Low Level Design: ATM Network and Banking Switch

ATM networks process card transactions across millions of terminals through authorization switches. The design must be highly available, idempotent, and sub-second responsive to meet the expectations of cardholders and the contractual SLAs of card networks.

ISO 8583 Message Protocol

ATMs communicate with the switch using the ISO 8583 financial message format. A message consists of the MTI (message type indicator), a bitmap indicating which data elements are present, and the data elements themselves: card number, processing code, amount, transmission datetime, STAN (system trace audit number), terminal ID, merchant ID, and PIN block. MTI 0200 is an authorization request, 0210 is the authorization response, and 0420 is a reversal request.

Authorization Switch Flow

The card is inserted and the ATM encrypts the PIN using its HSM (hardware security module), then sends a 0200 authorization request to the acquirer switch. The acquirer routes the request to the card network (Visa or Mastercard) based on the BIN, which is the first 6 digits of the card number. The card network routes the request to the issuer switch. The issuer validates the card, checks the available balance, and applies fraud rules. A 0210 response is returned with a response code: 00 means approved, 51 means insufficient funds, and 05 means do not honor. The ATM dispenses cash or displays an error based on the response code.

PIN Verification

The customer enters their PIN, which the ATM HSM encrypts into a PIN block following ISO 9564 format. The encrypted PIN block is included in the authorization request. The issuer decrypts the PIN block using their own HSM and compares the result with the stored PIN offset. The raw PIN is never transmitted in plaintext. Each incorrect PIN attempt increments a PIN_try_counter on the card record. After 3 wrong attempts the card is blocked and further transactions are declined.

Idempotency and Reversals

Each transaction is uniquely identified by the combination of STAN, terminal_id, and date. The switch deduplicates on this composite key and returns the cached response if a duplicate request is detected. If the ATM does not receive a response within the timeout of 8 seconds, it sends a 0420 reversal message to undo the authorization. Reversals are processed idempotently so that duplicate reversal messages do not double-reverse a transaction.

Account Debit Flow

On approval, the issuer creates two ledger entries: a debit to the customer account and a credit to a suspense account. Cash is then dispensed by the ATM. At end of day, settlement nets all transactions between the acquirer and issuer banks. Settlement failures trigger the chargeback process, in which the issuer disputes the transaction and the acquirer must investigate and resolve the discrepancy.

High Availability

The switch must be active-active with no single point of failure. Geographic redundancy is maintained across two data centers with synchronous replication for transaction state. Each ATM is configured with a failover list and switches to the secondary switch if the primary is unreachable. The target availability is 99.999%, which corresponds to no more than 5.26 minutes of downtime per year.

{ “@context”: “https://schema.org”, “@type”: “FAQPage”, “mainEntity”: [ { “@type”: “Question”, “name”: “What are ISO 8583 MTI message types and how are they used in ATM transactions?”, “acceptedAnswer”: { “@type”: “Answer”, “text”: “ISO 8583 is the international standard for financial transaction messages. The Message Type Indicator (MTI) is a 4-digit code that identifies the message class, function, and origin. The first digit denotes the version (0 = 1987, 1 = 1993, 2 = 2003). The second digit is the message class: 1 = Authorization, 2 = Financial, 4 = Reversal, 8 = Network Management. The third digit is the function: 0 = Request, 1 = Request Response, 2 = Advice, 3 = Advice Response. The fourth digit is the originator: 0 = Acquirer, 2 = Issuer. For example, MTI 0200 is an acquirer financial request (a withdrawal), 0210 is its response, 0400 is a reversal request, and 0800 is a network sign-on message. ATMs send 0200 messages to the banking switch, which routes them to the card issuer; the issuer returns a 0210 with a response code (00 = approved, 51 = insufficient funds, etc.).” } }, { “@type”: “Question”, “name”: “How does STAN-based idempotency and reversal work in a banking switch?”, “acceptedAnswer”: { “@type”: “Answer”, “text”: “The Systems Trace Audit Number (STAN, ISO 8583 field 11) is a 6-digit sequence number assigned by the originating terminal for each transaction within a business day. The banking switch records the STAN along with the terminal ID and transaction date to form a composite idempotency key. If a duplicate 0200 message arrives with the same STAN+terminal+date, the switch returns the cached 0210 response without re-authorizing, preventing double charges from ATM retries. When a transaction must be reversed (e.g., cash not dispensed but account debited), the ATM sends a 0400 Reversal Request carrying the original STAN in field 56 (original data elements). The switch matches the reversal to the original authorization using that key, credits the cardholder’s account, and returns a 0410 Reversal Response. STAN rollover at 999999 resets to 000001, so the date component of the key is essential for uniqueness.” } }, { “@type”: “Question”, “name”: “How does PIN block encryption with an HSM protect cardholder PINs at an ATM?”, “acceptedAnswer”: { “@type”: “Answer”, “text”: “When a cardholder enters a PIN, the ATM’s encrypting PIN pad (EPP) immediately encrypts it into a PIN block using a PIN Encryption Key (PEK) u2014 typically a Triple DES or AES key injected into the EPP at manufacturing time. The PIN block format (e.g., ISO Format 0/1/3/4) XORs the PIN digits with the PAN (card number) to prevent replay attacks. The encrypted PIN block travels through the network to a Hardware Security Module (HSM) at the acquirer or switch. The HSM decrypts the block using the PEK, re-encrypts it under the zone master key shared with the issuer’s HSM, and forwards it. PINs are never present in plaintext outside the tamper-resistant HSM boundary. Key management follows the ANSI X9.24 DUKPT (Derived Unique Key Per Transaction) scheme: each transaction uses a unique derived key, so compromising one transaction key reveals nothing about others.” } }, { “@type”: “Question”, “name”: “How does BIN-based routing direct a card transaction to the correct card network?”, “acceptedAnswer”: { “@type”: “Answer”, “text”: “The Bank Identification Number (BIN), also called the Issuer Identification Number (IIN), is the first 6u20138 digits of a card’s PAN. The banking switch maintains a BIN table u2014 a lookup structure mapping BIN ranges to card networks (Visa, Mastercard, Amex, Discover) and to issuing banks. When a transaction arrives, the switch extracts the BIN from ISO 8583 field 2 (PAN) and performs a longest-prefix match against the BIN table, which may be stored in a trie or a sorted interval table for O(log N) lookup. The result identifies the destination network and the issuer’s host endpoint. The switch then forwards the 0200 message over the appropriate network (e.g., VisaNet, Banknet) using dedicated leased-line or IP VPN connections. BIN tables are updated regularly u2014 Visa and Mastercard publish BIN registry files u2014 and cached in memory with periodic refreshes to avoid database round-trips on hot paths.” } }, { “@type”: “Question”, “name”: “How is an ATM network designed for active-active high availability?”, “acceptedAnswer”: { “@type”: “Answer”, “text”: “An active-active ATM switch architecture runs two or more switch instances simultaneously, each capable of processing any transaction. ATMs connect to both switches via dual network paths (primary and secondary). A shared or replicated transaction log (e.g., via synchronous replication in Oracle RAC, CockroachDB, or a custom Paxos log) ensures that STAN deduplication state is visible to all instances so a failover does not cause a retry to be double-processed. Health checks (TCP keepalives + application-level echo messages, ISO 8583 0800/0810 network management messages) run every few seconds between ATMs and switches. If an ATM’s primary switch connection drops, it re-routes to the secondary within seconds without interrupting in-flight transactions that have already received a response. Load balancers or DNS-based routing distribute traffic across switch instances in steady state. Each switch node is deployed in a separate availability zone or data center so a site failure does not take down the entire network.” } } ] }

Frequently Asked Questions: ATM Network and Banking Switch

What are ISO 8583 MTI message types and how are they used in ATM transactions?
ISO 8583 MTI is a 4-digit code identifying the message class, function, and origin. Key values: 0200 = acquirer financial request (withdrawal), 0210 = its response, 0400 = reversal request, 0800 = network sign-on. The second digit denotes class (1=Authorization, 2=Financial, 4=Reversal, 8=Network Mgmt), the third the function (0=Request, 1=Response, 2=Advice), and the fourth the originator. ATMs send 0200 to the banking switch, which routes to the issuer; the issuer returns 0210 with a response code (00=approved, 51=insufficient funds).

How does STAN-based idempotency and reversal work in a banking switch?
The STAN (ISO 8583 field 11) is a 6-digit sequence number per terminal per business day. The switch stores STAN+terminal+date as a composite idempotency key. Duplicate 0200 messages return the cached 0210 without re-authorizing. For reversals, a 0400 message carries the original STAN in field 56; the switch matches it to the original authorization, credits the account, and returns a 0410. The date component handles STAN rollover at 999999.

How does PIN block encryption with an HSM protect cardholder PINs at an ATM?
The ATM’s encrypting PIN pad encrypts the PIN into a PIN block (e.g., ISO Format 0/3/4) using a Triple DES or AES PIN Encryption Key. The block XORs the PIN with the PAN to prevent replay. An HSM at the acquirer or switch decrypts and re-encrypts under the zone master key before forwarding to the issuer. PINs never appear in plaintext outside the HSM. Key management uses ANSI X9.24 DUKPT: each transaction derives a unique key so a compromised transaction key reveals nothing about others.

How does BIN-based routing direct a card transaction to the correct card network?
The BIN (first 6u20138 digits of the PAN, ISO 8583 field 2) is matched against a BIN table u2014 a range-to-network/issuer lookup stored as a trie or sorted interval table for O(log N) lookup. The result identifies the card network (Visa, Mastercard, Amex, Discover) and the issuer’s endpoint. The switch forwards the 0200 message over the corresponding network connection. BIN tables are updated from registry files published by the card networks and cached in memory with periodic refreshes.

How is an ATM network designed for active-active high availability?
Multiple switch instances run simultaneously, each able to process any transaction. ATMs maintain dual connections (primary + secondary switch). A shared transaction log (synchronous replication via Oracle RAC, CockroachDB, or Paxos) keeps STAN deduplication state consistent across instances. ISO 8583 0800/0810 echo messages serve as application-level heartbeats. On primary-link failure the ATM re-routes to the secondary within seconds. Switch nodes are deployed across separate availability zones so a site outage does not affect the full network.