This guide explains the basics of how card transactions work: which entities are involved in card transactions, the sequence of events, and some examples of how different merchant types handle transactions. Along with this guide you may want to read these other documents:
- About Transactions — A general guide to how transactions are represented in the Galileo system.
- Card Transaction Scenarios — Example scenarios to show how various card transaction types appear in the Program API, Events API, Auth API, and the RDFRDF - Raw data file. Once per day Galileo sends you RDFs that contain a list of all of your previous day's transactions and all of your current customers. Compare the RDFs with your own records and if there are discrepancies, treat the RDFs as authoritative.s. Ask Galileo for the PDF of this document.
Subsections in this guide:
- Networks — Credit and debit network types and how transactions are routed
- Authorization — Authorization requests and their variants such as preauthorization, incremental authorizations, and partial authorizations
- Settlement — Settlements, backouts, and completions
- Crediting Cardholder Accounts — Card transactions that move funds into cardholder accounts such as reversals, merchant credits and card loads
- Card Transaction Examples — Examples of the transaction types explained in the other guides
A card transaction is initiated by a cardholdercardholder - An account holder who has been issued a card. at a point of sale. The transaction is facilitated through its various phases by card networks until the transaction has completed.
Prominent card networks are Visa and Mastercard for credit card transactions, whereas interbank networks such as Interlink and Maestro handle ATM and PIN-debit transactions. Galileo is integrated with most major credit card and interbank networks in the United States.
Card transactions are not initiated or facilitated through the Program API; however, you may be informed of each step of the transaction in real time through the Events API, or you may subscribe to the Authorization Controller API, to participate in authorizations. These transactions are also recorded in the RDFs and can be viewed using transaction-retrieval endpoints such as Get All Transaction History.
All card transactions have at least five participants.
A merchant is an entity that offers goods, services, or cash in exchange for a card payment. A merchant can be a physical store, an online vendor, a mobile app, an ATM, a card-loading vendor, or a money-movement app. Merchants have card-reading devices on their physical premises or card-processing software on their online sites or in their mobile apps.
Prior to accepting card transactions, a merchant must set up a business relationship with an acquirer, which is a bank or intermediary. The acquirer has physical access to the card networks and provides the merchant with card-reading hardware or software. The acquirer handles card-network messages on behalf of the merchant as well as moves funds between the merchant account and the card networks. Merchants send their transactions to their acquirers over an electronic connection.
A card network is an entity that has laid cable to create the network over which card transactions are processed. This physical infrastructure is called a network's "rails," which transmit a standardized set of messages between acquirers and issuers. The networks also transfer funds between issuers and acquirers and assist in resolving disputes.
For more information see the Networks guide.
The issuer is an entity, usually a bank or an intermediary, that offers cards to customers and maintains the card accounts. Issuers determine which card types to offer, what features the account has, and which restrictions to impose. Issuers also have physical connections to the card networks and handle network messages on behalf of their cardholders.
For Galileo clients, Galileo fulfills the role of issuer in payment-card transactions by partnering with issuing banks (which hold the funds for cardholder accounts), handling the messages that arrive over the network rails and by transferring funds between customer accounts and the card networks.
The account on which a card transacts is the cardholder account. In most cases the account is a DDADDA - Demand deposit account. The banking-industry term for an account from which funds can be withdrawn at any time, such as a checking account., but it can be another type of account. These accounts may be held by Galileo or by you, depending on your setup.
At the time that you create a card program, you decide whether to permit PIN transactions, signature transactions, or both, and you determine which networks to use for each type of transaction.
All payment-card transactions pass through these phases:
- Reconciliation and settlement
In this first phase of the transaction, the cardholder presents card information at a merchant's point of sale.
At physical locations the card information is acquired through a card reader. This device is provided to merchants by their acquirers. Most card readers permit cardholders to insert their cards into a slot that reads a chip, which contains sophisticated security information that is difficult to reproduce for fraudulent purposes. For cards without chips, the reader permits the magnetic stripe to be swiped. In "contactless" transactions, a specialized card can be "waved" near an NFCNFC - Near-field communication. A wireless transmission specification for two devices at a distance of 4 cm or less. Used for mobile wallet payments at physical points of sale. reader that can pick up the card information, or the cardholder can wave a mobile phone that contains a mobile walletmobile wallet - A specialized smartphone app that contains tokenized versions of payment cards.. Depending on how the card is set up, the cardholder may be required to enter the PINPIN - Personal identification number. A four-digit number that cardholders use to validate their cards at points of sale. for the card.
For websites and mobile apps, merchants obtain specialized software from their acquiring banks that accepts a typed-in PANPAN - Primary account number. The 16-digit number that is printed on a card, beginning with the BIN. This number is not the same as the account identifier, which is the PRN, or the card identifier, which is the CAD., expiry dateexpiry date - The date that a card expires. This date is displayed on a virtual or physical card and is randomly set at the time the card is created. The expiry date is encrypted in the Galileo system and cannot be retrieved by anyone who is not PCI compliant., and CVVCVV - Card verification value. A number that is included on a card to help verify that a cardholder has the actual card (physical or virtual) in hand. CVV1 is a value that is embedded in a card's magnetic stripe, CVV2 is a 3- or 4-digit number printed on the actual card, and iCVV is a number embedded in security chips. In most cases, "CVV" refers to CVV2., as well as the cardholder's billing address. Mobile apps also accept payments from mobile wallets. See the About Mobile Wallets guide for the Galileo implementation.
Older methods of acquiring card information include making a physical imprint of the card onto paper (if the PAN is embossed), typing the PAN via keypad into a device, or writing the PAN on a paper slip to submit to the acquirer. Issuers, acquirers or card networks may no longer permit some of these acquisition methods for security reasons.
With all of the electronic methods, the card's PAN, expiry date, CVV, card network, and other information are transmitted to the authorizing entity (issuer) through the network. With non-electronic methods the PAN, expiry date, and CVV are manually delivered to the acquirer, which converts the information into an electronic format and sends it to the network. For non-electronic methods where authorization is not requested prior to the transaction, the merchant assumes the risk of accepting cards that may not be not valid or that might not support the transaction.
Neither Galileo nor its clients are involved in the acquisition phase of a payment-card transaction; however, different acquisition configurations affect how the transactions are processed and therefore affect the data that you see.
Acquisitions can be classified according to whether the physical card is used to initiate a transaction. When the cardholder is present on the merchant's premises and can produce the physical card (or a phone that contains a mobile wallet), it is a "card present" transaction. When the cardholder presents card information without being present at a physical site—at an e-commerce site, in a mobile app, or over the phone—it is a "card not present" transaction.
For card-not-present transactions, issuers or card networks usually require verification information such as the expiry date and CVV, and merchants use AVSAVS - Address verification service. An authentication method whereby the merchant submits a card's billing address in an authorization request. to ensure that the legitimate cardholder is initiating the transaction. Issuers may decide not to allow card-not-present transactions, or in other cases may temporarily disallow card-present transactions, such as when the physical card is in transit to the cardholder.
Validating a debit card at a point of sale can take one of two forms, depending on how the card account is set up and merchant decisioning:
- PIN — The cardholder enters a PIN on the keypad of a card-reading device.
- Signature — The cardholder signs a receipt, and the merchant compares the signature to the signature on the back of the debit card. Online transactions, cash-app transfers and any other transactions where a PIN is not input are treated as signature transactions as well.
Whether a PIN is entered determines the type of network that the transaction uses. See the Networks guide for more information.
At the time of acquisition, the merchant or acquirer may apply rules to determine whether they will accept the card type, based on the BINBIN - Bank identification number. Assigned by a bank, it is the first six or eight digits of a PAN.. For example, a merchant might have a policy to not accept prepaid cards. In that case, the card is rejected at the merchant site and no authorization request is sent.
Authorization is an anti-fraud and risk-mitigation measure to verify the card and cardholder's authenticity as well as the card's ability to support the transaction.
The merchant transmits the amount of the purchase with the authorization request. After the card information and purchase amount are acquired, the authorization request is routed to the appropriate card network by the merchant's acquirer. The network performs some preliminary fraud-detection checks and sends a risk score, along with the authorization request, to the issuer.
The issuer verifies that the card passes validation checks, then ensures that the card account can support the transaction. In the case of a debit or prepaid account, the issuer checks for sufficient funds, and in the case of a credit account, that the credit limit has not been exceeded. The issuer also checks for violations of velocity limits and other restrictions such as location or merchant type. Further fraud-detection checks may also take place at this point.
For authorizations Galileo fulfills the role of issuer. Galileo clients may also participate in the authorization process by using the Authorization Controller API.
If the card and transaction pass all verification checks, the issuer returns an "authorization approved" message and the merchant completes the transaction; otherwise, the issuer returns an "authorization denied" message, along with the reason for the denial, and the merchant cancels the transaction.
After approving an authorization request, Galileo places a hold on the cardholder account for the amount of the transaction. This hold changes the available balance amount such that it is not taken into consideration for the next authorization request. For example, if a cardholder has $200 in their account and Galileo approves an authorization for $50, the cardholder then has only $150 in available funds. If the cardholder attempts to make another purchase for $151, the authorization will be denied for insufficient funds, even if the first $50 has not yet been debited from the account.
See the Authorization guide for further details about authorization, including preauthorization, upcharges, partial authorizations, AVS-only checks, balance inquiries, provisioning requests, authorization linkage, and incremental authorizations.
Merchants regularly compile a list of completed transactions during a particular period, usually the current day, although some high-volume merchants may compile these lists multiple times per day and low-volume merchants may send them every few days. These lists include adjusted amounts that were added to the transaction after initial authorization was granted, such as a tip added at a restaurant, or a transaction may be for less than the authorized amount.
The merchants then send the clearing messages to their acquirers. The acquirers sort through the transactions, and then route batch files to the various card networks. The networks sort through the transactions and compile batch files to send to each issuer.
The issuer receives a batch file from each network at least once per day. The issuer compares the transactions to the authorizations that it has on file, and when the transaction matches, the hold is backed out, the transaction is changed from an outstanding authorization to a settled transaction, and the amount is posted to the cardholder account. Matching the clearings with authorizations is called reconciliation, and posting the amount to the account is called settlement.
See the Settlement guide for details on settlement, including backouts, completions, force posting and incremental clearings.
As the final step in a transaction, the network calculates the debits and credits for each issuer and presents the net amount owed to the issuers. In separate processes, the networks settle with acquirers and the acquirers settle with their merchants.
This diagram shows the stages of a typical transaction.
Although most transactions move funds from the cardholder account to the merchant, some transactions move funds in the opposite direction:
- Merchant credits
- Card loads
For information on these types of transactions, see the Crediting Cardholder Accounts guide.
The majority of cardholder transactions will be at retail outlets, either online or on premises, with the typical three-transaction sequence (authorization, backout, settlement). This section explains what kinds of variations you can expect with transactions from particular merchant types.
- Restaurants and bars
- Gas pumps with convenience stores
- Car rental
- Ride-share services
- Peer-to-peer cash transfers
- Card loads
- Gig-economy workers
- Mobile wallets
- International merchants
In many establishments that serve food or alcohol, customers are permitted to add a tip to the bill when paying with a card. The tip-adding can take one of two forms:
- At the table the customer is presented with a bill, and the customer gives the server the card.
- The server obtains authorization or preauthorization for the amount of the bill and prints out a receipt.
- The customer writes in a tip and signs the receipt.
- The merchant sends a clearing amount for the bill amount plus the tip. The settlement and preauthorization amounts are therefore different.
Galileo is obligated to post the full amount to the cardholder account even if the cardholder's account is driven negative by the tip amount. See Upcharges in the Authorization guide for a way to mitigate this risk.
- The server gives the bill to the customer.
- The customer goes to the cashier and uses the card reader to input a PIN. The card reader is programmed to ask if the customer wants to add a tip, and then accepts manual input.
- The card reader sends the bill amount plus the tip as a single authorization request.
With this method there is no risk of the tip amount driving the account negative, because the full amount is authorized.
Most fast food restaurants do not use PIN verification, especially at a drive-through window. To improve their customer experience, some restaurants do not wait for authorization before completing a transaction, and so when they clear the transaction it results in a force-post. Restaurants therefore assume the risk of the transaction being charged back.
It's not unusual for a customer who pumps gas to also make a purchase at the corresponding convenience store. In that case you will see two sets of transactions within a few minutes of each other: one for the pump (often MCCMCC - Merchant category code. Indicates the type of merchant that acquired the payment, such as supermarket, auto supply, bakery. The codes are defined in ISO 18245. 5542, automated pumps) and one for the convenience store (MCC 5541, service stations).
ATMs typically use MCC 6011. ATM fees may be assessed by the ATM operator, by the network, or by you. An authorization request for an ATM includes all fees in one request. With the settlement, the fees from the ATM operator and network are included with the cash amount, whereas any fees assessed by you are broken out in a separate transaction.
ATMs are programmed to send reversals when there is an error, such as a duplicate authorization or an amount dispensed that is different from the authorized amount.
For more information see ATMs in the Authorization guide and ATM networks in the Networks guide. For examples see ATM withdrawal in Card Transaction Examples or these scenarios in the Card Transaction Scenarios PDF:
- Scenario 11: ATM withdrawal
- Scenario 12: ATM reversal
When a cardholder makes a purchase on an e-commerce site, the merchant usually performs an AVSAVS - Address verification service. An authentication method whereby the merchant submits a card's billing address in an authorization request.-only check, which has an authorization amount of 0.00. Galileo returns response code 85 (valid test, non-financial transaction) along with the AVS results when the card and account are active. If the card or account are not active, Galileo returns 05, or if other conditions apply such as a lost or stolen card, Galileo responds with the appropriate code. (See the Authorization Response Codes enumeration.)
Because web sites and apps cannot ask for PIN input, all e-commerce transactions are signature transactions.
See AVS-only checks in the Authorization guide for more information.
When a cardholder initiates a transaction, Amazon usually performs an AVS check. Some hours later, Amazon sends out preauthorization requests in a batch file and later sends a conventional clearing or completion. When an order includes items from a third-party vendor, the vendor usually gets its own preauthorization for that portion of the order and clears or completes it separately. There is no identifier to tie the transactions to the AVS check or to the various parts of a single order. The timing of when portions of an Amazon order are authorized varies widely depending on how the third-party vendors are integrated with Amazon as well as a number of other factors internal to Amazon.
Keep in mind that the merchant identifiers for the various parts of an Amazon order might be different from the original AVS check, depending on who fulfills the order. A third-party vendor usually has something like "AMZN Mktp" (Amazon Marketplace) in the transaction description and a different merchant identifier than the AVS check.
For an example see Amazon transaction in Card Transaction Examples. Also see Incremental clearing in the Settlement guide for another way that e-commerce merchants might clear orders that ship separately.
When a hotel accepts a reservation, it typically preauthorizes the guest's card for $50 or so as a reservation fee. When the guest checks in, the hotel often reverses the reservation fee and preauthorizes the card for the anticipated amount of the stay. When the guest checks out, the hotel sends a clearing for the total amount of the stay, including minibar and other charges. Sometimes a hotel does not reverse the reservation fee but rather deducts it from the settlement at the end of the stay.
In the case of an extended stay, a hotel might get preauthorizations for the next two days only, for example, and then send a clearing message for those two days before preauthorizing the next two days.
Car rental agencies typically obtain a preauthorization for an amount that is considerably higher than the anticipated final amount, often for several hundred dollars. When the car is returned the agency sends a partial reversal to release the excess funds from the hold. They then send a conventional clearing message a few days later.
For a detailed example of a car rental transaction, see "Scenario 8: Partial reversal on preauthorization" in the Card Transaction Scenarios PDF.
The ride-share apps tend to send a high number of preauthorizations that are later backed out or reversed because of these factors:
- The apps get preauthorizations at the beginning of the ride for the estimated amount, and then may get separate authorizations when the ride is finished and the ride total is known.
- Many cardholders have two ride-share apps, so they create ride requests on both apps at once to see which service can provide a ride the soonest. Then they cancel one request in favor of the other.
- Ride-share app users often make and then cancel ride requests soon after.
When a rider is picked up the app sends a preauthorization request for the estimated amount. This transaction often has "pending" or "temp auth hold" in the transaction description. The next steps vary depending on what the app is configured to do. Any of these scenarios may play out:
- When the ride is completed, the app sends another preauthorization request for the actual amount. The description for this second preauthorization may contain "trip" or "charges." Galileo backs out the first preauthorization soon after.
- When the ride is completed, the app sends a reversal for the difference between the preauthorization and the final amount, if the final amount is less. Galileo expires the reversal when it receives the clearing message.
- When the ride is completed, the app sends a conventional clearing message for the actual amount, which may be less than the preauthorized amount. The preauthorized amount is held until Galileo gets the clearing message.
- When the rider provides a tip after the ride transaction has completed, the app gets another preauthorization for that amount, and the clearing for the tip may be included with the clearing for the original ride or it may be cleared separately.
Services such as Venmo, Cash App, Zelle and PayPal perform peer-to-peer cash transfers and typically use MCCMCC - Merchant category code. Indicates the type of merchant that acquired the payment, such as supermarket, auto supply, bakery. The codes are defined in ISO 18245. 4829 (wire transfers) or 6012 (financial institutions).
When your customers send funds to a peer, the transaction is authorized and settled in the usual manner as a debit from the account. The name of the peer who receives the funds is in the transaction description.
When your customers receive funds from a peer, the transaction is a card load, which is a payment activity type. The name of the peer who sent the funds is in the transaction description. The load will be either a Mastercard or Visa load, depending on the card's branding.
See Card loads, below, for more information. For a detailed example of a peer-to-peer cash transfer, see "Scenario 7. Refund after clearing (Mastercard Banknet)" in the Card Transaction Scenarios PDF.
According to your settings, cardholders can directly load cash onto their cards at selected merchant sites, or companies can electronically load funds onto cards. When a cardholder receives funds from a cash-transfer app, such as a Venmo cashout, or payments from a gig-economy company such as Uber, the load type depends on the card's branding: Mastercard or Visa.
For more information see Card loads in the Crediting Cardholder Accounts guide. For an example see Uber payment in Card Transaction Examples and for a detailed example see "Scenario 17. Card load (Maestro)" in the Card Transaction Scenarios PDF.
Drivers for ride-share and food-delivery services often receive payments to their accounts as card loads, such as a Maestro load or Visa Money Transfer.
For examples see Uber payment in Card Transaction Examples and "Scenario 17. Card load (Maestro)" in the Card Transaction Scenarios PDF.
When a cardholder adds a mobile wallet card as a payment method in a mobile app, the app typically sends an AVS request to verify that the card is valid. After a successful AVS check, the app sends a conventional authorization request for the sale amount with a conventional settlement afterwards.
When a merchant obtains an authorization, the amount in the authorization request is the amount in the cardholder account's local currency. For example, if a cardholder who resides in Alabama goes to a gift shop in Rome, and the sale total is 50 Euros, the authorization amount will be expressed in the equivalent number of dollars.
When the settlement arrives, the settlement amount is usually different from the authorization amount, because it reflects fluctuations in the currency conversion rate between the authorization time and the clearing time.
Networks charge currency-conversion fees for international transactions. These fees are billed in a separate invoice rather than being included in the authorization amount. Issuing banks may also charge international transaction fees. Both fee rates may vary based on the card type.
The networks usually provide an indicator in authorization requests for domestic transactions. When a network determines whether a transaction is domestic, it can be as simple as comparing the country code of the issuing bank to the country code of the acquirer, and if they are the same, the transaction is domestic. In the case of U.S. territories, the determination is based on whether the issuing bank is in the same territory or region as the acquiring bank. Transactions that cross regional boundaries may not be considered domestic. For Visa cards issued in Puerto Rico, there may be special issuer reimbursement fees applied for non-domestic transactions. Consult the documentation for each card network for more information about how they determine whether a transaction is international or domestic.
When Galileo determines whether a transaction is international for the purpose of assessing issuer fees, it first consults the indicator in the authorization request. If a valid value cannot be obtained in that way, Galileo compares the merchant's country code to the card's country code. You can also use the DOMCC parameter to specify which countries should be considered domestic.
For examples see International transaction in Card Transaction Examples and these scenarios in the Card Transaction Scenarios PDF:
- Scenario 13: International authorization
- Scenario 14: International reversal
Updated 7 months ago