The term acquiring bank (also referred to as a merchant bank, credit card bank, acquirer) denotes the independent financial institutions which authorise and process credit card payments on behalf of merchants. In this regard, an acquiring bank concludes what is known as a credit card acceptance agreement with the merchant as well as a licence agreement with the relevant credit card association (e.g. Visa or MasterCard). A merchant must have a credit card acceptance agreement with an acquiring bank in order to offer and accept credit cards as a payment method for their goods or services.
More information about acquiring banks:
- Origin of the term: ‘acquiring service provider’
- Explanation pattern: who is involved in processing a credit card transaction?
- Difference between acquiring banks and payment service providers (PSP)
- Risks for acquiring banks: cancellations and chargebacks
- Security: rules and regulations for credit card banks
- Full-service provider special case: issuer, acquirer and PSP all in one
1. Origin of the term acquiring bank: An intermediary between a credit card company and a merchant
The name ‘acquiring bank’ expresses just one of the two core tasks of this type of financial institution. From the perspective of a credit card company, one of the two core tasks involves gaining (acquiring) new merchants, and subsequently credit card acceptance points, in both physical stores and online trade. With each new merchant who joins the network, the distribution and total sales of this credit card brand expand. The second core task of an acquiring bank involves processing all credit card payments for the merchants that it has acquired. In the context of these two central responsibilities in the credit card payment cycle, a more accurate term would therefore be an ‘acquiring and processing merchant bank’.
2. Explanation pattern: Who is involved in processing a credit card transaction?
The credit card payment process is based on the cooperation between several parties and takes place over several individual steps. Below is an overview of all the parties involved in a credit card transactions and the individual responsibilities of each:
- Credit card association: The umbrella brand companies for credit cards are generally structured based on the principle of an association. The credit card associations grant licences for the issuing of their credit cards to an issuing bank and define the regulations for use (consumers) and processing (acquiring bank). International credit cards include American Express, Diners Club, MasterCard and Visa. Some major regional credit cards also include China UnionPay (China), Discover Card (USA) and JCB (Japan Credit Bureau).
- Issuing Bank (credit card issuing bank, customer bank): The issuing bank is the financial institution with which the consumer concludes the credit card agreement and which ultimately also issues the credit card to the customer (customer bank). The issuer requires a licence from the credit card company for this purpose. The issuing bank is therefore also responsible for settlement with the customer.
- Credit card holder (customer): The customer can choose from various credit card brands as well as from various issuing banks and their respective terms. The card holder settles their credit card payments exclusively with their issuing bank, which is also responsible for issuing receipts. When the card holder makes a payment using their credit card at a merchant, the acquiring bank checks the validity of this transaction and then, where applicable, authorises the customer bank of the card holder to transfer the corresponding amount from the customer’s account.
- Merchant (contract partner): From this perspective, the merchant is an additional commercial credit card acceptance point, where credit cards are accepted as a payment method. If a merchant wishes to offer credit card payments to their customers, they first need to conclude what is known as a credit card acceptance agreement with an acquiring bank, in which the payment and security terms as well as charges accrued are governed. The acquirer then processes all credit card payments for the merchant with a specific credit card, as well as additional e-payment options if applicable, and settles these with the various issuing banks of the card holders.
- Acquiring bank (merchant bank): The acquiring bank is the financial institution which processes the authorisation and processing of all credit card transactions for an acquired, contractually bound merchant with a certain credit card brand. They receive a certain percentage of total sales from the merchant (discount: generally 1.5–5% of the transaction volume). The merchant bank then in turn needs to pay a fixed portion of this to the issuing banks of the card holders. As of December 2015, these ‘interchange fees’ are now capped at 0.2% of the transaction amount for debit cards (EC card and Girocard) and 0.3% for credit cards in the European Union, compared to up to 2.2% as was previously the case. The acquirer then credits the payment amounts to the merchant’s account in their house bank at regular intervals.
3. What is the difference between an acquiring bank and a payment service provider?
Payment terminal service providers and payment service providers (PSPs):Payment terminal service providers provide the technical infrastructure (such as card readers) at points of sale, with which merchants can accept credit cards and transmit the data to the acquiring bank for processing. Payment service providers are similar to the payment service providers in e-commerce. Instead of ‘physical’ card readers, they offer and maintain electronic payment methods via secured gateways for online shops (also known as e-payments, micropayments or processors). In addition to credit card payments, these predominantly include direct debit, e-banking, e-wallets and PayPal. The transaction information is then again passed on the relevant financial institution for processing. For recording and transmitting payment information, both service providers typically charge a fixed fee per transaction (‘gateway fee’).
Acquirers can also be PSPs, but not the other way round:The rapid growth of online trade is also leading to increasing demand for secure online payment methods. Some major acquiring banks therefore also offer this service. In practice, they also take on the responsibilities of a payment service provider and offer the integration of electronic payment solutions and the processing of all cashless payments from a single source (see below). A major acquiring bank can therefore always also be a payment service provider, whereas a PSP cannot take on the responsibilities of a merchant bank.
4. Risks for acquiring banks: Cancellations and chargebacks
In the case of a subsequent cancellation (refund) by the card holder or due to goodwill on the part of the merchant in the case of a return, the chargeback leads to increased administration work throughout the entire credit card payment chain. The corresponding costs incurred by the credit card association, issuing bank and acquiring bank can total up to €20–60 and are charged to the merchant, as agreed in the contract. Merchants can protect themselves against these financial risks with a special chargeback insurance. Typically, with a chargeback rate of above 1%, merchants are classified as a risk by the acquiring bank, generally resulting in financial penalties, higher fees and higher security deposits. Depending on the grading, the security deposit is 5–15% of total sales earned over six months.
5. Security: What rules and regulations apply to acquiring banks?
Due to the high risk in electronic transactions, acquiring banks and all service providers involved in the credit card payment process must follow stringent IT security standards and guidelines for fraud prevention. The corresponding regulations are compiled in the Payment Card Industry Data Security Standard (abbreviated as PCI-DSS), supported by all major credit card associations.
- The Payment Card Industry Data Security Standard is based on the security standards of the major international credit card associations Visa (AIS and CISP), MasterCard (SDP), American Express (DSOP), Discover (DISC) and JCB.
- All financial institutions, service providers, companies and merchants involved in the credit card payment chain and which store, process and transmit credit card information are required to have PCI-DSS certification. They are required to demonstrate the security of their computer networks at regular intervals and undergo external security scans on a quarterly basis in most cases.
- The stringent PCI-DSS security standard also applies to merchants. They need to meet all necessary conditions to obtain PCI-DSS certification from their acquiring bank. In e-commerce, PCI-DSS payment service providers are therefore usually assigned the task of integrating, recording and transmitting Internet payments.
- The PCI-DSS regulations consist of twelve strict security requirements for the computer networks of all parties involved in credit card payments. In the case of infringements, high financial penalties and restrictions may be imposed, through to withdrawal of the credit card acceptance licence. 1. Installation and maintenance of a firewall; 2. Explicit guidelines for passwords and security settings; 3. Security regulations for saved customer data; 4. Encryption of data transmission; 5. Up-to-date virus protection; 6. Maintenance of software and apps used; 7. Restriction of access rights; 8. Unique user identification for all computers involved; 9. Restriction of physical access options; 10. Logging of all data access; 11. Regular check intervals and external security scans, based on annual transaction volume; 12. Introduction and maintenance of further IT security guidelines.
6. Full-service provider special case: Issuing bank, acquiring bank and PSP all in one
Some major credit card-merchant banks now provide their customers (merchants) with a comprehensive full-service offer. As a full-service provider, they combine all credit card payment expertise under one roof, and, based on these synergies, can save time, work, costs and charges. Of particular benefit for merchants is the combination of a credit card issuing bank for the customer, a processing acquiring bank for the merchant and a payment service provider which collects and transmits data.
Wirecard is one of the world’s leading full-service providers:
- Global network
- Issuing bank, acquiring bank, PSP payment solutions and e-commerce gateways
- Member of Visa, MasterCard and JCB International
- Subject to the security standards of a full-service German bank and monitored by the Federal Financial Supervisory Authority (BaFin)
- Member of the deposit protection fund of German banks