In a previous article, we saw in pretty detailed way what happens during a card payment transaction and the messages that are exchanged between the different participants. Cardholders does not use their cards only to make purchases. They use it also to withdraw cash from their account (the one to which the card is linked to). Cash withdrawal transactions have many things in common with card payments transactions. But some specificities exist though. In this article, we will look at a cash withdrawal transaction from the initiation to the funds transfer between issuer and acquirer. We assume that the cardholder’s bank is different from the bank that provides the Automated Teller Machine (ATM) or Automated Banking Machine (ABM).
As for a card payment, the cash withdrawal takes place in two main steps: during the first step, the cardholder inserts his card into the ATM, authenticates and receives the cash if all the controls are positive. In the second step, the Bank providing the ATM collects the amounts received by the cardholder during the first step from the cardholder’s bank account. In the rest of this article, the exchanges of flows that are done in the first and second step will be described.
1- Initiation of a cash withdrawal
The cardholder inserts the card into the ATM. After reading and identifying the chip, preliminary checks are performed including the authentication of the card and the expiration date. Card authentication ensures through asymmetric cryptography that the card was not made by fraudsters and that the card number has the right format and number range. The expiration date validation consists in checking that the card has not expired. If these first checks are positive, then the cardholder is prompted to enter the PIN to authenticate himself and validates the transaction. The PIN verification may be done online or offline. The online PIN verification means that the entered PIN code is not compared with the one on the chip card, but with the one known by the cardholder’s bank. So the request is sent to the issuer.
After a successful PIN verification, several choices can be proposed to the cardholder. The available options depend on the card, the bank and the machine (ATM or ABM). On some ATMs, it is even possible to recharge the mobile phone credit. The cardholder sees only the operations that he can perform. If the card does not allow to withdraw cash for example, the cash withdrawal option will not appear on the list. After the cardholder chooses to do a cash withdrawal (we assume that he can), the ATM will prompt him to indicate the amount he wants to withdraw either by choosing it from a list of amounts or by manually inputting it.
The cardholder validates the amount and this triggers the authorization process.
2- Authorization Request
There is a preparation phase before the authorization request itself, during which an authentication element is computed and the PIN code is encrypted. At this stage, it is worth mentioning that all ATMs are connected to an ATM Manager which is itself connected to the interbank network.
The bank of the ATM, which plays the role of both acceptor and acquirer in this transaction, forwards the authorization request to his own Acquiring Authorization Server (AAS). The AAS sends the authorization request to the issuer:
either by a national authorization network if it exists and if it is a card issued in the same country
or by international card network otherwise
The AAS uses the Issuer Identification Number (IIN) extracted from the card number to route the authorization request to the Issuer. After receiving and identifying the authorization request, the Issuer Authorization Server (IAS) will first do some checks on the card, then on the customer account and finally on the account balance:
Authenticity and validity of the card (card number, PIN code, expiry date, etc.)
Account Control (Existence, Open / Close, Block, etc.)
Provision control: Provision takes into account authorized overdrafts and credit reserves
Limit Checks (monthly, weekly): limit amounts depend on card types and terms negotiated with the customer.
Fraud control is most often based on behavioral analysis
Note: If the cardholder’s bank and the acceptor/acquirer bank are the same, then no need to go through a network, since the AAS and the IAS are at the same bank that will then acts as acceptor, acquirer and issuer for the transaction.
3- Authorization Answer
There are two possible responses to a cash withdrawal authorization: Approval or refusal
- After a positive response (Cash can be withdrawn), the cardholder may be requested to choose between small-denomination or high-denomination notes. The card is expelled from the machine after his choice, the transaction receipt is issued and the notes are counted and made available. The issuer then blocks the transaction amount, so that the cardholder cannot spend it anymore. The amount will be paid later during settlement (See point 5 below).
- In case of refusal, the card is swallowed by the ATM if the cardholder has entered a wrong PIN code three times in a row or if the card is identified as blocked. If there is a refusal because the withdrawal limit is exceeded, the issuer may provide information about the available balance to withdraw. The cardholder may then change the amount and a new authorization request will be sent. In other cases, the card will be expelled from the ATM.
The response to the authorization request is issued from the IAS to the AAS via the same network that was used for the request. If a check fails, the transaction is stopped.
Note: In certain countries, the ATM expels the card before making the notes available to the cardholder. In other countries (like the USA), it is the opposite. The expulsion of the card takes place after making the notes available. This seemingly insignificant difference has led to many disappointments during trips abroad. People took the money and left the expelled card on the ATM with the consequences that you can imagine.
4- Cash withdrawal notification
Depending on the amount and the agreement between the cardholder and the issuer, the issuer notifies his customer about the cash withdrawal. This is generally done through SMS or e-mail which contains the amount, the Bank’s name and the location where the transaction is taking place. The cardholder can take immediate action if he realizes that the card has been used fraudulently.
Let’s get back to the ATM. All transactions related to card withdrawals are recorded and stored in the ATM. It is the preparation of the second stage: the collection of the withdrawn amount by the bank of ATM from the Issuing Bank.
5- Flow exchanges, Clearing and Settlement
The first phase of this step is to debulk the transactions received from the different merchants and bulk them according to specific criteria like the dates or the Clearing system. The bulked transactions are now transmitted through interbank systems to the different card issuers:
either by the a national clearing system if it is a domestic transaction and the possibility exists
or by the card network otherwise
These transaction exchanges can occur many times during the day. The related clearing and settlement can happen once or many times during the day, depending on the clearing systems and card network rules. If you want to get a deep understanding of clearing and settlement, I strongly recommend you to read related articles on this blog.
The interbank system (national clearing system or card network) generates the debit instructions and transmits them to each issuing bank (or its direct participant). After receiving the funds from the issuers, it generates the credit instructions to credit the acquirers’ accounts and notifies them about the credits.
6- Debit notification / Reporting
The cardholder’s bank debits his account after receipt and correct processing of the card transaction messages received from the interbank exchange network. This information goes back to the cardholder via his account statement and/or other means as agreed between the bank and his client.