How the 4 companies behind every single credit card swipe prevent outages and thwart hackers from getting your data
- Just 4 payment processing companies are behind each credit or debit card swipe.
- The companies are basically huge data centers that look at billions of transactions 24/7.
- If one of the big four processors had an outage, merchants would be the most affected.
Dozens of large businesses - from McDonald's and Chick-fil-A, to a local DMV and car wash - couldn't accept credit card payments one afternoon in February, creating a flurry of confusion and frustrated customers.
The problem, which only lasted a few hours, can be traced to a backend system operated by just four companies that underpins much of the payments ecosystem. Most consumers know little to nothing about it.
When customers slip their debit or credit cards into a machine at a business, a little phrase pops up: "authorizing payment." Those two words reference an elaborate system that allows the multi-billion dollar payments processing industry to approve the charge for the customer.
It sounds simple, but the processors - the companies that handle every card payment by communicating between the merchant's and customer's respective banks - must each use an elaborate system of backups to keep the consumer economy running each day. An outage would leave many merchants scrambling to avoid losing sales from consumers who increasingly don't carry cash.
On top of that, they're pounded by hacking attempts from criminals wanting to steal payment information, meaning their cybersecurity must be top notch.
But in their simplest form, "you can think of them as being these huge data center-based companies that are processing billions upon billions of transactions, 24/7, 365," said Lisa Ellis, an analyst at MoffettNathanson.
On Feb. 26, when Fiserv, one of those payments processors, had an internet outage, merchants across the US couldn't take electronic transactions until the issue was resolved. The company provides services to a majority of fast-food restaurants, which explains why Chick-fil-A, McDonald's, and Popeyes were some of the businesses affected that day.
Fiserv, FIS, Global Payments, and JPMorgan Chase together account for about 80% to 90% of the payments processing industry in the US, according to MoffettNathanson. That means each time you swipe your card, there's about a 90% chance one of those businesses is responsible for approving the payment.
A case of an "outage," in which many merchants can't process card payments, is extremely rare, according to Ellis and Robert Le, an analyst at PitchBook. That's because the processors have backups for every single part of the process.
"The IT infrastructure of any large company has a whole backup plan to it," Ellis said. It's "a business continuity plan that says, 'OK what's the redundancy that's built in here in case something goes down?'"
Payments processors have backup internet providers and backup data centers that process payments in case one data center goes down. If a card is taking longer than normal to authorize, it might be because the payment is being routed to a data center farther away.
A spokesperson for FIS told Insider the company has heavily invested in its infrastructure "to minimize the likelihood and impact of an outage." It regularly tests backups, like its "auto failover" that allows payments to move between data centers as needed, they said.
Global Payments didn't respond to Insider's request for comment, and a representative from JPMorgan Chase declined to discuss company operations and cybersecurity measures.
As for Fiserv, which had the issues in February, a company spokesperson said: "Redundancy and resiliency are built into our solutions." That includes multiple internet service providers and data center backups across the country, they said.
In February, despite the hours-long wait before many merchants could once again accept digital payments, Cave said Fiserv's internet backups worked as intended. She added that "the initial internet service provider outage created a secondary impact for some clients."
A widespread, long-term outage at a payments processor is "very rare," Le, the PitchBook analyst, said.
So rare, in fact, that when Visa, a payments provider that works with the processors, had an outage in Europe in September 2018, people thought it might have been a terrorist attack, Ellis said. More than 5 million transactions failed over the 10-hour outage because of a rare data center malfunction, Finextra reported at the time.
"People were freaking out," Ellis said, "because it's so unusual."
Though the Visa outage was a data malfunction, payments processors and others in the network must be on top of cybersecurity to prevent service problems related to hacking. They're "bombarded constantly with cybersecurity attacking attempts" because criminals want to get payment information, Ellis said.
"Aside from military agencies and stuff like that, they've got to be some of the most attacked networks in the world because they contain payment information," she said.
Outages, though rare, likely affect merchants the most, considering the lost sales and the damage to their brand reputation with customers, according to Le.
"Consumers nowadays don't carry any cash," Ellis said. "So if you were in a store buying anything of a reasonable size and you couldn't use a card, most consumers would just walk out."
Over the years, cash has become less widely used as card payments have taken over. Card penetration, or the number of consumers using a card instead of cash, is about 60% to 70%, according to Ellis, but that varies across the country. In New York City, for example, card usage is even higher.
If there were a big outage at a payments processor in the future, it could "lead to a call to bring cash use back into the system," Le said. But in the long term, merchants are likely to look for support from multiple payments processors, instead of just relying on one, he said.
Large businesses in the US usually do have multiple processors, so they have a backup in case one goes down. But smaller merchants generally don't, Ellis said.
Amid the COVID-19 pandemic, cash increasingly became a thing of the past, as merchants sought to use more contactless payments to avoid exposure to the virus. And the future of payments is likely digital, as Insider Intelligence predicts they will continue to grow from 2023 and beyond.