What happens when you swipe a card

Every swipe, tap, or online card transaction sets in motion a coordinated sequence among four parties: the issuer (the cardholder's bank), the acquirer (the merchant's bank), the network (Visa, Mastercard, American Express, Discover), and the merchant. The transaction completes in two or three logically distinct steps — authorization, clearing, and settlement — that may collapse together in time but are operationally distinct. Sitting on top of all of this is interchange, the per-transaction fee paid by the acquirer to the issuer, which forms the economic backbone of the card business and which is set by the network's published rate schedule.

This article describes the four-party model, the three operational steps, the role of interchange, and the consumer-protection implications of the differences between credit-card and debit-card transactions. For the credit-card product itself, see credit cards, mechanically; for the regulatory regime applicable to interchange, see Regulation II.

The four parties

The standard taxonomy of card-payment participants distinguishes:

• The issuer: the bank that issued the card to the cardholder. The issuer holds the cardholder's account (a deposit account for debit cards, a revolving credit line for credit cards), authorizes individual transactions, bears the credit risk on credit-card balances, and receives the bulk of interchange revenue on each transaction.
• The acquirer: the merchant's bank or payment processor, which has the contractual relationship with the merchant. The acquirer accepts the card transaction from the merchant, routes it through the network to the issuer, and credits the merchant's settlement account after interchange and processing fees are deducted.
• The network: Visa, Mastercard, Discover, or American Express. The networks operate the rails and switching systems that route transactions between acquirers and issuers, set interchange and other fees, and enforce network rules through rules-violation penalties and merchant-acceptance contracts. Visa and Mastercard are "open-loop" four-party systems in which issuers and acquirers are typically separate institutions; American Express and Discover historically operated as closed-loop three-party systems but now also license out the issuer and acquirer roles to bank partners.
• The merchant: the seller of goods or services. The merchant has a contract with the acquirer that establishes the discount rate (a percentage and per-transaction fee) the acquirer will deduct from settlement, plus interchange and network fees.

The cardholder is the fifth participant by transaction count but is not part of the four-party "model" in the technical sense — the cardholder's relationship is entirely with the issuer.

Step 1: Authorization

Authorization happens in real time at the point of sale. The merchant's terminal reads the card (chip, magnetic stripe, contactless near-field communication, or manually keyed data) and sends an authorization request through the acquirer and the network to the issuer. The request includes the card number, the merchant's identifier, the transaction amount, and (for chip and contactless transactions) cryptographic verification data that prevents replay attacks.

The issuer evaluates the request against its authorization rules — sufficient available balance for a debit card or sufficient available credit for a credit card, no fraud-rule flags, no account holds, no OFAC sanctions hit — and returns an approval or decline within seconds. If approved, the issuer places a hold on the funds (for a debit card) or earmarks a portion of the available credit (for a credit card). The merchant receives the approval and completes the sale.

Authorization does not move money. It is a real-time decision and a hold, with the actual funds movement happening in the clearing and settlement steps.

Steps 2 and 3: Clearing and settlement

Clearing happens later — typically the same day or the next business day — when the merchant batches authorized transactions and submits them through the acquirer to the network. The network passes the clearing records to the issuer, which compares them to the authorizations and (for debit cards) converts the authorization hold into a posted debit on the cardholder's account.

Settlement is the actual movement of funds: the issuer transmits funds to the network's settlement bank, which forwards them to the acquirer, which credits the merchant's settlement account. This typically happens on a one- or two-day cycle in the U.S.; merchants receive their net-of-fees settlement amount through a regular schedule defined in their acquirer contract.

The authorization and clearing amounts can differ. A restaurant authorizes the cost of a meal at the time the card is presented and clears the meal plus tip when the server enters the tip after the fact; a hotel authorizes an estimated amount at check-in and clears the actual amount at check-out. The "authorize for one amount, clear for another" pattern is well-established but is a recurring source of consumer confusion and occasionally of disputes.

Interchange

Interchange is the per-transaction fee paid by the acquirer to the issuer on each transaction. The rate is set by the network — Visa and Mastercard publish detailed interchange schedules with rates that vary by card type (consumer credit, consumer debit, business, premium rewards, etc.), merchant category, and transaction type (in-person, online, manually keyed). The merchant pays interchange (through the acquirer's discount rate), the acquirer remits interchange to the issuer through the network, and the issuer uses interchange revenue to fund rewards, cardholder services, and net interest margin on the credit-card portfolio.

Typical interchange rates for U.S. credit cards: 1.5% to 2.5% of the transaction amount plus a small per-transaction fee, varying by category. Rewards cards and business cards carry higher interchange to fund their richer reward structures.

Debit-card interchange is regulated. The Durbin Amendment to Dodd-Frank, codified at 15 U.S.C. §1693o-2 and implemented through Regulation II at 12 CFR Part 235, caps the interchange that card issuers with $10 billion or more in assets may charge on debit-card transactions. The current cap is 21 cents plus 0.05% of the transaction amount, with an additional 1-cent fraud-prevention adjustment available to compliant issuers. The cap has been the subject of substantial litigation and has been proposed for further reduction in a 2023 CFPB-led rulemaking; verify current status before relying on a specific figure. Issuers below the $10 billion asset threshold are exempt from the cap and earn unregulated debit interchange, which is substantially higher.

Regulation II also requires that every debit card be enabled for processing on at least two unaffiliated networks (preventing exclusive-network arrangements), and that merchants retain the right to route the transaction. The routing rules have been the subject of CFPB and Federal Reserve enforcement attention.

Credit-card versus debit-card consumer protections

The legal framework around dispute and unauthorized-transaction recovery differs sharply between credit and debit cards.

For credit cards, the framework is Regulation Z (TILA): the cardholder's liability for unauthorized charges is capped at $50 (in practice, most issuers waive even this), the billing-error procedure gives the cardholder a 60-day window to dispute incorrect charges with the issuer with no interest accrual on the disputed amount during investigation, and §170 of TILA gives the cardholder the right to assert claims and defenses against the issuer that the cardholder has against the merchant. The network chargeback machinery operationalizes these statutory rights, with detailed rules in each network's chargeback manual.

For debit cards, the framework is Regulation E (EFTA): consumer liability for unauthorized transfers is capped at $50 if reported within two business days of the consumer learning of the unauthorized use, $500 if reported within 60 days of the statement, and unlimited if reported later. The bank must investigate within ten business days (or longer if it provides provisional credit), and the consumer's protection against unauthorized transactions is broadly comparable to the credit-card case. The protection against merchant disputes — wrong item, undelivered goods — is weaker than for credit cards; the network chargeback machinery exists but is less reliably consumer-favorable, and the statutory backstop is narrower.

The practical implication: for purchases where merchant performance is uncertain (new vendor, high-value items, services to be delivered later), a credit card gives stronger consumer protection than a debit card. For everyday in-store purchases at established merchants, the two are roughly equivalent in protection terms.

Tokenisation and chip security

Two technical features have substantially reduced card fraud over the past decade. Chip cards (EMV) generate a unique cryptographic value for each in-person transaction; stealing the chip data does not enable replay because the value cannot be reused. Tokenisation — used in Apple Pay, Google Pay, and similar mobile wallets — substitutes a device-specific token for the actual card number, so that even if the merchant or processor is breached, the cardholder's primary account number is not exposed.

The shift in fraud since chip adoption has been from in-store "card present" fraud (substantially reduced) to "card not present" (online) fraud (substantially increased). Card-not-present fraud rates remain meaningfully higher than card-present rates, and the industry has responded with additional layers: 3D Secure 2.x, network token services, and merchant-side fraud-screening tools.

Limits and uncertainty

The four-party card model is stable; the underlying rails (network connections, ISO 8583 messaging, settlement banks) are durable. The regulated portion of debit interchange under Reg II has been the subject of recent rulemaking and litigation; the specific cap may change. The growth of alternative payment methods — peer-to-peer apps, BNPL, real-time payments, account-to-account at checkout — has shifted some volume off the card networks at the margin, particularly for younger and online-native consumers, but the card franchise remains the dominant U.S. retail-payment channel by a wide margin. Live areas of evolution include the network's response to alternative rails and the CFPB's continued attention to interchange, dispute resolution, and merchant-side practices.