Payment Gateway

13,043 views

An introduction to how a payment gateway works, with some security issues.
Uploaded as Microsoft PowerPoint. © All Rights Reserved.
Comments

  • Useful document
  • Easy to understand via using pictures in the presentation. Good one.
  • very useful data
  • good one for beginners
  • Really it’s useful for people who are working on payment gateway related projects
Presentation Transcript

  • Payment Gateway
  • Agenda
    • Terminology
    • Payment Gateway life cycle
    • Types of Payment Gateways
    • Advantages and Disadvantages
    • Security Issues
      • Vulnerabilities
      • Related Vulnerabilities
      • “Must Do” list
    • Payment Gateway Implementation over SSL
    • What to ask third-party payment gateway providers?
    • Example
    • Most famous payment gateways
    • Questions
  • Some Terminology:
    • Individuals
      • Merchant – seller of goods
      • Customer – buyer of goods
    • Institutions
      • Customer’s Issuing Bank – provides customer’s credit card information and verification
      • Merchant’s Acquiring Bank – provides internet merchant account
      • Processor – authorizes credit card transactions and settles funds for merchants
  • Basic Element Interactions:
    • Processes
      • Authorization – the process of verifying a customer’s credit card
      • Settlement – the process of collecting funds from the customer’s account
    • Services
      • Payment Processing Service – connects merchants, customers, and banks through secure online transactions.
      • Gateway – the secure pipe between the banks and the processor
  • Authorization Process
    • 1. Customer decides to make an online purchase and inputs credit card information
    • 2. Merchant’s website receives customer information and sends it to a payment processing service
    • 3. Payment processing service routes information to processor
    • 4. Processor routes information to bank that issued customer’s credit card (issuing bank)
    • 5. Issuing bank sends authorization (or declination) to processor
    • 6. Processor routes transaction results to payment processing service
    • 7. Payment processing service sends results to merchant
    • 8. Merchant decides to accept or reject purchase
    [Diagram: steps 1–8 drawn between Customer, Merchant, Payment Processing Service, Processor and Customer’s issuing bank]
  • Settlement Process
    • 1. Merchant informs the payment processing service to settle transactions
    • 2. Payment processing service sends transaction information to the processor
    • 3. Processor checks the information and forwards settled transaction information to the issuing bank
    • 4. Issuing bank transfers funds to the processor
    • 5. Processor routes funds to the acquiring bank
    • 6. Acquiring bank credits merchant’s bank account
    • 7. Issuing bank includes merchant’s charge on customer’s credit card account
    [Diagram: steps 1–7 drawn between Customer, Merchant, Payment Processing Service, Processor, Customer’s issuing bank and Merchant’s acquiring bank]
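The two flows above, modelled as message passing between the parties. This is an added example written for this transcript, not code from the slides or from any processor; every party, card number, credit line and message shape is a constructed assumption. One design choice is added on top of the slides: the payment processing service hands the merchant a token plus the last four digits, so the merchant can settle later without ever holding the full card number.

```python
from dataclasses import dataclass, field


@dataclass
class IssuingBank:
    """Authorization step 5 / settlement step 4: the only party that sees
    the customer's credit line and decides approve or decline."""
    credit_lines: dict                          # PAN -> available credit (constructed)
    holds: dict = field(default_factory=dict)   # auth_code -> amount on hold

    def authorize(self, pan, amount):
        if self.credit_lines.get(pan, 0.0) < amount:
            return {"approved": False, "reason": "declined"}
        self.credit_lines[pan] -= amount        # place a hold on the funds
        code = f"AUTH{len(self.holds) + 1:04d}"
        self.holds[code] = amount
        return {"approved": True, "auth_code": code}

    def settle(self, auth_code):
        # Release the held funds to the processor; unknown codes settle nothing.
        return self.holds.pop(auth_code, 0.0)


@dataclass
class AcquiringBank:
    """Settlement step 6: credits the merchant's account."""
    balances: dict = field(default_factory=dict)

    def credit(self, merchant_id, amount):
        self.balances[merchant_id] = self.balances.get(merchant_id, 0.0) + amount


class Processor:
    """Authorization steps 3/4/6 and settlement steps 2/3/5: routes messages
    and funds between the service and the banks, but makes no decision."""

    def __init__(self, issuer, acquirer):
        self.issuer, self.acquirer = issuer, acquirer

    def route_authorization(self, request):
        return self.issuer.authorize(request["pan"], request["amount"])

    def settle(self, merchant_id, auth_codes):
        total = sum(self.issuer.settle(code) for code in auth_codes)
        self.acquirer.credit(merchant_id, total)
        return total


class PaymentProcessingService:
    """Authorization steps 2/7 and settlement step 1: the merchant's only
    contact. Added design choice: the merchant receives a token and the last
    four digits, never the full PAN."""

    def __init__(self, processor):
        self.processor = processor
        self.vault = {}                         # token -> auth_code (stays here)

    def charge(self, pan, amount):
        result = self.processor.route_authorization({"pan": pan, "amount": amount})
        if not result["approved"]:
            return result
        token = f"tok_{len(self.vault) + 1}"
        self.vault[token] = result["auth_code"]
        return {"approved": True, "token": token, "last4": pan[-4:]}

    def settle(self, merchant_id, tokens):
        codes = [self.vault.pop(t) for t in tokens if t in self.vault]
        return self.processor.settle(merchant_id, codes)


def run_day():
    """Two purchases (one approved, one declined) followed by end-of-day settlement."""
    issuer = IssuingBank({"4111111111111111": 500.0, "5555555555554444": 20.0})  # constructed
    acquirer = AcquiringBank()
    service = PaymentProcessingService(Processor(issuer, acquirer))
    orders = []
    # Authorization step 1: customers submit card details at checkout.
    for pan, amount in [("4111111111111111", 120.0), ("5555555555554444", 75.0)]:
        result = service.charge(pan, amount)
        # Step 8: the merchant accepts approved orders and keeps only token + last4.
        if result["approved"]:
            orders.append({"token": result["token"], "last4": result["last4"], "amount": amount})
    # Settlement step 1: the merchant asks the service to settle the approved orders.
    settled = service.settle("merchant-1", [o["token"] for o in orders])
    return {
        "approved_orders": len(orders),
        "settled": settled,
        "merchant_balance": acquirer.balances.get("merchant-1", 0.0),
        "issuer_remaining": issuer.credit_lines,
        "merchant_records": orders,
    }


if __name__ == "__main__":
    print(run_day())
```

Running `run_day()` approves the first purchase (credit line 500 covers 120), declines the second (credit line 20 cannot cover 75), and settles 120 into the merchant's acquiring account. Note which party holds what afterwards: the issuer holds the card numbers and credit lines, the service holds the token-to-authorization mapping, and the merchant's own records contain only tokens, amounts and last-four digits.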
  • PayPal (as an example): an all-in-one solution
    [Diagram: Customer, Merchant, Customer’s issuing bank, Merchant’s acquiring bank, Processor, Payment Processing Service]
  • Payment Gateway Types
    • COM based gateways
      • Require that you install software (a DLL provided by the gateway company) on your web hosting server
      • Require that you have your own dedicated SSL certificate
    • XML transport gateways
      • Do NOT require a DLL install; they use a facility already installed on most Windows servers
      • Require an SSL certificate
    • FORM based gateways
      • Do not require any extra software to be installed on your web hosting server
      • Some, but not all, require that you have your own SSL certificate
  • Advantages and Disadvantages (for user)
    • Advantages
      • Credit card validation and processing in real time
      • Money is normally deposited into the bank account automatically (transparency)
      • Reports are auto-generated for users
      • Doesn’t need special user deployment (a browser is adequate)
    • Disadvantages
      • Fixed fee per month
      • Percentage fee per amount spent
      • Fixed fee per transaction
      • The user’s bank or the gateway’s bank will charge a merchant fee for the privilege of allowing credit card purchases; this can range from 1–5% or more
  • Some Security Issues
    • Vulnerabilities … leading to losses:
      • An estimated $2.8B USD was lost to online fraud in the U.S. and Canada in 2005
      • The rate of credit card fraud for online sales is three to four times higher than the overall fraud rate
      • Authentication is a challenge
      • Hackers can break into a merchant’s network
      • Hackers can also steal customer identities
      • Recorded session attack
  • Common Fraud-Related Risks
    • Identity theft – Using stolen information to open new credit cards
    • Cash theft – Issuing unauthorized credits or payments
    • Accessing payment networks – Accessing a payment network to complete fraud
    • Product theft – Using a stolen credit card to purchase goods and services
    • Chargebacks – A cardholder disputes a credit card purchase
  • How to Protect Your Business Against Fraud
    • 1. Transaction Level – Ensure each transaction you accept and process is valid, and be careful in reviewing suspicious transactions because some may be valid.
    • 2. Account Level – Make sure only authorized users have access to your payment gateway account, and be alert for suspicious account access patterns.
    • 3. Network Level – Ensure your perimeter is defended against unauthorized access.
  • Your Disclosure Policy Tells Customers that You Are Honest and Dependable
    • Business Description – Explains what the company does
    • Shipping Policy – Details shipping terms, shipping classes offered, & expected delivery timeframe
    • Privacy Policy – Describes how the company treats and protects customers’ information
    • Return Policy – Provides clear guidelines on how a return is handled
    • Contact Information – Makes it easy for customers to get in touch with the merchant via different communication channels
  • Security basics “must do” list (Control Objective → Requirement)
    • Build and Maintain a Secure Network
      • Install and maintain a firewall configuration to protect cardholder data
      • Do not use vendor-supplied defaults for system passwords and other security parameters
    • Protect Cardholder Data
      • Protect stored cardholder data
      • Encrypt transmission of cardholder data across open, public networks
    • Maintain a Vulnerability Management Program
      • Use and regularly update anti-virus software
      • Develop and maintain secure systems and applications
    • Implement Strong Access Control Measures
      • Restrict access to cardholder data by business need-to-know
      • Assign a unique ID to each person with computer access
      • Restrict physical access to cardholder data
    • Regularly Monitor and Test Networks
      • Track and monitor all access to network resources and cardholder data
      • Regularly test security systems and processes
    • Maintain an Information Security Policy
      • Maintain a policy that addresses information security
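What “protect stored cardholder data” and “track and monitor all access” look like in a merchant’s own code, as an added example that is not part of the slides or of any gateway’s SDK: a Luhn check (the real-time card validation mentioned earlier), a masking function that shows at most the first six and last four digits, a log redactor that masks only digit runs that pass Luhn (so order ids and timestamps survive), and a keyed one-way hash that lets the merchant recognise a returning card without storing the number. The log lines and the HMAC key are constructed test data; in practice the key would come from a secrets store.

```python
import hashlib
import hmac
import re

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn check: the real-time card-number validation a gateway performs
    before anything is sent to the processor."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a PAN as first six + last four; everything between is replaced."""
    digits = "".join(c for c in pan if c.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid card number in a line before it is logged.
    Digit runs that fail Luhn (order ids, timestamps) are left untouched."""
    def _mask(match):
        candidate = match.group(0)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return PAN_PATTERN.sub(_mask, text)


def card_reference(pan: str, key: bytes) -> dict:
    """What the merchant may keep about a card: the last four digits plus a
    keyed one-way hash for "same card as last time?" lookups. The key is
    assumed to be held in a secrets store, never beside the records."""
    digits = "".join(c for c in pan if c.isdigit())
    ref = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()
    return {"last4": digits[-4:], "ref": ref}


# Constructed sample log lines; 4111... and 5555... are the usual test PANs.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z order=1001 pan=4111 1111 1111 1111 amount=120.00",
    "2024-01-01T10:00:05Z order=1002 pan=5555-5555-5555-4444 amount=75.00",
    "2024-01-01T10:00:09Z order=1234567890123456 status=ok",
]


def redact_log(lines=SAMPLE_LOG):
    """Apply the redactor to each line; returns the lines safe to write."""
    return [redact_pans(line) for line in lines]


if __name__ == "__main__":
    for line in redact_log():
        print(line)
    print(card_reference("4111 1111 1111 1111", b"constructed-key"))
```

The third sample line keeps its 16-digit order id because it fails the Luhn check, while the two real-looking card numbers are masked regardless of how they were separated. Redacting at the point of logging, rather than scrubbing log files afterwards, is what keeps full PANs out of the monitoring systems that the “track and monitor” requirement sends every access record to.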
  • Payment Gateway Implementation over SSL – refer to the attached PDF “Payment Gateway Implementation.pdf”
  • What to ask third-party payment gateway providers?
    • How long has this company been in service?
    • What is the company history?
    • How long has their particular software package been in use?
    • Can you test a demo of the software?
    • How much will the setup and service bundle cost?
    • How much are the processing costs and fees?
    • Does the system need special installation equipment?
    • Does the system provide extra services?
    • What level of support is provided by this third party?
    • Which existing customers already use this system?
    • What authentication and authorization does the system provide?
  • An example of applying to a payment gateway (WorldPay) – refer to the attached PPS “worldpay application.pps”
  • Most famous Payment Gateways
  • Questions
    Confidential and Proprietary