Wednesday 28 July 2021

Payment Security: Understanding the Four Corner Model

Online shopping digital payment transactions may seem quite simple, but in reality, just one single transaction sets off multiple, long-chain reactions. The Payment Card Industry comprises debit cards, credit cards, prepaid, e-purse/e-wallet, and POS payment transactions that enable easy payment transactions for consumers. However, the card scheme is a popular payment transaction process which is also a central payment network that uses credit and debit cards to process payments. 

The card scheme comes in two variants namely the Three-Party Scheme and the Four Party Scheme payment model. The Four Corner Model also popularly known as Four-Party Scheme is the model under which most of the payment systems in the world operate. It is used in almost all standard card payment systems around the globe. So, explaining in detail the payment model, we have shared details on how the Four Corner Model works while also explain the role of every entity involved in it
The Payment Network: Four Corner Payment Security Model
The Four Corner Model of Payment Security and How it Works
The card payment network, often called the Four Party Scheme, comprises multiple entities involved in an online transaction. The entities involved would include the Cardholder, the Merchant, the Issuer, and the Acquirer. So, before moving on to understanding how the Four Corner Model works, let us briefly learn about the entities involved and their role in the process.

Cardholders are the consumers who are issued a debit or credit card by a financial institution, such as a bank. The cardholder is a client of the issuing financial institution and may have an account directly linked to the payment card. The cardholder uses the card to make financial transactions for products or services they avail from businesses.

Merchants are organisations that accept card payments from cardholders for the products or services they offer to them. These can be merchants offering “Card Present Payment” digital payment options such as card swipe terminals and/or “Card Not Present” digital payment options such as online portals or even using modes such as UPI at the POS itself.) For instance, the e-commerce platforms, restaurants, hotels, and shops equipped with POS payment terminals, etc. can be termed as merchants. For that matter even an ATM can be termed as a Merchant as the primary role of the merchant is to “accept” payment cards.

Issuer/Issuing Bank
The issuer is the Financial Institution that issues the payment card to the cardholder. It is generally the bank that issues a payment card which could be a debit card, credit card, or prepaid card. However, it is important to note the issuing bank on behalf of various payment card brands like Visa, Mastercard, American Express etc provides customers with payment cards. This can even be a private payment brand or network like a domestic scheme. But it is the issuing bank that is responsible for the security of the payment card, the cryptography, and the other relevant security controls.

An acquirer is basically a software and hardware vendor who provide a medium or a tool for accepting payment cards to the Merchants. They are a third-party system and not the bank where the merchant has an account. So, an acquirer provides hardware or a software application to the merchant for accepting card payments and process the transactions. That said, the acquirer is responsible for managing the final return authorization codes from a transaction and ensures the merchant delivers the goods or services based on the payments received. Examples for this can be Razorpay, PayU, Paytm, etc.

How the Four Corner Model Works
The Four Corner Model triggers when a consumer makes a payment online with a payment card for products or services purchased from the merchant. This triggers the event or flow of payment authentication and processing with various entities involved in the process. However, for this to happen a cardholder needs to have a payment card while the POS terminal of the merchant must be able to accept the payment card.

So, when a customer makes a payment with the card, an authorization request transmits from the merchant's POS terminal to the acquirer, and then to the issuer who either returns a positive or negative response which then again goes back to the merchant and then to the cardholder. The authorization process and response can be obererved on the POS terminal screen. It is important to note that the authorization requests and associated responses are transmitted via the card networks like VISA and MasterCard or a vast network of switches, gateways, and servers by card scheme network. On receiving a positive response from the issuing bank, the merchant processes the delivery of the goods or services to the client. At this point, it is also important to note that the Four Corner Model can also be a Three Corner Model if the Acquirer bank is skipped in the process, and the switches and gateways route the authorization flow directly to the Issuer. This makes the payment process less hassle on the payment network and also speeds up the transactions.

While this is just one side of the payment process, now there is the clearing and settlement process that requires the merchant to transmit the transaction details to the acquirer. On receiving the transaction details, the acquirer collects the funds from the cardholders’ account by transmitting the corresponding payment flows to the issuing banks. So finally the merchant bank receives the money only after there is an interbank settlement of funds.

The Four Corner Model is a popular model for online payment transactions. It is a systematic payment transaction process that facilitates end-to-end secure transactions that are ciphered and protected at every stage of the information or payment transmission process. That said, such payment transactions often need HSM and automated key management to prevent hacks or criminal activity during the processing of online payment transactions. It provides the framework for managing numerous keys throughout their life cycles and ensuring secure payment transactions.

Author Bio
Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC)
is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2,

PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.


Unknown said...

Am excellent primer for understanding the roles of 4 parties involved in card transactions. Thanks to Mr. Sahoo for raising the awareness.

Ashok Sharma said...

Credit card fraud and identity theft are the concerns of payment processing. Great Read. Informative Four Corner Model of Payment Security.