A card payment is a lightning-fast relay race among five actors: the shopper, the merchant, the merchant’s processor (the acquirer), the card network, and the issuing bank. When you tap a card or click “pay,” the terminal or checkout page packages the essentials—amount, merchant ID, time stamp, and card credentials—into a standardized authorization message. With chip or contactless transactions, the card’s EMV chip generates a one-time cryptogram, a kind of dynamic signature that can’t be reused by fraudsters. That payload is encrypted and sent to the acquirer, which hands it to the network switch—VisaNet, Mastercard’s network, Amex’s platform—where the first gatekeeping happens: the system recognizes the card’s BIN, applies scheme rules, and routes the request to the correct issuer or its processor in a few hundred milliseconds.

At the issuer, risk engines go to work. They verify the cryptogram, check available credit or funds, compare location and device data, and score the transaction using machine-learning models shaped by billions of prior swipes. For e-commerce, an additional handshake called 3-D Secure can silently confirm identity or, if risk is elevated, step up to a one-time passcode or biometric. Approvals return with an authorization code and an immediate hold on funds; declines carry reason codes that guide merchant behavior on retries. If an issuer’s systems blink, the network can perform “stand-in processing,” making a best-effort decision based on the bank’s rules—one reason the rails feel reliably “always on.”

What settles in real time is the decision, not the money. Funds move in the clearing and settlement phase, usually overnight. The merchant batches the day’s approved authorizations; the acquirer compiles them into clearing files and sends them back through the network. Behind the scenes, the scheme calculates who owes what to whom, applying the fee machinery that keeps the ecosystem running. Interchange—paid from the acquirer to the issuer—rewards banks for issuing cards and taking credit and fraud risk. Network assessments compensate Visa or Mastercard for running the infrastructure. The acquirer pays the merchant the net amount, having deducted the “merchant discount,” which is interchange plus assessments plus the processor’s margin. Issuers post the transaction to the cardholder account; if the balance revolves, interest and fees accrue according to the card terms.

Security is layered by design. EMV replaces static magstripe data with per-transaction cryptograms, choking off card cloning at the physical point of sale. Tokenization swaps the primary account number for a device- or merchant-bound token, so Apple Pay and similar wallets can transmit a surrogate that’s useless elsewhere, with the network’s token service keeping the confidential mapping in hardened hardware security modules. For online commerce, card verification values, address checks, device fingerprints, and behavioral analytics work in concert. All participants are constrained by the networks’ rulebooks and PCI DSS standards, which specify how data is stored, transmitted, and audited—compliance that is costly to build and a quiet barrier to entry.

Disputes ride the same rails in reverse. If a customer contests a charge, evidence flows from merchant to acquirer to network to issuer, governed by detailed reason codes and time windows. Liability can shift based on who adopted which technology—EMV at the point of sale, 3-D Secure online—creating economic incentives to harden the edge. The message formats that carry all of this—legacy ISO 8583 and, increasingly, ISO 20022—allow global interoperability without bespoke connections between every bank and every merchant.

The technical choreography is why the moats here are so wide. Reliability at scale, global standards, and the operating rules that bind tens of thousands of banks and millions of merchants create a kind of institutional gravity. New payment methods can change the user interface, but most still ride or intersect with these rails. For investors, that’s the crux: the networks don’t just process payments—they set the rules of engagement, price the risk, and monetize the flow, all in milliseconds.

The Role of the Acquirer

If card networks are the rails, the acquirer is the merchant’s bank-of-record and first line of defense. It underwrites the business, opens the merchant account, connects to the schemes, and stands behind the merchant’s transactions. When a customer pays, the acquirer receives the issuer’s approval via the network, manages clearing, and—after netting fees—credits the merchant, sometimes same day, sometimes with a delay or reserve if risk is elevated. The most prominent acquirers are JPMorgan Chase Merchant Services, Fiserv (First Data), Worldpay, Global Payments (TSYS), Adyen, Stripe, Checkout.com, Worldline among many others.

Liability is why acquirers are cautious. If sales are later disputed or a merchant fails after payout, the network debits the acquirer first. That exposure drives onboarding checks, industry risk tiers, funding caps, rolling reserves, and pricing. It also explains the operational spadework: compiling captured authorizations into clearing files, applying interchange and assessments, reconciling payouts to the penny, enforcing PCI obligations, and steering disputes through chargeback rules and 3-D Secure programs that can shift fraud liability to issuers.

Processing can be in-house or outsourced. Some acquirers run their own switching and back office; others rely on processors while keeping the license, merchant contract, and risk. In PayFac models like Stripe, Adyen, or Square, the platform acts as both acquirer and processor for many sub-merchants, streamlining KYC, aggregating volume, settling via a sponsor bank where needed, and absorbing first-line chargeback exposure in exchange for a larger slice of the merchant discount.

Economically, acquirers live on thin spreads scaled over volume, supplemented by fees for terminals, chargebacks, compliance, and fraud tools. The moat is practical: once payouts, accounting, and risk controls are wired into an acquirer’s stack, switching is painful—approval rates, settlement timing, and dispute outcomes are hard to replicate exactly elsewhere.

The Role of the Processor

The processor is the merchant’s real-time engine for card payments—the system that turns a tap or click into an authorization, then into money in the bank.

It does the heavy lifting on the merchant side: (1) takes the transaction from the POS, e-commerce checkout, or gateway; (2) encrypts and formats it (ISO 8583/20022), manages EMV/contactless data and keys; (3) routes the auth request to the right card network (Visa/Mastercard/Amex) and on to the issuer; and (4) returns an approve/decline in a few hundred milliseconds. Many processors also run 3-D Secure servers, device fingerprinting, velocity checks, and other fraud screens before they even send the request.

After the sale, the processor handles capture, clearing, and settlement ops with the acquirer: batching approved auths, generating clearing files, injecting Level II/III data to lower interchange, calculating fees, reconciling deposits, and producing statements and reports. It provides chargeback tooling (alerts, evidence packaging, representment) and account updater services so stored cards keep working when numbers change. For physical stores it manages terminals and certifications (EMV kernels, PCI P2PE, remote key loads), and for online stores it offers vaulting/tokenization so merchants don’t store raw PANs (PCI DSS compliance). Two useful distinctions:

• Gateway vs. processor: a gateway is the software front door (API/checkout UI). A processor has the scheme connections and clearing machinery. Some firms do both, so the line blurs.
• Front-end vs. back-end processing: front-end = real-time auth routing; back-end = clearing/settlement, reconciliation, reporting.

In PayFac models (Stripe, Adyen, Square), the provider is effectively processor + acquirer for sub-merchants: it onboards them (KYC/AML), underwrites risk, processes the transactions, and settles funds via a sponsor bank. In classic setups, a bank or licensed acquirer holds the merchant account, while the processor supplies the tech rails and operations.

Bottom line: the processor is the merchant’s connectivity, risk, and ops layer—optimizing approval rates and costs up front, then getting the money settled accurately and on time at the back.

Can banks and merchants rout around the card network?

Short answer: you can route around Visa or Mastercard in specific use cases, but doing it at global, everyday scale runs into a hard trio—coordination, liability, and economics.

The networks solve a wicked coordination problem. They give every merchant a way to accept every card from every bank, in every country, with one contract and one technical spec. Replicating that means persuading millions of merchants and tens of thousands of issuers to adopt the same rules, certifications, and message formats—and to keep them in sync as fraud schemes and regulations change. That’s why most “alternatives” end up regional (UPI in India, Pix in Brazil) or platform-closed (Alipay/WeChat in China), not truly global replacements.

They also intermediate liability. A card payment isn’t just a message; it’s a bundle of rights: chargebacks, zero-liability fraud protection, dispute windows, and clear fault rules (EMV, 3-DS liability shifts). Merchants accept higher fees partly because those rules boost conversion and consumer trust. Pure bank-to-bank systems can be cheaper, but they often shift fraud and refund risk onto merchants and consumers, which suppresses adoption at checkout.

Economically, the four-party model spreads incentives. Interchange pays issuers to extend credit, invest in fraud controls, and issue more cards; assessment fees fund the network’s global uptime and security. That flywheel—rewards, acceptance, trust—creates the moat. “Pay by bank” schemes must replicate not only the plumbing, but the incentives that keep billions of cards at the top of customers’ wallets.

Technically, the networks bring resilience and standardization. They provide stand-in authorization when issuers are down, tokenization for mobile wallets, PCI rulebooks for data handling, and ISO message standards. They net and settle across members daily, including cross-border FX, with near-zero downtime. Building that reliability—and certifying every terminal, gateway, wallet, and processor against it—is a decade-long, multi-billion-dollar endeavor.

Where can they be designed out? In closed ecosystems (ride-hailing apps with stored value), account-to-account rails with strong consumer UX (UPI, Pix), recurring debits, and government-backed instant payment mandates (EU’s instant credit transfers). Even there, card rails persist for high-ticket purchases, cross-border commerce, travel, and segments where chargeback rights and rewards matter. In the West, Apple Pay/Google Pay look like alternatives, but they mostly tokenize and ride Visa/Mastercard underneath.

Bottom line

You can chip away at cards on the margins, but replacing Visa/Mastercard wholesale means rebuilding a global, always-on network with aligned incentives and a legal framework for disputes. That’s why most “disruption” ends up layering on top of, or alongside, the card rails rather than ejecting them.

A Deep Dive on the Global Payments Sector - Part 1: From Card Networks to Fintech Upstarts

A Deep Dive on the Global Payments Sector - Part 1: From Card Networks to Fintech Upstarts

The Global Payment Ecosystem: Visa and Mastercard mint margins as toll roads; fintechs add slick apps but face thinner take rates and fierce competition.

QMoatQMoat

A Deep Dive on the Global Payments Sector - Part 3: The Payment Processors

A Deep Dive on the Global Payments Sector - Part 3: The Payment Processors

Scale, software and data—not price—now decide who wins in payment processing. Giants like Fiserv, Global Payments and Adyen stitch cards, wallets and bank rails into one brain, lifting approvals and shaving fraud while embedding themselves in merchants’ operating systems.

QMoatQMoat