Open in app

Sign in

Write

Sign in

Payment Card : Lifecycle ⏳

Shubham Baranwal
15 min readDec 30, 2022

--

Fun fact :-

In Q3 2022, UPI, Debit and Credit cards, Prepaid Payment Instruments like Mobile Wallets, and Prepaid Cards executed 23.06 billion transactions amounting ₹ 38.32 trillion ($480B).

The total number of credit and debit cards in circulation by end of Q3 2022 was 1.01 billion in India. Having said that, India is still largely an underpenetrated market, and only 3% of the population has a formal credit card.

Table of Contents

1. Card Issuance and Activation

  1. Card Ordering System
  2. Card Order
  3. Card Printing
  4. Card dispatch and Delivery
  5. Card Tagging
  6. Card Activation

2. PoS/ECom — Payment

  1. Payment Gateway
  2. Acquirer Bank
  3. Network
  4. Switch
  5. Card Management System(CMS)
  6. Cardhost

3. PoS/ECom — Settlement

  1. Process
  2. Un-settled pool
  3. Business Pool
  4. Bank settlement Pool
  5. Network settlement pool

4. In-app purchase + settlement

  1. Virtual Account/Wallet
  2. Pool
  3. Escrow
  4. Debit Confirmation
  5. Purchase Confirmation
  6. Audit Report
  7. Settlement Invoice

5. Corporate Account Inward

  1. Cardhost at Business
  2. Cardhost at CMS

6. Card closure — EMV Scripting

7. Design File for all attached images 🎨

Overview :-

Payment cards are plastic cards(sometimes virtual too) that enable cashless payments. They are simple embossed plastic cards that authenticates the card holder on behalf of the card issuing company, which allows the user to make use of various financial services.

These payments are made through a network of financial institutions and merchants that accept card payments. Card payment systems can be used to make payments in person, online, or by phone. They are a convenient and secure way to make payments, as they offer protection against fraud and unauthorized charges.

Credit card, debit card, open loop prepaid card and closed loop prepaid card

As of Q3 2022, the top credit card issuing banks was HDFC Bank, while the top debit card issuing banks was State Bank of India.

Customers aren’t particularly interested in knowing how their money reaches the receiver’s account, however, for businesses that deal with payments on a daily basis, it can be useful to know the key factors of payment processing.

But even before a customer starts their payment journey, there are steps which involve issuance of the card, delivery, activation and more. We will go through each one of those steps on a high level and try to understand this vast topic.

Purpose of this piece of article is to show how consumer fintech is complex yet interesting under the hood with endless scope of innovation.

and So, buckle up cz this is going to be an interesting ride 🚀

1. Issuance and Activation:

By the end of the Q3 of 2022, there would be 1.01 billion credit and debit cards in circulation. The number of outstanding credit cards climbed by 19% from 65 million in September 2021 to 77.7 million in September 2022, while outstanding debit cards increased by 2% from 920.3 million to 938.53 million during the same time.

Take it a bank or a non-banking entity, the below process will look more or less the same for how you issue and activate a card.

Things start with business placing orders for some cards and end when the customer activates the card from a phone or via ATM.

Card Activation flow — Insta/Non-Personalized Cards

Payment card issuing is a complex process that has two sides — acquiring and issuing — and involves numerous jobs, such as providing payment rails, knowing the customer, evaluating risk and profitability, creating and funding the card account, generating cards, authorizing transactions, settling transactions, keeping track of everything, watching out for fraud and money laundering, providing customer support, and collecting payments.

Historically, there were two main paths to card issuing — either issue a card that would differentiate a company in the market and produce long-term profit or quickly launch a co-branded or private-label card with an issuing bank partner.

The proliferation of fintech companies in the card issuing space has led to sponsor bank programs that enable smaller non-bank brands to take advantage of debit card products.

BaaS platforms and new issuer processors have emerged to help neobanks and other smaller non-bank brands streamline the process of working with sponsor banks and give them more control over their card products.

1. Card ordering system:-

Operations team (bank or banking partner) receives the requirement for N cards from the internal teams and gets it approved by the business team. Once they receive the approval, they ask the finance team to raise a purchase order for N+1%N (1.01N) cards. But the payment of cards will be done only for N cards, the rest 1% of cards are considered as error correction.

2. Card Order:-

Ops team places an order for the CMS/switch.

A CMS is an entity that generates the card numbers/ virtual cards which can be tagged to customer account numbers. A customer number is generated when a customer is onboarded in the business system/app.

While ordering this, the operations team shares below predefined details related to the program of the card.

Details includes units of cards, bank, product code, network, BIN, chip type, card type, card printer, card holder name and address in case of personalized cards.

Along with this, the switch already have embossa(card design) file and kit design (SOC, T&C, envelope and more) which is later shared with the printer.

3. Card printing:-

Once virtual cards are created by CMS/switch, they share this info with the printer and the Bank. Switch shares Kit ID(every Card envelope has a unique ID which can be termed as a card proxy number or kit ID), card’s last 4 digits and card expiry date with Business unit/program partner (Eg. Slice, Niyo, Razorpay and more). Similar but more detailed information is shared with the printer to start printing the cards. This includes CVV, PIN, SOC, T&C, Embossa (card design) files and more.

4. Card dispatch and delivery:-

Once card orders are placed, the printer also receives the information on how many cards need to be delivered where or in the case of personalized cards, which individual card needs to be delivered where.

Type of cards: Personalized and Non-personalized/Insta cards

In the case of insta cards, printers keep a stock of 3–4 weeks of cards for a business in buffer as it may take another 3–4 weeks to fulfill a new bulk request. Once cards are printed and ready to dispatch, they are tagged with an AWB number/tracking ID, so that partner business/bank and/or customer can track the delivery status of the card(s).

5. Card tagging:-

When a customer is onboarded into the system/app, customer ID is generated for them. After that they are tagged with either an Insta Card(physical) or a virtual card.

Virtual cards are also of 2 types, Pure virtual cards and Digital copy of Physical card.

When a user gets a virtual card, they are automatically tagged with the card and activated, so they can start using it.

Now, if that card is a copy of a Physical card, then the user can also request a physical copy. In that case, they receive a personalized card.

In any setting customers can not get a personalized card as soon as their customer ID is created.

If a user receives an Insta card, then that kit is tagged by an agent of the business and activated by the customer. Here customers can request a physical personalized card which will be auto-tagged but will be activated by the customer. Here CMS(card management system, we’ll learn about this below) replaces the insta card details with personalized cards and shares with switch(we’ll learn about this below).

There are 2 cases that are not so straightforward:-

  1. A pure virtual card can also be replaced with a Physical card (Insta or Personalized) and a digital copy card can be available to the customer, but the details of both cards will not be the same. Here virtual card will be blocked and replaced with the new physical card.
  2. Customer gets a virtual card (digital copy) that can be replaced with an Insta card. Here digital copy details will be replaced with the new insta card’s details. Later on, this insta card can also be replaced with a new physical card(insta or personalized) and a digital copy will be available to customers.
Card Tagging

6. Card activation:-

Once a card is received and tagged with a customer, they have to activate it by entering the last 4 digits of the card in the system (assuming the account is already created). Once that is done successfully, the card is now ready to use by the customer. Sometime user have to set PIN also to complete the activation.

Card Activation flow — Prepaid Cards
Card Activation flow — Personalized Cards

2. Payment for PoS/ECom:-

Credit card volume and value were 725 million and ₹3.5 trillion in Q3 2022, respectively.

Credit card transactions at POS accounted for 386.83 million, while e-commerce accounted for 338.80 million. In terms of value, in Q3 2022, customers spent ₹ 1.31 trillion at POS and ₹ 2.18 trillion on e-commerce purchases using credit cards.

In the Q3 2022, the volume and value of debit card transactions were 907 million and 1.88 trillion, respectively.

POS transactions accounted for 595.4 million of the total debit card volume, while e-commerce transactions contributed to 311.60 million. In terms of value, POS terminals processed ₹1.19 trillion, while e-commerce via debit cards processed ₹681.7 billion.

1. Payment gateway(PG):-

In the PoS/ECom transaction, after the checkout process, users have to go through a payment gateway and select the mode of payment.

There can be multiple ways to complete the payment of a product if a purchase is not done via in-app currency or account balance in the case of the bank/neobank app.

If the user selects the card payment option, then the payment gateway collects/encrypts the user’s card information and processes it further.

A payment gateway is a service that allows businesses to securely process transactions. When a customer makes a purchase from a business, the payment gateway processes the payment by sending the necessary information to the customer’s bank and the business’s payment processor. This allows the customer’s bank to verify that the transaction is authorized, and it allows the business to receive the payment for the purchase.

2. Acquirer Bank(AB):-

PG transfers the customer’s information to the AB. This is an entity where the merchant’s business account is created and integrated with the PG. Once a customer’s bank and transaction details are accepted(acquired) by the Acquirer bank, it routes the information to the network based on the transaction details(user’s card details).

3. Network:-

Once networks such as Rupay, Visa or MasterCard receive the transaction details, they route the information to the switch of the issuer bank. Issuers is an entity where a customer’s bank account is created.

Card number is made of 16 digits. First 6 are Bank Identification Number(BIN) , next 2 (7th and 8th) are sub-BIN(program code) and last 8 are customer identification number(CIN).

4. Switch:

When a switch (M2P, Zeta, FIS, FSS) receives the information from the network, routes the transaction based on card number and tries to validate the program/product code of the same. Switch and networks can be used to channel transactions based on minimum detail to speed up the execution.

5. Card Management System (CMS):-

This system generates the card number, CVV, expiry date and stores associated account details. So, when a transaction reaches here, all card-related info has to be validated. Whenever there is a transaction, the switch validates it with CMS. That’s how CMS make money, by managing customer account detail such as ₹10–15/customer/year.

6. Card Host/Issuer:

A card host is an entity where account details can be modified. Card host stores and validates information such as Account balance, Card limit set by the bank/customer, the channel of purchase, account status and more.

Checks the bills and approves/disapproves the transaction based on the available balance/limit in the account. When the system validates this information, they check and modify the account balance/limit details. This can be established at the bank, CMS or business premises. In case of prepaid card setup, businesses usually set up their own card host, as they can create virtual accounts/wallets for their customers.

Card Transaction — PoS/ECoM

3. PoS/ECom Settlement

To settle card transactions done via the PoS/ECoM channel, payment networks (VISA, RUPAY and more) set up their account in the bank from where they complete the settlement. This settlement account can be set up for bank-level or at the program level (Axis : Bank → Flipkart : Business unit → Credit card : Program) transactions.

If the settlement account is at the bank level, then the bank has to consolidate all transactions related to the network and move that money to the network’s account. But if the account is set up at the program level, then the bank moves money to the network’s program settlement account from that program’s pool account.

All transactions done by retail customers are part of the customer pool. Banks settle this by moving money from the customer pool to unsettled accounts(which is sometime used for failed transaction, refunds and cancellations) and later to the settlement pool.

This settlement has some steps of auditing the transactions also, which include network, switch, Bank and business/program partner.

1. Process:-

Network audits all transactions with the switch for the settlement. Switch validates this with Bank and Program partner.

If a network’s program-level transaction is successfully audited and approved by both Switch and Network, then switch requests Bank to move money from the program’s Pool account and credit network’s settlement account.

Switches do not have an account in the bank and do not process the money, they only validate the transaction.

2. Un-Settlement Pool:

In case of transaction failure, the bank moves money from this account to the customer/business pool account or to clear the refunds.

3. Business Pool:-

This is a pool account, where they/business issue virtual accounts/cards to their own customers. Businesses do not have debit access to this account although they are free to move money inside this account among virtual accounts/cards.

4. Bank Settlement Account:-

Banks use this account to settle transactions with the network. They first settle all transactions for programs, businesses, retail, move that money to this account and then settle the network.

5. Visa Settlement Pool:

This pool is established at the bank and it can be at the bank transaction (wholesales) level or can be at the program level.

Settlement — PoS/ECoM

4(a). In-App purchase and settlement for Prepaid Cards

1. Wallet/virtual account:

Every prepaid card is associated with a wallet/virtual account which is part of a pool/primary account. In the case of a retail/customer account, it’s generally a virtual account linked to a prepaid card but in the case of a business, prepaid cards are mapped to a business pool account.

One business pool account can have multiple wallets and those wallets belong to different full/partial KYC users. In case of retail prepaid cards, virtual accounts are tagged to individual account holders.

Example:- Every Paytm wallet is an individual Paytm account holder but it’s part of Paytm’s pool account.

2. Pool:

This account is associated with a business such as Slice, Paytm and more. They create a pool account and whenever a user creates an account with them, the user gets access to a virtual account which is part of the main pool account. Only with the user’s consent, money can be debited from their wallet/virtual account as businesses can not do that on their own. Businesses also do not have permission to debit money from their main pool account as it’s user/customer’s money.

In case if there is a use case(refund, cancelation, failed transaction and more) where business have to debit money, they keep some pool of money in a checking account also.

3. Escrow:

This is a third-party account that holds the advanced security deposit on behalf of the Business and the vendor whose product is listed on the platform.

Example :- Insurance product, mobile recharge, elctricity bill payment flow on Paytm.

4. API debit confirmation:

Once a business system receives the product purchase payment request from customer, it gets transferred to CardHost which validates the card status, account status, account balance and more. If found valid, the system debits the amount from the user’s wallet and moves that money to the merchant-specific wallet created by business in their pool account.

Businesses create this wallet for ease of settlement with banks and partner merchants/vendors. This merchant can be insurance providers, recharges, bill payments and more. All user transactions move to the merchant account first.

5. Purchase Confirmation status:

Once CardHost confirms the debit transaction, it sends the confirmation to the business system which later forwards that to the merchant. Once a merchant receives the successful transaction response, they confirm the purchase. Once the business system receives the confirmation from the merchant, they forward that to the customer’s account and the purchase of that in-app product gets completed.

6. Audit report:-

For every merchant, there is a dashboard for purchases. This dashboard is used to confirm the purchase order from the merchant side. Before settling the amount, the business confirms it from the merchant/vendor. If there are no issues, someone from the finance team raises a bank request to transfer money from the merchant’s wallet(part of the business pool account) to the merchant’s bank account, as businesses do not have debit permission. This completes the settlement process.

Based on the transaction, it can be daily, weekly, monthly or whatever both parties agree to. When a bank completes the transaction, they share a UTR (unique transaction reference) number to confirm the transaction and it is settled.

7. Settlement Invoice:

Now that settlement is done, businesses need to raise an invoice to the merchant for commission or platform fees to collect money. It can be based on units purchased, transaction volume or CPI (cost/impression) or anything that both parties agree to.

Example: Not every platform can sell insurance. They have to be a certified IRDIA broker to sell insurance on their platform. But insurance companies can use other platforms to market their product. In such cases, invoice amounts can not be directly proportional to insurance sold, that’s why they go with CPI in agreements.

Purchase Steps :-

  1. Customer Consent

2. Customer Wallet Debit

3. Interim/Vendor Wallet Credit

4. API call to Vendor

5. Purchase Confirmation

Settlement:-

  1. Pull out Interim Wallet Data

2. Pool Debit

3. Vendor A/C Credit

Prepaid Card Fund Flow for In-App Purchase

4(b). In-App purchase and settlement for Debit/Credit Cards

In case of payment by Debit card, there is no Wallet and Corporate/Business Pool. Each debit card and bank account is mapped to a customer. So, whenever there is a transaction, money goes directly from the customer’s account to the vendor’s wallet. Once the money is moved to the vendor’s wallet, the rest of the fund flow remains the same as the Prepaid card.

Debit Card Fund Flow for In-App Purchase

5. Corporate Wallet Inward:-

In a setup where business issues corporate cards such as RazorpayX, Volopay and more, they get a virtual account/wallet in partner bank and that account can have even more cards issued to different employees of the company.

Here corporates have to fund their wallet from an account. But before the corporates send money, they have to whitelist the account, as wallets can receive money from whitelisted accounts only.

Now to complete the money transfer, the below steps are being followed.

1. Business/Program hosted CMS :-

  1. Remitting Bank debits whitelisted A/C
  2. Remitting Bank sends a request to RBI
  3. RBI notifies partner bank
  4. Partner bank credits fund in Business Pool
  5. Partner bank Notifies Business
  6. Business Credits virtual wallet of corporate
Corporate Wallet Inward — CardHost at Business/Bank Partner

b) Switch/CMS hosted CardHost :-

  1. Remitting Bank debits whitelisted A/C
  2. Remitting Bank sends a request to RBI
  3. RBI notifies Partner Bank
  4. Partner Bank credits fund in Business Pool
  5. Partner Bank Notifies Business
  6. Business Notifies Switch
  7. Switch Credits virtual wallet
Corporate Wallet Inward — CardHost at CMS

6. Card Closure/EMV Scripting:-

You are walking down to a busy market, buying food, shopping stuff, having some time … until…. You realize… your wallet is missing from any of your pockets or bags and even worse, none of your friends are joking about it.

The first thing you’ll do is lock the card or maybe mark it lost and rest assured that no transaction will be allowed from this card until you unlock this card and start looking or file a complain.

But how?

How can a piece of plastic with no communication system be locked to use?

The answer is EMV Scripting.

When you lock a card, you update the card status in the card host. Next time when someone tries to use the card, they’ll receive a message that the card can not be used in the transaction response as this response is coming from the Card host only.

This method is used to Lock/unlock cards, mark them lost, change card pin, activate the card, check the balance and more.

Designs file for all attched images -> Click here

This will be an evolving document where I’ll update this based on feedback and new insights.

P.S.-

Fun facts about Q3 2022 :-

Total debit/credit cards in circulations = 1.01 Billion 💳

Total transactions count via debit/credit cards = 1.6 Billion 🏦

Total transactions value via debit/credit cards = ₹5.38 Trillion or $65.6 billion 💰

Average = ₹3362.5/transaction

But if you want to look at the bigger picture:-

Total Transaction count via UPI, Wallet and Cards = 23.06 Billion 🏦

Total Transactions value via UPI, Wallet and Cards = ₹ 38.32 Trillion or $480B 💰

Average = ₹1661.75/transaction 💳

So, average card transactions = 2 X average UPI/cards/wallets transaction 💸

Maybe UPI is good for those small ticket transaction like ₹17, and because of that UPI Lite have to come into the picture.

But for bigger transactions, we still want CVV+OTP based security. 🔒 🔑

A big thanks to Pradeep Tatineni for helping me write this.

Fintech
India
Startup
Payments
Money

--

--

Shubham Baranwal
Shubham Baranwal

Written by Shubham Baranwal

37 Followers
8 Following

Just a curious guy ✌️

Responses (1)

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams