Credit cards are issued after an account has been approved by the credit provider, after which cardholders can use it to make purchases at merchants accepting that card.
When a purchase is made, the credit card user agrees to pay the card issuer. The cardholder indicates his/her consent to pay, by signing a receipt with a record of the card details and indicating the amount to be paid or by entering a Personal identification number (PIN). Also, many merchants now accept verbal authorizations via telephone and electronic authorization using the Internet, known as a 'Card/Cardholder Not Present' (CNP) transaction.
Electronic verification systems allow merchants to verify that the card is valid and the credit card customer has sufficient credit to cover the purchase in a few seconds, allowing the verification to happen at time of purchase. The verification is performed using a credit card payment terminal or Point of Sale (POS) system with a communications link to the merchant's acquiring bank. Data from the card is obtained from a magnetic stripe or chip on the card; the latter system is in the United Kingdom and Ireland commonly known as Chip and PIN, but is more technically an EMV card.
Other variations of verification systems are used by eCommerce merchants to determine if the user's account is valid and able to accept the charge. These will typically involve the cardholder providing additional information, such as the security code printed on the back of the card, or the address of the cardholder.
Each month, the credit card user is sent a statement indicating the purchases undertaken with the card, any outstanding fees, and the total amount owed. After receiving the statement, the cardholder may dispute any charges that he or she thinks are incorrect (see Fair Credit Billing Act for details of the US regulations). Otherwise, the cardholder must pay a defined minimum proportion of the bill by a due date, or may choose to pay a higher amount up to the entire amount owed. The credit provider charges interest on the amount owed if the balance is not paid in full (typically at a much higher rate than most other forms of debt). Some financial institutions can arrange for automatic payments to be deducted from the user's bank accounts, thus avoiding late payment altogether as long as the cardholder has sufficient funds.
Credit card issuers usually waive interest charges if the balance is paid in full each month, but typically will charge full interest on the entire outstanding balance from the date of each purchase if the total balance is not paid.
For example, if a user had a $1,000 transaction and repaid it in full within this grace period, there would be no interest charged. If, however, even $1.00 of the total amount remained unpaid, interest would be charged on the $1,000 from the date of purchase until the payment is received. The precise manner in which interest is charged is usually detailed in a cardholder agreement which may be summarized on the back of the monthly statement. The general calculation formula most financial institutions use to determine the amount of interest to be charged is APR/100 x ADB/365 x number of days revolved. Take the Annual percentage rate (APR) and divide by 100 then multiply to the amount of the average daily balance (ADB) divided by 365 and then take this total and multiply by the total number of days the amount revolved before payment was made on the account. Financial institutions refer to interest charged back to the original time of the transaction and up to the time a payment was made, if not in full, as RRFC or residual retail finance charge. Thus after an amount has revolved and a payment has been made, the user of the card will still receive interest charges on their statement after paying the next statement in full (in fact the statement may only have a charge for interest that collected up until the date the full balance was paid...i.e. when the balance stopped revolving).
The credit card may simply serve as a form of revolving credit, or it may become a complicated financial instrument with multiple balance segments each at a different interest rate, possibly with a single umbrella credit limit, or with separate credit limits applicable to the various balance segments. Usually this compartmentalization is the result of special incentive offers from the issuing bank, to encourage balance transfers from cards of other issuers. In the event that several interest rates apply to various balance segments, payment allocation is generally at the discretion of the issuing bank, and payments will therefore usually be allocated towards the lowest rate balances until paid in full before any money is paid towards higher rate balances. Interest rates can vary considerably from card to card, and the interest rate on a particular card may jump dramatically if the card user is late with a payment on that card or any other credit instrument, or even if the issuing bank decides to raise its revenue.
Benefits to customers
Because of intense competition in the credit card industry, credit card providers often offer incentives such as frequent flyer points, gift certificates, or cash back (typically up to 1 percent based on total purchases) to try to attract customers to their programs.
Low interest credit cards or even 0% interest credit cards are available. The only downside to consumers is that the period of low interest credit cards is limited to a fixed term, usually between 6 and 12 months after which a higher rate is charged. However, services are available which alert credit card holders when their low interest period is due to expire. Most such services charge a monthly or annual fee.
A credit card's grace period is the time the customer has to pay the balance before interest is charged to the balance. Grace periods vary, but usually range from 20 to 40 days depending on the type of credit card and the issuing bank. Some policies allow for reinstatement after certain conditions are met.
Usually, if a customer is late paying the balance, finance charges will be calculated and the grace period does not apply. Finance charges incurred depend on the grace period and balance; with most credit cards there is no grace period if there is any outstanding balance from the previous billing cycle or statement (i.e. interest is applied on both the previous balance and new transactions). However, there are some credit cards that will only apply finance charge on the previous or old balance, excluding new transactions.
Benefits to merchants
For merchants, a credit card transaction is often more secure than other forms of payment, such as checks, because the issuing bank commits to pay the merchant the moment the transaction is authorized, regardless of whether the consumer defaults on the credit card payment (except for legitimate disputes, which are discussed below, and can result in charges back to the merchant). In most cases, cards are even more secure than cash, because they discourage theft by the merchant's employees and reduce the amount of cash on the premises. Prior to credit cards, each merchant had to evaluate each customer's credit history before extending credit. That task is now performed by the banks which assume the credit risk.
For each purchase, the bank charges the merchant a commission (discount fee) for this service and there may be a certain delay before the agreed payment is received by the merchant. The commission is often a percentage of the transaction amount, plus a fixed fee. In addition, a merchant may be penalized or have their ability to receive payment using that credit card restricted if there are too many cancellations or reversals of charges as a result of disputes. Some small merchants require credit purchases to have a minimum amount (usually between $5 and $10) to compensate for the transaction costs, though this is strictly prohibited by credit card companies and must be reported to the consumer's credit card issuer.
In some countries, for example the Nordic countries, banks guarantee payment on stolen cards only if an ID card is checked and the ID card number/civic registration number is written down on the receipt together with the signature. In these countries merchants therefore usually ask for ID. Non-Nordic citizens, who are unlikely to possess a Nordic ID card or driving license, will instead have to show their passport, and the passport number will be written down on the receipt, sometimes together with other information. Some shops use the card's PIN for identification, and in that case showing an ID card is not necessary.
- Cardholder: The holder of the card used to make a purchase; the consumer.
- Card-issuing bank: The financial institution or other organization that issued the credit card to the cardholder. This bank bills the consumer for repayment and bears the risk that the card is used fraudulently. American Express and Discover were previously the only card-issuing banks for their respective brands, but as of 2007, this is no longer the case.
- Merchant: The individual or business accepting credit card payments for products or services sold to the cardholder
- Acquiring bank: The financial institution accepting payment for the products or services on behalf of the merchant.
- Independent sales organization: Resellers (to merchants) of the services of the acquiring bank.
- Merchant account: This could refer to the acquiring bank or the independent sales organization, but in general is the organization that the merchant deals with.
- Credit Card association: An association of card-issuing banks such as Visa, MasterCard, Discover, American Express, etc. that set transaction terms for merchants, card-issuing banks, and acquiring banks.
- Transaction network: The system that implements the mechanics of the electronic transactions. May be operated by an independent company, and one company may operate multiple networks. Transaction processing networks include: Cardnet, Nabanco, Omaha, Paymentech, NDC Atlanta, Nova, TSYS, Concord EFSnet, and VisaNet.
- Affinity partner: Some institutions lend their names to an issuer to attract customers that have a strong relationship with that institution, and get paid a fee or a percentage of the balance for each card issued using their name. Examples of typical affinity partners are sports teams, universities, charities, professional organizations, and major retailers.
The flow of information and money between these parties — always through the card associations — is known as the interchange, and it consists of a few steps.
- Authorization: The cardholder pays for the purchase and the merchant submits the transaction to the acquirer (acquiring bank). The acquirer verifies the credit card number, the transaction type and the amount with the issuer (Card-issuing bank) and reserves that amount of the cardholder's credit limit for the merchant. An authorization will generate an approval code, which the merchant stores with the transaction.
- Batching: Authorized transactions are stored in "batches", which are sent to the acquirer. Batches are typically submitted once per day at the end of the business day. If a transaction is not submitted in the batch, the authorization will stay valid for a period determined by the issuer, after which the held amount will be returned back to the cardholder's available credit (see authorization hold). Some transactions may be submitted in the batch without prior authorizations; these are either transactions falling under the merchant's floor limit or ones where the authorization was unsuccessful but the merchant still attempts to force the transaction through. (Such may be the case when the cardholder is not present but owes the merchant additional money, such as extending a hotel stay or car rental.)
- Clearing and Settlement: The acquirer sends the batch transactions through the credit card association, which debits the issuers for payment and credits the acquirer. Essentially, the issuer pays the acquirer for the transaction.
- Funding: Once the acquirer has been paid, the acquirer pays the merchant. The merchant receives the amount totaling the funds in the batch minus the "discount rate," which is the fee the merchant pays the acquirer for processing the transactions.
- Chargebacks: A chargeback is an event in which money in a merchant account is held due to a dispute relating to the transaction. Chargebacks are typically initiated by the cardholder. In the event of a chargeback, the issuer returns the transaction to the acquirer for resolution. The acquirer then forwards the chargeback to the merchant, who must either accept the chargeback or contest it.
Secured credit cards
A secured credit card is a type of credit card secured by a deposit account owned by the cardholder. Typically, the cardholder must deposit between 100% and 200% of the total amount of credit desired. Thus if the cardholder puts down $1000, they will be given credit in the range of $500–$1000. In some cases, credit card issuers will offer incentives even on their secured card portfolios. In these cases, the deposit required may be significantly less than the required credit limit, and can be as low as 10% of the desired credit limit. This deposit is held in a special savings account. Credit card issuers offer this because they have noticed that delinquencies were notably reduced when the customer perceives something to lose if the balance is not repaid.
The cardholder of a secured credit card is still expected to make regular payments, as with a regular credit card, but should they default on a payment, the card issuer has the option of recovering the cost of the purchases paid to the merchants out of the deposit. The advantage of the secured card for an individual with negative or no credit history is that most companies report regularly to the major credit bureaus. This allows for building of positive credit history.
Although the deposit is in the hands of the credit card issuer as security in the event of default by the consumer, the deposit will not be debited simply for missing one or two payments. Usually the deposit is only used as an offset when the account is closed, either at the request of the customer or due to severe delinquency (150 to 180 days). This means that an account which is less than 150 days delinquent will continue to accrue interest and fees, and could result in a balance which is much higher than the actual credit limit on the card. In these cases the total debt may far exceed the original deposit and the cardholder not only forfeits their deposit but is left with an additional debt.
Most of these conditions are usually described in a cardholder agreement which the cardholder signs when their account is opened.
Secured credit cards are an option to allow a person with a poor credit history or no credit history to have a credit card which might not otherwise be available. They are often offered as a means of rebuilding one's credit. Secured credit cards are available with both Visa and MasterCard logos on them. Fees and service charges for secured credit cards often exceed those charged for ordinary non-secured credit cards, however, for people in certain situations, (for example, after charging off on other credit cards, or people with a long history of delinquency on various forms of debt), secured cards can often be less expensive in total cost than unsecured credit cards, even including the security deposit.
Sometimes a credit card will be secured by the equity in the borrower's home. This is called a home equity line of credit (HELOC).
Prepaid "credit" cards
A prepaid credit card is not a credit card, since no credit is offered by the card issuer: the card-holder spends money which has been "stored" via a prior deposit by the card-holder or someone else, such as a parent or employer. However, it carries a credit-card brand (Visa, MasterCard, American Express or Discover) and can be used in similar ways just as though it were a regular credit card.
After purchasing the card, the cardholder loads the account with any amount of money, up to the predetermined card limit  and then uses the card to make purchases the same way as a typical credit card. Prepaid cards can be issued to minors (above 13) since there is no credit line involved. The main advantage over secured credit cards (see above section) is that you are not required to come up with $500 or more to open an account.  With prepaid credit cards you are not charged any interest but you are often charged a purchasing fee plus monthly fees after an arbitrary time period. Many other fees also usually apply to a prepaid card.
Prepaid credit cards are sometimes marketed to teenagers for shopping online without having their parents complete the transaction.
Because of the many fees that apply to obtaining and using credit-card-branded prepaid cards, the Financial Consumer Agency of Canada describes them as "an expensive way to spend your own money". The agency publishes a booklet, "Pre-paid cards", which explains the advantages and disadvantages of this type of prepaid card.
As well as convenient, accessible credit, credit cards offer consumers an easy way to track expenses, which is necessary for both monitoring personal expenditures and the tracking of work-related expenses for taxation and reimbursement purposes. Credit cards are accepted worldwide, and are available with a large variety of credit limits, repayment arrangement, and other perks (such as rewards schemes in which points earned by purchasing goods with the card can be redeemed for further goods and services or credit card cashback).
Some countries, such as the United States, the United Kingdom, and France, limit the amount for which a consumer can be held liable due to fraudulent transactions as a result of a consumer's credit card being lost or stolen.
Credit card security relies on the physical security of the plastic card as well as the privacy of the credit card number. Therefore, whenever a person other than the card owner has access to the card or its number, security is potentially compromised. Merchants often accept credit card numbers without additional verification for mail order purchases. They however record the delivery address as a security measure to minimise fraudulent purchases. Some merchants will accept a credit card number for in-store purchases, whereupon access to the number allows easy fraud, but many require the card itself to be present, and require a signature. Thus, a stolen card can be cancelled, and if this is done quickly, will greatly limit the fraud that can take place in this way. For internet purchases, there is sometimes the same level of security as for mail order (number only) hence requiring only that the fraudster take care about collecting the goods, but often there are additional measures. The main one is to require a security PIN with the card, which requires that the thief have access to the card, as well as the PIN.
The PCI DSS is the security standard issued by The PCI SSC (Payment Card Industry Security Standards Council). This data security standard is used by acquiring banks to impose cardholder data security measures upon their merchants.
The low security of the credit card system presents countless opportunities for fraud. This opportunity has created a huge black market in stolen credit card numbers, which are generally used quickly before the cards are reported stolen.
The goal of the credit card companies is not to eliminate fraud, but to "reduce it to manageable levels". This implies that high-cost low-return fraud prevention measures will not be used if their cost exceeds the potential gains from fraud reduction.
Most internet fraud is done through the use of stolen credit card information which is obtained in many ways, the simplest being copying information from retailers, either online or offline. Despite efforts to improve security for remote purchases using credit cards, systems with security holes are usually the result of poor implementations of card acquisition by merchants. For example, a website that uses SSL to encrypt card numbers from a client may simply email the number from the webserver to someone who manually processes the card details at a card terminal. Naturally, anywhere card details become human-readable before being processed at the acquiring bank, a security risk is created. However, many banks offer systems where encrypted card details captured on a merchant's webserver can be sent directly to the payment processor.
Controlled Payment Numbers which are used by various banks such as Citibank (Virtual Account Numbers), Discover (Secure Online Account Numbers, Bank of America (ShopSafe), 5 banks using eCarte Bleue and CMB's Virtualis in France, and Swedbank of Sweden's eKort product are another option for protecting one's credit card number. These are generally one-time use numbers that front one's actual account (debit/credit) number, and are generated as one shops on-line. They can be valid for a relatively short time, for the actual amount of the purchase, or for a price limit set by the user. Their use can be limited to one merchant if one chooses. The effect of this is the users real account details are not exposed to the merchant and its employees. If the number the merchant has on their database is compromised, it would be useless to a thief after the first transaction and will be rejected if an attempt is made to use it again.
The same system of controls can be used on standard real plastic as well. For example if a consumer has a chip and pin (EMV) enabled card they can limit that card so that it be used only at point of sale locations (i.e restricted from being used on-line) and only in a given territory (i.e only for use in Canada). There are many other controls too and these can be turned on and off and varied by the credit card owner in real time as circumstances change (ie, they can change temporal, numerical, geographical and many other parameters on their primary and subsidiary cards). Apart from the obvious benefits of such controls: from a security perspective this means that a customer can have a chip and pin card secured for the real world, and limited for use in the home country assuming it is totally chip and pin. In this eventuality a thief stealing the details will be prevented from using these overseas in non chip and pin (EMV)countries). Similarly the real card can be restricted from use on-line so that stolen details will be declined if this tried. Then when the card user shops online they can use virtual account numbers. In both circumstances an alert system can be built in notifying a user that a fraudulant attempt has been made which breaches their parameters, and can provide data on this in real time. This is the optimal method of security for credit cards, as it provides very high levels of security, control and awareness in the real and virtual world. Furthermore it requires no changes for merchants at all and is attractive to users, merchants and banks, as it not only detects fraud but prevents it.
The Federal Bureau of Investigation and U.S. Postal Inspection Service are responsible for prosecuting criminals who engage in credit card fraud in the United States, but they do not have the resources to pursue all criminals. In general, federal officials only prosecute cases exceeding US $5000 in value. Three improvements to card security have been introduced to the more common credit card networks but none has proven to help reduce credit card fraud so far. First, the on-line verification system used by merchants is being enhanced to require a 4 digit Personal Identification Number (PIN) known only to the card holder. Second, the cards themselves are being replaced with similar-looking tamper-resistant smart cards which are intended to make forgery more difficult. The majority of smartcard (IC card) based credit cards comply with the EMV (Europay MasterCard Visa) standard. Third, an additional 3 or 4 digit Card Security Code (CSC) is now present on the back of most cards, for use in "card not present" transactions. See CVV2 for more information.
The way credit card owners pay off their balances has a tremendous effect on their credit history. All the information is collected by credit bureaus. The credit information stays on the credit report, depending on the jurisdiction and the situation, for 1, 2, or even 10 years after the debt is repaid.