
In document Felipe Lacouture Fornelli (pages 25-31)

• Nokia 6216 Classic
• Nokia 6212 Classic
• Nokia 6131 NFC
• Nokia 3220 + NFC Shell
• Nokia 5140(i) + NFC Shell
• Samsung S5230 Tocco Lite/Star/Player One/Avila
• Samsung SGH-X700 NFC
• Samsung D500E
• SAGEM my700X Contactless
• LG 600V contactless
• Motorola L7 (SLVR)
• Benq T80
• Sagem Cosyphone
• Google Nexus S
• Google Nexus S 4G
• Samsung Galaxy S II
• Samsung Wave 578
• BlackBerry Bold 9900/9930
• Nokia N9

Chapter - 5

Payment Gateway and Payment Processor

5.1 What is a Payment Gateway?

A payment gateway is an application that authorizes payments for e-businesses, online retailers, bricks-and-clicks businesses, or traditional brick-and-mortar stores. It is the equivalent of the physical point-of-sale terminal found in most retail outlets. Payment gateways protect card details by encrypting sensitive information, such as card numbers, so that it passes securely between the customer and the merchant, and between the merchant and the payment processor.

5.1.1 How do payment gateways work?

A payment gateway facilitates the transfer of information between a payment portal (such as a website, mobile phone or IVR service) and the Front End Processor or acquiring bank. When a customer orders a product from a payment gateway-enabled merchant, the payment gateway performs a variety of tasks to process the transaction:

1. A customer places an order on a website by pressing the 'Submit Order' or equivalent button, or perhaps enters their card details using an automatic phone answering service.

2. If the order is placed via a website, the customer's web browser encrypts the information sent between the browser and the merchant's web server. This is done via SSL (Secure Sockets Layer) encryption.

3. The merchant then forwards the transaction details to their payment gateway. This is another SSL encrypted connection to the payment server hosted by the payment gateway.

4. The payment gateway forwards the transaction information to the payment processor used by the merchant's acquiring bank.

5. The payment processor forwards the transaction information to the card association (e.g., Visa/MasterCard).

   a. If an American Express or Discover card was used, the processor acts as the issuing bank and directly returns a response of approved or declined to the payment gateway.

   b. Otherwise, the card association routes the transaction to the correct card-issuing bank.

6. The card-issuing bank receives the authorization request and sends a response back to the processor (via the same path as the authorization request) with a response code. In addition to determining the fate of the payment (i.e. approved or declined), the response code indicates the reason a transaction failed (such as insufficient funds, or bank link not available).

7. The processor forwards the response to the payment gateway.

8. The payment gateway receives the response, and forwards it on to the website (or whatever interface was used to process the payment) where it is interpreted as a relevant response then relayed back to the cardholder and the merchant.

9. The entire process typically takes 2–3 seconds.

10. The merchant submits all their approved authorizations, in a "batch", to their acquiring bank for settlement via their processor.

11. The acquiring bank deposits the total of the approved funds into the merchant's nominated account. This could be an account with the acquiring bank if the merchant does their banking with the same bank, or an account with another bank.

12. The entire process from authorization to settlement to funding typically takes 3 days.

Many payment gateways also provide tools to automatically screen orders for fraud and calculate tax in real time before the authorization request is sent to the processor. Fraud detection tools include geolocation, velocity pattern analysis, delivery address verification, computer fingerprinting technology, identity morphing detection, and basic AVS checks.

5.1.2 Security Features of a Payment Gateway

• Since the customer is usually required to enter personal details, the entire communication with the 'Submit Order' page (i.e. customer to payment gateway) is often carried out over the HTTPS protocol.

• To validate the payment page result, a signed request is often used: a hash computed over the request parameters together with a «secret word» known only to the merchant and the payment gateway.

• To validate the payment page result, the IP address of the requesting server is sometimes verified as well.

• There is growing support by acquirers, issuers and consequently by payment gateways for Virtual Payer Authentication (VPA), implemented as the 3-D Secure protocol and branded as Verified by VISA, MasterCard SecureCode and J/Secure by JCB, which adds an additional layer of security for online payments. 3-D Secure promises to alleviate some of the problems facing online merchants, such as the inherent distance between seller and buyer and the inability of the former to easily confirm the identity of the latter.
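The signed-request and source-address checks listed above are what a merchant's callback handler actually runs when the gateway posts a payment result. The following is an added example, not code from the original text or from any gateway; the secret word, the gateway address range, the order store and the message fields are all constructed placeholders. It uses a keyed HMAC over a canonical serialization of the parameters (rather than a bare hash of "parameters + secret"), compares signatures in constant time, and additionally ties the result to an order on file so a validly signed result cannot be replayed against a different order or amount.

```python
import hashlib
import hmac
import ipaddress
from decimal import Decimal
from urllib.parse import urlencode

# Constructed placeholders: the "secret word" shared by merchant and gateway,
# and the network the gateway sends results from. Not values of any real gateway.
SECRET_WORD = b"example-shared-secret-word"
GATEWAY_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed merchant-side order store: order id -> amount the merchant expects.
ORDERS = {"ORD-1001": Decimal("49.90")}


def canonical_string(params: dict) -> str:
    """Serialize the result parameters deterministically (sorted keys, the
    signature field itself excluded) so both sides hash exactly the same bytes."""
    items = sorted((k, str(v)) for k, v in params.items() if k != "signature")
    return urlencode(items)


def sign_params(params: dict, secret: bytes = SECRET_WORD) -> str:
    """Gateway side: HMAC-SHA256 of the canonical string, keyed with the secret word."""
    return hmac.new(secret, canonical_string(params).encode(), hashlib.sha256).hexdigest()


def verify_result(params: dict, source_ip: str, secret: bytes = SECRET_WORD) -> tuple[bool, str]:
    """Merchant side: accept a payment-page result only if it arrives from a
    gateway address, carries a valid signature, and matches the order on file."""
    if not any(ipaddress.ip_address(source_ip) in net for net in GATEWAY_NETWORKS):
        return False, "source address not in gateway allow-list"
    provided = str(params.get("signature", ""))
    expected = sign_params(params, secret)
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    if not hmac.compare_digest(provided, expected):
        return False, "signature mismatch"
    order_id = params.get("order_id")
    if order_id not in ORDERS:
        return False, "unknown order"
    if Decimal(str(params.get("amount", "0"))) != ORDERS[order_id]:
        return False, "amount does not match order"
    if params.get("status") != "approved":
        return False, "payment not approved"
    return True, "ok"


def demo() -> dict:
    """Run the checks over constructed messages and return the verdicts."""
    result = {"order_id": "ORD-1001", "amount": "49.90", "status": "approved", "currency": "USD"}
    result["signature"] = sign_params(result)           # what the gateway would send
    genuine = verify_result(result, "203.0.113.10")

    # Amount altered after signing: the HMAC no longer matches.
    tampered = dict(result, amount="0.01")
    forged = verify_result(tampered, "203.0.113.10")

    # Genuine message relayed from an address outside the gateway's range.
    wrong_ip = verify_result(result, "198.51.100.7")
    return {"genuine": genuine, "tampered": forged, "wrong_ip": wrong_ip}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The order lookup is the check most often missing in practice: a signature proves the gateway produced the message, not that it belongs to the order the merchant is about to fulfil.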

5.1.3 Some of the Leading Payment Gateways Globally

1) Authorize.net
2) Cybersource
3) First Data
4) RBS WorldPay
5) Paypal Payflow
6) Skipjack
7) Orbital/Paymentech
8) 2Checkout.com
9) ElysNet (France)
10) EProcessingNetwork
11) eSelectPlus / Moneris (Canada)
12) Evertec MMPay (Latin America)
13) eWAY (Australia, UK, NZ)
14) First Atlantic Commerce
15) EBS (India)
16) ICICI (Payseal)
17) Maybankcard / Maybank2U (Malaysia)
18) St. George / IPN (Australia)

5.2 What is a Payment Processor?

A payment processor is a company (often a third party) appointed by a merchant to handle credit card transactions for merchant banks. They are usually broken down into two types: front-end and back-end.

Front-end processors have connections to various card associations and supply authorization and settlement services to the merchant banks' merchants. Back-end processors accept settlements from front-end processors and, via the Federal Reserve Bank, move the money from the issuing bank to the merchant bank.

In an operation that usually takes a few seconds, the payment processor both checks the details received, by forwarding them to the card's issuing bank or card association for verification, and carries out a series of anti-fraud measures against the transaction.

Additional parameters, including the card’s country of issue and its previous payment history, are also used to gauge the probability of the transaction being approved.

Once the payment processor has received confirmation that the credit card details have been verified, the information will be relayed back via the payment gateway to the merchant, who will then complete the payment transaction. If verification is denied by the card association, the payment processor will relay the information to the merchant, who will then decline the transaction.

Authorize.Net manages the complex routing of the data on behalf of the merchant through the following steps/entities:

1. Authorize.Net passes the secure transaction information via a secure connection to the Processor.

2. The Merchant Bank's Processor submits the transaction to the credit card network (like Visa or MasterCard). The credit card network routes the transaction to the bank that issued the credit card to the customer.

3. The issuing bank approves or declines the transaction based on the customer's available funds and passes the transaction results back to the credit card network.

4. The credit card network relays the transaction results to the merchant bank's processor. The processor relays the transaction results to Authorize.Net.

5. Authorize.Net stores the transaction results and sends them to the website for the customer and merchant to see.

6. The issuing bank sends the appropriate funds for the transaction to the credit card network, which passes the funds to the merchant's bank.

7. The bank then deposits the funds into the merchant's bank account. This is called 'settlement', and typically the transaction funds are deposited into the merchant's primary bank account within two to four business days.

5.2.1 The Payment Processing Network

Here's a breakout of the participants and elements involved in processing payments:

• Acquiring Bank: In the online payment processing world, an Acquiring Bank provides Internet Merchant Accounts. A merchant must open an Internet Merchant Account with an Acquiring Bank to enable online credit card authorization and payment processing. Examples of Acquiring Banks include Merchant eSolutions and most major banks.

• Authorization: The process by which a customer's credit card is verified as active and that they have the credit available to make a transaction. In the online payment processing world, an authorization also verifies that the billing information the customer has provided matches up with the information on record with their credit card company.

• Credit Card Association: A financial institution that provides credit card services that are branded and distributed by Customer Issuing Banks. Examples include Visa® and MasterCard®.

• Customer: The holder of the payment instrument-such as credit card, debit card, or electronic check.

• Customer Issuing Bank: A financial institution that provides a customer with a credit card or other payment instrument. Examples include Citibank, Suntrust, etc. During a purchase, the Customer Issuing Bank verifies that the payment information submitted to the merchant is valid and that the customer has the funds or credit limit to make the proposed purchase.

• Internet Merchant Account: A special account with an Acquiring Bank that allows the merchant to accept credit cards over the Internet. The merchant typically pays a processing fee for each transaction processed, also known as the discount rate. A merchant applies for an Internet Merchant Account in a process similar to applying for a commercial loan. The fees charged by the Acquiring Bank will vary.

• Merchant: Someone who owns a company that sells products or services.

• Payment Processing Service: A service that provides connectivity among merchants, customers, and financial networks to process authorizations and payments. The service is usually operated by a third-party provider such as VeriSign.

• Processor: A large data center that processes credit card transactions and settles funds to merchants. The processor is connected to a merchant's site on behalf of an Acquiring Bank via a Payment Processing Service.

• Settlement: The process by which transactions with authorization codes are sent to the processor for payment to the merchant. Settlement is a sort of electronic bookkeeping procedure that causes all funds from captured transactions to be routed to the merchant's acquiring bank for deposit.

5.2.2 How Payment Processing Works

Payment processing in the online world is similar to payment processing in the offline or "brick and mortar" world, with a few exceptions. In the online world, the store and the transaction are virtual. This means that the card is "not present" at the transaction and that the transaction information is submitted and processed via the merchant store network. Because of this, merchants are held liable for fraudulent transactions by the credit card associations. Merchants must take additional steps against online fraud, including verifying that the card information is being submitted by the actual owner of the card and protecting their store and network infrastructure against hacking attempts.

Payment processing can be divided into two major phases or steps: authorization and settlement. Authorization verifies that the card is active and that the customer has sufficient credit available to make the transaction. Settlement involves transferring money from the customer's account to the merchant's account. Online payment processing may also allow you to set up automatically recurring billing payments, if your payment processing service provider offers this feature.

5.2.3 Payment Processing - Authorization

5.2.3.1 Online

1. Customer decides to make a purchase on Merchant's Web site, proceeds to check-out and inputs credit card information.

2. The Merchant's Web site receives customer information and sends transaction information to the Payment Processing Service.

3. Payment Processing Service routes information to the Processor.

4. Processor sends information to the Issuing Bank of the Customer's credit card.

5. Issuing Bank sends transaction result (authorization or decline) to the Processor.

6. Processor routes transaction result to the Payment Processing Service.

7. Payment Processing Service passes result information to Merchant.

8. Merchant accepts or rejects transaction and ships goods if necessary. Because this is a "card not present" transaction, the Merchant should take additional precautions to ensure that the card has not been stolen and that the customer is the actual owner of the card.

5.2.3.2 Brick and Mortar

1. Customer selects item(s) to purchase, brings them to cashier, and hands credit card to Merchant.

2. Merchant swipes card and transfers transaction information to a point of sale terminal.

3. Point of sale terminal routes information to the Processor via dial-up connection (for the purposes of the graphic above, the point of sale terminal takes the place of the Payment Processing Service in the offline world).

4. Processor sends information to the Issuing Bank of the Customer's credit card.

5. Issuing Bank sends transaction result (authorization or decline) to the Processor.

6. Processor routes transaction result to the point of sale terminal.

7. Point of sale terminal shows Merchant whether the transaction was approved or declined.

8. Merchant tells the Customer the outcome of the transaction. If approved, Merchant has the Customer sign the credit card receipt and gives the item(s) to the Customer.

5.2.4 Payment Processing-Settlement

The settlement process transfers authorized funds for a transaction from the customer's bank account to the merchant's bank account. The process is basically the same whether the transaction is conducted online or offline.

Chapter - 6

Payment Card Industry Security Standards

PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect cardholder data. The standards globally govern all merchants and organizations that store, process or transmit this data, and include specific requirements for software developers and manufacturers of applications and devices used in the transaction process. Compliance with the PCI security standards is enforced by the major payment card brands who established the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

PCI Standards Include:

6.1 PCI Data Security Standard:

The PCI DSS applies to any entity that stores, processes, and/or transmits cardholder data. It covers technical and operational system components included in or connected to cardholder data. If your business accepts or processes payment cards, it must comply with the PCI DSS.

PIN Transaction Security Requirements:

The PCI PTS applies to manufacturers who specify and implement device characteristics and management for personal identification number (PIN) entry terminals used for payment card financial transactions.

Payment Application Data Security Standard:

The PA-DSS is for software developers and integrators of applications that store, process or transmit cardholder data as part of authorization or settlement. It governs those applications that are sold, distributed or licensed to third parties.

PCI DSS is a set of 12 requirements designed to secure and protect customer payment data, as most security breaches could be avoided if merchants:

• Remove sensitive authentication data and limit data retention

• Protect the perimeter, internal and wireless networks

• Secure applications

• Protect through monitoring and access control
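The first point, removing sensitive authentication data and limiting what is retained, is the one most directly enforceable in code. Below is an added example, not code from the original text or from the PCI Security Standards Council: a sanitizer that a merchant application could run on a transaction record before it is written to a database or a log. It drops the fields PCI DSS classes as sensitive authentication data (full track contents, card verification codes, PIN data), masks the PAN to the first six and last four digits, and also scrubs any Luhn-valid card number that was pasted into a free-text field. The field names and the record are constructed for the demonstration.

```python
import re
from typing import Any

# Fields PCI DSS treats as sensitive authentication data (SAD). They must not be
# retained after authorization, so the sanitizer drops them outright.
# Field names are constructed for this example.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a PAN as first six and last four digits, the most PCI DSS permits
    to be displayed; the digits in between are replaced."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_text(text: str) -> str:
    """Mask any Luhn-valid card number embedded in free text (notes, log lines)."""
    def repl(m: re.Match) -> str:
        candidate = re.sub(r"\D", "", m.group(0))
        return mask_pan(candidate) if luhn_valid(candidate) else m.group(0)
    return PAN_PATTERN.sub(repl, text)


def sanitize_record(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of a transaction record that is safe to store or log."""
    clean: dict[str, Any] = {}
    for key, value in record.items():
        if key.lower() in SENSITIVE_AUTH_FIELDS:
            continue                        # SAD is never retained
        if key.lower() == "pan":
            clean[key] = mask_pan(str(value))
        elif isinstance(value, str):
            clean[key] = scrub_text(value)  # catch PANs typed into other fields
        else:
            clean[key] = value
    return clean


if __name__ == "__main__":
    # Constructed record using well-known test card numbers, not real accounts.
    sample = {
        "pan": "4111 1111 1111 1111",
        "cvv2": "123",
        "track2": "4111111111111111=27121010000000000000",
        "expiry": "12/27",
        "notes": "customer called, card 5555555555554444 declined earlier",
    }
    print(sanitize_record(sample))
```

Run the sanitizer at the boundary where data leaves the authorization path (logging middleware, ORM save hooks), not only in the one place you remember to call it; the free-text scrub exists precisely because card numbers turn up in support notes and error messages.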

6.2 The 12 requirements of the standard

PCI DSS features a group of principles and a set of requirements that aim to safeguard sensitive card data across the card payment industry:

Build and maintain a secure network

1. Install and maintain a firewall configuration to protect cardholder data

2. Don't use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

Implement strong access control measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an information security policy

Chapter - 7

Card Present and Card Not Present

Transactions

Card present transactions are those in which both the card and the cardholder are present at the point of sale. Merchants are required to take all reasonable steps to assure that the card, cardholder, and transaction are legitimate. Proper card acceptance begins and ends with sales staff and is critical to customer satisfaction and profitability.

On the back of every credit and debit card is a magnetic stripe. The stripe contains the cardholder name, card account number, and expiration date, as well as special security information designed to help detect counterfeit cards. When the stripe is swiped through the terminal, this information is electronically read and relayed to the card issuer, who then uses it as crucial input for the authorization decision. Merchants are charged different levels of fees by the card transaction processors (such as Visa, MasterCard), depending on the level of fraud risk. Card present transactions, because the card is available for inspection, are considered less risky and therefore carry lower fees than online or phone transactions.

On the other hand, Card Not Present (CNP) is a credit card purchase made over the telephone or over the Internet where the physical card has not been swiped into a reader. It is a major route for credit card fraud. If a fraudulent transaction is reported, the bank that hosted the merchant account that received the money from the fraudulent transaction must make restitution.

7.1 Credit Card Authorization

Each credit card transaction goes through a three-stage process that begins with the authorization of the payment by the card issuer. Authorized transactions are then processed by the merchant and submitted to the processing bank for clearing and settlement.

Authorization is the process of approving or declining by a card issuer of a sales transaction involving one of the bank’s payment cards. In a face-to-face setting, the authorization occurs immediately after a card is swiped through a point-of-sale (POS) terminal. In a card-not-present setting, the authorization takes place immediately after the credit card information is submitted by the customer online or over the phone.

All non-swiped transactions must be authorized before being processed. For swiped transactions, the merchant is only required to receive an authorization approval for amounts above the merchant's "floor limit", a dollar figure stated in the processing agreement. So if the floor limit is $25, all transactions up to $24.99 would not need an authorization approval, while those of $25.00 and above would require it.

Merchants can request partial authorization approvals for debit or prepaid cards, if the transaction amount exceeds the funds available on the card. If this is the case, the merchant is allowed to split the transaction between the card for which a partial authorization approval was received and another form of payment, which can be another card. This is called a split-tender sale. However, merchants are not allowed to split sales with the goal of avoiding authorization limits.
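The rules in this section (non-swiped sales always authorized, swiped sales authorized at or above the floor limit, partial approvals only for debit and prepaid cards, and no splitting of a sale to stay under the limit) are decision logic that a point-of-sale or acquirer-side system has to encode. The following is an added example written for this chapter, not code from the original text or from any processor; the Sale type, the $25 floor limit and the sample amounts are constructed. The last function is the acquirer-side view: a heuristic that flags a sale split into parts that each fall below the floor limit when none of them carried an authorization, which is the pattern the text says merchants are not permitted to create.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Sale:
    amount: Decimal
    swiped: bool          # True for a card-present swipe; False for keyed, online or phone
    card_type: str        # "credit", "debit" or "prepaid"


def authorization_required(sale: Sale, floor_limit: Decimal) -> bool:
    """Non-swiped sales are always authorized; swiped sales only at or above the floor limit."""
    if not sale.swiped:
        return True
    return sale.amount >= floor_limit


def partial_authorization(sale: Sale, available: Decimal) -> tuple[Decimal, Decimal]:
    """Return (approved, remaining). Full approval when funds suffice; a partial
    approval only for debit or prepaid cards; otherwise a decline (nothing approved).
    A non-zero remainder is what the merchant collects from a second tender."""
    if available >= sale.amount:
        return sale.amount, Decimal("0.00")
    if sale.card_type in ("debit", "prepaid") and available > 0:
        return available, sale.amount - available
    return Decimal("0.00"), sale.amount


def split_to_avoid_authorization(parts: list[tuple[Decimal, bool]], floor_limit: Decimal) -> bool:
    """Flag a sale whose parts total at or above the floor limit while no part was
    authorized. A legitimate split-tender sale (partial approval plus another
    payment) has an authorization on record for the first part and is not flagged.
    Each part is (amount, authorized)."""
    total = sum((amount for amount, _ in parts), Decimal("0.00"))
    return total >= floor_limit and not any(authorized for _, authorized in parts)


if __name__ == "__main__":
    floor = Decimal("25.00")                                    # constructed floor limit
    print(authorization_required(Sale(Decimal("24.99"), True, "credit"), floor))   # False
    print(authorization_required(Sale(Decimal("25.00"), True, "credit"), floor))   # True
    print(authorization_required(Sale(Decimal("5.00"), False, "credit"), floor))   # True
    print(partial_authorization(Sale(Decimal("40.00"), True, "prepaid"), Decimal("30.00")))
    print(split_to_avoid_authorization([(Decimal("20.00"), False), (Decimal("20.00"), False)], floor))
```

Money is held in Decimal rather than float so that $24.99 compares exactly against the limit; the floor-limit comparison is the kind of boundary where floating point silently approves the wrong side.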

7.2 Authorization Responses and Actions

Once the transaction information is sent to the card issuer, it is reviewed and a response code is sent back to the processing bank and the merchant. The format of the response may vary, but it communicates the following information:

Response / Explanation and Recommended Action

Approved: The transaction is authorized. If the transaction review process raises no suspicions, the payment can be completed.

Declined: The transaction is not authorized. Do not complete the transaction. Request that your customer presents an alternative
