Consumers and organizations have a variety of options for making and receiving payments. While these payment types share the ultimate goal of transferring funds from payer to payee, the path those funds travel and the approaches employed for safely and securely completing transactions vary. The Secure Payments Task Force developed the Payment Lifecycles and Security Profiles as an educational resource and to provide perspectives related to:

  • The lifecycles of the most common payment types, covering enrollment, transaction flow and reconciliation
  • Security methods, identity management controls and sensitive data occurring at each step in the payment lifecycles
  • Relevant laws and regulations, and other references, as well as challenges and improvement opportunities related to each payment type

The profiles employ a consistent format for describing the lifecycle of each payment type. The lifecycle template is not designed to represent the nuances of specific payment transaction flows, but as a broad taxonomy that can be applied across different payment types for understanding and comparing controls and risks. The profiles are not all-encompassing in describing the layered security strategies that may be employed by specific networks, providers or businesses and shouldn’t be considered an assessment of overall security of different payment types. The improvement opportunities noted in the profiles highlight areas for further industry exploration and are not intended as guidance or specific solutions to be implemented.

These valuable resources were developed through the collaborative efforts of more than 200 task force participants with diverse payments and security expertise and perspectives. It is the hope of the task force that by helping industry stakeholders better understand these payments processes, the security and risks associated with these processes, and potential improvement opportunities, they will be well positioned to take action to strengthen their payment security practices.

Note: These materials were created by the Secure Payments Task Force and are intended to be used as educational resources. The information provided in the Payment Lifecycles and Security Profiles does not necessarily reflect the views of any particular individual or organization participating in the Secure Payments Task Force. The document is not intended to provide business or legal advice and is not regulatory guidance. Readers should consult with their own business and legal advisors.

Card Not Present (CNP) Definition: A payment card (e.g. credit or debit) funded transaction whereby the cardholder does not physically present the card for a merchant’s visual examination at the time that an order is given and payment effected. This transaction may involve the cardholder typing his/her name, primary account number (PAN), one-time-use card number, virtual card number, account number, token, billing/shipping address, card verification code, biometric, PIN, and/or expiration date into a payment access device, which may include web or mobile based forms (e.g. internet browser, mobile browser, mobile application inclusive of in-app usage), or providing a portion of this information over the phone (mail order/telephone order – MOTO) to complete the purchase.

Enrollment

Payer ID / Enrollment

Enrollment of a payer includes identity (ID) proofing, management of users (enrollment, de-enrollment, and changes) and determination of authority based on role.

Payment Type Operation

Credit

Individual or organization requests credit account with issuer. Issuer verifies customer information in accordance with their Know Your Customer (KYC) program. The PIN associated with the account may be communicated to the cardholder via direct outreach, email, or physical mail.

For card not present authentication, merchant identifies required information based on relationship with customer; enrollment could mean the cardholder establishes an account or profile with the merchant.

Debit

Individual or organization requests debit account with issuer. Issuer verifies customer information in accordance with their Know Your Customer (KYC) program.

The PIN associated with the account may be communicated to the cardholder via direct outreach, email, or physical mail.

For the card not present authentication exercise, merchant identifies required information based on relationship with customer; enrollment could mean the cardholder establishes an account or profile with the merchant.

Overview of Security Methods and Associated Risks

Inventory of Sensitive Payment Data and Associated Risks

Payee ID / Enrollment

Enrollment of a payee includes identity (ID) proofing, management of users (enrollment, de-enrollment and changes) and determination of authority based on role.

Payment Type Operation

Credit

Acquirer approves merchant

Merchant is registered in advance and identification data is attributed when registered by the acquirer.

Debit

Acquirer approves merchant

Overview of Security Methods and Associated Risks

Inventory of Sensitive Payment Data and Associated Risks

Transaction*

Payer Authentication

Verification of payer when originating payments

Payment Type Operation

Credit

Cardholder and card verification methods include Primary Account Number (PAN) or PAN alternative (Virtual PAN, Token), expiration date, Card Verification Values¹, Address Verification (AVS), Card Holder Name, Mod 10 check, and out-of-band authentication/verification.

Payer authentication is ongoing, as merchants may perform some payer authentication controls pre-authorization and/or post-authorization, and pre-shipment vs. post-shipment (pre-delivery).

Debit

Cardholder and card verification methods include PIN, PAN or PAN alternative (Virtual PAN, Token), expiration date, Card Verification Values¹, Address Verification (AVS), Card Holder Name, Mod 10 check, and out-of-band authentication/verification.

Payer authentication is ongoing, as merchants may perform some payer authentication controls pre-authorization and/or post-authorization, and pre-shipment vs. post-shipment (pre-delivery).
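As an added illustration of the "Mod 10 check" listed above for both credit and debit CNP authentication (example code, not part of the task force's profile): the PAN format check and Luhn (Mod 10) check that a merchant's web or MOTO order form can apply locally before an authorization request is sent, plus masking of the PAN for receipts and logs. The sample PANs are constructed test values, and the accepted 12-19 digit length range is an assumption.

```python
import re

# Constructed sample PANs for illustration only (not real account numbers):
# the first passes the Mod 10 (Luhn) check, the second fails it by one digit.
SAMPLE_VALID_PAN = "4111111111111111"
SAMPLE_INVALID_PAN = "4111111111111112"

# Assumption: PAN lengths of 12 to 19 digits are accepted by the format check.
PAN_LENGTH_RANGE = range(12, 20)


def normalize_pan(raw: str) -> str:
    """Strip the spaces and dashes a customer may type into a web or phone-order form."""
    return re.sub(r"[\s-]", "", raw)


def pan_format_ok(pan: str) -> bool:
    """Format check only: digits and a plausible length. Nothing is sent to a network."""
    return pan.isdigit() and len(pan) in PAN_LENGTH_RANGE


def luhn_checksum(digits: str) -> int:
    """Mod 10 sum: every second digit from the right is doubled and, if the
    result exceeds 9, reduced by 9 (the same as summing its two digits)."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    """A PAN passes the Mod 10 check when the Luhn sum over all digits,
    check digit included, is divisible by 10."""
    return pan_format_ok(pan) and luhn_checksum(pan) % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass Mod 10. Appending a
    placeholder 0 shifts positions so the body digits are weighted as in luhn_checksum."""
    return str((10 - luhn_checksum(partial + "0") % 10) % 10)


def mask_pan(pan: str) -> str:
    """Keep only the last four digits so the full PAN is not retained in receipts or logs."""
    return "*" * (len(pan) - 4) + pan[-4:]
```

A Mod 10 pass only shows the number is well formed; it is a typo filter in front of the issuer's authorization, not evidence that the account exists or that the payer is its holder.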

Overview of Security Methods and Associated Risks

Inventory of Sensitive Payment Data and Associated Risks

Initiation: Access Mode / Network

Environment in which the payment origination is requested

Payment Type Operation

Credit

Telephone, online, mobile, mail order

Debit

Telephone, online, mobile, mail order, cardless ATM transaction originated via a mobile device

Overview of Security Methods and Associated Risks

Inventory of Sensitive Payment Data and Associated Risks

Initiation: Device / Method Used to Initiate Payment

Type of interaction or device used to enter payment account information

Payment Type Operation

Credit

Online Transactions: Internet-connected device (PC, smart phone, tablet)

Telephone purchases: Phone and Point of Sale (POS) where merchant manually enters card information

Mail order: Paper form and POS where merchant manually enters card information

Card on file Payments: Card information held at the merchant

Cloud wallet payments: App holds card information

Debit

Online transactions: Internet-connected device (PC, smart phone, tablet)

Telephone purchases: Phone and POS where merchant manually enters card information

Mail order: Paper form and POS where merchant manually enters card information

Card on file payments: Card information held at the merchant. PIN entry via e-commerce (e.g. with a virtual PIN pad)

Cloud Wallet Payments: App holds card information

Overview of Security Methods and Associated Risks

Inventory of Sensitive Payment Data and Associated Risks

Initiation: Funding Account for Payment

Entry and/or identification of the funding account (with format checks)

Payment Type Operation

Credit

Credit account

Debit

Demand Deposit Account (DDA)

Overview of Security Methods and Associated Risks

Inventory of Sensitive Payment Data and Associated Risks

Initiation: Payment Initiation Mechanism

Payment network, system and/or third-party accessed

Payment Type Operation

Credit

Merchant, acquirer, association or network, processor

Debit

Merchant, acquirer, association or network, processor

Overview of Security Methods and Associated Risks

Inventory of Sensitive Payment Data and Associated Risks

Payer Authorization: Payment Network Traversed

“Rails” used to route authorization requests to the holder of the funding account

Payment Type Operation

Credit

Authorization occurs through payment networks (e.g. credit networks).

Debit

Authorization occurs through payment networks (e.g. debit networks).

Overview of Security Methods and Associated Risks

Inventory of Sensitive Payment Data and Associated Risks

Payer Authorization: Transaction Authorization

Determination of whether to approve or decline a transaction including authorization time-frame, obligations, and any recourse decisions

Payment Type Operation

Credit

Transaction is confirmed but fulfillment may be delayed by merchant until fraud/risk screening is complete and/or until guarantee of funds.

Debit

Transactions are approved or declined by the issuer within payment network service-level agreements (SLAs) (includes “stand-in” transactions).

Overview of Security Methods and Associated Risks

Inventory of Sensitive Payment Data and Associated Risks

Format Exchange

Payment instructions, rules, and formatting

Payment Type Operation

Credit

Acquirer authenticates merchant

Debit

As data is transferred, any conversion from one format to another depends on the payment network and brands. Payment network rules dictate format exchange rules.

Overview of Security Methods and Associated Risks

Inventory of Sensitive Payment Data and Associated Risks

Receipt: Acknowledgement / Guarantee

Notification and confirmation of payment completion including terms for use

Payment Type Operation

Debit

Transaction is confirmed but fulfillment may be delayed by merchant until fraud/risk screening is complete and/or until guarantee of funds.

Overview of Security Methods and Associated Risks

Inventory of Sensitive Payment Data and Associated Risks

Payee Authentication

Mode of access to funds (or accounts)

Payment Type Operation

Debit

Acquirer authenticates merchant

Overview of Security Methods and Associated Risks

Inventory of Sensitive Payment Data and Associated Risks

Clearing and Settlement: Settlement / Exchange of Funds

Actual movement of funds to settle funding arrangements and applicable fees

Payment Type Operation

Credit

Settlement occurs per payment network rules (e.g. credit networks).

Debit

Settlement occurs per payment network rules (e.g. debit networks).

Overview of Security Methods and Associated Risks

Inventory of Sensitive Payment Data and Associated Risks

Reconciliation

Reconciliation / Exception Handling

Process and responsibilities associated with reconciling and handling any exceptions or problems with a payment

Payment Type Operation

Credit

Cardholder is required to report dispute within specified timeframe defined by payment network or card rules and regulations.

Debit

Cardholder is required to report dispute within specified timeframe defined by payment network or card rules and regulations.

Overview of Security Methods and Associated Risks

Inventory of Sensitive Payment Data and Associated Risks

User Protection / Recourse

Applicable rules, regulations, and legal means of recourse

Payment Type Operation

Credit

Determined by payment network rules and applicable consumer protection laws and regulation.

Regulation Z’s consumer protections apply to consumer credit.

Debit

Determined by payment network rules and applicable consumer protection laws and regulation.

Regulation E’s consumer protections apply to consumer debit.

 

Last Updated: 02/21/2018

Footnotes

¹ Card Verification Values represent data elements that are (1) encoded on the magnetic stripe or the chip of a payment card, or (2) printed on the physical payment card, and are used to validate the card information during the transaction authorization process. Card Verification Values encoded on the magnetic stripe (e.g. CAV, CVV, CVC, CSC) or on the chip (e.g. dCVV, iCVV) are generated via a secure cryptographic process and may be static or dynamic data used to validate the card during the authorization process. Card Verification Values printed on the physical card (e.g. CID, CAV2, CVC2, CVV2) may be three-digit or four-digit codes printed on the front or back of the physical card that are uniquely associated with the physical card and tie the primary account number to the physical card. Note: Payment network rules and the PCI Security Standards Council provide additional definitions of Card Verification Values.

*Note: Payments/Transfers Flow in Both Directions