← Back to All Questions
Very Hard~60 minFinTech & Banking

Design Credit Card Processing System

VisaMastercardStripeSquareAdyen

📝 Problem Description

Design a credit card payment processing system. Handle authorization, clearing, settlement, fraud detection, and integration with card networks. Ensure PCI DSS compliance.

👤 Use Cases

1.
Merchant wants to submits payment so that authorization returned
2.
System wants to routes to network so that Visa/Mastercard processes
3.
System wants to settles transaction so that funds transferred
4.
Cardholder wants to disputes charge so that chargeback initiated

✅ Functional Requirements

  • Authorize card transactions
  • Capture authorized payments
  • Void and refund transactions
  • Batch settlement with networks
  • Fraud detection
  • Chargeback handling
  • PCI DSS compliant storage

⚡ Non-Functional Requirements

  • Authorization < 2 seconds
  • 99.99% availability
  • Handle 10K transactions/sec
  • Zero data loss

⚠️ Constraints & Assumptions

  • PCI DSS compliance required
  • Network protocols are complex (ISO 8583)
  • Must handle timeouts gracefully

📊 Capacity Estimation

👥 Users
100K merchants, 1B transactions/day
💾 Storage
100TB (transactions, encrypted PANs)
⚡ QPS
Auth: 10K/sec, Settlement: batch
📐 Assumptions
  • 1B transactions per day (~12K TPS average)
  • 50K peak TPS (Black Friday, flash sales)
  • Average transaction amount: $50
  • Settlement T+1 (next business day)
  • Authorization timeout: 2 seconds
  • Fraud detection latency: < 100ms

💡 Key Concepts

CRITICAL
Tokenization
Replace PAN (card number) with token for storage. Original PAN encrypted in vault. Token useless if stolen. PCI DSS requires tokenization for stored cards.
HIGH
ISO 8583
Binary message format for card network communication. MTI indicates message type. Bitmap indicates present fields. Standard across Visa/MC.
CRITICAL
Auth-Capture
Two-phase payment: authorize reserves funds, capture collects them. Allows for order changes, cancellation. Capture must happen within 7 days.
MEDIUM
Interchange
Fee paid by merchant bank to cardholder bank. Set by networks based on card type, transaction type. Major component of processing cost.
HIGH
BIN (Bank Identification Number)
First 6-8 digits of card number identify issuing bank and card network. Used for routing decisions. BIN database updated daily.
CRITICAL
PCI DSS
Payment Card Industry Data Security Standard. Mandatory for all entities handling card data. 12 requirements covering security controls.
CRITICAL
HSM (Hardware Security Module)
Tamper-resistant hardware for cryptographic operations. Stores encryption keys securely. Required for PAN encryption and PIN translation.

💡 Interview Tips

  • 💡Start with the authorization flow
  • 💡Emphasize PCI DSS compliance requirements
  • 💡Discuss tokenization and its benefits
  • 💡Be prepared to explain the settlement process
  • 💡Know the difference between card-present and card-not-present
  • 💡Understand the role of acquirers, issuers, and networks