card issuing step by step


Steps to start card issuing business.

Your organization had an idea to start issuing payment cards. After analyzing customer demands and matching those with your business relevant to card products it will be time to start with practical steps.

Schema or brand.

MasterCard or VISA or something else. The most important value schemas are offering to your business is (worldwide) acceptance network. There are also other schemas – like AMEX, Discover, JCB, Diners Club, domestic ones but in order to get the best acceptance – only VISA or MasterCard can offer it.

In order to get into such schema – you need to become a member of VISA or MasterCard. There are several licensing options available – which can be grouped into 2 – full or sponsored membership. Full membership means that your organization will have a full financial responsibility towards schema; sponsored one means that your organization shall find some existing full member of the schema who will be financially responsible towards schema on your organization activities. Of course – in order to operate in financial business – your organization should be licensed as the financial organization as well. Be aware that licensing process will take time – even 6 months or more. In most cases – if your business is small – only option to start is sponsored membership.

Which schema is the best? Well – they are similar. Current practice shows that (at least in EU) MasterCard is faster and easier to get things done. But it depends on region to region. Do not forget to check brand awareness if your customers what concerns VISA or MasterCard – it might happen that in your particular region one or another is more preferred.

Having both – VISA and MasterCard? Well for beginning it’s not necessary – just doubling implementation cost and time with no return.

One thing more to remember – from schemas your business will get access to acceptance network. But most important brand towards your customers is your organization brand, not VISA nor MasterCard – this is your product.

A processor or direct connection.

Next challenge to tackle is how to make your cards operable. You need to have a solution to produce cards (to be discussed in next chapter) and to process card related transactions. Card transaction means online messages sent from card’s point of usage to card issuing (e.g. your business systems) and back with the main purpose to check the availability of funds of the particular cardholder. Such messaging is mostly based on implementation versions of the standard called ISO8583. Being financial organization – you have probably some sort of general ledger system – keeping information on customer debit or credit account balances – and the challenge is to have interface towards schema selected in order to be able to adjust your customers account balances according to card usage.

The new player is stepping in – which is processor or 3rd party service provider. It’s just a company having built working interfaces towards card schemas and having some sort of interfaces available towards financial institutions. They can offer more card related services as well – like card data management; Point Of Sale and ATM management.

In a way there are 3 options available:

outsource this service fully to 3rd party service provider/processor. And receive just periodic transaction lists from service provider in order to adjust account balances
This option will require minimum initial investments in terms of IT development but is risky especially in the case when customers can use their accounts via other channels – online banking per example – as well. The delay between card transaction and posting onto accounts will be quickly discovered and abused.

outsource card specific part to service provider but having an online messaging link with them in order to accept/decline transaction amounts after checking actual balances
This option is probably for beginners most reasonable – keeping risks under control with minimum efforts. Just to mention that messages related to card transactions will not contain only transaction amounts but the number of specific information related card and transaction security. A downside is another money asking organization in between, but also limitations of self-service card management – e.g. if you would like to offer to customers services like blocking or activating cards via your online environment – it would be challenging.

having direct links with schema and keep everything in house.
It is possible in 2 ways. One way is to buy in some card management software including interfaces towards card schemas as well. It might be costly – especially to integrate with your organization’s existing systems – like general ledger, online banking, different kind of reporting solutions. But the upside is the fact that you will buy market experience + support and upgrade services which will keep your systems up to date according to scheme rules. Another way is to built interfaces by yourself – having strong IT or strong IT partner. Probably interfacing with existing systems will be easier but there will be some learning curve and customer testing as those interface messaging and transactions standards defined by card schemas are not followed by 100%. And it will result in some customer dissatisfaction when transactions will be declined due to some standard mismatch.

Within processing option selections you need to keep in mind a fraud management as well. E.g. even cards are equipped with a chip (mostly for security reasons) – there might take place still some fraudulent transactions with a stolen card, using copied magnetic stripe at ATM’s or online. To mitigate such risks a proper fraud management solution should be implemented – either using service provider offered options or in house.

But cards (and PIN)

Yes – cards shall be produced as well. At least so far (until all of them will be moved to smartphones). You need to find card producer and personalization service provider as well. In most cases, those services are offered by the same company. It’s simply not practical to produce and personalize cards in house as there is a long list of security-related rules set by card schemes. Card production means card plastic (with design defined by your organization) will be produced and chip embedded. Personalization means the process when on cards will be printed cardholder name, card number and same data + some additional security-related data will be stored on mag stripe and chip.

4 items to have focused on:

plastic and design
A plastic producer will be the part of service package offered by your card production partner. The most important matter is design – this is important – as quite often the card is only branded real thing in customer’s hands they can show to others as well what concerns their relationship with financial service providers. Card design needs to follow rules – e.g. paints logos and etc defined by card schema. But there is plenty of room to be creative. Design process shall be started as soon as possible – as this is only thing everyone in your organization will have an opinion. And this is the reason why design matters will take always more time than planned.

Chip producers are different, chip operational systems are different, available memory sizes and functions are different as well. As standard – chip options are offered by card production partner. Its advisable to use as much technologically advanced option as possible – in order to avoid the need to change chips in nearest future. In terms of memory size available for 3rd party applications – without clear vision what and how to have those applications – select chips having just enough memory to run standard EMV applications. As practice shows – very few issuers are implementing those 3rd party applications due to the need to adapt acceptance devices as well in order to have application usable.

card profiles
Card profile is set of card-related parameters stored on the chip. Some of them can be changed after the card is issued to the customer. Some of them not. First advice is to minimize blocking of options set by parameters which can not be changed after the card is issued. This will minimize the risk that your cardholders cannot use some services in the future due to the reason that such particular service is blocked by card. You need to keep in mind that if cards are issued with 4 years expiry – in worst scenario 25% of customers can start using the service offered after 4 years.
Card profiles are also defining how card shall act in different situations when offline, online, how many PIN tries before the block, how to act with contact or the contactless environment. Try to keep simple rules and use default values offered by card schema. Card producer can help you but this is not always so. It’s good to pre-check selected profile options with persons at card schemes as well.

PIN – Personal Identification Number is some digit’s code to ensure that cardholder is right cardholder using the card. Topics to take care – what kind of PINs, who will generate and who will deliver PIN to customers. There are several PIN printing options (fancy and less fancy) available – to be checked with card producer/personalizer. In terms of PIN generation – to do this in house some black boxes called HSM (Hardware Security Module) needed + strict security rules to be followed. Some decision point here is the solutions supporting PIN change later on. As addition there are some non-printing options of PIN delivery available as well – like SMS and PIN via net/mobile self-service. In this case, you might face the need keep PIN and card management in house.
From the technical point of view – your organization needs an ability to send personalization file to your card personalization vendor. In case having in house card management most probably it would be possible to create such file in house and send on daily or some periodic basis to personalization company. In case of card data management is outsourced it might be possible to use services of processing company to add card specific data into card ordering file and send them to card personalization company. Sounds complicated.

Card schemes would like to approve cards, designs, and profiles – this is usually done by card producer/personalization vendor.

And finally – card delivery to customers – how to handle that? 2 major options – via the physical branch (if having such) or ordinary mail. Need to tackle questions how to handle new customers – to be in line with Know Your Customer requirements, how to ensure having legally valid /card/ agreement with a customer in the case using remote channels. It depends quite extensively on local legal / authority interpretations of remote identification options. What concerns mailing (your card personalization company will do it for you) you need to think on options of card activation – e.g. mailed cards shall be closed for use and to be activated by the customer via online banking application, by first PIN-based transaction or via some other options.

I am not going to stop on other activities relevant to launching card products, but related and handled mostly inside your organization – like how this product is available/present in self-service and other channels; how shall look like credit approval process, what kind of reporting is needed, how back office shall operate, how sales and marketing shall look like etc. Rather focusing on unique processes and topics relevant only with cards.

Implementation project

If licensing matters are cleared out, processing options are agreed and card production matters as well – by practice schemas will start an implementation project. To get so far you need to fill a bunch of online forms. Implementation project will focus on 2 things – card and transaction processing.

Within licensing process, your organization will get a scheme business ID (per example called ICA at MasterCard) which will identify your organization in further business interactions (billing, reporting and etc) with the scheme.

Within implementation project, the first major step is to get some sort of project manager appointed by card scheme and applying and getting product BIN numbers. BIN (Bank Identification Number) is mostly 6 digit number helping to separate different card products between themselves – BIN is always 6 first digits of any payment card number.

The implementation project is often called as certification as well. The card certification is handled by card producer/personalization company – incl. review of chip, design, profiles and doing some test transactions.

Interface certification depends on the scope. If the processor is the part of the value chain – they will manage the testing, the only limitation for such end to end testing is that the test cards shall be ready beforehand. In the case in house or direct to schema connection was used – the testing will be more extensive and time-consuming. However – schemas will provide necessary support and emulators for pre-tests.

Those end to end testing slots shall be agreed some time beforehand as availability is limited.

If tests are successful – a live date – a date when your organization issued cards will work in the card schemas worldwide network – will be announced. As matter of fact – you should not very much expect that in the next day after the live date your cards will be operable worldwide – as there might be numbers of processors who will load there BIN tables later on. So its advisable to start only limited – employee pilot after the live date for testing purposes and not earlier than 1 month to start some public launch.

If tests are not successful – you will have time to fix issues apply to next slot and test again. Just to keep in mind that those projects are not for free – as long you have a project running more you are paying.

And if other parts of projects are completed as well – the real life begins.

Although is interesting to invent the wheel again – its still advised involving some experts into projects in order to get things faster done and avoid expensive mistakes costs time and money later.