Overview
Payment gateway

A Payment Gateway/Payment Service Provider (PG/PSP) facilitates the transfer of information between a payment portal (such as a website) and the Front End Processor or acquiring bank. It offers merchants online services for accepting electronic payments by a variety of payment methods including credit card, bank-based payments such as direct debit, bank transfer and real-time bank transfer based on online banking.
Connectivity
Type of connectivity

• Direct XML API solution - all actions are performed within the merchant's own website (online booking engine) environment; credit card data is processed via an XML API connection.
• Generic solution (redirection) – the merchant’s website redirects the customer to a third-party acquirer’s payment page, where the credit card data is submitted and processed. If the payment is successful, the system redirects the customer back to the merchant's webpage to complete the process. Alternatively, redirection can be done after the booking process is complete.
Processing
Payment processing

• An order is submitted via a website; the customer's web browser encrypts the information to be sent between the browser and the merchant's web server. This is done via SSL (Secure Sockets Layer) encryption.
• The merchant then forwards the transaction details to their payment gateway. This is another SSL-encrypted connection, to the payment server hosted by the payment gateway.
• The payment processor forwards the transaction information to the card association (i.e., Visa/MasterCard).
• The credit card issuing bank receives the authorization request and sends a response back to the processor (via the same process as the request for authorization) with a response code. In addition to determining the fate of the payment (i.e., approved or declined), the response code is used to define the reason why the transaction failed (such as insufficient funds, or bank link not available).
• The payment gateway receives the response and forwards it on to the website (or whatever interface was used to process the payment), where it is interpreted as a relevant response and then relayed back to the cardholder and the merchant. The entire process typically takes 2–3 seconds.
• The merchant submits all their approved authorizations, in a "batch", to their acquiring bank for settlement.
• The acquiring bank deposits the total of the approved funds into the merchant's nominated account. This could be an account with the acquiring bank, if the merchant does their banking with the same bank, or an account with another bank.
• The entire process from authorization to settlement to funding typically takes up to 3 days.
3-D Secure

3-D Secure is an XML-based protocol used as an added layer of security for online credit and debit card transactions. It was developed by Visa to improve the security of Internet payments. It adds another authentication step for online payments. In most current implementations of 3-D Secure, the issuing bank prompts the buyer for a password that is known only to the bank/ACS provider and the buyer. Since the merchant does not know this password and is not responsible for capturing it, it can be used by the issuing bank as evidence that the purchaser is indeed their cardholder.
This decreases risk in two ways:
• Copying card details, either by writing down the numbers on the card itself or by way of modified terminals or ATMs, does not result in the ability to purchase over the Internet because of the additional password, which is not stored on or written on the card.
• Since the merchant does not capture the password, there is a reduced risk from security incidents at online merchants; while an incident may still result in hackers obtaining other card details, there is no way for them to get the associated password.
PCI DSS compliance
Compliance

In order to be able to accept online payments, a merchant has to meet certain standards and requirements. There are 12 requirements for compliance in the Payment Card Industry Data Security Standard (PCI DSS), organized into six logically related groups. Validation and certification of compliance can be performed either internally or externally, with the assistance of the PCI Requirements, depending on the volume of card transactions the merchant organization is handling. Regardless of the size of the organization, compliance must be assessed annually.
Benefits
Key Benefits

• Long term reduction of costs
• Automation of payment processing
• Fraud detection tools
• Flexibility - partial or full capture
• Accept online payments 24/7
• Improved security – PCI DSS
Future Trends

With the development of wireless technologies and the online industry, it becomes clear that in the near future credit cards will become obsolete. In development are new online and offline mobile payment technologies which allow for increased flexibility of using your mobile device, which has all your credit card data encrypted and stored within your SIM card. This will allow for future merging of online banking and mobile services together and usage of the full potential of wireless technologies. Here are some in-development as well as already implemented technologies:
Online payment

• Online payments - All credit card, debit card and bank account details are encrypted and stored within the mobile device. When a customer reaches a payment page online, the mobile device recognizes it and suggests the payment methods available on it. The details of the desired payment method are then prepopulated automatically on the payment page. Authorization of a transaction is only done via touchscreen fingerprint recognition software as well as a password, to prevent data theft in case of lost or stolen mobile devices.
Offline payment

• Offline payments – also known as Near Field Communication (NFC), where the actual mobile device serves as a payment device. A consumer using a special mobile phone equipped with a smartcard waves his/her phone near a reader module. The customer then gets prompted (optionally) for a password on the mobile device to authorize the charge. This technology is already available in multiple shopping points worldwide.