) EMV chip (commonly referred to as 'Chip And Pin') – the smart-card chip
3) Hologram
4) 16 digit card number
5) Logo of the card network (Visa, Master, Discover, Amex, etc)
6) Expiry date of the card
7) Name of the card-holder

This is what the reverse-side of a typical card looks like –

Fig 4-2 - Back-side of a typical card
(1) Magnetic stripe
(2) Signature strip
(3) CVV2 code - used to secure "card not present" transactions

4.1. Credit-Card Numbers

Card numbers have a certain amount of internal structure, and share a common numbering scheme.

Fig 4-3 - Numbers on a card

The first digit in a credit-card number signifies the Major Industry Identifier (MII) that represents the category of the entity that has issued the credit card. Different digits represent the following issuer categories:
0 – ISO/TC 68 (a technical committee of International Standards Organization) and other industry assignments
1 – Airlines
2 – Airlines and other industry assignments
3 – Travel/Entertainment cards (such as American Express and Diners Club)
4 – Banking & Financial
5 – Banking & Financial
6 – Merchandizing and Banking
7 – Petroleum
8 – Telecommunications and other industry assignments
9 – National assignments

For example, American Express, Diner's Club, and Carte Blanche are in the travel and entertainment category, Visa, MasterCard, and Discover are in the banking and financial category, and Sun Oil and Exxon are in the petroleum category.


The structure of the card number varies as per the system. E.g. American Express card numbers start with 37; Carte Blanche and Diners Club with 38. In general, each card number has three parts –
• Issuer Identifier Number - the set of first 6 digits
• Account Number - digits 7 to (n-1), where n is the length of the card number. For 16-digit credit card numbers, there are 10 possible numbers (from 0 to 9) that can be arranged in these 9 places. This gives rise to 10^9 combinations, that is, 1 billion possible account numbers (per Issuer Identifier).
• Check Digit - the last digit, used to ensure that the card number is correct; for a given Issuer Identifier and account number, there cannot be more than one correct check digit.

Within each of the first two parts, each network follows different protocols –
• American Express - Digits three and four are type and currency, digits five through 11 are the account number, digits 12 through 14 are the card number within the account, and digit 15 is a check digit.
• Visa - Digits two through six are the bank number, digits seven through 12 or seven through 15 are the account number and digit 13 or 16 is a check digit.
• MasterCard - Digits two and three, two through four, two through five or two through six are the bank number (depending on whether digit two is a 1, 2, 3 or other). The digits after the bank number up through digit 15 are the account number, and digit 16 is a check digit.
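The three-part structure and the check digit can be exercised directly. The following is an added example, not part of the original course material: the text does not name the check-digit algorithm, which for payment cards is the Luhn (mod 10) formula. The function names are this example's own, and the card numbers used are widely published test values or constructed, not real accounts. It also shows what the check digit does and does not catch: it is an error-detection code for mistyped numbers, not proof that an account exists.

```python
"""Split a card number into its three parts and verify the check digit."""

# Major Industry Identifier categories, as listed in this section.
MII_CATEGORIES = {
    "0": "ISO/TC 68 and other industry assignments",
    "1": "Airlines",
    "2": "Airlines and other industry assignments",
    "3": "Travel/Entertainment",
    "4": "Banking & Financial",
    "5": "Banking & Financial",
    "6": "Merchandizing and Banking",
    "7": "Petroleum",
    "8": "Telecommunications and other industry assignments",
    "9": "National assignments",
}


def luhn_remainder(digits: str) -> int:
    """Luhn sum modulo 10; zero means the last digit is a consistent check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9      # same as adding the two digits of the product
        total += d
    return total % 10


def check_digit_for(partial: str) -> int:
    """The single check digit that completes issuer identifier + account number."""
    return (10 - luhn_remainder(partial + "0")) % 10


def parse_card_number(raw: str) -> dict:
    """Return the MII category, issuer identifier, account number and check digit."""
    digits = raw.replace(" ", "").replace("-", "")
    if not (digits.isascii() and digits.isdigit() and 13 <= len(digits) <= 19):
        raise ValueError("expected 13 to 19 digits")
    return {
        "mii": MII_CATEGORIES[digits[0]],
        "issuer_identifier": digits[:6],
        "account_number": digits[6:-1],
        "check_digit": int(digits[-1]),
        "check_digit_valid": luhn_remainder(digits) == 0,
    }


def all_single_digit_errors_detected(number: str) -> bool:
    """True if replacing any one digit by any other digit breaks the check."""
    for i, original in enumerate(number):
        for replacement in "0123456789":
            if replacement == original:
                continue
            altered = number[:i] + replacement + number[i + 1:]
            if luhn_remainder(altered) == 0:
                return False
    return True


def undetected_adjacent_swaps(number: str) -> list:
    """Positions i where swapping digits i and i+1 still passes the check."""
    missed = []
    for i in range(len(number) - 1):
        if number[i] == number[i + 1]:
            continue        # swapping equal digits changes nothing
        swapped = number[:i] + number[i + 1] + number[i] + number[i + 2:]
        if luhn_remainder(swapped) == 0:
            missed.append(i)
    return missed


if __name__ == "__main__":
    print(parse_card_number("4111 1111 1111 1111"))
    # Constructed number containing the digit pair "09", the one adjacent
    # transposition that the Luhn formula cannot detect.
    constructed = "411111109111111"
    constructed += str(check_digit_for(constructed))
    print(constructed, undetected_adjacent_swaps(constructed))
```

A number that passes this check is only well formed; whether the account exists and has credit is decided during authorization.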

4.2. The Stripe on a Credit Card

The stripe on the back of a credit card is a magnetic stripe or a magstripe. It is made up of tiny iron-based magnetic particles in a plastic-like film. Each particle is a tiny bar magnet. There are three tracks on the magstripe. Each track is about one-tenth of an inch wide. The ISO/IEC standard 7811, used for magstripes, specifies:
• Track one is 210 bits per inch (bpi), and holds 79 6-bit plus parity bit read-only characters.
• Track two is 75 bpi, and holds 40 4-bit plus parity bit characters.
• Track three is 210 bpi, and holds 107 4-bit plus parity bit characters.


A card typically uses only tracks one and two. Track three is a read/write track (it usually includes an encrypted PIN, country code, currency units and amount authorized), but its usage is not standardized among banks. The information on track one is contained in two parts – Part A, which is reserved for proprietary use of the card issuer, and Part B, which includes the following:
• Start sentinel - one character
• Format code = "B" - one character (alpha only)
• Primary account number - up to 19 characters
• Separator - one character
• Country code - three characters
• Name - two to 26 characters
• Separator - one character
• Expiration date or separator - four characters or one character
• Discretionary data - enough characters to fill out maximum record length (79 characters total)
• End sentinel - one character
• Longitudinal redundancy check (LRC) - one character. LRC is a form of computed check character.

The format for track two, developed by the banking industry, is as follows:
• Start sentinel - one character
• Primary account number - up to 19 characters
• Separator - one character
• Country code - three characters
• Expiration date or separator - four characters or one character
• Discretionary data - enough characters to fill out maximum record length (40 characters total)
• LRC - one character

To retrieve the information on the magstripe one needs a magstripe reader. If an ATM does not accept a card, it could be because of
• dirty or scratched magstripe
• erased magstripe
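A reader notices a dirty, scratched or erased stripe because one of the track's built-in checks fails: the parity bit on each character or the LRC over the whole record. The following added example (not part of the original course material) decodes a track-two bit stream and applies both checks. Details not stated above are taken from ISO/IEC 7811 and marked in the comments: bits are recorded least significant bit first, parity is odd, and the LRC makes every data-bit column even. The sample track is constructed, and the fields after the separator are returned undivided.

```python
"""Decode a track-two bit stream: 4 data bits + 1 parity bit per character."""

START, SEPARATOR, END = ";", "=", "?"   # sentinels and field separator
MAX_CHARACTERS = 40                     # track-two record length, LRC included


class TrackError(ValueError):
    """Raised when the stripe data fails a framing or integrity check."""


def _char_bits(value: int) -> list:
    # Per ISO/IEC 7811: data bits least significant first, then odd parity.
    data = [(value >> i) & 1 for i in range(4)]
    return data + [1 - sum(data) % 2]


def encode_track2(text: str) -> list:
    """Build the bit stream for `text` (sentinels included) and append the LRC."""
    values = [ord(c) - 0x30 for c in text]      # '0'..'?' map to 0..15
    if any(not 0 <= v <= 15 for v in values):
        raise ValueError("character outside the track-two character set")
    lrc = 0
    for v in values:
        lrc ^= v                                # even parity per bit column
    bits = []
    for v in values + [lrc]:
        bits += _char_bits(v)
    return bits


def decode_track2(bits: list) -> dict:
    """Check parity, sentinels and LRC, then return the PAN and remaining data."""
    if len(bits) % 5:
        raise TrackError("bit count is not a multiple of 5")
    values = []
    for pos in range(0, len(bits), 5):
        group = bits[pos:pos + 5]
        if sum(group) % 2 != 1:
            raise TrackError(f"parity error in character {pos // 5}")
        values.append(sum(bit << i for i, bit in enumerate(group[:4])))
    if len(values) > MAX_CHARACTERS:
        raise TrackError("record longer than 40 characters")
    text = "".join(chr(0x30 + v) for v in values[:-1])   # last value is the LRC
    if not (text.startswith(START) and text.endswith(END)):
        raise TrackError("missing start or end sentinel")
    lrc = 0
    for v in values:
        lrc ^= v
    if lrc != 0:
        raise TrackError("LRC mismatch")
    pan, sep, rest = text[1:-1].partition(SEPARATOR)
    if not sep or not pan.isdigit() or len(pan) > 19:
        raise TrackError("malformed primary account number")
    return {"pan": pan, "after_separator": rest, "characters": len(values)}


def read_result(bits: list) -> str:
    """'ok' for a clean read, otherwise the reason the read was rejected."""
    try:
        decode_track2(bits)
        return "ok"
    except TrackError as exc:
        return str(exc)


# Constructed sample: test card number plus filler digits after the separator.
SAMPLE_TRACK = ";4111111111111111=25121010000?"

if __name__ == "__main__":
    clean = encode_track2(SAMPLE_TRACK)
    print(decode_track2(clean))
    scratched = list(clean)
    scratched[17] ^= 1                  # one damaged bit: caught by parity
    print(read_result(scratched))
    damaged = list(clean)
    damaged[15] ^= 1                    # two damaged bits in one character:
    damaged[16] ^= 1                    # parity still passes, the LRC does not
    print(read_result(damaged))
    print(read_result([0] * len(clean)))   # erased stripe
```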


5. Card Network Models
Cards are basically payment mechanisms. Today, typical card transactions involve multiple participants - card-holders, merchants, banks issuing cards and processing merchant transactions, and processing network. Over the last half century, cards have evolved from bilateral models (involving only merchants and card-holders) to multiple-issuer models (involving a number of parties). Let us look at these models –

5.1. Bilateral Model

Fig 5-1 - A bilateral card network model

This is the simplest form of model, wherein a merchant issues cards to its customers in order to provide credit. In this model, the card-holder makes purchases; the merchant presents a bill to the card-holder listing all purchases at the end of the billing period (usually a month). After the merchant presents the card-holder with the bill, the card-holder sends the payment to the merchant. In this model, the information and funds flow between a merchant and a card-holding customer when the merchant extends credit.

5.2. Single Card Issuer Model


Fig 5-2 - A single-issuer card network model

The bilateral model evolved into the more complex Single-Issuer model (also known as the Closed-Loop Card Association model). In this system, cards are issued by an entity that is separate from the merchants. This entity is called the Issuer; in cases where the entity is an association of a number of entities, it is known as a Card Association. The issuer in this case has relationships with a number of merchants who extend credit to customers who hold the cards issued by the issuer. Merchants send information about each purchase, including the customer account number, the transaction amount, and verification to the card issuer. The card issuer pays the merchants and sends monthly statements to the card-holders listing all transactions which occurred during the statement period. The customers then pay the balance due, in whole or in part, based on the credit terms that were extended by the issuer. The original Diners Club model and, until very recently, Discover Card and American Express models (which have now converted to the multiple-card-issuer model) are of this type.

5.3. Multiple Card Issuer Model


Fig 5-3 - A multiple-issuer card network model

The most complex form of credit card network is the one with the greatest number of participants: the multi-issuer card model (Visa and MasterCard networks are typical examples of this model). In this model there is one card association, many card-holders, many merchants, and multiple banks. The card association (or network) plays an important role by imposing rules for issuing cards, clearing and settling transactions, advertising and promoting the brand, authorizing transactions, assessing fees, and allocating revenues among transaction participants. Further, each participant in the credit card transaction has an incentive for participating in the network.

The above figure shows a basic illustration of the multiple card issuer model with an example of the flow of payments in a sample $100 credit card purchase. The card-holder makes a purchase for $100 by presenting the card (which contains the account information) to the merchant. The merchant transmits the card-holder's account number and the amount of the transaction to its bank (generally called the acquiring bank). The card association sends an authorization request to the issuing bank. The issuing bank sends back an authorization response to the card association. If the issuing bank approves the transaction, it will send $98.00 to the card association. Next, the card association sends the authorization response to the acquiring bank along with $98.00 to the merchant's bank. The acquiring bank then sends $97.50 to the merchant, subtracting 50 basis points for its services. At the end of the billing cycle, the issuing bank sends a monthly statement to the card-holder and receives payment of $100 from the card-holder.


6. Key Players
Having understood the card network models, let us understand the role of each player.

6.1. Card-Holder

The owner of a credit card is referred to as the card-holder. The card-holder or consumer is issued a credit card after necessary verification by a credit approving authority, which s/he can use to make purchases at merchants up to a defined limit (known as the credit limit). Based on the responsibility for making the payments, a card-holder can be –
• Primary Card-holder - the person listed on an account, who has the primary responsibility and obligation for making payments due on the card account.
• Secondary Card-holder - the secondary card-holder is an add-on card-holder to the primary card-holder. All transactions executed on the secondary card will appear on the primary card-holder's account. The advantage of an add-on card is that any dependent of the primary card-holder can use the card independently.

6.2. Merchant

A merchant is an individual or a business establishment that accepts credit cards as a means of payment for products or services sold to the card-holder. Merchants accept cards as this provides customers with another payment option and in most cases increases the amount spent.

6.3. Issuer

An issuer is a bank, organization or financial institution that issues the card to the card-holder. An issuer is responsible for marketing (sourcing new accounts), card production, loyalty and campaigns. It evaluates potential customers for credit risk. It is responsible for generating the payment statements that are required to be paid back by the card-holder and bears the risk in case of any fraud. Other functions it conducts include collections, payment processing and customer service. For an organization to be an issuer, it needs to tie up with a number of organizations - card association (Visa, Master, Discover, Amex and JCB etc), card vendors (for card embossing, production, etc), credit bureaus and third party processors for outsourcing.

While there are more than 7000 card issuers in the US alone, the following top ten issuers controlled an estimated 89.5% of the general purpose credit card market share in 2004 –
1. JPMorgan Chase
2. Bank of America
3. Citigroup
4. Capital One
5. U.S. Bank
6. HSBC
7. Wells Fargo
8. USAA Savings
9. Washington Mutual
10. Barclays

6.4. Acquirer

An acquirer is an organization that is in the business of processing credit card transactions for businesses (acceptors). It is an organization that collects credit-authentication requests from merchants and provides the merchants with a payment guarantee. An acquirer provides a number of services, including –
• Providing authorization services when customers present their cards -- the acquirer processes the transaction information, coordinates and updates its accounts, and then relays the sales data to the issuing bank for authorization. Once the transaction is authorized, the acquirer informs the merchant that the sale has been approved.
• Taking risk by paying merchants upfront
• Signing up merchants and managing the relationship with them
• Installing terminal equipment
• Keeping track of transactions and reporting the data to merchants
• Transferring funds to the merchant on a daily basis to cover card purchases, i.e. clearing and settlement
• Responding to merchant problems with card processing

6.5. Network / Association

Servicing a transaction requires an electronic network. The network allows for movement of electronic data by acting as a medium for transmission, verification, validation and authorization before a merchant acknowledges it in exchange for a product or service. An association is a group of card issuing banks that set the terms and conditions for merchants, issuers and acquirers.


Credit card networks can be classified as two types – proprietary (also known as single issuer model) and open (also known as multiple issuer model) networks. Examples of open card networks are –
• Visa - Visa, Inc., commonly called VISA, is an economic joint venture of 20,000+ financial institutions that issue and market Visa products including credit and debit cards. The company was originally named Visa International Service Association (it was born in 1966, when the Bank of America established the BankAmerica Service Corporation that franchised the BankAmericard brand – later to be known as Visa). The name change occurred in the fall of 2007 as a part of VISA's restructuring and IPO plan. The company is based in San Francisco, California, USA.
• MasterCard - In 1966, a national credit card system was formed when a group of credit-issuing banks joined together and created the Interbank Card Association (ICA). The ICA is now known as MasterCard Worldwide, though it was temporarily known as MasterCharge. This organization competes directly with similar Visa programs.

The “open” associations are different from proprietary ones in that an 'open-loop' system requires interbank cooperation and funds transfers. Visa and MasterCard’s organizations both issue credit cards through member banks and set and maintain the rules for processing. Their members share card program costs, making the bank card program available to even small financial institutions. They are both run by board members who are mostly high-level executives from their member banking organizations.

Examples of proprietary card networks are –
• Discover
• American Express
• Diners Club

Till recently, bylaws of the Visa and MasterCard associations allowed banks to belong to both associations and issue both types of cards to their customers; and more significantly prevented the member-banks from issuing cards of other networks (e.g., American Express, Discover, etc). However, recent court rulings have made such bylaws illegal and hence allowed the erstwhile closed-loop / proprietary networks to issue cards through other financial institutions.

6.6. Processors

The back end systems that are responsible for encrypting and decrypting data and for verifying, validating and authorizing transactions are called processors.


6.7. Credit Bureaus

A credit bureau is an independent agency that provides credit information on individual borrowers. This assists issuers in assessing the creditworthiness of a potential card-holder, in terms of the ability to pay back, and expedites the process of credit card issuance. Credit bureaus collect and collate personal financial data on individuals and businesses from data furnishers with which the bureaus have a relationship. Data furnishers are businesses, utilities, debt collection agencies, public institutions, and the courts (i.e. public records) that a consumer or business has had a relationship or experience with. Data furnishers report the experience with the consumer or business to the credit bureaus. The data provided by the data furnishers as well as collected by the bureaus are then aggregated into the credit bureaus' data repository or files. The resulting information is made available on request to contributing companies for the purposes of credit assessment and credit scoring. While Equifax (also called CBI), Experian (formerly TRW), TransUnion and Innovis are the major global credit bureaus, there are about 50 regional credit service providers and a number of local bureaus in the US.

6.8. On-us and Off-us Merchants and Cards

Since most of the large banks are both issuers and acquirers, it is possible for a bank to be both issuer and acquirer for a particular transaction. An issuer classifies merchants as –
• On-us Merchants – merchants who have been acquired by the issuer bank
• Off-us Merchants – merchants who have not been acquired by the issuer bank

Similarly, acquirers classify cards as –
• On-us Cards – cards issued by the acquirer bank
• Off-us Cards – cards not issued by the acquirer bank

These classifications are important because they determine what risks the bank is taking and what the quantum of rewards from these transactions is. The graph below shows this in a pictorial form.


Fig 6-1 - Risk-reward matrix for on-us off-us transactions

For example, if JP Morgan Chase is the acquirer for all card transactions at Walmart and Bank of America is the acquirer for transactions at American Airlines, the scenarios (from JP Morgan Chase’s perspective) would be –
• A JP Morgan Chase card-holder uses his card at Walmart – the transaction would be termed an On-us – On-us transaction. JP Morgan Chase would earn the most revenue in this transaction (approx 1.4% - 1.9%). JP Morgan Chase undertakes the highest risk (merchant risk as well as card-holder risk) and hence it earns the highest rewards.
• A Bank of America card-holder uses his card at Walmart – the transaction would be termed an Off-us – On-us transaction. JP Morgan Chase would earn between 0.5% and 0.7% for this transaction -- lower risk (only merchant risk) hence lower rewards.
• A JP Morgan Chase card-holder uses his card at American Airlines – the transaction would be termed an On-us – Off-us transaction. JP Morgan Chase would earn between 1.1% and 1.4% for this transaction -- higher risk (card-holder risk) and hence higher rewards.
• An Amex card-holder uses his card at American Airlines – the transaction would be termed an Off-us – Off-us transaction. These transactions would not be visible to JP Morgan Chase and represent the market share which is lost to competition -- no risk hence no rewards.


7. Basic Transaction Flow
In this chapter we look at the mechanism of a card transaction, right from the time that a customer presents his card to pay for the good/service he is buying to the time that he makes the payment to the card-issuing bank.

7.1. Authorization

A card transaction has three discrete steps – authorization, clearing and settlement. Let us understand the authorization process with the help of the diagram below.

Fig 7-1 - Authorization Process

Authorization is a process of validating the card and checking whether there is enough credit on the card account to pay for the transaction. After an authorization, even though the card is not actually charged, the amount is blocked on the card and reserved for this transaction.
• Voice Authentication - merchants with few transactions each month do voice authentication using a touch-tone phone.
• Electronic data capture (EDC) – merchants have swipe terminals using which they / card-holders swipe the card and enter the amount. This is the most common way.
• Virtual terminals – this is the way that internet shopping sites use.

Authorization is made up of a request and a reply. When a reply is sent back to the terminal, the switch may receive a completion message from the terminal which confirms the action taken by the terminal. The switch then sends an acknowledgment of receipt to the terminal. The steps in authorization are –


1. Customer presents the card to a cashier (enters the card number online in case of a card-not-present scenario)
2. The cashier swipes the credit card through a reader. The EDC software at the point-of-sale (POS) terminal dials a stored telephone number to call an acquirer.
3. The acquirer gets the credit-card authentication request and checks the transaction for validity and the record on the magstripe for:
   • Merchant ID
   • Valid card number
   • Expiration date
   • Credit-card limit
   • Card usage
   • Personal Identification Number (PIN) entered by the card-holder using a keypad (in case of online debit card). The PIN is typically not on the card -- it is encrypted (hidden in code) in a database.
   If it finds no issue with the request, the acquirer forwards the request through the network (Visa in this case) to the issuer.
4. The issuing bank checks to see if the customer information is valid and if there is enough credit in the account to cover the transaction. At the same time, it verifies that the billing address on the order matches the billing address on file for the credit card (this is called Address Verification Service).
5. If the account is valid and there is enough credit and the address is verified, the issuing bank sends an authorization code back to the merchant (through the acquirer) and puts a hold on the funds in the customer's account. If the account is not valid or there isn't enough credit to cover the transaction or there is a problem with the billing address, the issuing bank sends a "transaction declined" message back to the merchant. On receipt of this message, the POS machine displays a receipt to the cashier if the transaction was authorized, or a "problem" message if declined.

Sometimes, an authorization request is aborted before it reaches the authorization server (this can happen at the ATM / POS terminal or at the switch). In case of an aborted request, the payment network has the functionality to ensure reversal – ensuring that money debited, if any, is credited back. If the authorizer is unavailable, the system may stand in to authorize the transaction. There are a variety of ways that stand-in can be provided. The authorization processor has a set of pre-defined rules for stand-in.
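The issuer's side of steps 4 and 5, together with reversal, can be modelled in a few lines. This is an added sketch, not part of the original course material and not any network's real message format: the class and field names are this example's own, amounts are in cents, the account data is constructed, and a ZIP code comparison stands in for the Address Verification Service. It shows that an approval places a hold without changing the posted balance, and that a reversal releases the hold exactly once.

```python
"""Issuer-side authorization: validate, place a hold, decline, or reverse."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Account:
    card_number: str
    expiry: date                  # last day the card is valid
    credit_limit: int             # cents
    billing_zip: str              # stand-in for the billing address on file
    balance: int = 0              # posted charges; authorization never changes it
    holds: dict = field(default_factory=dict)   # authorization code -> held cents

    @property
    def available(self) -> int:
        """Credit still open after posted charges and outstanding holds."""
        return self.credit_limit - self.balance - sum(self.holds.values())


def _decline(reason: str) -> dict:
    return {"approved": False, "reason": reason}


class Issuer:
    def __init__(self, accounts):
        self.accounts = {a.card_number: a for a in accounts}
        self._counter = 0

    def authorize(self, card_number, amount, billing_zip, today) -> dict:
        """Steps 4 and 5: check the account, the address and the credit."""
        account = self.accounts.get(card_number)
        if account is None:
            return _decline("invalid account")
        if amount <= 0:
            return _decline("invalid amount")
        if today > account.expiry:
            return _decline("expired card")
        if billing_zip != account.billing_zip:
            return _decline("address mismatch")
        if amount > account.available:
            return _decline("insufficient credit")
        self._counter += 1
        code = f"A{self._counter:05d}"
        account.holds[code] = amount          # reserve, do not charge
        return {"approved": True, "auth_code": code}

    def reverse(self, card_number, auth_code) -> bool:
        """Release the hold of an aborted request; repeating it has no effect."""
        account = self.accounts.get(card_number)
        if account is None:
            return False
        return account.holds.pop(auth_code, None) is not None


if __name__ == "__main__":
    # Constructed account: $500.00 limit, nothing posted yet.
    card = Account("4111111111111111", date(2030, 12, 31), 50_000, "10001")
    issuer = Issuer([card])
    today = date(2030, 1, 15)
    first = issuer.authorize(card.card_number, 30_000, "10001", today)
    print(first, card.available, card.balance)
    print(issuer.authorize(card.card_number, 25_000, "10001", today))
    print(issuer.reverse(card.card_number, first["auth_code"]), card.available)
```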


7.2. Clearing

Fig 7-2 - Clearing and Settlement Process

After a card transaction is authorized, payment of money to all parties involved is a two-step process where the first step is Clearing, followed by Settlement. During the clearing process the acquirer provides the issuer with information on the sale. No money is exchanged during clearing. Clearing involves the exchange of data only. The acquirer provides the data required to identify the card-holder’s account and provides the dollar amount of the sales. When the issuing bank gets this data, the bank posts the amount of the sale as a draw against the card-holder’s available credit and prepares to send payment to the acquirer. Steps involved in clearing are –
1. Merchant delivers sales draft info to acquirer (by hand or electronically)
2. Acquirer credits merchant account (less fee)
3. Acquirer batches all sales drafts info
4. Acquirer forwards sales drafts from all its merchants to the network (Visa Interchange Center in this case)
5. The network center consolidates transactions from all acquirers and creates interchange files for each issuer

7.3. Settlement

Settlement is the step where actual exchange of funds takes place. The issuer sends a record of money that is being transferred from its account to that of the acquirer. From this account the acquirer pays the merchant. Funds are settled between issuers and acquirers through accounts with large banks that are members of the Federal Reserve System and have been selected for that purpose. Payments to merchants are made usually through the Federal Reserve’s Automated Clearing House (the “ACH”) which is an electronic funds transfer system. Steps involved in clearing are –
6. The network center transmits interchange files electronically through the payment network to issuers
7. Issuers post transactions to card-holder statements
8. Issuers transfer funds to the settlement bank for all acquirers
9. Issuers produce statements for card-holders


8. Commercials of a Card Transaction
Fig 8-1 - Commercials of a typical card transaction

[Figure: flow of a $100 purchase through the VISA network. Labels in the figure:]
1) Purchase $100
2) Submit sales draft
3) Gets paid $98.10. Discount 1.9%
4) Submit transaction to n/w
5) Issuer pays Acquirer $98.60. Discount 1.4%
6) Issuer charges $100 to the card holder
7) C/H pays $100
Network fee labels: "Pays n/w 7.9 cents per transaction" and "Pays n/w 6.9 cents per transaction"

8.1. Discount / Interchange Fees

The discount or interchange fee (as it is known in industry parlance) is the most important component of a credit card transaction. The interchange fee is one component of the Merchant Discount Rate, which is paid by merchants to their banks when they accept credit and debit cards for purchases. The card-issuing bank in a payment transaction deducts the interchange fee from the amount it pays the acquiring bank that handles a credit or debit card transaction for a merchant. The acquiring bank then pays the merchant the amount of the transaction minus both the interchange fee and an additional, smaller fee for the acquiring bank. In the diagram above, 1.4% is the interchange fee (the discount by issuer to the acquirer). Interchange fees have a complex pricing structure, which is based on the card brand, the type of credit or debit card, the type and size of the accepting merchant, and the type of transaction (e.g. online, in-store, phone order). Further complicating the rate schedules, interchange fees are typically a flat fee plus a percentage of the total purchase price (including taxes).

Interchange rates are established at differing levels for a variety of reasons. For example, a premium credit card that offers rewards generally will have a higher interchange rate than standard cards do. Transactions made with credit cards generally have higher rates than those with signature debit cards, whose rates are in turn typically higher than PIN debit card transactions. Sales that are not conducted in person, such as by phone or on the Internet, generally are subject to higher interchange rates than transactions on cards presented in person.

Cards in a multi-issuer model represent a complex form of two-sided markets -- merchants are more willing to accept cards that have many card-holders, and card-holders want cards that are accepted at many establishments. The payment network benefits the merchant and the buyer jointly and entails joint costs, and it must price its service so that it gets, and keeps, the two sides participating in the network. It does this largely by setting interchange fees at levels that will maintain balance in the incentive structures of issuing banks (banks that issue credit cards) and acquiring banks (banks that service merchants and process their credit card transactions).

8.2. Membership / Annual Fees

An annual fee is a charge sometimes required by credit card companies for use of an account. Annual fees range between $10-50 a year and are most common with rewards cards or cards for subprime borrowers.

8.3. Finance Charges

The biggest revenue stream for card issuers is from finance charges – basically interest earned from outstanding dues on credit card accounts. Different credit card issuers calculate the outstanding amount for finance charges in different ways. Some card companies give a stretch during which no interest is charged for new purchases; others start the finance charge meter running the minute a purchase is made. It all comes down to whether or not the company includes new purchases in the outstanding balance, which is the amount on which finance charges are computed. Different ways in which different credit card issuers calculate the outstanding balance include –
• average daily balance method, including new purchases
• average daily balance method, excluding new purchases
• two-cycle average daily balance method, including new purchases
• two-cycle average daily balance method, excluding new purchases
• adjusted balance method
• previous balance method


With the average daily balance method, the outstanding balance is averaged for the billing cycle. So, the company adds up the outstanding balance for each day during the billing cycle, taking into account any payments the card-holder may have made or credits received, then divides by the number of days in the billing cycle. Whether or not the company includes new purchases in this balance can make a big difference in the finance charge an individual pays. If the company excludes new purchases, the user essentially gets to own those products interest-free until the beginning of the next billing cycle.

The two-cycle average daily balance method works much the same way, except it takes the current and the preceding billing cycle into account in computing the outstanding balance.

The adjusted balance method is perhaps the easiest to understand. It’s simply the outstanding balance at the beginning of the billing cycle, less any payments or credits during that billing cycle. Finally, the previous balance method is the outstanding balance at the beginning of the billing cycle (ignoring any payments in the interim).

The methods that normally result in the lowest finance charges, and therefore work best for the consumer, are:
• the average daily balance method, excluding new purchases
• the adjusted balance method
• the previous balance method

8.4. Cash Advance Fees

Most card issuers charge a hefty fee for a cash advance (usually 2 to 4 percent of the amount). Many issuers charge a higher interest rate on cash advances than they do on purchases. And, on top of that, there’s usually no grace period, so the higher interest starts piling up right away. A point to note is that payments are allocated to the lower-interest charges first, which means that even if the card-holder pays some part of the outstanding balance, it is usually allocated to purchases and the interest keeps building on the cash advance amount.

8.5. Other Fees and Charges

Late Fees - If a card-holder’s payment arrives late, the credit card company charges a penalty, usually in the $15 to $50 range. Some card issuers trigger a penalty interest rate on some accounts if there are multiple late fees in a specific time period (such as two late fees within six months) -- these interest rates can be exorbitant (as high as 23.99 percent) and can last for the life of the credit card account. Some credit card companies monitor card-holders’ credit reports even after they’ve already issued a card and, in some instances, increase the interest rate on cards if the credit reports indicate late payments to other accounts.

Over-Limit Fees – the fees charged by the issuer for allowing card-holder transactions that put the card account over the agreed limit. These are typically $20 - $25 and apply for every billing period that the card balance remains over the limit.


9. Business Processes
Now that we have gained a detailed understanding of the basic processes in a credit card transaction, namely Authorization, Clearing and Settlement, in this section we cover some of the other business processes followed in the cards department of an Issuing bank.

9.1. Credit Evaluation

When a customer applies for a card, the bank checks the credit worthiness of the customer. The bank uses internal credit scoring models and credit bureaus for this. This section covers the details of credit rating / scoring and how banks use them to make credit decisions.

When a customer fills out an application for a credit card, the bank requests a detailed credit report on the customer from a credit bureau (sometimes the bank sends this request to only one bureau, while at other times it sends it to more than one). The credit bureau responds with a detailed credit report on the customer. Such a credit report is a record of the individual’s past borrowing and repaying, including information about late payments and bankruptcy. This information is used by the credit card company to determine the individual's credit worthiness; that is, the individual’s means and willingness to repay indebtedness. This helps determine whether to extend credit, and on what terms. With the adoption of risk-based pricing on almost all lending in the financial services industry, this report has become even more important since it is usually the sole element used to choose the annual percentage rate (APR).

The most important part of a credit report is the credit rating / credit score. It is an indicator of credit worthiness and aids lending decisions by helping the lender understand the risks and price the credit. It is a numerical expression, based on a statistical analysis of a person's credit files, that represents the creditworthiness of that person. Credit scoring is not limited to card issuers alone. Other organizations, such as mobile phone companies, insurance companies, employers, and government departments, employ the same techniques.

Credit ratings are determined differently in each country, but the factors are similar, and may include –
• Payment record - a record of bills being overdue lowers the credit rating.
• Control of debt - lenders want to see that borrowers are not living beyond their means. Experts estimate that non-mortgage credit payments each month should not exceed 15 percent of the borrower's after-tax income.
• Signs of responsibility and stability - lenders perceive things such as longevity in the borrower's home and job (at least two years) as signs of stability. Having a respected profession can improve a credit rating.
• Credit cards that are not used - although it is believed that having too many credit cards can have an adverse effect on a credit score, closing these lines of credit may not improve the score. Credit rating formulae look at the difference between the amount of credit a person has and the amount being used – the lower the percentage of available credit, the more the credit score will drop. The credit formulae also factor in the length of time credit accounts have been open.
• Credit inquiries – an inquiry is a notation on a credit history file. There are two types of credit inquiries –
  o Soft pulls – these don't affect the credit score and are characteristic of the following examples: a credit bureau may sell a person's contact information to an advertiser purchasing a list of people with similar characteristics, like homeowners with excellent credit. A creditor can check a person's credit periodically. Or, a credit counseling agency, with the client's permission, can obtain a client's credit report with no adverse action.
  o Hard credit inquiries – these are typically made by lenders. Lenders, when granted a permissible purpose by a borrower for the purposes of extending his credit, can check his credit history. Hard inquiries from lenders directly affect the borrower's credit score. Keeping credit inquiries to a minimum can help a person's credit rating. A lender may perceive many inquiries on a person's report as a signal that the person is looking for loans and will possibly consider that person a poor credit risk.

The score can be different for the same customer from each of the three major agencies, depending on the data sources and the agency's logic to determine the score. The most widely used credit model in the industry is the FICO (The Fair Isaac Company) model. It uses the following criteria to develop a numeric score called the FICO score (which ranges between 0 – 1000) –
• Payment History – this factor carries 35% weightage. Recent late payments lower the credit score.
• Credit Utilization – has 30% weightage. Balances below 50% of the credit line improve the score.
• Credit History – has 15% weightage. The longer the account history, the better the score.
• Inquiries – has 10% weightage; includes number of enquiries / new accounts / length since last inquiry.
• Other factors can also be added to the model but they cannot be discriminatory (e.g., use of parameters such as race, color, nationality, sex etc. is prohibited).

Customers are usually classified into the following grades based on FICO scores –
• 720 and above - AA
• 700 to 719 - A
• 680 to 699 - A- / B+
• 660 to 679 - B+/B
• and so on

One of the important concepts in credit history is that of re-aging. Through re-aging, a credit history is re-written and the person is given a fresh start on that particular account. This can dramatically improve the credit score. In 2000 the Federal Financial Institutions Examination Council (FFIEC) clarified guidelines on re-aging accounts for delinquent borrowers.

9.2. Reward Programs

It is in the interest of all players to incentivize customers to use cards more often and to make large purchases each time. The primary tool for this is the Reward Program managed by Issuing banks. Most credit card companies have Reward Programs to ensure that they not only retain existing customers but also give potential customers an incentive to use their credit cards. In other words, Reward programs enable credit card companies to make their customers more loyal to them.

Rewards programs may be of different kinds –
• Points – each kind of transaction adds points to the customer’s account that can later be redeemed for items like merchandise or cash.
• Gas and Retail – programs that allow redemption of points for gas and retail purchases.
• Travel / Hotel / Holiday – one of the most popular Reward programs, where the customer is rewarded with travel miles (tickets for travel), hotel accommodation or vacation packages.
• Cash-back – these kinds of credit cards usually require an excellent credit history. The customer gets cash back on transactions.

Reward programs are usually implemented after conducting a marketing research analysis. The actual structure of the rewards and the quantum of the rewards depend on the drivers for starting the reward programs; some of these drivers could be –
• Ensure loyalty of existing customers
• Attract new customers
• Motivate existing customers to maintain a good credit record so that they qualify for Rewards programs, thereby bringing down cases of fraud/delinquency
• Motivate existing customers to spend more
• Drive co-branded partnerships to success stories
• Increase the spend on On-us cards / from On-us merchants

9.3. Billing

A billing cycle is the period between two statement dates; normally, a billing cycle has 30 days. On the billing date, all the purchases made using the credit card during the previous 30 days are added and billed to the card-holder.


Credit card issuers calculate the account balance over one billing cycle or two (a one-cycle billing period will usually result in lower charges), and may include or exclude new purchases in the balance (excluding new purchases is usually better for consumers). The balance may be calculated in one of these 3 ways:
• Adjusted Balance Method – The credit card issuer computes the finance charges by taking the amount owed at the start of the billing cycle and subtracting any payments made during the cycle. New purchases are not included.
• Previous Balance Method – The issuer uses the amount owed at the beginning of the billing cycle to compute finance charges.
• Adjusted Daily Balance Method – The issuer adds balances for each day in the billing cycle and then divides that total by the number of days in the cycle. Payments made during that period are subtracted to get the daily amounts owed. New purchases may or may not be included, depending on the plan.

If the issuer uses the two-cycle average daily balance method, it uses the average daily balance for two billing cycles. New purchases may or may not be included in the total.
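The single-cycle balance methods described here and in section 8.3, worked through on one billing cycle. This is an added example, not part of the original course material; the sample cycle is constructed, and charging one twelfth of the APR on the computed balance is an assumption, since the text does not give a rate formula.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


def daily_balances(opening, events, days, include_new_purchases):
    """Balance owed on each day of the cycle (day 1 .. days).

    events are (day, kind, amount) tuples; kind is "purchase" or "payment"
    (a payment also stands for a credit). An event counts from its own day on.
    """
    by_day = {}
    for day, kind, amount in events:
        if kind not in ("purchase", "payment"):
            raise ValueError(f"unknown event kind: {kind!r}")
        if not 1 <= day <= days:
            raise ValueError(f"day {day} is outside the billing cycle")
        by_day.setdefault(day, []).append((kind, Decimal(amount)))

    balance = Decimal(opening)
    balances = []
    for day in range(1, days + 1):
        for kind, amount in by_day.get(day, []):
            if kind == "payment":
                balance -= amount
            elif include_new_purchases:
                balance += amount
        balances.append(balance)
    return balances


def outstanding_balance(method, opening, events, days):
    """Balance on which the finance charge is computed, per method."""
    opening = Decimal(opening)
    if method == "previous":
        # Amount owed at the start of the cycle; payments are ignored.
        return opening
    if method == "adjusted":
        # Opening amount less payments and credits; new purchases excluded.
        paid = sum((Decimal(a) for _, k, a in events if k == "payment"),
                   Decimal(0))
        return opening - paid
    if method in ("adb_including", "adb_excluding"):
        per_day = daily_balances(opening, events, days,
                                 include_new_purchases=(method == "adb_including"))
        return sum(per_day, Decimal(0)) / days
    raise ValueError(f"unknown method: {method!r}")


def finance_charge(balance, apr):
    """Assumption: one twelfth of the APR is charged on the balance."""
    return (balance * Decimal(apr) / 12).quantize(CENT, rounding=ROUND_HALF_UP)


def compare_methods(opening, events, days, apr):
    methods = ("adb_including", "adb_excluding", "adjusted", "previous")
    return {m: finance_charge(outstanding_balance(m, opening, events, days), apr)
            for m in methods}


# Constructed sample: 30-day cycle, 1000.00 owed at the start,
# a 900.00 purchase on day 6 and a 400.00 payment on day 11, 18% APR.
SAMPLE_EVENTS = [(6, "purchase", "900.00"), (11, "payment", "400.00")]

if __name__ == "__main__":
    for method, charge in compare_methods("1000.00", SAMPLE_EVENTS, 30, "0.18").items():
        print(f"{method:15s} {charge}")
```

On this cycle the only method that counts the new purchase, the average daily balance including new purchases, gives the largest charge.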

9.4. Payments Processing

Customers are informed of the amount they need to pay each month by means of a regular monthly statement. This statement comprises a variety of charge and payment information, displaying a snapshot of the customer’s account at that point in time. The statement is generated every month at about the same time, and this is termed the “statement date”. The time between two statement dates is called the “statement cycle”. The monthly statement shows –
• Statement cycle date
• Payment Due date
• Transaction history for the billed period
• The actual payment amount due till date
• The minimum payment on the credit card (calculated as a percentage of the current balance). The issuer expects at least the minimum payment to be sent in by the payment due date -- a late fee is applied if the minimum payment is not received by the payment due date. The unpaid balances start accruing interest from the transaction posting date.
• Any additional charges / processing fees / late fees etc.

Traditionally, paper statements were sent out for every credit card account on its cycle day. To reduce the risk of identity theft and the possibility of the statement falling into the wrong hands, companies now offer paperless statements / e-statements, wherein the statements are available online and can be downloaded from the site directly.

The most common method of credit card payment is dropping a check of an amount equal to the total payment due, or at least the minimum amount due, in the nearest drop box of the credit card issuing bank or company. Modern methods allow payments through ACH (Automated Clearing House), Wire Transfers, VRU (Voice Recognition units) and Electronic Fund Transfers. The amount deposited by a card-holder can be in one of the following states –
• Processed Payment – payment submitted through a certified payments processing method (e.g. paper check, direct deposit, internet, etc.) but not yet posted to an account
• Posted Payment – payment successfully applied to a credit card account
• Posted Returned Payment – payment returned by the issuing bank as being invalid for various reasons.

9.5. Disputes and Chargeback

To “dispute” something is to question the validity of it. All calls into a credit card company related to disputes begin the same way. The representative will inquire about the nature of the dispute to determine how it will be handled by the company.

In the U.S., the Fair Credit Billing Act (FCBA) outlines the dispute settlement procedures. The FCBA law applies to credit accounts, like credit cards and revolving charge accounts. It does not cover installment loans or lines of credit. The law is meant to address billing errors, such as unauthorized charges, charges with the wrong amount or date, charges for items that were not delivered, and math errors. Common errors include transposition (charged $213 instead of $123), multiplier (charged $200 instead of $20), and double billing (received two charges for $35 instead of just one). It also covers failures to post credits, such as returns, and payments to an account.

There are many valid reasons why a customer may be disputing a charge. Before a customer calls the credit card company to dispute a charge, however, a real effort must be made to resolve the dispute directly with the merchant. The consumer must write to the creditor so that the letter reaches the creditor within 60 days of the first bill that contains the error. It is important that the customer sends any correspondence to the creditor by certified mail and keeps the originals of all receipts and a copy of the dispute letter. The credit card company must respond to the consumer within 30 days after receiving the letter, unless the problem has already been resolved. The problem must be resolved within two billing cycles after receiving the letter.

While the charge is in dispute, the customer can withhold payment for that portion of the bill; however, he must pay all the remaining charges. The creditor cannot charge interest or late payment fees on the disputed amount. However, the creditor can apply the disputed amount against the overall credit limit.


Depending on the credit card company, there are slightly different process flows that are followed. For example, because American Express is both the issuer and processor, the process is simplified. However, the process is similar no matter who the creditor is.

Fig 9-1 - Dispute Resolution Process (figure boxes: 1. Customer disputes charge; 2. Merchant receives the inquiry; 3. Merchant responds and provides supporting documentation; 4. Creditor decides resolution; 5. Merchant receives result)

Step 1: The customer disputes the charge. The creditor takes the relevant information and forwards it to the merchant. The charge in question will be noted on the cardholder’s account and the merchant will be “charged back” for the amount.

Step 2: The merchant receives the inquiry, either in hard-copy letter form or via email.

Step 3: The merchant responds to the inquiry. The merchant can issue a full refund, issue a partial refund or issue no refund. Depending on how the merchant responds and the supporting documentation that is provided, the credit card company will either close the inquiry or make a decision.

Step 4: The credit card company may go back to the card-holder to gather additional information. Once the creditor has all the available information, a final decision will be made. If the creditor determines that the card-holder is correct (let’s say that the account was double-charged), the chargeback on the merchant's account will stand. However, if the merchant is found to have correctly charged the account, the chargeback will be reversed.

Step 5: The merchant receives the result of the inquiry.

9.6. Fraud Management

Another type of credit card dispute relates to unauthorized use of a card. If someone steals, borrows, or uses a card or the card number without the card-holder’s permission, it is considered fraud. Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account. Credit card fraud is also an adjunct to identity theft.

Fraud, if not recovered, negatively impacts company revenue (the cost of credit card fraud reaches into billions of dollars annually). Fraud detection and recovery are the two key elements necessary to minimize losses due to fraud. In the US, for any fraudulent activity on the card, the liability lies with the issuer bank and not the customer. It is in a company's and card issuer’s interest to prevent fraud or, failing this, to detect fraud as soon as possible. Otherwise consumer trust in both the card and the company decreases and revenue is lost, in addition to the direct losses made through fraudulent sales.

As soon as a consumer suspects fraud, a call should be made to the creditor to report it. If the consumer calls before the unauthorized charges have been made, then he is not liable for any amount that is put onto the card. Typically, the credit card company will cancel the card and send a new one. If the card-holder calls after unauthorized charges have been made, then his liability will be limited to $50, no matter how much has been charged on the card. The consumer has the right to dispute the $50 charge also. From the merchant’s standpoint, fraud cases take longer to resolve.

There are two broad categories of fraud –
• Identity fraud – occurs when the fraudster uses the identity of someone else to commit fraud. For instance, an individual applies for an account using someone else’s information (i.e. identity); this application is fraudulent and all activity on the account is fraudulent. The following types of fraud can be classified as Identity fraud –
  o Application fraud – this type of fraud occurs when a family member, roommate etc. accesses an individual’s mail and personal information (i.e. Social Security Number, Date of Birth, etc.), fills out a credit card application sent to the individual and then, upon receiving the card, uses it as if he were the true card-holder.
  o Account Takeover fraud – occurs when a criminal obtains enough personal information about an individual to effectively represent the person with the card issuing bank. For example, the fraudster uses the information to have the address changed and new plastics issued; the cardholder still has their plastic and may be unaware of the takeover until the account is over limit.
• Transactional fraud – occurs when fraudulent activity takes place in the form of unrecognized transactions on the card-holder’s account. A transaction refers to the exchange of goods or services between the card-holder and the merchant or card acceptor, e.g. ATM, for an amount, which may be a credit or debit. The following types of fraud can be classified as transactional fraud –
  o Lost and stolen credit cards – This is the most frequently occurring fraud activity in the credit card industry. When a credit card is lost or stolen the criminal gains direct access to the individual’s credit card account.
  o Non-receipt (mail-intercept) Fraud – Such fraud occurs when an individual’s mail is intercepted by a criminal. To avoid such a fraud, most issuers have card activation programs requiring customers to call and authenticate in order to begin purchasing with their card.


  o Counterfeit cards fraud – A counterfeit card is created when a criminal gains possession of a valid card number. This information can then be encoded on a blank card’s magnetic stripe or manually changed on the face of a stolen plastic. For example, the customer sees a charge on his statement that he did not authorize; he is in possession of his card, but the transaction indicates that the card was physically swiped.
  o Mail Order/Telephone Order (MOTO) fraud – Unauthorized charges have been made via mail order, telephone order, catalogue sales, or online. All fraudulent transactions on this account must be MOTO for the fraud type to be MOTO. The card-holder probably has his plastic, but someone has gotten the account number and made unauthorized charges to the account.
  o Skimming - Skimming is the theft of card information used in an otherwise legitimate transaction. It is typically an "inside job" by a dishonest employee of a merchant, and can be as simple as photocopying receipts and noting down the 3 or 4 digit CVV2 code. In more complex schemes, the skimmer can put a device over the card slot of an ATM, which reads the magnetic stripe as the user unknowingly passes the card through it, and use the device in conjunction with a pinhole camera to read the user's PIN at the same time. Detecting skimming is difficult for a typical card-holder, but fairly easy for a bank (provided the bank has a fairly large sample) – the bank collects a list of all the card-holders who have complained about fraudulent transactions, and then uses data mining techniques to discover relationships among the card-holders and the merchants they use. For example, if many of the customers used one particular merchant, that merchant's terminals can be directly investigated. Sophisticated algorithms can also search for known patterns of fraud. Merchants must ensure the physical security of their terminals, and penalties for merchants can be severe in cases of compromise, ranging from large fines to complete exclusion from the card processing system.
  o Carding - a term used for a process to verify the validity of stolen card data. The thief presents the card information on a website that has real time transaction processing; if the card is processed successfully, the thief knows that the card is still good (the specific item purchased is immaterial; if a purchase is actually made, it is usually for a small monetary amount, both to avoid using the card's credit-limit, and also to avoid attracting attention. In most cases, the thief does not need to purchase an actual product; a website subscription or charitable donation would be sufficient). A website known to be susceptible to carding is known as a cardable website. While in the past carders used computer programs called ‘generators’ to produce a sequence of credit card numbers, and then tested them to see which accounts were valid, these days carding is typically used to verify credit card data obtained through other means. A set of credit card details that has been verified in this way is known as a phish. A carder will typically sell data files of phish to other individuals who will carry out the actual fraud; the market price for a phish ranges from a dollar to up to fifty dollars depending on the type of card, freshness of the data and credit status of the victim.

The diagram below shows the flow of information for a typical fraud reporting set-up.

Fig 9-2 - Fraud Reporting Set-up (figure boxes: Help Desk, Card Member, Worldwide Processing Centres, Fraud Dept)

Fraud detection is a proactive defense for identifying and preventing fraud. There are third party applications containing customized rules, which are used internally to score each authorization in real time or in batch to determine fraud risk. This is a proactive approach to fraud detection and defense (prevent). Fraud is detected early via patterns and contact with the card-holder. If warranted to prevent further activity, the account may be restricted automatically. If the score indicates high risk, a case is generated and an associate contacts the customer to determine if fraudulent activity has occurred or is occurring. If the customer doesn’t recognize the transaction, that means a fraud has happened and a recovery case is created for the account. The cardholder is issued a new plastic and all the good transactions are transferred to the new account. The fraud transactions are not transferred as the card-holder is not responsible for them. The priority of the case is based on the score. The higher priority cases are always worked first in order to minimize the losses of the issuer bank.

Prevention of Transaction fraud – fraud risk is determined based on the authorization score. The higher the score, the greater the risk of fraud. Scoring is done based on various parameters like authorization amount, the spending patterns, location of the transaction, available credit limit etc.

For example, suppose a card-holder is based in Virginia and normally purchases groceries and other items in one of the cities. The spending pattern is such that he does not spend on large-ticket transactions like jewelry. If there is then a transaction of $5000 at a jewelry store in California utilizing almost 90% of the credit limit, there is a possibility of fraud on the account. A decision case is created and, if the associate decisions this case as fraud, a recovery is created.

Prevention of Identity fraud – this can be prevented at the time of the credit card application itself. When a person applies for the credit card, the issuer first verifies his credit report. The date of birth, phone number, address, etc. entered in the application are compared with the report. If there is a mismatch, then a decision case is created. The associate/agent calls up the customer who has applied to verify his identity and make sure that the person who has applied is the right one. Identity frauds are also common within a family. For Identity fraud prevention the issuer always makes sure that it issues the card to the correct person and, if in doubt, verifies all the necessary documents. Identity fraud, if not prevented, can cause very big losses for the issuer bank. The fraudster might initially pay in regularly for months and, when he gets an increase in credit, might in one go utilize the entire credit limit and never pay.

Fraud recovery is an attempt to minimize losses due to fraud that has already occurred. To recover from fraud it is important to determine the category of fraud that is suspected. After the fraud has occurred, there are four possible resolutions for a fraudulent transaction –
• Charge-off – Issuer cannot recover the amount and reports it as a loss. The transaction is considered unrecoverable.
• Chargeback – Issuer recovers the full or partial amount of the transaction by sending the merchant a chargeback if the merchant failed to follow the procedure defined by the network. The merchant may dispute this and represent the transaction.
• Rebill card-holder – Issuer determines that the card-holder is responsible for the transaction; issuer rebills the card-holder for the amount of the transaction (when the fraud was originally reported the card-holder received credit for the amount of the transaction).
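The skimming bullet above says a bank can relate the card-holders who reported fraud to the merchants they used. One way to do that is the added example below, which is not part of the original course material: it ranks merchants by how over-represented fraud-reporting cards are among their customers, so a store that everybody uses does not drown out a small compromised one. The merchant names, card ids, thresholds and sample data are all constructed.

```python
from collections import defaultdict


def common_points_of_purchase(transactions, fraud_cards,
                              min_fraud_cards=3, min_lift=3.0):
    """Rank merchants that fraud-reporting cards have in common.

    transactions: iterable of (card_id, merchant_id) pairs from the
                  look-back window before the fraud reports.
    fraud_cards:  ids of cards whose holders reported fraud.
    lift:         share of a merchant's cards that reported fraud,
                  divided by the share across all cards seen.
    """
    cards_by_merchant = defaultdict(set)
    for card, merchant in transactions:
        cards_by_merchant[merchant].add(card)   # distinct cards, not visits

    all_cards = set()
    for cards in cards_by_merchant.values():
        all_cards |= cards
    reported = set(fraud_cards) & all_cards
    if not reported:
        return []          # nothing to correlate against

    base_rate = len(reported) / len(all_cards)
    findings = []
    for merchant, cards in cards_by_merchant.items():
        hit = cards & reported
        lift = (len(hit) / len(cards)) / base_rate
        if len(hit) >= min_fraud_cards and lift >= min_lift:
            findings.append({
                "merchant": merchant,
                "fraud_cards": len(hit),
                "cards_seen": len(cards),
                "lift": round(lift, 2),
            })
    # Most over-represented merchant first: its terminals get checked first.
    findings.sort(key=lambda f: (-f["lift"], -f["fraud_cards"], f["merchant"]))
    return findings


def build_sample():
    """Constructed data: 40 cards, 5 of which reported fraud."""
    cards = [f"card-{n:02d}" for n in range(40)]
    fraud_cards = set(cards[:5])
    tx = [(c, "GROCER-1") for c in cards]            # everybody shops here
    tx += [(c, "FUEL-7") for c in cards[:6]]         # 5 of its 6 cards hit
    tx += [(cards[1], "FUEL-7")]                     # repeat visit, same card
    tx += [(c, "CAFE-3") for c in
           (cards[0], cards[10], cards[11], cards[12])]
    return tx, fraud_cards


if __name__ == "__main__":
    sample_tx, sample_fraud = build_sample()
    for row in common_points_of_purchase(sample_tx, sample_fraud):
        print(row)
```

GROCER-1 and FUEL-7 were both used by all five fraud-reporting cards, but only FUEL-7 is flagged, because GROCER-1's share of affected cards equals the overall rate.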

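The authorization scoring and case prioritisation described in section 9.6, including the Virginia card-holder example, sketched as a small rule set. This is an added example and not the logic of any real scoring product: the four rules follow the parameters the text names, while the point values, thresholds, case cut-off and sample data are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """What the issuer knows about a card's normal use (constructed fields)."""
    home_state: str
    usual_categories: frozenset
    largest_usual_amount: float
    credit_limit: float


@dataclass(frozen=True)
class Authorization:
    auth_id: str
    card: str
    amount: float
    category: str
    state: str


# (reason, points, test). Points and thresholds are assumed values.
RULES = (
    ("location differs from home state", 25,
     lambda p, a: a.state != p.home_state),
    ("merchant category outside spending pattern", 25,
     lambda p, a: a.category not in p.usual_categories),
    ("amount far above usual ticket size", 25,
     lambda p, a: a.amount > 5 * p.largest_usual_amount),
    ("single purchase uses most of the credit limit", 25,
     lambda p, a: a.amount >= 0.85 * p.credit_limit),
)


def score_authorization(profile, auth):
    """Return (score, reasons); a higher score means more fraud risk."""
    fired = [(name, points) for name, points, test in RULES
             if test(profile, auth)]
    return sum(points for _, points in fired), [name for name, _ in fired]


def build_case_queue(profiles, authorizations, case_threshold=50):
    """Create a case for each risky authorization, highest score first."""
    cases = []
    for auth in authorizations:
        profile = profiles.get(auth.card)
        if profile is None:
            # Assumption: with no history to compare against, the
            # authorization goes to an associate at top priority.
            score, reasons = 100, ["no spending profile on file"]
        else:
            score, reasons = score_authorization(profile, auth)
        if score >= case_threshold:
            cases.append({"auth_id": auth.auth_id, "card": auth.card,
                          "score": score, "reasons": reasons})
    cases.sort(key=lambda c: -c["score"])   # higher priority worked first
    return cases


# Constructed sample data.
SAMPLE_PROFILES = {
    "card-VA-1": Profile("VA", frozenset({"grocery", "fuel", "pharmacy"}),
                         200.0, 5600.0),
    "card-VA-2": Profile("VA", frozenset({"grocery", "restaurant"}),
                         150.0, 3000.0),
}
SAMPLE_AUTHS = [
    Authorization("A1", "card-VA-1", 82.40, "grocery", "VA"),
    Authorization("A2", "card-VA-2", 60.00, "restaurant", "NC"),
    Authorization("A3", "card-VA-2", 400.00, "electronics", "MD"),
    # The text's example: $5000 at a jewelry store in California,
    # almost 90% of the credit limit.
    Authorization("A4", "card-VA-1", 5000.00, "jewelry", "CA"),
]

if __name__ == "__main__":
    for case in build_case_queue(SAMPLE_PROFILES, SAMPLE_AUTHS):
        print(case["auth_id"], case["score"], "; ".join(case["reasons"]))
```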

10. Regulations in the Cards Industry
The Cards Industry formed its place through Banks and Credit Card companies. Hence the regulations for cards were gradually added to those already mentioned for Banks, Card companies and other trades. There are several regulators in the US which control the Cards Industry. Some of these are –
• Board of Governors of the Federal Reserve (the “Fed”)
• Office of the Comptroller of the Currency (“OCC”)
• Office of Thrift Supervision (“OTS”)
• Federal Deposit Insurance Corporation (“FDIC”)
• Federal Trade Commission (“FTC”)
• Direct Marketing Association (“DMA”)
• Better Business Bureau (“BBB”)

Regulations are more or less the same in the entire US, with minor differences as imposed by state or local bodies.

10.1. Fair Credit Billing Act
The Federal Trade Commission (FTC) has come up with the Fair Credit Billing Act (FCBA) to regulate "open end" credit accounts, such as credit cards, and revolving charge accounts, such as department store accounts. It does not cover installment contracts loans or extensions of credit. The FCBA settlement procedures apply only to disputes about "billing errors". For example:
• Unauthorized charges. Federal law limits the consumer’s responsibility for unauthorized charges to $50;
• Charges that list the wrong date or amount or are mathematically incorrect;
• Charges for goods and services you didn't accept or that weren't delivered as agreed;
• Failure to post payments and other credits, such as returns;
• Failure to send bills to the consumer’s current address - provided the creditor receives the change of address, in writing, at least 20 days before the billing period ends;
• Charges for which the consumer asks for an explanation or written proof of purchase along with a claimed error or request for clarification.

Disputes about the quality of goods and services are not "billing errors", so the dispute procedure does not apply. However, if you buy unsatisfactory goods or services with a credit or charge card, you can take the same legal actions against the card issuer as you can take under state law against the seller.

Reporting and resolving billing error

In case of any billing error identified in the FCBA, the consumer must:
• write to the creditor at the address given for "billing inquiries" (not the address for sending payments) and include his name, address, account number and a description of the billing error
• send this letter so that it reaches the creditor within 60 days after the first bill containing the error was mailed to the consumer (the card-holder is advised to keep a copy of this letter, sales slips or other documents with him)

The creditor must acknowledge the consumer’s complaint in writing within 30 days after receiving it, unless the problem has been resolved. The creditor must resolve the dispute within two billing cycles (but not more than 90 days) after receiving the consumer’s letter. During this time, the consumer may withhold payment on the disputed amount (and related charges), although he must pay any part of the bill not in question, including finance charges on the undisputed amount.

The creditor may not take any legal or other action to collect the disputed amount and related charges (including finance charges) during the investigation. While the consumer’s account cannot be closed or restricted, the disputed amount may be applied against his credit limit. The creditor may not threaten the consumer’s credit rating or report him as delinquent while his bill is in dispute. However, the creditor may report that the consumer is challenging the bill, which, by the way, won’t affect the consumer’s credit.

Other billing rights

Businesses that offer "open end" credit also must:
• Send the consumer’s bill at least 14 days before the payment is due.
• Credit all payments to the consumer’s account on the date they're received, unless no extra charges would result if they failed to do so.
• Promptly credit or refund overpayments and other amounts owed to the consumer’s account.

The consumer can even sue a creditor who violates the FCBA. If the consumer wins, he may be awarded damages, plus twice the amount of any finance charge - as long as it's between $100 and $1,000. The court also may order the creditor to pay the consumer’s attorney's fees and costs. Similar restrictions apply for debit card transactions between the consumer and issuing banks.

10.2. Fair and Accurate Credit Transactions Act
Identity theft occurs when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes.

Sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) provide guidelines to detect possible identity theft, the so-called “Red Flags”. The Act also creates the need to reconcile address discrepancies. A Red Flag, as proposed, is defined as a pattern, practice, or specific activity that indicates the possible risk of identity theft. Some of the events that can be considered as a source for setting Red Flags on the suspected consumer account are –
• A consumer fraud alert or active duty alert
• Any account that would adversely affect a consumer’s credit standing should be considered at risk of identity theft and thus subject to a red flag
• An address discrepancy reported by a consumer reporting agency
• A consumer’s communication with the financial institution or creditor about attempted or actual identity theft should always be a red flag
• A company’s knowledge of a security breach within its own confines or that of an affiliate with which the company has shared customer data
• Attempts to open a new account with altered documents
• Suspicious actions by employees such as downloading customer account information or being added to a customer account

Additionally,
• Notice from the customer or others that a credit or debit card has been lost or stolen
• Notice that the consumer’s information may have been lost or stolen through a data security breach
• An address discrepancy on a credit application sent by a consumer in response to a company’s solicitation generated by credit report prescreening or other marketing lists
• Alerts distributed by government, trade associations, or media reports about recent trends in identity theft
• A creditor or financial institution learns that its business identity has been fraudulently used to obtain personal information, such as in phishing schemes

Apart from all these, preventing identity theft is primarily the consumer's own responsibility.

10.3. Anti Money Laundering Regulations
Anti-money laundering (AML) is a term mainly used in the financial and legal industries to describe the legal controls that require financial institutions and other regulated entities to prevent or report money laundering activities.

What is Money Laundering?

Definition: Money laundering is the criminal practice of processing ill-gotten gains, or “dirty” money, through a series of transactions; in this way the funds are “cleaned” so they appear to be proceeds from legal activities. The objective of the launderer is to hide the ownership and source of funds.

Stages: Money laundering can occur in 3 distinct stages: placement of cash into the financial system, layering of transactions to obscure the origin of funds, and integration to create the appearance of legitimacy through additional transactions.

Terrorist financing: AML efforts have begun to focus on terrorist financing, where funds derived from both legitimate activities (such as charitable donations) and illegal activities (such as credit card fraud) are used to support ideological objectives and finance terrorism.

Role of Financial Service Industry: As gatekeepers to the financial system, the financial services industry can detect, interdict, prevent and disrupt money laundering. In addition, fighting money laundering and terrorist financing helps to preserve a financial institution’s safety and soundness and its reputation.

The Office of Foreign Assets Control (OFAC): A part of the U.S. Treasury Department, OFAC administers and enforces economic and trade sanctions. The OFAC regulations require financial institutions to identify any transaction and property subject to economic sanctions. Once identified, the transaction or asset must be frozen or, in some cases, rejected. The financial institution is then required to advise OFAC of the blocked asset or rejected transaction. The Canadian equivalent is known as the Office of the Superintendent of Financial Institutions (OSFI).

Anti Money Laundering Regulations

Two main regulations provide the legislative foundation for anti-money laundering activities.

10.4. Bank Secrecy Act – Financial Record Keeping
The Bank Secrecy Act of 1970 (BSA, otherwise known as the Currency and Foreign Transactions Reporting Act) requires U.S. financial institutions to assist U.S. government agencies in detecting and preventing money laundering. Specifically, the act requires financial institutions to keep records of cash purchases of negotiable instruments, to file reports of cash transactions exceeding $10,000 (daily aggregate amount), and to report suspicious activity that might signify money laundering, tax evasion, or other criminal activities. It was passed by the Congress of the United States in 1970. The BSA is sometimes referred to as an "anti-money laundering" law ("AML") or jointly as “BSA/AML”. The BSA regulations require all financial institutions to submit the following reports to the government –

• Currency Transaction Report (CTR) – A report filed with the Internal Revenue Service (IRS), which provides details of cash transactions in excess of $10,000 during the same business day (the amount over $10,000 can be either from one transaction or a combination of cash transactions).
• Report of International Transportation of Currency or Monetary Instruments (CMIR) – Each person (including a bank) who physically transports, mails or ships, or causes to be physically transported, mailed, shipped or received, currency, traveler’s checks, and certain other monetary instruments in an aggregate amount exceeding $10,000 into or out of the United States must file a CMIR.
• Suspicious Activity Report (SAR) – Any cash transaction where the customer seems to be trying to avoid BSA reporting requirements (e.g., CTR, MIL). A SAR must also be filed if the customer's actions indicate that s/he is laundering money or otherwise violating federal criminal law. The customer must not know that a SAR is being filed.

These reports are filed with the Financial Crimes Enforcement Network ("FinCEN").
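The daily-aggregate rule behind the CTR, together with one way to surface accounts for SAR review, is sketched below as an added example (it is not part of the original course material). The customer IDs, dates and amounts are constructed sample data, and the two "near threshold" review parameters are illustrative assumptions, not regulatory values.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# From the text: a CTR covers cash "in excess of $10,000" during one business
# day, whether from one transaction or a combination of transactions.
CTR_THRESHOLD = Decimal("10000")

# Assumed review heuristics (illustrative values, not regulatory ones).
NEAR_RATIO = Decimal("0.90")  # daily total within 10% below the threshold
NEAR_MIN_DAYS = 2             # this many such days puts the customer up for review


@dataclass(frozen=True)
class CashTxn:
    customer_id: str
    business_day: date  # assigned by the institution's own day cut-off
    amount: Decimal     # Decimal, not float, so aggregates are exact


def group_by_customer_day(txns):
    """Collect cash amounts per (customer, business day)."""
    groups = defaultdict(list)
    for t in txns:
        if t.amount <= 0:
            raise ValueError(f"non-positive cash amount: {t}")
        groups[(t.customer_id, t.business_day)].append(t.amount)
    return groups


def ctr_candidates(txns):
    """Customer-days whose aggregate cash strictly exceeds the threshold."""
    hits = []
    for (cust, day), amounts in group_by_customer_day(txns).items():
        total = sum(amounts, Decimal("0"))
        if total > CTR_THRESHOLD:
            hits.append((cust, day, total, len(amounts)))
    return sorted(hits)


def sar_review_candidates(txns):
    """Customers whose cash pattern suggests avoiding the CTR (heuristic).

    Two assumed signals: a reportable day made up only of sub-threshold
    deposits, and repeated days with totals just under the threshold.
    """
    reasons = defaultdict(list)
    near_days = defaultdict(list)
    for (cust, day), amounts in group_by_customer_day(txns).items():
        total = sum(amounts, Decimal("0"))
        if total > CTR_THRESHOLD and max(amounts) <= CTR_THRESHOLD:
            reasons[cust].append(
                f"{day}: {len(amounts)} sub-threshold deposits totalling {total}")
        elif CTR_THRESHOLD * NEAR_RATIO <= total <= CTR_THRESHOLD:
            near_days[cust].append(day)
    for cust, days in near_days.items():
        if len(days) >= NEAR_MIN_DAYS:
            reasons[cust].append(
                f"{len(days)} days with totals just under the threshold")
    return dict(sorted(reasons.items()))


# Constructed sample data.
SAMPLE_TXNS = [
    CashTxn("C1", date(2024, 3, 4), Decimal("6000")),   # split deposits,
    CashTxn("C1", date(2024, 3, 4), Decimal("4500")),   # 10,500 in aggregate
    CashTxn("C2", date(2024, 3, 4), Decimal("12000")),  # single large deposit
    CashTxn("C3", date(2024, 3, 4), Decimal("9500")),   # three days, each
    CashTxn("C3", date(2024, 3, 5), Decimal("9800")),   # just under the
    CashTxn("C3", date(2024, 3, 6), Decimal("9900")),   # threshold
    CashTxn("C4", date(2024, 3, 4), Decimal("10000")),  # exactly 10,000
    CashTxn("C5", date(2024, 3, 4), Decimal("3000")),
    CashTxn("C5", date(2024, 3, 5), Decimal("2000")),
]

if __name__ == "__main__":
    for cust, day, total, count in ctr_candidates(SAMPLE_TXNS):
        print(f"CTR: {cust} {day} total={total} from {count} transaction(s)")
    for cust, why in sar_review_candidates(SAMPLE_TXNS).items():
        print(f"SAR review: {cust}: {'; '.join(why)}")
```

Customer C4 deposits exactly $10,000 and is not reported, because the rule applies to amounts in excess of the threshold; C3 never triggers a CTR but is the pattern the SAR exists to catch.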

10.5. USA PATRIOT Act
The USA PATRIOT Act (commonly known as the Patriot Act) was signed into law on October 26, 2001. The complete name is Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001. It has ten titles, each containing numerous sections.

Title III: International Money Laundering Abatement and Financial Anti-Terrorism Act of 2001 is actually an act in its own right as well as being a title of the USA PATRIOT Act, and is intended to facilitate the prevention, detection and prosecution of international money laundering and the financing of terrorism. The title's sections primarily amend portions of the Money Laundering Control Act of 1986 and the Bank Secrecy Act of 1970.

The USA PATRIOT Act requires that every financial institution collect name, date of birth, SSN, and physical address for each new customer. It also requires financial institutions to verify the information given against a third-party source. There are several sections that establish special measures that financial institutions must undertake –
• Section 312 – Established Enhanced Due Diligence with respect to Private Bank Accounts and Foreign Correspondent Accounts
• Section 313 – Prohibits transactions with “Shell Banks” (financial institutions that do not have a physical presence in any country)
• Section 314 – Facilitates information sharing between law enforcement and financial institutions
• Section 319 – Requires financial institutions to make records available within specific timeframes to law enforcement and regulatory agencies
• Section 326 – Customer Identification Requirements for all new accounts opened after October 1, 2003
• Section 327 – Requires Regulatory Agencies to consider the effectiveness of a financial institution’s AML compliance program when acting on an application
• Section 352 – Requires financial institutions to implement the 4 pillars of an “effective anti-money laundering program” –
  o Designation of a responsible person
  o A system of internal controls
  o An effective training program
  o Independent review to test the program

10.6. Privacy Regulations
Most countries treat privacy, by definition, as a right of individuals and not of institutions. Because governments and other organizations collect vast amounts of personal information for a variety of purposes, privacy laws limit how these organizations can collect and use this information. The Fair Information Practice Principles form the basis for many privacy laws in countries across the world. These principles are –
• Openness - There should be a general policy of openness about the practices and policies with respect to personal information. Generally, the publication of the privacy policy is an outcome of this aspect.
• Collection Limitation - Personal information should be collected only for a stated purpose by lawful and fair means and with the knowledge or consent of the subject. The options of opt-in and opt-out are a result of such a principle.
• Purpose Specification - The purpose for collecting personal information should be specified at the time of collection. Further uses should be limited to those purposes. E.g., when an opt-in is provided, it has to be associated with a stated purpose such as sharing with commerce partners, newsletters, or sending additional product information.
• Use Limitation - Personal information should not be used for purposes other than those specified, except with the consent of the subject or by the authority of law. E.g., if a personal email address is collected for sending a newsletter, the email address must not be used to send additional product information, etc. without the consent of the individual.
• Data Quality - Personal information should be accurate, complete, timely, and relevant to the purpose for which it is to be used. This is an important principle in areas where critical decisions such as healthcare decisions or financial decisions about an individual are made. Only reliable information should be used for such purposes.
• Individual Participation - Individuals should have the right to inspect and correct their personal information.
• Security Safeguards - Personal information should be protected against such risks as loss, unauthorized access, destruction, modification, or disclosure.
• Accountability - Someone in an organization should be held accountable for compliance with the organization’s privacy policy.

10.7. Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) is the main privacy regulation in the US. It defines a ‘consumer’ as "an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual". A ‘customer’ is a consumer that has developed a relationship with privacy rights protected under GLBA. A ‘customer’ is not someone using an automated teller machine (ATM) or having a check cashed at a cash advance business. These are not ongoing relationships like a ‘customer’ might have, e.g., a mortgage loan, tax advising, or credit financing. A business is not an individual with personal nonpublic information, so a business cannot be a customer under GLBA. A business, however, may be liable for compliance with GLBA depending upon the type of business and the activities utilizing individuals’ personal nonpublic information.

GLBA compliance is mandatory - whether a financial institution discloses nonpublic information or not, there must be a policy in place to protect the information from foreseeable threats in security and data integrity. The major components put into place to enforce this are –
• Financial Privacy Rule - requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer’s right to opt-out of the information being shared with unaffiliated parties per the Fair Credit Reporting Act. Should the privacy policy change at any point in time, the consumer must be notified again for acceptance. Each time the privacy notice is re-established, the consumer has the right to opt-out again. The unaffiliated parties receiving the nonpublic information are held to the acceptance terms of the consumer under the original relationship agreement. In summary, the financial privacy rule provides for a privacy policy agreement between the company and the consumer pertaining to the protection of the consumer’s personal nonpublic information.
• Safeguards Rule - The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect, clients’ nonpublic personal information. The Safeguards Rule also applies to information of those no longer consumers of the financial institution. This plan must include:
  o Designating at least one employee to manage the safeguards,
  o Constructing thorough risk management for each department handling the nonpublic information,
  o Developing, monitoring, and testing a program to secure the information, and
  o Changing the safeguards as needed with the changes in how information is collected, stored, and used.
  This rule is intended to do what most businesses should already be doing: protect their clients. The Safeguards Rule forces financial institutions to take a closer look at how they manage private data and to do a risk analysis on their current processes. No process is perfect, so this has meant that every financial institution has had to make some effort to comply with GLBA.
• Pretexting Protection - Pretexting (sometimes referred to as "social engineering") occurs when someone tries to gain access to personal nonpublic information without proper authority to do so. This may entail requesting private information while impersonating the account holder, by phone, by mail, by email, or even by "phishing" (i.e., using a "phony" website or email to collect data). GLBA has provisions that require the financial institution to take all precautions necessary to protect and defend the consumer and associated nonpublic information. GLBA makes pretexting illegal and punishable.

Under GLBA, financial institutions must provide their clients a privacy notice that explains what information the company gathers about the client, where this information is shared, and how the company safeguards that information. This privacy notice must be given to the client prior to entering into an agreement to do business. There are exceptions to this when the client accepts a delayed receipt of the notice in order to complete a transaction on a timely basis. This has been somewhat mitigated by online acknowledgement agreements requiring the client to read or scroll through the notice and check a box to accept terms.

The privacy notice must also explain to the customer the opportunity to ‘opt-out’ (the client can say "no" to allowing his information to be shared with affiliated parties). The Fair Credit Reporting Act is responsible for the ‘opt-out’ opportunity, but the privacy notice must inform the customer of this right under GLBA. The client cannot opt-out of –
• information shared with those providing priority service to the financial institution
• marketing of products or services for the financial institution
• when the information is deemed legally required

Violation of GLBA may result in a civil action brought by the US Attorney General. The penalties include a civil penalty of not more than $100,000 for each violation on the financial institution as well as on the officers and directors of the financial institution.

11. Recent Trends in the Cards Industry
The cards industry is one of the most dynamic industries in the payments space. There have been a number of recent developments which are changing the industry and have the potential to change it further in the next few years. This section covers some of these changes, which include online usage of cards and its impact on identity protection and privacy, and new products like smart cards, contactless cards, decoupled debit cards and payments through cellular phones.

11.1. Online Usage of Cards
The Internet has revolutionized the way people and businesses interact. Today we buy books, music and groceries, arrange travel plans, trade stocks and sign up for e-newsletters simply by logging on to the Internet. E-shops, or virtual shops that exist only on the Internet, have revolutionized commerce with online credit card payment-acceptance ability and real time processing. Real time processing allows the vendor to accept credit card payments instantly and to have the funds credited to his/her account online. For this, the vendor needs to have a security-enabled shopping cart, an internet merchant account and a payment gateway provider. The typical steps involved in online shopping include –
1. The buyer goes to the vendor’s website and inputs his/her credit card information to pay for goods and services.
2. The security-enabled shopping cart captures the information and sends it to the payment gateway.
3. The payment gateway service sends the data to the fraud verification service to make sure the card is not reported as stolen and to the processor to confirm funds available.
4. Once approved, the gateway sends the information to the processor who settles the corresponding debits and credits to the vendor and buyer.

Setting up online transactions can be expensive for small and medium enterprises – this has given rise to third party vendors (e.g., PayPal) who can receive online credit card payments on behalf of the merchant at an additional fee per transaction.

Identity protection in online usage

One of the pitfalls of online credit card usage is the possibility of online credit card fraud. There are primarily two types of fraud –
• The first one is related to the company on whose website you made the online credit card payment for the purchase of goods; this company itself could be fraudulent, i.e. it could take the online credit card payment from you but not deliver the goods to you. Moreover, it could use the details of your credit card (received when you filled in the online credit card payment form) for fraudulent purposes.
• The second type of fraud is committed by fraudsters who use various software/devices to capture the details of online credit card payments (as you enter them on the online credit card payment form of a website). Such software is popularly known as spyware and these fraudsters as online spies. The spyware works by capturing keystrokes or taking screenshots of whatever you do on your computer and then passes it on to the spy. However, anti-spyware software is available which can be used to counter such spyware.

With more and more transactions going the online way, card-holders are advised to follow some basic precautions to make online usage convenient and secure –
• Shop only at Internet merchants you know and trust.
• Don't be pushed or rushed into buying an item, especially by "limited supply" or "time limit" warnings. Use common sense - apply the same discretion online as you would when shopping for something in a mall.
• Make sure the merchant has a secure transaction system before providing credit card or other sensitive information.
• It may make sense to have a single credit card, with a lower credit limit, dedicated for online purchases you might make. In doing so, losses will be kept to a minimum if you are ever defrauded. Plus you'll also know that it was an online purchase that led to the fraud.
• Clear the cache of your browser after visiting secure sites. This will ensure that nobody else can view any confidential information you may have transmitted.
• If you think you've given credit card or banking information to a fraudulent site, immediately notify your credit card company and/or financial institution.

11.2. Smart Cards
A smart card is a plastic card embedded with a chip which can process information. A regular credit card stores its data on a magnetic stripe that must be physically swiped at a point of sale terminal. A smart card, on the other hand, stores its data on a microchip embedded in the card's plastic; information about the card is read from the chip when the card is inserted in a card reader. First introduced in Europe over a decade ago, smart cards debuted as a stored value tool for pay phones to reduce theft. In 1993, the international payment brands Europay, MasterCard and Visa (EMV) worked together to develop the specifications for the use of smart cards as payment cards (debit or credit card). Smart cards are widely used in Europe and Asia in several key applications, including healthcare, banking, entertainment and transportation.

Fig 11-1 - A typical Smart-card and a Smart-card Reader

While smart cards suffer from higher failure rates (the embedded chip is sometimes damaged when the plastic card is roughly handled or carried in the wallet), they offer the following advantages –
• Smart cards are more secure than ordinary credit cards with a magnetic stripe. They have helped reduce fraud, especially in counterfeit, lost and stolen card cases.
• The chips in smart cards are the same as SIM cards (Subscriber Index Module cards used in mobile phones), just programmed differently. This allows the card terminals to become smaller and cheaper. This is also expected to fulfill the vision of equipping every home PC with a card reader and software to make internet shopping more secure.

11.3. Contactless Cards

Fig 11-2 - Contactless Cards

Fig 11-3 - Contactless Card Reader

Contactless cards are smart cards that employ a radio frequency (RFID) link between card and reader to transmit data without physical insertion of the card. The microchip in the card is fitted with a radio antenna that is capable of transmitting the card's data to a card reader. While an ordinary credit card needs to be swiped at the point of sale terminal, with a contactless card the card-holder only needs to hold or wave the card in front of the secure reader. Most contactless cards have a magnetic stripe as well, so they can also be used at checkouts not yet equipped with RFID readers.

Contactless credit cards were introduced to persuade consumers to use plastic at places that have traditionally been cash-intensive. Contactless payments offer speedy and convenient checkouts, resulting in faster-moving queues (Visa, MasterCard, and American Express have all enacted rules that dispense with the requirement for a signature for most purchases under $25.00, making the transaction even faster). To make a purchase, the card owner just waves his card over the RFID reader, waits for the acceptance indicator - and goes on his way. The numbers below give an idea of the approximate average transaction speeds using different payment methods –
• Contactless credit card transaction: 15 seconds
• Magnetic stripe card transaction: 25 seconds
• Cash transaction: 34 seconds

In the case of contactless cards, the card never leaves the card-holder's hand, thereby increasing security. The account number that is transmitted by the contactless card is only good for RFID transactions. It is different from the actual credit card number, making it difficult for a savvy thief to go on a shopping spree with any data stolen from an RFID transaction.

However, contactless cards are more exposed than regular credit cards. If you want to keep your credit card secure, you could keep it safely in an enclosed wallet or purse; thieves would have absolutely no way to even know if you have a credit card. However, a thief armed with a suitable reader, within a few feet of you, would be able to interrogate all of the cards in your wallet or purse without your knowledge. These concerns have, of course, been carefully noted by credit card companies. The RFID chip in the contactless credit card responds to the merchant reader with a unique number used for that transaction only; it does not simply transmit the consumer's account number. This number is also encrypted. Reasonable success of contactless cards at selected convenience stores, gas stations, movie theaters, and quick service restaurants has given confidence to card associations and issuers to expand their usage at other places. Some of the prominent examples of contactless cards are PayWave from Visa, PayPass from MasterCard, ExpressPay from American Express and Blinko from Chase.

11.4. Decoupled Debit Cards
Debit cards are mostly issued by the financial institutions holding the demand deposit account (DDA), also known as a checking account. Until recently, it was nearly impossible for any financial institution lacking checking accounts to issue debit cards. The decoupled debit card (DDC) is Capital One’s new payment product that was launched to issue MasterCard branded debit cards to customers holding checking accounts at other financial institutions. It supports both PIN and signature transactions and can be used at all places, including ATMs, where MasterCard, Maestro and Cirrus cards are accepted. DDC rewards are much higher in value than other debit card product rewards and are a key attraction for customers.

The DDC business model is supported by the Automated Clearing House (ACH) network of NACHA (The Electronic Payments Association). The customer’s transaction at the point of purchase is authorized by the debit card issuer, which then creates an ACH entry to debit the amount from the card-holder’s bank account. Contrary to the traditional debit card, where a transaction is only authorized if the funds are available in the account, a DDC transaction is authorized without verifying the available balance in the account. The payment is initiated via ACH after some time lag, thus allowing an opportunity for fraud. To reduce the risk of fraud, Capital One has set a daily limit on the total transaction amount.

11.5. Mobile Payment Systems

In countries where the cards infrastructure is not extensive, mobile payments have evolved. These mobile payment systems are supported by the already existing telecom infrastructure. In rural areas of developing countries like India and China, the growing middle class’s reliance on cash as a mode of payment has made it difficult for consumers to spend and retailers to sell. These countries can’t afford to set up the expensive magnetic stripe or smart card infrastructure in a short duration. However, the existing mobile Short Message Service (SMS) network could be quickly and cheaply deployed to provide an SMS-based payment system. In this system, the customer sends an SMS message specifying the mobile phone number of the payee and the amount to transfer, along with a personal identification number (PIN). Almost instantaneously, the payee and payer both receive a confirmation message by SMS and the money is moved to the designated account.

An alternative mobile payments solution which is gaining exposure around the world is one in which a chip is inserted in the mobile phone and payment is made by tapping the phone in front of the reader. For example, Canada has recently introduced a system that allows a transaction to be completed using a mobile phone with a Near Field Communication (NFC) chip and a contactless reader, enabling users to make purchases just as they would with a contactless payment card.

Appendix 1 - Further Reading
• For guidelines from FTC to Deter, Detect and Defend Identity theft –
  o http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/deter.html
  o http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/detect.html
  o http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html
• For details on online usage of cards –
  o http://www.td.com/security/smartonline.jsp
• To find out more about the Fair Credit Billing Act (FCBA), visit the Federal Trade Commission’s website at –
  o http://www.ftc.gov/bcp/conline/pubs/credit/fcb.shtm
• Wikipedia –
  o http://en.wikipedia.org
• For the US Regulators which control Cards Industry –
  o Board of Governors of the Federal Reserve - http://www.federalreserve.gov/
  o Office of the Comptroller of the Currency - http://www.occ.treas.gov/
  o Office of Thrift Supervision - http://www.ots.treas.gov/
  o Federal Deposit Insurance Corporation - http://www.fdic.gov/
  o Federal Trade Commission - http://www.ftc.gov/
  o Direct Marketing Association - http://www.the-dma.org/
  o Better Business Bureau - http://www.bbb.org/

Appendix 2 - Glossary of Terms
Term 3V Acquirer Meaning A Visa branded stored value card available in some European countries (UK, Germany, Spain and Ireland) An acquirer is a member of MasterCard and/or Visa which maintains merchant relationships and receives all bankcard transactions from the merchant. Fees / Charges imposed by Credit card company on consumer for using the facility of Credit card. An organized body of card companies / banks that allow customers of mutual banks / companies use their services to provide extended network Process of mapping credit to consumer in order to allow consumer for legal transactions. Owner of the card. An upscale charge card from Diners’ Club A chargeback occurs when a consumer requests a refund from their credit or debit card company. A charge-off is considered to be "written off as uncollectible." Clearing denotes all activities from the time a commitment is made for a transaction until it is settled. A credit limit is the maximum amount of credit that a financial institution or other lender will extend to a debtor for a particular line of credit. The length of time for which a firm's customer is granted credit. Card Verification Value, also known as Card Security Code, a security feature for credit cards. This is encoded on the magnetic stripe of the card and used for transactions in person. The CVV2 is a 3- or 4-digit value printed on the card or signature strip, but not encoded on the magnetic stripe. This is used to secure "card not present" transactions. The discount rate is a financial concept based on the future cash flow in lieu of the present value of the cash flow. DSA manufactures and distributes goods and services directly to consumers typically through in-home or person-to-person sales. A standard for interaction of smart cards and POS terminals, developed by Europay, MasterCard and Visa organizations Page 63 of 65

Annual Fees Association

Authorization Card-holder Carte Blanche card Chargeback Charge-off Clearing Credit Limit

Credit Period CVV

CVV2

Discount Rate

DSA (Direct Selling Agent)

EMV


| Term | Meaning |
| --- | --- |
| FICO Score | It’s a credit score maintained by Fair Isaac Corporation. It is a number that is based on a statistical analysis of a person's credit report, and is used to represent the creditworthiness of that person. |
| Grace Period | A period of time after a payment due date within which the fee can be paid without penalty. |
| Imprinter | Small machine that allows using credit/debit card for billing and prints the bill for shopping. |
| Interchange | Interchange refers to the money paid from the Acquirer to the debit or credit card issuer for every transaction. |
| Interchange Fee | Interchange fee is the portion of a purchase’s cost that merchants are charged by banks for processing credit card transactions. |
| Issuer | Company / bank that issues the credit / debit card. |
| IVR | Interactive Voice Response System is an alternative method to process credit cards, check cards and checks via any touch-tone telephone. |
| Maestro | An international debit and pre-paid card service operated by MasterCard. |
| Merchant | Any wholesale or retail shopkeeper who accepts credit / debit cards to charge his customer for shopping. |
| Minimum Due | An "interest free" minimum amount the consumer needs to pay his credit card issuer. |
| Network | The system that implements the mechanics of the electronic transactions. |
| Off-us Cards | Cards of mutual banks in the association. |
| Off-us Merchants | Merchants primarily processing off-us cards. |
| On-us Cards | Cards issued and processed by the same firm. |
| On-us Merchants | Merchants primarily processing on-us cards. |
| Open end Credit | A consumer credit line that can be used up to a certain limit or paid down at any time. |
| Over the Limit Charges | Charges imposed when the customer exceeds the credit limit by the proposed percentage. |
| PaidByCash Card | A stored value card mechanism available in the US that allows customers to load cash onto an account identified by a unique card number; once loaded, the customer can use the card number to pay for merchandise at any online retailer that accepts MasterCard. |
| Penalty Charges | Charges imposed when the customer fails to pay the credit bill before the due date. |
| PIN | Personal identity number used to authenticate a debit card transaction. |
| POS Terminal | Point of Sale Terminals are the preferred way of processing credit cards, debit cards, checks, smart chip cards, electronic benefits transfer (EBT). |


| Term | Meaning |
| --- | --- |
| Processor | Organization that processes the card transactions. |
| Re-aging | The process of re-writing credit history. |
| Receivables | Amount that customer owes to the issuer. |
| Regulators | Organization that establishes, monitors, reforms and enforces regulations in Credit Card Industry. |
| Revolving charge | Same as Open end Credit. |
| Reward Points | Rewards offered by issuer to the good customer. |
| Settlement | The process of exchanging the consideration for financial instruments once a transaction has been executed. |
| Smart Cards | Any pocket-sized card with embedded integrated circuits which can process information. |
