Having worked for a long time in banking software, and in particular on all kinds of electronic payments, I compiled together with my colleagues a mini-FAQ on bank plastic cards. Many of the questions are obvious; some are rather vague. In Russia the plastic card business is gaining momentum, which is good, and it is better to know the fundamentals.

So, 10 common misconceptions.

1. The amount of money is stored on the card itself.

A regular credit or debit card (even one with a chip) has no money counter on it. A card is just an identifier. The exceptions are special additional wallet applications on chip cards. Usually these are discount programs, virtual money (for example, liters of gasoline) and the like: things not directly related to the normal use of the card. Such special applications are accepted only at points of sale that take part in supporting that particular type of card.

2. Anyone who wants to accept payments by bank card can connect directly to Visa, Mastercard or any other international system.

You cannot just connect anyone directly to Visa or Mastercard. Only wealthy banks or independent processing centers can do this, since it requires special equipment, considerable insurance deposits, security certification and many other "little things" (not even every bank can afford it). Everyone else who wants to accept cards uses their services.

3. ATMs and payment terminals are connected directly to Visa or Mastercard.

The large international payment systems do not operate ATMs or payment terminals of their own. Every ATM or terminal necessarily belongs to some bank, which in turn is connected to the payment system either directly or indirectly (see item 2).

4. I have $200 on my card. That is all I can spend.

The account balance and the amount that can be spent from the card in a day are largely unrelated. It is more useful to talk about the card's daily limit. The daily limit depends on many factors and can be either lower than the account balance or higher. For example, even with a million in the account you are unlikely to be allowed to withdraw more than a few thousand a day from an ATM (and this is not a limitation of the ATM as a device). And the other way round: if you are a VIP client who usually has millions in the account, and tonight you have already blown everything at the casino, then after a call to the bank one of its top managers may personally instruct that an individual limit be set for you so that you can keep paying. In that case the bank takes on the risk that you will repay it all later.

5. When a card is used with a PIN, the ATM or payment terminal itself checks the PIN.

In the overwhelming majority of cases, any use of the card involves contacting the bank that issued it. If you insert a Sberbank card into an ATM in Australia, permission to dispense the money will still be requested from Sberbank, right there while you wait. This is because only the issuing bank can verify the PIN. The exception is chip cards: a chip card can verify the PIN itself, since the chip is a small computer capable of cryptographic operations. Also, when a card is used to pay for a purchase (rather than to withdraw cash), the merchant may not contact the authorization center for every purchase if the amount is below a certain limit. This matters for small amounts, where the purchase is worth less than the cost of a session on the electronic channel. Since the amounts are small,

6. The PIN is written on the magnetic stripe and can be "stolen" by any bank employee; you just have to look away while your card is in his hands.

In fact, what is recorded on the magnetic stripe is a cryptographic digest of the PIN and the card number, computed with a cryptographic key that is stored inside a heavily protected piece of hardware at the bank. That is, using the data from the magnetic stripe you can only check a PIN, and even then only if you know the secret key. Typically 3DES is used as the encryption algorithm. The "heavily protected piece of hardware" is a hardware device for storing keys and performing cryptographic operations with them. After the keys are initially loaded into this device (personalization), they never leave its physical enclosure in plain form.

In addition to serious physical protection measures for these devices, they also have built-in protection against tampering. For example, if you try to open the case to connect a "sniffer", all the keys are automatically erased.

The initial key loading is an interesting procedure. A realistic scenario looks like this. N bank security officers are selected, say 3 (ideally they should not even know each other personally). Each generates a key component and, of course, shows it to no one. Then they take turns entering the room where the key-storage device is located, and each enters their component. When all the components have been entered, the device XORs them together and stores the result internally as the key. As a result, nobody knows the key at all. To restore it, you need to obtain the original components from each of those N security officers, who are responsible for keeping them confidential.

As I wrote, there are no half measures in security; such administrative measures are needed where the power of cryptography ends and the human factor begins.
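The two mechanisms in this item, the key ceremony and the "check but never recover" PIN value, are concrete enough to model in code. The Go program below is an added example written for this article; it is not code from the post, from any bank, or from any HSM vendor. The XOR ceremony is as described above. The PIN value derivation is a simplified stand-in for real PVV schemes (the block layout, the key-index digit and the decimalisation step are assumptions of the example), the key check value convention (3DES of a zero block, first three bytes) is a common operator practice, and the officer components, PAN and PIN are constructed sample values.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// hsm stands in for the tamper-responsive key-storage device of item 6. The key
// sits in an unexported field: callers can ask the device to derive or verify a
// PIN value, but no method ever hands the key back.
type hsm struct {
	pvk []byte // PIN verification key, double-length (16-byte) 3DES
}

// CombineComponents models the key ceremony: each officer's component is XORed
// into the key, so no single component reveals it and all N are needed to rebuild it.
func CombineComponents(components ...[]byte) ([]byte, error) {
	if len(components) == 0 {
		return nil, errors.New("no key components supplied")
	}
	key := make([]byte, len(components[0]))
	for _, c := range components {
		if len(c) != len(key) {
			return nil, errors.New("key components must all have the same length")
		}
		for i := range key {
			key[i] ^= c[i]
		}
	}
	return key, nil
}

// encryptBlock applies 3DES with the K1,K2,K1 key layout crypto/des expects.
func (h *hsm) encryptBlock(in []byte) ([]byte, error) {
	if len(h.pvk) != 16 {
		return nil, errors.New("device holds no valid 16-byte key")
	}
	c, err := des.NewTripleDESCipher(append(append([]byte{}, h.pvk...), h.pvk[:8]...))
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, in)
	return out, nil
}

// KeyCheckValue encrypts a zero block and reports its first three bytes: the
// usual way to confirm which key was loaded without anyone seeing the key.
func (h *hsm) KeyCheckValue() (string, error) {
	out, err := h.encryptBlock(make([]byte, 8))
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(out[:3]), nil
}

// PinVerificationValue derives the value recorded on the stripe from the PAN and
// PIN. The block layout is a simplified stand-in for real PVV schemes (assumption):
// rightmost 11 PAN digits without the check digit, a key-index digit, the 4-digit PIN.
func (h *hsm) PinVerificationValue(pan, pin string) (string, error) {
	if len(pan) < 13 || len(pin) != 4 || strings.Trim(pan+pin, "0123456789") != "" {
		return "", errors.New("pan must be at least 13 digits and pin exactly 4 digits")
	}
	block, _ := hex.DecodeString(pan[len(pan)-12:len(pan)-1] + "1" + pin) // 16 digits -> 8 bytes
	out, err := h.encryptBlock(block)
	if err != nil {
		return "", err
	}
	return decimalise(hex.EncodeToString(out)), nil
}

// VerifyPIN is the only PIN check the device exposes: recompute and compare.
func (h *hsm) VerifyPIN(pan, pin, pvv string) bool {
	got, err := h.PinVerificationValue(pan, pin)
	return err == nil && got == pvv
}

// decimalise maps hex letters a-f to 0-5 and keeps the first four digits, a
// simplification of the decimalisation step used by real schemes.
func decimalise(hexText string) string {
	return strings.Map(func(r rune) rune {
		if r >= 'a' && r <= 'f' {
			return r - 'a' + '0'
		}
		return r
	}, hexText)[:4]
}

func main() {
	// Three constructed officer components; none of them is the key.
	key, err := CombineComponents([]byte("officer-one-key!"), []byte("officer-two-key!"), []byte("officer-3rd-key!"))
	if err != nil {
		panic(err)
	}
	dev := &hsm{pvk: key}
	kcv, _ := dev.KeyCheckValue()
	pan, pin := "4000001234567899", "1234" // constructed sample card and PIN
	pvv, _ := dev.PinVerificationValue(pan, pin)
	fmt.Println("KCV:", kcv, "PVV:", pvv, "correct PIN:", dev.VerifyPIN(pan, pin, pvv), "wrong PIN:", dev.VerifyPIN(pan, "0000", pvv))
}
```

Note what the `hsm` type does not offer: there is no method that returns `pvk`, and `VerifyPIN` answers only yes or no, which is the point of item 6. Replace any one officer's component with a different value and the derived PVV changes, while no single component on its own says anything about the key.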

Important note: no bank employee will ever, under any circumstances, ask you for your PIN. But if you only knew how many customers out of ten, when they call the bank and the operator asks for their secret word (the one chosen when the account was opened), answer with their PIN.

7. When making a purchase, the money immediately goes directly from the customer's account to the store's account.

Usually the real exchange of money (albeit electronic) takes place at the end of the business day. At the moment of purchase, only the amount is blocked out of the available limit (see item 4). The actual debit usually happens a few days later, when the financial presentment from the bank whose terminal processed the payment reaches the bank that holds the account.

8. The amount printed on your receipt when paying by card will be deducted from your account exactly.

In fact, the amount blocked during authorization may differ materially from the amount debited by the financial transaction. This is especially true of car rental and hotel payments, since these merchants may "follow up" by charging additional costs (for example, a gas shortfall or an unpaid minibar). But these are not the only kinds of merchants allowed to increase or decrease the final amount.

Also, the amount blocked during authorization may differ from the amount debited from the account when the account currency differs from the transaction currency, since the actual withdrawal of funds happens 1-2 days later and the conversion rate may change in the meantime.

9. The amount blocked on the account when paying by card will be debited from my account one way or another.

The amount blocked during authorization may never be debited from the account at all. After 10 days (for an ATM) or 45 days (for all other terminals) without a financial confirmation of the transaction arriving at your bank from the payment system, it is unblocked. This is both "good" and "bad". It is "good" when you have performed an operation that you want to refuse right away. Immediately after the operation you call the bank, explain the reason for the refusal to the operator, and if it is allowed, the operation is "canceled" and the block can be released. In that case, if a financial confirmation from the merchant does arrive (in a couple of days), the bank sorts it out itself, without your involvement (or your money). It is "bad" when you waited a day or two and a financial confirmation has already reached the bank before your call; then the operation is harder to "roll back". The bank will have to open a formal dispute on the case, which may last those 45 days. During that time the purchase amount may remain blocked.

10. Holders of debit (not credit) cards cannot "owe the bank".

As already mentioned in item 4, purchase authorization is based not on the actual amount in the account but on the daily limits, so with both credit and debit cards you can "go into the red" if the bank sets daily limits slightly above the account balance, even for debit cards.
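Items 4 and 7 to 10 describe one lifecycle: authorization against a daily limit, a hold that moves no money, a financial confirmation whose amount may differ from the hold, expiry after 10 or 45 days, and a debit account that can end up below zero. The Go model below is an added example written for this article, not the post's code or any bank's system; the amounts, dates and the exact ordering of checks are constructed for illustration, and it deliberately follows the post in deciding authorization against the daily limit rather than the ledger balance.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Channel is where the authorisation came from; it decides how long an
// unconfirmed hold survives (item 9: 10 days for ATMs, 45 for other terminals).
type Channel int

const (
	ATM Channel = iota
	POS
)

func (c Channel) HoldTTL() time.Duration {
	if c == ATM {
		return 10 * 24 * time.Hour
	}
	return 45 * 24 * time.Hour
}

// Hold is an authorised but not yet cleared amount; no money has moved (item 7).
type Hold struct {
	Amount  int64 // minor units, e.g. cents
	Channel Channel
	Created time.Time
}

// Account is a deliberately small issuer-side model: ledger balance, issuer-set
// daily limit, and the open holds keyed by authorisation code.
type Account struct {
	Balance    int64
	DailyLimit int64
	authorised int64 // amount authorised so far today
	holds      map[string]*Hold
	seq        int
}

func NewAccount(balance, dailyLimit int64) *Account {
	return &Account{Balance: balance, DailyLimit: dailyLimit, holds: map[string]*Hold{}}
}

// Authorize decides against the daily limit rather than the ledger balance
// (item 4); the issuer may set that limit above the balance (item 10). On
// approval the amount is only blocked.
func (a *Account) Authorize(amount int64, ch Channel, now time.Time) (string, error) {
	if amount <= 0 {
		return "", errors.New("amount must be positive")
	}
	if a.authorised+amount > a.DailyLimit {
		return "", errors.New("declined: daily limit exceeded")
	}
	a.authorised += amount
	a.seq++
	code := fmt.Sprintf("A%04d", a.seq)
	a.holds[code] = &Hold{Amount: amount, Channel: ch, Created: now}
	return code, nil
}

// Clear posts the financial confirmation that arrives days later. The cleared
// amount may differ from the held one (item 8) and is what hits the ledger, so
// a debit card can end up below zero (item 10).
func (a *Account) Clear(code string, cleared int64) error {
	if _, ok := a.holds[code]; !ok {
		return errors.New("no open hold " + code)
	}
	delete(a.holds, code)
	a.Balance -= cleared
	return nil
}

// Cancel releases a hold when the bank agrees to refuse the operation (item 9)
// and gives the daily allowance back.
func (a *Account) Cancel(code string) error {
	h, ok := a.holds[code]
	if !ok {
		return errors.New("no open hold " + code)
	}
	a.authorised -= h.Amount
	delete(a.holds, code)
	return nil
}

// ExpireHolds releases holds whose confirmation never arrived within the
// channel's TTL (item 9) and returns how many were released.
func (a *Account) ExpireHolds(now time.Time) int {
	released := 0
	for code, h := range a.holds {
		if now.Sub(h.Created) >= h.Channel.HoldTTL() {
			delete(a.holds, code)
			released++
		}
	}
	return released
}

// Blocked is the sum of open holds: the figure the customer sees as unavailable.
func (a *Account) Blocked() int64 {
	var sum int64
	for _, h := range a.holds {
		sum += h.Amount
	}
	return sum
}

func main() {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed date
	acc := NewAccount(10000, 12000)                        // $100.00 balance, $120.00 daily limit
	hotel, _ := acc.Authorize(6000, POS, now)
	shop, _ := acc.Authorize(6000, POS, now)
	_, err := acc.Authorize(100, ATM, now) // declined: the day's limit is used up
	fmt.Println("blocked:", acc.Blocked(), "balance:", acc.Balance, "third attempt:", err)
	acc.Clear(hotel, 6500) // the hotel adds the minibar (item 8)
	acc.Clear(shop, 6000)
	fmt.Println("balance after clearing:", acc.Balance) // negative on a debit card (item 10)
}
```

The model separates the three figures the post keeps distinguishing: the ledger balance, the sum of open holds, and the daily limit. Authorization touches only the last two; `Clear` is the only method that moves money, and it uses the confirmed amount, not the held one.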

I hope this information helps you avoid some unpleasant surprises when using plastic cards.

