3.2 Smart Cards, Credit Cards & Debit Cards
Smart Cards
A smart card is a plastic card with an embedded integrated circuit (microchip) that can store and process data, which distinguishes it from a magnetic-stripe card.
Types of smart cards
| Type | Description | Example |
|---|---|---|
| Contact | Inserted into a reader (chip touches contacts) | Modern credit/debit cards with chip |
| Contactless | NFC-based; tap to pay | Tap-and-pay cards, mobile wallets |
| Hybrid | Both contact AND contactless | Most modern bank cards |
| Dual-interface | Single chip, both modes | Same as hybrid |
| Memory-only | Stores data, no processor | Telephone calling cards |
| Microprocessor | Has CPU; can run programs | EMV cards, SIM cards |
Smart card structure
Plastic card body
│
├── Chip module
│ ├── Microprocessor
│ ├── RAM (working memory)
│ ├── EEPROM (persistent — stores data)
│ ├── ROM (operating system)
│ └── Communication interface
│
├── Embossed details (name, number)
├── Magnetic stripe (legacy)
└── Signature panel
Smart card capabilities
- Storage — up to ~256 KB
- Cryptographic processing — encryption, digital signatures
- Multiple applications on one card (banking + transit + ID)
- Tamper-resistant — physical security features
- Programmable — JavaCard, MULTOS operating systems
Smart card uses
| Use | Example |
|---|---|
| Banking | EMV credit/debit cards |
| SIM cards | Mobile network identity |
| Transit | Delhi Metro, Bangalore Namma Metro |
| Identity | Aadhaar-linked cards, government employee IDs |
| Healthcare | Health insurance cards |
| Loyalty | Petrol pump fleet cards |
| Access control | Office buildings, hotel rooms |
| e-Passport | Biometric passports |
---
Credit Cards
A credit card allows the holder to borrow funds to pay for goods/services, with repayment by a billing-cycle due date.
How credit cards work
The 4-Party Model — the heart of card payments
A card payment always involves the same four parties (with a fifth invisible facilitator). The cardholder is the customer whose name appears on the card and who initiates the purchase. The merchant is the business accepting the card. The issuing bank is the bank that issued the card to the customer — it holds the customer's credit line (for credit) or current account (for debit) and is the entity that ultimately approves or declines the transaction. The acquiring bank is the merchant's bank, which provides the merchant a payment-acceptance setup (POS terminal, online payment gateway) and the merchant account into which sale proceeds settle. Threading these four together is the card network — Visa, Mastercard, RuPay, American Express, or Diners — which operates the messaging rails between issuer and acquirer and sets the rules of the system. Without the card network, the issuer and acquirer would have no standard way to talk to each other.
Credit card payment flow (detailed)
1. Customer presents card at merchant
2. Merchant captures card details (swipe/insert/tap/CVV)
3. Merchant POS/gateway → Acquiring Bank: Authorization request
4. Acquiring Bank → Card Network → Issuing Bank: Verify
5. Issuing Bank verifies:
- Card not blocked
- Sufficient credit limit
- Not flagged for fraud
- 3D Secure / OTP / CVV check (for online)
6. Issuing Bank → Card Network → Acquiring Bank → Merchant: Approval
7. Transaction RECORDED (not yet settled)
8. End-of-day: Merchant batches authorisations → Settlement request
9. Settlement: Issuing Bank → Card Network → Acquiring Bank → Merchant account (minus fees)
10. Issuing Bank bills the Customer at month-end
Credit card economics
| Fee | Who Pays | Who Gets It | Typical |
|---|---|---|---|
| Merchant Discount Rate (MDR) | Merchant | Acquiring bank | ~1.5-2.5% |
| Interchange fee | Acquiring bank → Issuing bank | Issuing bank | ~1-1.5% |
| Network fee | Acquiring bank | Network (Visa, MC) | ~0.1% |
| Acquirer markup | Merchant | Acquirer | ~0.3-0.5% |
| Annual fee | Customer | Issuing bank | ₹500-10,000 |
| Interest on outstanding | Customer | Issuing bank | 36-42% annual |
| Late fees | Customer | Issuing bank | ₹500-1,500 |
Memorise: The 4 parties — Customer, Merchant, Issuing Bank, Acquiring Bank + Card Network.
---
Debit Cards
A debit card is linked directly to the cardholder's bank account. Transactions deduct funds immediately.
Debit vs Credit — exam table
| Aspect | Credit Card | Debit Card |
|---|---|---|
| Funds source | Bank's credit line | Customer's own bank account |
| Debit timing | Monthly bill | Immediate |
| Credit risk | Bank takes it | None (uses own funds) |
| Interest | Yes, if unpaid | None |
| Eligibility | Income, credit history | Just an account |
| Fees to customer | Annual fee, interest | Usually small annual fee |
| Rewards / cashback | Common | Limited |
| Credit-building | Yes (CIBIL impact) | No |
| Pre-authorisation | High (hotels, fuel) | Limited |
Common types of cards
| Type | Description |
|---|---|
| Credit card | Borrow up to a limit |
| Debit card | Account-linked |
| Prepaid card | Loaded amount, no link to bank account |
| Charge card | Pay in full each month (no carryover) — Amex traditional |
| Co-branded card | Bank + retailer (Amazon Pay ICICI, Flipkart Axis) |
| Secured card | Backed by FD (for low-credit-history users) |
| Gift card | Single-use prepaid |
| Forex card | Travel — pre-loaded foreign currency |
| Fuel card | Specific to petrol/diesel purchase |
---
Card Networks
| Network | Origin | Market position |
|---|---|---|
| Visa | USA, global | Largest globally |
| Mastercard | USA, global | Second-largest |
| RuPay | India (NPCI), 2012 | Indian-domestic, fast-growing |
| American Express (Amex) | USA | Premium / corporate |
| Diners Club | USA | Mostly merged into Discover |
| JCB | Japan | Limited Indian acceptance |
| UnionPay | China | Growing in Asia |
RuPay — India's domestic network
| Property | Value |
|---|---|
| Launched | 2012 by NPCI |
| Market share (debit cards) | ~65% (June 2024) |
| MDR | Lower than Visa/MC (RBI mandate) |
| Used in | Jan Dhan accounts, Aadhaar-linked cards |
| International | RuPay International cards available |
| UPI link | RuPay credit card can be linked to UPI |
---
EMV — the chip standard
EMV = Europay, Mastercard, Visa — the global standard for chip-based cards (1994 onwards).
Why EMV replaced magnetic stripe
Magnetic-stripe cards held the same static data on every transaction — anyone who copied the stripe (a "skimmer" at a corrupted ATM or restaurant POS) could clone it perfectly. EMV chip cards generate a unique cryptogram on every transaction, so a captured cryptogram is worthless for the next purchase. The chip costs more to manufacture and slightly more to process, but the fraud savings are dramatic: industry estimates put the fraud rate on magnetic stripe at around 30 basis points, on EMV chip at about 3 basis points — roughly a 10× improvement. In India, RBI mandated all new cards to be EMV chip-based by 2015 and magnetic-only swipe is no longer accepted at compliant terminals.
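A simplified model of that difference, added here as an illustration and not taken from the EMV specification or any issuer's code: the chip MACs each transaction with a secret key and a transaction counter, and the issuer declines a counter it has already seen. HMAC-SHA256 stands in for the real EMV cryptogram algorithm; the card number, stripe data, key handling and all class and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

def cryptogram(key: bytes, atc: int, amount: int, nonce: bytes) -> bytes:
    """MAC over counter, amount and terminal nonce (HMAC-SHA256 stand-in)."""
    msg = atc.to_bytes(2, "big") + amount.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class ChipCard:
    """The key stays inside the chip; only cryptograms leave it."""
    def __init__(self, key: bytes):
        self._key, self.atc = key, 0
    def sign(self, amount: int, nonce: bytes):
        self.atc += 1  # fresh counter value for every transaction
        return self.atc, cryptogram(self._key, self.atc, amount, nonce)

class Issuer:
    def __init__(self):
        self.keys, self.last_atc, self.stripes = {}, {}, {}
    def enrol(self, pan: str, key: bytes, stripe: str):
        self.keys[pan], self.last_atc[pan], self.stripes[pan] = key, 0, stripe

    def authorise_stripe(self, pan: str, stripe: str) -> bool:
        # Static data: a byte-for-byte copy looks exactly like the real card.
        return hmac.compare_digest(self.stripes.get(pan, ""), stripe)

    def authorise_chip(self, pan, atc, amount, nonce, cg) -> str:
        key = self.keys.get(pan)
        if key is None:
            return "decline: unknown card"
        if not hmac.compare_digest(cryptogram(key, atc, amount, nonce), cg):
            return "decline: bad cryptogram"
        if atc <= self.last_atc[pan]:
            return "decline: counter already used"
        self.last_atc[pan] = atc
        return "approve"

def cryptogram_demo() -> dict:
    pan, key = "TEST-PAN-0001", secrets.token_bytes(32)  # constructed values
    stripe = "TEST-PAN-0001=2912"  # constructed static stripe data
    issuer, card = Issuer(), ChipCard(key)
    issuer.enrol(pan, key, stripe)
    nonce = secrets.token_bytes(4)  # terminal's unpredictable number
    atc, cg = card.sign(50_000, nonce)  # amount in paise
    return {
        "genuine": issuer.authorise_chip(pan, atc, 50_000, nonce, cg),
        "replayed": issuer.authorise_chip(pan, atc, 50_000, nonce, cg),
        "new_amount": issuer.authorise_chip(pan, atc + 1, 90_000, nonce, cg),
        "copied_stripe": issuer.authorise_stripe(pan, stripe),
    }

if __name__ == "__main__":
    print(cryptogram_demo())
```

The captured cryptogram is declined both when resubmitted unchanged and when attached to a different amount, while the copied stripe data is accepted every time because the issuer has nothing transaction-specific to check.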
EMV transaction modes
An EMV-chip card can be used in four modes:
- Contact — the customer inserts the chip into a reader; the chip and the terminal communicate electrically.
- Contactless — the customer taps the card on the reader; data is exchanged via NFC (Near-Field Communication) radio. RBI permits contactless taps up to ₹5,000 in India without entering a PIN.
- Mobile contactless — the card is virtualised inside an Apple Pay, Google Pay, or Samsung Pay wallet on a phone or watch, and the tap uses the device's NFC.
- CNP (Card-Not-Present) — the entire online checkout flow, where the customer manually enters card number, expiry, and CVV (now usually replaced by tokens) and authenticates via 3D-Secure OTP.
---
3D Secure (3DS)
For online card transactions, an extra authentication step prevents fraud:
1. Customer enters card details on merchant site
2. Merchant → Gateway → Card Network → Issuing Bank
3. Issuing Bank challenges customer:
- OTP via SMS (India's RBI requirement)
- Or biometric in app
4. Customer enters OTP
5. Issuing Bank verifies → Approved
India requires 3DS for all online card transactions (RBI mandate) — this is why every online card transaction asks for an OTP.
---
Card-related security
| Feature | Detail |
|---|---|
| CVV/CVC | 3-digit code on back (never stored by merchants — PCI-DSS) |
| Address Verification (AVS) | Postal code match |
| 3D Secure / OTP | Two-factor for online |
| Tokenisation | Real card number replaced by token; even merchant doesn't store actual number |
| EMV cryptogram | Each transaction has unique signature |
| Fraud monitoring | Anomaly detection — unusual location, amount, pattern |
PCI-DSS (Payment Card Industry Data Security Standard)
If a merchant handles card data, they must comply with PCI-DSS — a security standard. Key requirements:
- No storing of CVV
- Encryption in transit and at rest
- Regular vulnerability scans
- Network segmentation
- Access control
- Annual audit (for high-volume merchants)
This is why most merchants don't store cards — they use the payment gateway's tokenisation.
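How a merchant-bound token limits what a merchant breach exposes, as an added sketch that is not any gateway's or card network's actual API: the vault, the merchant class, the `tok_` format and the card number are all constructed, and the vault is assumed to bind each token to the merchant that requested it, as card-on-file tokenisation does.

```python
import secrets

class TokenVault:
    """Network-side vault: the only place a token maps back to a card number."""
    def __init__(self):
        self._entries = {}  # token -> (pan, merchant_id)

    def tokenise(self, pan: str, merchant_id: str) -> str:
        token = "tok_" + secrets.token_hex(8)  # random, not derived from the PAN
        self._entries[token] = (pan, merchant_id)
        return token

    def resolve(self, token: str, merchant_id: str):
        entry = self._entries.get(token)
        if entry is None or entry[1] != merchant_id:
            return None  # unknown token, or presented by another merchant
        return entry[0]

class Merchant:
    def __init__(self, merchant_id: str, vault: TokenVault):
        self.merchant_id, self.vault, self.saved = merchant_id, vault, {}

    def save_card(self, customer: str, pan: str) -> None:
        # Only the token is written to the merchant's own storage.
        self.saved[customer] = self.vault.tokenise(pan, self.merchant_id)

    def charge(self, token: str) -> bool:
        return self.vault.resolve(token, self.merchant_id) is not None

def token_demo() -> dict:
    pan = "TEST-PAN-0001"  # constructed placeholder, not a real card number
    vault = TokenVault()
    shop_a, shop_b = Merchant("shop-a", vault), Merchant("shop-b", vault)
    shop_a.save_card("asha", pan)
    shop_b.save_card("asha", pan)
    leaked = shop_a.saved["asha"]  # what a breach of shop A's database exposes
    return {
        "tokens_differ": leaked != shop_b.saved["asha"],
        "pan_in_shop_a_db": pan in shop_a.saved.values(),
        "shop_a_can_charge": shop_a.charge(leaked),
        "leaked_token_at_shop_b": shop_b.charge(leaked),
    }

if __name__ == "__main__":
    print(token_demo())
```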
---
Key Terms — Lesson 3.2
The terms below cover smart-card architecture, the card-payments ecosystem, the EMV chip standard, and the security stack around online card use.
Smart Card — A plastic card with an embedded integrated circuit (microchip) that stores and processes data. Smart cards differ from magnetic-stripe cards in being able to encrypt data, run programs, generate per-transaction cryptograms, and host multiple applications simultaneously. EMV bank cards, SIM cards, metro cards, and modern access-control badges are all smart cards.
Contact vs Contactless Smart Card — A contact smart card is physically inserted into a reader; the chip's gold pad touches the reader's contacts to exchange data. A contactless smart card uses NFC (Near-Field Communication) radio at very short range (typically 4 cm) — the user "taps" the card on the reader. Modern bank cards are usually hybrid / dual-interface (both modes on one chip).
EEPROM — Electrically Erasable Programmable Read-Only Memory — the persistent storage inside a smart card that survives power-down and is where the card's "data" (account number, balance, transaction history) actually lives. EEPROM is what gives the chip its multi-year working life.
Credit Card — A card that lets the holder borrow funds from the issuing bank up to a pre-set credit limit to pay for goods and services, with repayment due by a billing-cycle date (typically 30–45 days later). Outstanding balance after the due date attracts interest at 36–42% annualised. The issuer earns from annual fees, interest, and a slice of the merchant discount rate.
Debit Card — A card linked directly to the holder's bank account. Each transaction debits the account immediately (or within minutes for some networks). No credit risk for the bank; no interest for the customer; eligibility is just holding a current/savings account.
Charge Card — A card that must be paid in full each billing cycle — no carry-over balance, no revolving credit. Classic American Express cards are charge cards; defaulting on the balance cancels the card.
Prepaid Card — A card pre-loaded with a fixed amount; not linked to a bank account. Gift cards, forex cards, fleet cards, and meal cards are common prepaid forms. Useful for gifting, controlled spending (corporate per-diem), and unbanked users.
Co-Branded Card — A card issued by a bank in partnership with a merchant — Amazon Pay ICICI, Flipkart Axis Bank, Tata Neu HDFC, Air India SBI. Co-branded cards offer accelerated rewards in the partner's ecosystem and create a strong loyalty hook.
EMV (Europay, Mastercard, Visa) — The global standard for chip-based card transactions, originating in 1994. EMV cards generate a unique cryptogram for each transaction, making cloning practically impossible. RBI mandated all India-issued cards to be EMV chip-based by 2015.
Magnetic Stripe — The legacy data-storage strip on the back of older cards. Magnetic stripes hold static data and can be cloned with a cheap "skimmer." They have been phased out for primary use in India, though many cards still carry one for backward compatibility with old terminals.
Card Network / Card Scheme — The intermediary that routes the transaction messages between issuer and acquirer and sets the rules of the system. The four big networks active in India are Visa, Mastercard, American Express, and RuPay (NPCI's domestic network). Diners Club and JCB have smaller acceptance.
RuPay — India's domestic card network, built by NPCI and launched in 2012 to reduce dependency on foreign networks. RuPay debit cards crossed 65% market share in India by 2024, partly because Jan Dhan accounts are RuPay-only. RuPay credit cards can also be linked to UPI — a uniquely Indian capability that lets users pay by scanning a UPI QR using credit-card funds.
Issuing Bank (Issuer) — The bank that issued the card to the customer. The issuer maintains the customer's credit line or current account, takes the credit risk (for credit cards), authorises/declines transactions, and bills the customer.
Acquiring Bank (Acquirer) — The merchant's bank, which provides the merchant a POS terminal or online payment gateway integration and the merchant account into which sale proceeds settle. Acquirers compete on MDR, settlement speed, and reconciliation tools.
Merchant Discount Rate (MDR) — The total percentage the merchant pays on each card transaction. MDR is split among the issuer (the largest share, called interchange), the card network (a small network fee), and the acquirer (the acquirer markup). Indian MDR for credit cards typically runs 1.5–2.5%; for debit cards it is capped lower by RBI; for RuPay debit and UPI, MDR for many merchants is zero.
Interchange — The slice of the MDR paid from the acquirer to the issuer. Interchange is set by the card network and varies by card category (premium cards, corporate cards, debit cards each have different interchange).
Authorisation vs Settlement (cards) — When a card is swiped, an authorisation message instantly confirms the customer has the funds/credit available and freezes that amount. The actual money movement, settlement, happens later — typically the next or second business day (T+1, T+2) when the merchant submits the batch and the issuer pushes funds through the network.
CVV / CVC (Card Verification Value / Code) — The 3-digit code on the back of Visa/Mastercard/RuPay cards (4-digit on Amex, on the front). CVV is not stored on the magnetic stripe or in the EMV chip, and merchants are forbidden by PCI-DSS from storing it. Its purpose is to prove the customer has physical possession of the card.
3D Secure (3DS / 3DS 2.0) — An additional authentication step for online card transactions where the issuer asks the cardholder to confirm the transaction — usually by entering an OTP sent to the registered mobile, increasingly by biometric or app-push (3DS 2.0). 3DS shifts fraud liability from the merchant to the issuer when used. RBI mandates 3DS for almost all Indian online card transactions.
Card-on-File Tokenisation — RBI's October 2022 mandate that prohibits merchants from storing actual card numbers. Instead, when a customer chooses "save my card for next time", the network (Visa/Mastercard/RuPay) issues a token specific to that merchant. Because the token works only at that merchant, a leaked token is useless to attackers.
PCI-DSS (Payment Card Industry Data Security Standard) — A mandatory compliance standard for any entity that stores, processes, or transmits card data. Twelve requirements covering encryption, access control, network segmentation, monitoring, vulnerability scans, and policy. High-volume merchants must complete an annual audit; smaller ones do a self-assessment questionnaire.
NFC (Near-Field Communication) — A short-range (~4 cm) radio standard used for contactless tap-and-pay (cards, phones, watches). NFC is what makes contactless payments fast — no PIN required for transactions under ₹5,000 in India.
POS (Point of Sale) Terminal — The hardware (a card-reader machine, often with a printer) the merchant uses to accept in-person card payments. Modern POS terminals are EMV chip-capable, NFC-capable for contactless, and accept UPI QR display. Verifone, Ingenico, Pine Labs, and MSwipe are major Indian POS vendors.
---
Study deep
- Visa and Mastercard are the world's two most profitable companies by margin. ~60% operating margin. They don't lend money or take credit risk — they just route transactions and charge ~0.1% per txn at scale of trillions.
- RuPay's strategic role. Created by NPCI in 2012 to reduce dependence on Visa/Mastercard. Government insists on RuPay for Jan Dhan accounts. Now ~65% market share in debit cards. UPI integration (RuPay credit on UPI) is unique to India.
- The credit-debit decline. UPI is eating into both. India's UPI volumes (~16B/month) dwarf card volumes (~3.5B/month including debit + credit). Cards now retain prominence in offline POS and online checkout, but UPI dominates P2P and mobile commerce.
- EMV mandate completed quickly in India. RBI mandated by 2015. Bank deadline drove rapid switch. Magnetic stripes effectively dead now.
- Tokenisation is the next privacy frontier. Starting Oct 2022, RBI mandated card-on-file tokenisation — merchants can't store actual card numbers; only tokens. Customers re-enter card or use saved tokens.
PYQ pattern (very common): "Explain credit card payment flow with diagram." — Draw the 4-party model + card network; describe 10-step authorisation flow; explain settlement T+1/T+2.
PYQ pattern: "Differentiate credit card and debit card." — Tabulate 6-8 differences (funds source, debit timing, credit risk, interest, eligibility, rewards, building credit, pre-auth).