Issuing bank
What is an issuing bank for a credit or debit card?
An issuing bank is the financial institution that issues credit, debit or prepaid cards to the end consumer within the four‑party model that governs card payments. It is the cardholder’s bank, and its main role is to approve or decline each transaction based on available balance, credit limit and detected risk level.
Although the term includes the word “bank”, issuance is not exclusive to credit institutions. Payment institutions and electronic money institutions may also act as card issuers under PSD2, transposed in Spain by Royal Decree‑Law 19/2018.
How an issuing bank works
The issuer of credit or debit cards participates in every transaction through a process that takes milliseconds:
- Authorization request: the merchant sends the data to the acquiring bank, which transmits it through the card network (Visa, Mastercard) to the issuer.
- Risk evaluation: the issuer analyzes balance, limits, device location and purchase history to decide whether to approve or decline the transaction.
- Response: it returns an approval or decline code that travels back through the same route to the ecommerce gateway.
- Settlement: the issuer transfers funds to the acquirer, deducting the interchange fee regulated by Regulation (EU) 2015/751.
The issuing bank has the final decision on every payment. Neither the merchant, nor the acquirer, nor the card network can force an authorization. The quality of the data sent in the request directly impacts the business’s approval rate.
Regulatory impact and applicable security for an issuing bank
The issuing bank operates under a demanding European regulatory framework:
PSD2 (Directive (EU) 2015/2366), transposed in Spain by Royal Decree‑Law 19/2018, requires issuers to apply Strong Customer Authentication (SCA) in electronic payments. This means verifying the cardholder’s identity with at least two factors: something they know (password), something they have (mobile device) or something they are (biometrics). The most widely used technical protocol to comply with SCA is 3D Secure 2 (EMV 3DS), which allows the issuer to analyze contextual data before requesting a challenge or approving the transaction frictionlessly.
For card‑data protection, the issuer must comply with PCI DSS v4.0. Requirement 3 mandates protecting stored account data, and Requirement 7 requires restricting access to cardholder data based on operational need.
As an obliged entity under anti‑money laundering law (Law 10/2010), the issuer applies due‑diligence measures (KYC) before issuing a card and throughout the commercial relationship.
Operational advantages and disadvantages for merchants
| Aspect | Advantage for the merchant | Disadvantage for the merchant |
|---|---|---|
| Authorization | Fraud‑filtering that protects the ecosystem | A conservative issuer may decline legitimate transactions and reduce conversion |
| SCA / 3D Secure | Shifts fraud liability to the issuer | May add friction if exemptions are not applied |
| Chargeback | Regulated process with defined timelines | Issuers often favor the cardholder, requiring merchants to document disputes thoroughly |
| Loyalty | Encourages card usage and increases volume | Premium‑card interchange fees are higher |
To maximize the approval rate, merchants should send complete data in every authorization (address, email, phone) and use tokenization for recurring payments. Issuers approve more transactions when they receive strong trust signals.
Was this term useful?
Leave a Comment