You tap your card at a coffee shop. The terminal beeps. Approved.

One second. Maybe less.

In that one second, your card data was encrypted, sent across at least six network nodes spanning your bank, a payment network, and back again — while your bank ran more than fifty background checks on you, your location, your spending history, and the risk profile of the merchant you just bought a cappuccino from.

Most people think "the bank just checks if I have money." That is the least interesting thing happening.

I know, because I have sat in bank server rooms and audited this infrastructure firsthand — as a PCI DSS assessor across multiple financial institutions in South Asia. This is part of the Behind the Firewall series, where I translate what happens inside enterprise security systems into something every person who owns a bank card deserves to understand.

Let us walk through it. Tap to beep.

< 1 second

Time for your bank to approve or decline

6+ hops

Network nodes your card data travels through

50+

Risk signals checked before approval

Your card number never actually travels

Here is the first thing that will change how you think about card security: when you tap your card, your actual 16-digit card number — called the PAN, or Primary Account Number — is not sent across the network.

What gets sent is a token. A substituted value that represents your card for this specific transaction, at this specific terminal, at this specific moment. Even if someone intercepted it, it would be useless anywhere else.

This is called tokenisation, and it is one of the most important things your bank does that nobody ever explains. Visa calls it a "token" — your bank maps it back to your real card number only inside their own systems, behind their own security perimeter. The merchant, the payment switch, the network — none of them ever see your actual card number.

Before tokenisation even sends anything, the terminal itself encrypts your data the moment it reads your card. P2PE — Point-to-Point Encryption — means your card details are scrambled inside the terminal before they leave. They travel through a TLS-secured channel, the same standard that protects your online banking and HTTPS websites. A man-in-the-middle attack cannot read encrypted, tokenised card data. There is nothing to steal.

ASSESSOR’S NOTE
During a PCI DSS validation engagement at a South Asian bank, I asked to see the card data flow end-to-end. What surprised me was not what was protected — it was where the gaps appeared. In one case, a legacy batch process was briefly writing raw PANs to a log file before the tokenisation layer kicked in. A six-hour window, once a day. That is what PCI DSS assessors are looking for. Your bank fixed problems like this years ago. Probably.

The hop journey: how your payment reaches your bank

This is the part that surprised me most when I first mapped it properly during an end-to-end transaction analysis.

Your card data does not go directly from the terminal to your bank. It travels through nodes — each one a routing point, a switch, a gateway. Think of it like a physical letter that has to pass through several post offices before it reaches its destination.

Here is what a typical journey looks like:

TRANSACTION JOURNEY

What happens between tap and beep

1
💳

Terminal captures your card

PAN, expiry, CVV2, amount, merchant — read in milliseconds by the contactless reader.

2
🔒

Data encrypted before it moves

P2PE locks your card data inside the terminal. It never leaves as plain text.

3
🔀

Travels through payment nodes

Terminal → acquiring bank → Visa/Mastercard network → your issuing bank.

4
🧠

Your bank runs 50+ risk checks

Balance, fraud score, location, behaviour, velocity — all in under 200 milliseconds.

The critical step
5

Approved or declined

Response travels back the same route. Tap to beep: under one second.

6
📋

Transaction logged and monitored

Your bank keeps watching. Fraud can be flagged minutes or hours after approval.

Total elapsed time from tap to terminal beep: under 1 second.

Say you have a City Bank card. You are using a Dutch-Bangla Bank ATM. The transaction does not go: terminal → City Bank. It goes: Terminal → Dutch-Bangla Bank's payment switch → Visa/Mastercard's global network → City Bank's issuing processor → City Bank's core banking system.

Then the response travels back the same route. All of this, in under one second.

Each hop is secured. Each hop communicates through authenticated, encrypted channels. But each hop is also a potential point of failure — which is why PCI DSS compliance covers not just the issuing bank, but every entity in this chain. The whole network has to meet the same standard. Payment brands enforce this with real financial penalties. That is Part 4 of this series — it is genuinely alarming reading.

The 1-second background check

While your encrypted token is travelling those hops, your bank is already making a decision.

Your card data arrives at the issuing bank's fraud scoring system. What happens next happens fast — we are talking under 200 milliseconds on a well-tuned system. Your bank is running what is effectively a background check in real time, every time.

FRAUD SCORING LAYER

What your bank checks in under 200ms

💰

Balance check

Do you have enough funds? The obvious one. Takes under 1ms.

🧠

Behavioural profile

Does this match your normal spending pattern — location, time, amount, merchant type?

Velocity check

How many transactions in the last few minutes? Fraudsters test cards with small amounts first.

🌍

Geo-anomaly detection

Your last transaction was in Dhaka. This one is in Amsterdam. The risk score escalates.

🏪

Merchant risk scoring

Some merchant categories correlate with fraudulent card use. Your bank knows which ones.

📱

Device & channel signals

For card-not-present transactions: device fingerprint, IP, browser — all contribute to the score.

All of this happens silently, every time. You never see it. Your bank never tells you the score.
⚠️ If score crosses the threshold:
OTP sent3DS triggeredBiometric requiredDecline (last resort)
ASSESSOR’S NOTE
The sophistication gap between large multinational bank branches and some local banks in South Asia is real. A multinational branch running Visa's VisaNet fraud scoring infrastructure is running machine learning models trained on billions of global transactions. A smaller local issuer may be running simpler rule sets. Both are PCI DSS compliant. Compliance sets the floor, not the ceiling.

The vault no one talks about — HSMs

There is a piece of hardware sitting in your bank's data centre that most people, even in the security industry, have never seen. It is called a Hardware Security Module, or HSM. It is physically about the size of a shoebox. It is worth understanding because it is the reason your bank cannot tell you your own PIN.

An HSM is a tamper-evident, tamper-resistant cryptographic device. It stores the encryption keys that your bank uses to process card transactions and verify PINs. It performs the cryptographic operations — PIN block decryption, key generation, digital signature verification — entirely inside its own secure boundary.

Here is the critical property: if someone tries to physically open or tamper with an HSM, it automatically destroys the keys inside. The data is gone. The attack fails. There is nothing to steal.

This is also why your bank cannot "look up" your PIN if you forget it. The PIN is never stored. When you set your PIN, a hash — a one-way mathematical transformation — is stored. When you enter your PIN, the same transformation is applied and compared. Match: approved. No match: declined. The original PIN value is never stored anywhere in recoverable form.

ASSESSOR’S NOTE
HSMs are physically intimidating. They are tamper-evident, meaning if someone tries to open one, it destroys the keys inside. During site visits, I have seen HSMs bolted to server racks with physical access controls, biometric locks, and 24/7 CCTV — all for a box the size of a shoebox. That shoebox is why your card PIN can never be retrieved, only reset.

If someone tries to physically open an HSM, it destroys the keys inside. The data is gone. The attack fails. There is nothing to steal.

From a PCI DSS site assessment — South Asia

When your bank says "hold on"

The fraud scoring system does not have two outcomes. It has three: approve, decline, and escalate.

Escalation is what triggers the experiences you recognise:

OTP — One-Time Password. Your bank sends a six-digit code to your registered number. You enter it. The transaction continues. This is your bank saying: "Risk score is elevated. Let us verify it is actually you."

3D Secure (3DS). For online transactions, 3DS is the layer that takes you to a verification page when you are buying something online. Visa calls it "Visa Secure." Mastercard calls it "Mastercard Identity Check." Same technology.

Biometric approval. If you are using your bank's mobile app to approve a transaction, you may be prompted for your fingerprint or face ID. The app communicates with the bank's authentication system. Clean — and fast.

None of these exist to annoy you. They exist because the fraud scoring system has decided the risk is above its silent threshold. Your bank is not certain it is fraud. It is asking you to confirm it is not.

What this means for you

Your bank is running an extraordinarily sophisticated security infrastructure on your behalf every single time you tap your card. The network security architecture behind a modern payment system would surprise most people who assume their bank is a conservative institution running old technology.

But here is what none of it protects against: you.

Not you being careless — you being targeted at the layer your bank cannot reach. If someone has your mobile banking password, they do not need to break the payment network. They are already inside your account. If your email password is the same as your banking password and your email gets breached, your bank's HSMs and fraud scoring and tokenisation did not help.

Banks protect everything inside their perimeter brilliantly. Your password is outside it.

There are two things worth doing immediately. First, set up transaction alerts on your account if you have not already — your bank's fraud detection is good, but you catching something fast matters. Second, make sure your banking password exists nowhere else. If you are reusing passwords across accounts — and most people are — that is the exposure. Not the payment network. For more on how scammers exploit weak accounts and keeping your devices secure, the security lane has you covered.

RECOMMENDED TOOL

Bitwarden

The free, open-source password manager. Your banking password should exist nowhere else. Bitwarden generates and stores unique passwords for every account — so a breach anywhere else can’t reach your bank.

Get Bitwarden free →
🔒

Affiliate link — we may earn a commission at no cost to you.

What comes next in this series

This was the end-to-end view. The surface. The series goes deeper:

💾

Part 2 — Where Your Card Number Lives

Your bank doesn't store your card number. Neither does Visa. Coming next.

🔑

Part 3 — Why Your Bank Can't Recover Your PIN

Not the helpdesk, not the CEO. One-way cryptography explained. Coming soon.

💰

Part 4 — How Visa Fines Your Bank

The penalties that keep your bank compliant. More alarming than you expect. Coming soon.

🔐CARD SECURITY SERIES

You just read Part 1. Here’s where the series goes:

Part 1You are here

Tap to Beep

The full journey from terminal to approval — encryption, hops, and fraud scoring.

Part 2Coming next

Where Your Card Number Lives

Your card number isn’t stored at your bank. Here’s the tokenisation architecture that replaces it.

Part 3Coming soon

Why Your Bank Can’t Recover Your PIN

Not the helpdesk, not the CEO. This is one-way cryptography doing exactly what it was designed to do.

Part 4Coming soon

How Visa Fines Your Bank

The financial penalties that actually keep your bank compliant — not goodwill, not regulation.

Get the next part in your inbox — no spam, unsubscribe anytime.

Subscribe →