How Do Credit Cards Work

Ingenious evolution of the modern bankcard

Every time a bank card is swiped data points are transferred, analysed and an authorisation decision is made within the blink of an eye. Within 300 milliseconds to be precise.

Rajat Taneja, the president of technology at Visa, says that happens on an average day nearly 700 million times.

In the modern banking system, a person’s hard-earned cash is translated into a series of ones and zeros. The bank card is the digital key that unlocks it.

A bank card is made up of four physical components: a pocket-sized piece of plastic, a microchip, a magnetic stripe and a contactless antennae.

The stripe encodes the ones and zeros as a series of magnetic and nonmagnetic spaces. Sprinkling some iron filing onto the magnetic stripe and tapping away the excess will reveal a barcode pattern which contains all the information needed to complete a transaction. The first bit would spell out a person’s card number, followed by their name and prefix, the card’s expiration date and a security code.

Bank of America and the Fresno Drop

In mid-September 1958, Bank of America (BoA) launched a promotional campaign that would revolutionise the financial system. The bank mailed all of its 60,000 customers in Fresno, California one of the first all-purpose credit cards issued in the US. At that time, cash and cheques still reigned supreme, and so BoA incentivised customer participation by preloading the cards with $300 in credit.

The trial was a resounding success. Consumers began to pay on plastic for the first time, and within a year, over two million cards had been sent out all over California. The BankAmericard programme set BoA up as a precursor to one of the largest credit card issuers and payment networks worldwide: Visa.

Consumers couldn’t tap or swipe to make purchases with those early prototypes of the credit card. Merchants had to place the card into a device, stack a carbon-paper sales slip over it and slide a bar over the card to copy the embossed account information. One copy of the sales slip went to the customer, and the merchant sent the other copy to the bank to begin the process of receiving payment. But the process was time consuming and prone to error. A more reliable system was needed before the credit card became the modern fixture that it is today.

The solution came from an unlikely source: the American CIA.

Magnetic Stripes

In 1961, during the midst of the cold war, the agency was preparing to move into its new headquarters in Langley, Virginia. The sprawling building posed a major security issue, as posted security guards were expected to recognise all the people with the clearance to enter. The CIA tasked computer engineers at IBM with creating a secure ID card. Magnetic tape was already being used at the time to record and store digital information, so the engineers only had to figure out how to permanently attach the tape to a plastic card. IBM engineer Forrest Parry is credited with inventing the magnetic stripe card, but his wife, Dorothea, provided the cinching solution. Parry was attempting to adhere the stripe to the plastic with glue, which warped the tape and distorted the encoded information. He recounted his struggles to his wife while she was ironing clothes. She suggested using an iron to bond the tape to the card — and the solution stuck. The magnetic stripe remains a common fixture among credit and debit cards, gift and stored-value cards, hotel keycards and ID badges.

But scammers quickly realised that the magnetic stripe had some fundamental security flaws. The information isn’t encrypted and can be easily copied with the proper device.

Tony Sales, dubbed “Britain’s greatest fraudster”, stole £30m over the course of his criminal career. Now, he shares trade secrets in an attempt to protect companies and consumers from fraud.

Sales committed his first credit card fraud at age 13. He would ask friends working in retail to put a card skimmer behind the counter, away from customer eyes, and swipe the card to steal their information. Then he could use the details to commit identity fraud or sell their info to other criminals.

“I was young, foolish, full of ego and wanted to be someone,” he told the Mirror. “I’ve spent the rest of the time trying to prove myself.”

The reformed con artist recently staged a street campaign to demonstrate how easily someone can be tricked into divulging personal information. A hidden film crew recorded him asking passers-by to sign up for anti-scam tips from an organisation called MACs (“scam” spelled backwards). An alarming percentage of the people questioned gave up sensitive personal information, including their full name, address, phone number, email address and date of birth. After revealing his background to those who were overly forthcoming, he warned them about the consequences of letting their personal data fall into unscrupulous hands.

“Fraud causes poverty, and some people never recover from it,” he said.

Microchip security upgrades

The bank card has evolved over time to incorporate stronger security measures. US inventors Jack Kilby and Robert Noyce patented the technology for the microcomputer chip in the late ‘50s. French inventor Roland Moreno pioneered the use of smart cards in the mid ‘70s.

Moreno originally wanted the technology to be worn as a ring, providing digital authentication similar to the individual authority granted by signet rings throughout the ages. The chipped ring idea didn’t catch on, but Moreno simplified the design by converting it into a card format. He created the world’s first chipped card and reader requiring a secret code, or PIN, to access. He even added a James Bond touch to early iterations, where the chip would self-destruct after three incorrect code attempts.

The banks were hesitant to adopt the technology, as the chipped card was much more expensive than the magnetic stripe standard. But in 1983, France Télécom incorporated the smart card across its network of pay phones. French banks followed suit in 1992, launching the national debit card system, Carte Bleue.

Moreno’s chip-and-PIN technology didn’t reach the US until 1999; the UK was even further behind, with its first trial run in 2003.

By the time Moreno died in 2012, his company, Innovatron, had collected around €150m in royalties. He is hailed as a French hero, although he never received the global name recognition of similar tech entrepreneurs. According to his friends, if he were more organised, he could have been “a billionaire, the French Bill Gates.”

Chip and PIN technology dramatically reduced card fraud — but criminals evolve just as swiftly as technology. Hackers have proven capable of capturing the data conversation between cards and terminals, while a new generation of skimmers and spy-cams are being installed on ATMs and pay-at-the-pump stations to harvest account information and PIN numbers.

Tap for contactless payments

The technology behind contactless card payments relies on radio frequency identification (RFID) — and can be traced back to the Cold War between the US and the Soviet Union.

Russian physicist Lev Sergeyevich Termen, known as Leon Theremin in the West, invented the first passive RFID listening device. He is more widely known as the inventor of one of the first electronic musical instruments to be mass-produced — the theremin. The instrument is controlled without physical contact by the performer. The theremin produces an otherworldly sound as the performer moves their hand around metal rods, interrupting the electromagnetic field and changing the frequency of the sound. It’s a common feature among sci-fi soundtracks. Theremin invented his namesake instrument in 1919 and patented it in 1928.

In 1938, the musician was accused of being a counter revolutionary, arrested and sent to a Gulag labour camp. Within two years, Theremin was transferred to a secret research and development laboratory in the Gulag system, where his physics expertise aided the country’s espionage efforts.

In 1945, Soviet-era Russia gave the American ambassador a gift — a carved wooden replica of the Great Seal of the US. The sculpture was presented by a group of school children as a symbol of friendship and goodwill between the nations. The ambassador prominently displayed the seal in his office, but hidden within the sculpture was a small, sophisticated bugging device. The unpowered passive listening device was only discovered by accident, seven years and four ambassadors later. The device consisted of a monopole antenna connected to a resonator with a flexible sound-sensitive membrane and relied on a transmitter outside the embassy to create modulated backscatter of conversations within the room. The device was essentially the first long-range passive ultra-high-frequency RFID tag, and modern RFID variants operate along those same basic principles.

Back to the modern bank card, this technology now powers contactless payments. Deconstruct a contactless-capable bank card, and the loop of cooper wire that serves as the antenna will be revealed. The wires power the microchip within the card by picking up the signal transmitted by the payment processing device and converting it into electricity. Barclays introduced contactless payments in the UK in 2007.

Enhanced security for card-not-present transactions

Anyone who’s ever purchased something online will be familiar with the three- or four-digit code on the back of the card, the CVV, or card verification value. Unlike the card account number, the CVV isn’t stored in online merchant databases, making it similar to the signature or PIN required for in-person purchasing. The CVV was introduced in the ‘90s to combat fraud as online shopping became more prevalent.

The innovation starts with an unlikely source — the porn industry. Richard Gordon was hired by a small company to investigate the disproportionately high number of credit card chargebacks in the adult entertainment industry. Chargebacks result when a customer successfully disputes a transaction on their account statement to receive a refund.

Gordon found that 25 percent of customers claimed they’d never called a phone-sex line. This meant that a quarter of the business’ monthly income was being disputed, most of which ruled in the favour of the clients, not the company. Dispute claims were costly for the porn companies and the banks that processed the payments. In the early ‘90s, it cost around $12 just to resolve a dispute, not to mention the lost charges, so the banks began to pressure the industry to come up with a solution.

“We built something called electronic authorisation systems, which basically analysed every transaction in real time to see if there were other calls from the same number,” said Gordon. “There were a series of algorithms that we had that analysed the transactions.”

His system was able to cut down fraud by proving the calls had been made. The banks encountered a similar issue as adult entertainment shifted online.

“Banks didn’t want to be associated with anyone that was involved in the adult industry,” he said. “So, part of my job was to break that firewall down and open up the banking to the industry. As we developed into the online world, we had to continuously upgrade and monitor the systems so that they could stay ahead of the fraud.”

By the mid ‘90s, internet shopping was gaining in popularity, and the banks were seeking new methods to make consumers feel more secure. A security code for card-not-present transactions was developed by UK Equifax employee Michael Stone in 1995. The CVV was originally an eleven-character alphanumeric code comprising cardholder information, but which was prohibited from being stored online by merchants. The CVV quickly evolved into the short numerical code that is now used worldwide.

Criminals evolve in-step with financial innovations

Natalie Kelly, the chief risk officer at Visa Europe, heads the department tasked with analysing anomalies to prevent fraud. She says enumeration bots are often behind the high data spikes that can flag an attack.

She likens the verification process to a locker requiring a three-digit code for access. “You could roll those numbers a thousand times, and you’re eventually going to get it right. Enumeration is the same thing, but with a bot.”

The bots can generate millions of account numbers, expiration dates and CVV numbers, until they chance upon the correct combination. The bots work autonomously, and after acquiring the card number and verification codes, they’re programmed to make high-value purchases that can be quickly sold for cash on the black market.

“It’s basically our AI against their AI,” Kelly explained from Visa’s fraud war room. “They’re getting more sophisticated every day.”

She demonstrated how easily a criminal can find a hacker for hire, opening a page on the dark web reminiscent of Amazon’s marketplace. Vendors proudly display customer ratings alongside listings of stolen credit numbers. Criminals are paying each other in bitcoin, which uses super-secure three-factor authentication — leaving zero room for fraud amongst the fraudsters.

Biometrics could make the bankcard obsolete

Fingerprinting has been around since the 1800s. Primitive voice recognition machines first showed up in the ‘50s, followed by early versions of face and iris recognition. These technologies are now common security features on smart phones and are moving steadily into the world of payments processing.

Facial recognition payments are under development at Visa’s Innovation Centre. Richard Tomsett, a senior applied scientist at Onfido, and Charlotte Hogg, the CEO of the Visa Europe, met with Hannah Fry, the mathematics professor who hosts BBC’s The Secret Genius of Modern Life, to explore how the future of spending is shaping up.

Hogg points out how people are unique in many different ways — face, voice, fingerprints or even the way someone types. “If you move to a world where we’re increasingly using biometrics, you can begin to take out the steps that we probably don’t realise are quite clunky today.”

Hogg and Tomsett walked the mathematician through the facial recognition software they’re developing for the payments system. Frey uploaded her driver’s license to the system then used the app to video-verify her identity, slowly turning her face so the system’s AI could match axis points between the driver’s license photo and video.

Tomsett says that the AI might have issues if a serious change to a person’s face occurred. Getting glasses, growing a beard or wearing makeup wouldn’t phase the AI. A nose job might, though, as the model plots elevated and recessed points on the face.

They test the AI with a print-out of Frey’s face. As it’s turned, the model becomes increasingly confident that the face isn’t genuine. Tomsett tugs on a 3D-printed full-head mask and tops it off with a wig. The AI easily flags the impersonation attempt, as it doesn’t pass the liveness check.

The more examples of spoof faces that the team feeds the model, the more confidently the AI can spot a fake.

But the technology does raise some ethical questions about privacy.

Onfido says that the system only stores videos of people who have given explicit permission for it to do so. The world is increasingly teeming with Big Brother technology, and regulatory protections are lagging far behind.

In May 2022, the UK’s privacy and data watchdog fined a facial recognition company for collecting 20 billion online images of people from social media platforms and other web sources for its global database. The Information Commissioner’s Office also ordered the US company, Clearview AI, to delete the data of UK residents from its systems.

Consumers should question big tech about their own data and privacy rights. Who has access to the data? How secure is it? How is it being used now and how could it be potentially used in the future?

---