
Cryptography & Payments

Arthur Van Der Merwe

Tag Archives: credit cards

Credit vs Debit

Back in the 1980s, we had a simple, bifurcated world:  there were credit cards (PIN-less and tied to a credit line); and there were ATM cards (always requiring a PIN and tied to a bank account).  Muddying the waters was the advent of the so-called ‘check card,’ which can be thought of as a ‘dual mode’ card – it can be used without a PIN as sort of a ‘secured’ credit card (‘secured’ in the sense that the cardholder is dipping into real money in a bank account) or with a PIN as a debit card.

Now, we get into some rather misleading definitions that this muddying has caused…

  • When you use that check card with a PIN, it’s called Online Debit.  For those of you familiar with ISO8583, that PIN-ed request is going to result in you (as the acquirer) formatting an 0200 (the typical MTI used for a Purchase/Sale) request to the Debit/EBT gateway.
  • The card issuer (or its authorizer) authorizes that request and treats it as the ‘letter of record’ (my term) to debit the account in its nightly posting cycle.
  • The Debit/EBT gateway may or may not require the inclusion of that Debit transaction in a nightly extract/settlement file (prepped and sent by the acquirer).
  • When you use the same card without a PIN, it’s called Signature Debit, because you sign for the transaction as you would with a credit card. Of course, new regulations muddy the waters further: at some merchant categories, a signature is no longer required for purchases under AUD$25, as Starbucks regulars know.
  • Now, the ultimate in misleading definitions: Signature Debit is often called Offline Debit, despite the fact that 99 times out of 100 the acquirer sends an online transaction request to get an approval decision (you’re not obligated to authorize these, but if you don’t, you open yourself up to chargebacks). For ISO8583-savvy folks, you send an 0100 – the auth MTI – in these situations.  The ‘offline’ designation comes from the fact that this online auth is not the letter of record.  In these situations, you (as the acquirer) are obligated – assuming the transaction isn’t subsequently reversed – to put these ‘offline debit’ transactions into the settlement/extract file.  And it is these items that the Issuer uses to debit the related bank account.  In other words, the ‘offline’ appellation here refers to the manner in which the bank account ultimately gets debited, not whether you sent an online request at the time of purchase.
  • Okay, to further complicate matters: this Offline Debit transaction is often referred to as a Credit.  Ugh.  Why?  Well, you auth it via a 0100, like credit.  And, when you stick the related entry into the nightly extract file, you format it as a Credit record.  For example, in the FDR North extract file, these transactions get formatted as the Credit ‘D’ record, not the Debit/EBT ‘Q’ record.  Indeed, from the perspective of a host-based payment system, you can’t tell the difference between a purchase conducted with a ‘true’ credit card and one conducted with a check card in PIN-less mode.  In the words of Dan Rather, “If it looks like a duck, walks like a duck, and quacks like a duck, it must be a duck.”
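The routing and settlement rules in the list above, as an added example that is not part of the original post: it classifies a day's approved purchases and builds the nightly extract. The `Txn` fields, function names and sample transactions are constructed for illustration; only the MTIs and the FDR North ‘D’/‘Q’ record letters come from the text, and no real extract record layout is modelled.

```python
from dataclasses import dataclass

@dataclass
class Txn:
    stan: str                   # trace number (constructed sample value)
    card: str                   # "credit" or "check" (dual-mode check card)
    pin_entered: bool
    was_reversed: bool = False  # reversed after approval

def classify(txn):
    """Return (label, request MTI, online auth is the letter of record?)."""
    if txn.card == "check" and txn.pin_entered:
        return ("online debit", "0200", True)
    if txn.card == "check":
        return ("signature/offline debit", "0100", False)
    return ("credit", "0100", False)

def build_extract(txns, gateway_wants_debit=False):
    """Return [(stan, record letter)] for the nightly extract of approved txns."""
    rows = []
    for t in txns:
        if t.was_reversed:
            continue  # reversed items never reach the extract
        _, _, letter_of_record = classify(t)
        if not letter_of_record:
            rows.append((t.stan, "D"))  # issuer debits from this record
        elif gateway_wants_debit:
            rows.append((t.stan, "Q"))  # only if the gateway asks for it
    return rows

# Constructed sample day: all approved at the point of sale.
DAY = [
    Txn("000001", "check", pin_entered=True),
    Txn("000002", "check", pin_entered=False),
    Txn("000003", "credit", pin_entered=False),
    Txn("000004", "check", pin_entered=False, was_reversed=True),
]

if __name__ == "__main__":
    for t in DAY:
        print(t.stan, *classify(t)[:2])
    print(build_extract(DAY))
    print(build_extract(DAY, gateway_wants_debit=True))
```

Transactions 000002 and 000003 come out with the same MTI and the same record letter, which is the host-side indistinguishability the last bullet describes.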
Posted by arthurvdmerwe on June 25, 2014, in Financial Switching. Tags: bank account, credit card, credit cards, Debit transaction
