In the typical credit card transaction, once a merchant accepts a credit card and enters card information into a payment system, the card data is sent to an acquirer and payment processor for routing. In principle, the acquirer and payment processor can be separate entities; in practice, these processors—at least the major ones—are one entity.
The acquirer and payment processor route the transaction data to the governing brand (e.g., VISA, MasterCard, etc.), which forwards the data to the issuing bank. The issuing bank verifies that the card account is legitimate and contains sufficient funds, sending an authorization number back to the brand. The brand than sends the authorization and card data back down the chain
A small number of acquirers dominate the market. In a 2012 report, “Challenges & Opportunities for Merchant Acquirers,” CapGemini estimated that the top 10 acquirers in the world handled nearly 50 percent of the global cards transaction volume in 2010, basing the estimate on data from “Top 150 Acquirers Worldwide,” from The Nilson Report, October 2011.
Source: Aggregated Cyber Risk: The Nightmare Scenarios by AIR Worldwide, citing information from a First Data white paper, “Where Security Fits in the Payments Processing Chain” by First Data Thought Leadership and R. McMillon, May 2010.