Arrow Payments · Reference Guide

Payment Flow Diagrams

Web / E-Commerce · Physical Terminal · Card-Present
Web / E-Commerce Payment Flow

Card-Not-Present · From checkout to funds in account

Authorization Phase · ~1–3 Seconds
1. Cardholder: enters card on checkout
   → HTTPS/TLS (encrypted)
2. Gateway: tokenizes CHD, routes transaction
   → Auth request (secure API)
3. Processor: routes to card network
   → Network (ISO 8583)
4. Card Network: Visa/MC/Amex routes to issuer
   → Auth request
5. Issuing Bank: balance + fraud check
   → Approve (auth code)
6. Merchant: receives approval, fulfills order

Settlement Phase · End of Day
7. Batch Close: merchant submits daily batch
8. Processor: clears transactions
9. Acquiring Bank: funds merchant minus fees
10. Merchant Account: funds deposited in 1–2 days

Diagram legend: Key Actor · PCI Boundary · External Network · Encrypted/TLS
Authorization vs. Settlement — Critical Distinction
Steps 1–6 happen in 1–3 seconds and only reserve funds (authorization hold — no money moves). Actual money movement happens during Steps 7–10 at end-of-day batch close, with funds typically arriving 1–2 business days later.
PCI Scope — Web Payments
When using a hosted payment page or iFrame gateway, CHD never touches the merchant's servers. The gateway tokenizes at Step 2, removing the merchant from PCI scope and enabling SAQ-A compliance — the shortest SAQ type.
Step-by-Step Breakdown
# | Actor | What Happens | Timing
1 | Cardholder | Enters card number, expiry, CVV, and billing address at checkout. Data encrypted in transit via TLS/HTTPS immediately. | Real-time
2 | Gateway | Tokenizes CHD — replaces PAN with a token. Runs AVS, CVV match, velocity checks, and BIN lookup. Formats auth request and routes to processor. | <1 sec
3 | Processor | Formats transaction into ISO 8583 protocol and routes to the appropriate card network based on the BIN (first 6 digits of PAN). | <1 sec
4 | Card Network | Identifies issuing bank from the BIN and routes authorization request. Applies network-level fraud rules (e.g., Visa Advanced Authorization). | <1 sec
5 | Issuing Bank | Checks available balance, applies fraud scoring, validates CVV and AVS. Returns Approve (with auth code) or Decline (with reason code) back through the network. | 1–3 sec
6 | Merchant | Receives approval or decline via gateway. On approval, an authorization hold is placed on the cardholder's funds. Order is fulfilled. | 1–3 sec
7 | Merchant | Batch close — end of business day. Merchant (or gateway auto-closes) submits all authorized transactions for settlement. | EOD
8 | Processor | Clears transactions through card networks. Interchange fees calculated and deducted. Acquiring bank instructed to fund the merchant account. | EOD
9 | Acquiring Bank | Deposits net funds (transaction total minus interchange, processor fees, and service fees) into the merchant's bank account. | 1–2 days
10 | Merchant Account | Funds available. Monthly statements reconcile transaction totals, interchange breakdown, fees, and net deposits. | 1–2 days
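The gateway's tokenization in step 2, sketched as an added example (not Arrow Payments' or any gateway's code). The TokenVault class, the hosted_checkout function, and the tok_ prefix are assumptions made for illustration; the sample PAN is the widely published Visa test number.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: basic sanity check on a PAN before it is processed."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical gateway-side vault; the only place PAN and token are linked."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> dict:
        pan = pan.replace(" ", "")
        valid_form = pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19
        if not (valid_form and luhn_ok(pan)):
            raise ValueError("invalid PAN")
        # Random token: no mathematical relationship to the PAN it replaces.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        # Returned to the merchant: token plus BIN (first 6) and last 4 only.
        return {"token": token, "bin": pan[:6], "last4": pan[-4:]}

    def detokenize(self, token: str) -> str:
        """Gateway-internal lookup used when building the auth request."""
        return self._pan_by_token[token]


def hosted_checkout(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """The hosted page posts the PAN to the gateway; the merchant gets this back."""
    return {"amount_cents": amount_cents, **vault.tokenize(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample input: the widely published Visa test number.
    print(hosted_checkout(vault, "4111 1111 1111 1111", 2599))
```

The record the merchant stores contains the token, BIN, and last four digits, so a compromise of the merchant's order database does not expose a usable PAN.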
Physical Terminal Payment Flow

Card-Present · EMV / NFC / P2PE · From tap to funds in account

Authorization Phase · ~1–3 Seconds
1. Card / Wallet: chip / tap / swipe
   → EMV crypto (dynamic)
2. P2PE Terminal: encrypts CHD immediately
   → Encrypted P2PE blob
3. POS System: never sees CHD, passes cipher
   → TLS
4. Processor HSM: decrypts in secure HSM
   → Network (ISO 8583)
5. Card Network: routes to issuer
6. Issuing Bank: EMV validation, balance check
   → Approve (auth code)
7. Approved: receipt prints, transaction done

Settlement Phase · End of Day
8. Batch Close: terminal submits all txns
9. Processor: clears, calculates fees
10. Acquiring Bank: funds merchant minus fees
11. Merchant Account: net deposit in 1–2 days

Diagram legend: Key Actor · P2PE Security Boundary · External Network · P2PE Encrypted Blob
P2PE — The PCI Scope Game-Changer
With validated P2PE, CHD is encrypted inside the terminal hardware before it ever reaches the POS system or network. The POS only ever sees an encrypted cipher text — never the raw PAN. This removes the POS, network, and all connected systems from PCI scope, enabling SAQ-P2PE (~30 questions) instead of SAQ-D (300+ questions).
EMV Chip vs. Swipe — Why It Matters
EMV chip generates a unique cryptogram per transaction. Even if intercepted, the cryptogram cannot be reused — making counterfeit fraud essentially impossible. Magnetic stripe data is static and can be cloned. Arrow Payments strongly recommends EMV or NFC-only environments.
Step-by-Step Breakdown
# | Actor | What Happens | Timing
1 | Cardholder | Taps (NFC), dips (EMV chip), or swipes (magnetic stripe). EMV chip generates a unique transaction cryptogram — never reusable. | Real-time
2 | P2PE Terminal | Immediately encrypts CHD inside tamper-resistant hardware using a symmetric key managed by the P2PE solution provider. Raw PAN never exits the device in cleartext. | <0.1 sec
3 | POS System | Receives only the encrypted cipher text — never raw CHD. Adds transaction metadata (amount, MID, timestamp) and forwards to processor. POS is out of PCI scope. | <1 sec
4 | Processor HSM | Decrypts the cipher text in a secure Hardware Security Module (HSM). Now has cleartext CHD to format and route. Applies fraud scoring before forwarding to the card network. | <1 sec
5 | Card Network | Routes authorization request to the issuing bank. Applies network-level risk rules. Returns issuer response back through the chain. | <1 sec
6 | Issuing Bank | Validates the EMV cryptogram, checks available balance, applies fraud rules. Returns Approve (with auth code) or Decline (with reason code). | 1–3 sec
7 | Terminal | Displays approval, prints receipt. Transaction complete from cardholder's perspective. Authorization hold placed on cardholder funds. | 1–3 sec
8 | Merchant | Batch close — terminal submits all authorized transactions EOD. Auto-close is best practice to prevent authorization expiry (typically 7 days). | EOD
9 | Processor | Clears transactions through card networks. Interchange fees calculated based on card type, method, and data quality. Acquiring bank instructed to fund merchant. | EOD
10 | Acquiring Bank | Deposits net funds — transaction total minus interchange, processor markup, and Arrow Payments service fees. | 1–2 days
11 | Merchant Account | Funds available. Monthly statements break down transactions by MID/department, interchange category, fees, and net deposits. | 1–2 days
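A simplified model of the per-transaction cryptogram from steps 1 and 6, added here as an illustration (not EMV's actual algorithm or any issuer's code). It assumes one key shared by card and issuer and substitutes HMAC-SHA256 for the chip's real MAC and session-key derivation; the Card and Issuer classes are hypothetical.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, amount_cents: int, atc: int, nonce: bytes) -> str:
    # Stand-in for the chip's MAC: binds amount, counter and terminal nonce.
    msg = f"{amount_cents}|{atc}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Card:
    """Simplified chip: a secret key plus an application transaction counter."""

    def __init__(self, key: bytes):
        self._key = key
        self.atc = 0

    def sign(self, amount_cents: int, nonce: bytes) -> dict:
        self.atc += 1  # the counter advances on every transaction
        return {"amount_cents": amount_cents, "atc": self.atc, "nonce": nonce,
                "cryptogram": _mac(self._key, amount_cents, self.atc, nonce)}


class Issuer:
    """Simplified issuer check performed at step 6."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_atc = 0

    def authorize(self, txn: dict) -> str:
        expected = _mac(self._key, txn["amount_cents"], txn["atc"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "DECLINE: bad cryptogram"
        if txn["atc"] <= self._last_atc:
            return "DECLINE: counter already used"
        self._last_atc = txn["atc"]
        return "APPROVE"


def demo() -> list:
    key = secrets.token_bytes(32)  # constructed key for the example
    card, issuer = Card(key), Issuer(key)
    first = card.sign(2599, secrets.token_bytes(4))
    return [
        issuer.authorize(first),                           # genuine transaction
        issuer.authorize(first),                           # same message resubmitted
        issuer.authorize(dict(first, amount_cents=99)),    # amount altered in transit
        issuer.authorize(card.sign(1000, secrets.token_bytes(4))),  # next genuine one
    ]
```

Static magnetic stripe data has no counterpart to the counter and MAC checks in `authorize`, which is why a copied stripe can be replayed while a captured cryptogram cannot.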
Web vs. Terminal — Side by Side
Factor | Web / E-Commerce | Physical Terminal
Card Present? | No — Card-Not-Present (CNP) | Yes — Card-Present (CP)
CHD Entry Point | Cardholder types card number on checkout page | Card chip/tap/swipe at physical terminal
Encryption Method | TLS/HTTPS in transit; gateway tokenizes | P2PE encrypts at device; cipher passed to POS
Fraud Auth Method | AVS + CVV match + velocity + BIN lookup | EMV cryptogram validation + PIN (if debit)
Chargeback Liability | Higher — merchant bears more liability | Lower — EMV shifts liability to issuer
PCI SAQ Type | SAQ-A (fully outsourced) or SAQ-C | SAQ-P2PE (with validated P2PE) or SAQ-B
Auth Speed | 1–3 seconds | 1–3 seconds
Settlement | End of day batch; 1–2 business days | End of day batch; 1–2 business days
Counterfeit Fraud Risk | N/A — no physical card present | Near-zero with EMV chip (unique cryptogram)
Interchange Rate | Higher (CNP carries more risk) | Lower (CP with EMV = qualified rate)
Same Parties, Different Paths
Both flows pass through the same core parties — gateway/terminal → processor → card network → issuing bank → back. The key differences are where CHD is captured, how it's protected in transit, and how liability is allocated when fraud occurs.
Arrow Payments · Payment Flow Reference Guide · Internal Study Guide