There are three basic methods for determining whether your credit card will pay for what you're charging:
  • Merchants with few transactions each month do voice authentication using a touch-tone phone.
  • Electronic data capture (EDC) magstripe-card swipe terminals are becoming more common -- so is swiping your own card at the checkout.
  • Virtual terminals on the Internet

This is how it works: After you or the cashier swipes your credit card through a reader, the EDC software at the point-of-sale (POS) terminal dials a stored telephone number (using a modem) to call an acquirer. An acquirer is an organization that collects credit-authentication requests from merchants and provides the merchants with a payment guarantee.

When the acquirer company gets the credit-card authentication request, it checks the transaction for validity and the record on the magstripe for:

  • Merchant ID
  • Valid card number
  • Expiration date
  • Credit-card limit
  • Card usage

Single dial-up transactions are processed at 1,200 to 2,400 bits per second (bps), while direct Internet attachment uses much higher speeds via this protocol. In this system, the cardholder enters a personal identification number (PIN) using a keypad.

The PIN is not on the card -- it is encrypted (hidden in code) in a database. (For example, before you get cash from an ATM, the ATM encrypts the PIN and sends it to the database to see if there is a match.) The PIN can be either in the bank's computers in an encrypted form (as a cipher) or encrypted on the card itself. The transformation used in this type of cryptography is called one-way. This means that it's easy to compute a cipher given the bank's key and the customer's PIN, but not computationally feasible to obtain the plain-text PIN from the cipher, even if the key is known. This feature was designed to protect the cardholder from being impersonated by someone who has access to the bank's computer files.
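The check described above, as an added example that is not part of the original article: the bank stores only a keyed one-way value and verifies a PIN by recomputing that value and comparing. HMAC-SHA256 stands in for the one-way transformation, which the article does not name; the class, the key, the account numbers, the PINs and the retry limit are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3  # assumed retry limit; a short PIN needs one


class PinVerifier:
    """Stores only a keyed one-way value per account, never the PIN itself."""

    def __init__(self, bank_key: bytes):
        self._key = bank_key
        self._ciphers = {}   # account number -> stored one-way value
        self._failures = {}  # account number -> consecutive wrong entries

    def _one_way(self, account: str, pin: str) -> bytes:
        # Binding the account number in means two customers with the same
        # PIN do not end up with the same stored value.
        msg = account.encode() + b"\x00" + pin.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def enroll(self, account: str, pin: str) -> None:
        # Assumed PIN format: 4 to 12 ASCII digits.
        if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 12):
            raise ValueError("PIN must be 4 to 12 digits")
        self._ciphers[account] = self._one_way(account, pin)
        self._failures[account] = 0

    def verify(self, account: str, pin: str) -> bool:
        stored = self._ciphers.get(account)
        if stored is None or self._failures[account] >= MAX_ATTEMPTS:
            return False  # unknown or locked account
        # Recompute and compare in constant time; nothing is ever decrypted.
        ok = hmac.compare_digest(stored, self._one_way(account, pin))
        self._failures[account] = 0 if ok else self._failures[account] + 1
        return ok

    def stored_value(self, account: str) -> bytes:
        return self._ciphers[account]


def demo() -> dict:
    bank = PinVerifier(secrets.token_bytes(32))  # constructed key
    bank.enroll("4000-0001", "4821")             # constructed accounts and PINs
    bank.enroll("4000-0002", "4821")
    same = bank.stored_value("4000-0001") == bank.stored_value("4000-0002")
    wrong = [bank.verify("4000-0002", p) for p in ("0000", "1111", "2222")]
    return {"correct": bank.verify("4000-0001", "4821"), "same_value": same,
            "wrong": wrong, "locked": bank.verify("4000-0002", "4821")}
```

Because a PIN has so few possible values, the retry limit matters as much as the one-way function: after three wrong entries the second account rejects even the correct PIN.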

Likewise, the communications between the ATM and the bank's central computer are encrypted to prevent would-be thieves from tapping into the phone lines, recording the signals sent to the ATM to authorize the dispensing of cash, and then feeding the same signals back to the ATM to trick it into dispensing cash without authorization.

If this isn't enough protection to ease your mind, there are now cards that utilize even more security measures than your conventional credit card: Smart Cards.