Let’s start with a picture of a payment gateway, since “a picture is worth a thousand words”.
A Payment Gateway can be seen as the online equivalent of a physical POS terminal in a shop or restaurant. Like the POS terminal, which captures card information, encrypts it and sends it securely to the acquirer, the Payment Gateway allows cardholders to enter their payment card details (on an e-commerce website or an interactive voice response service) and securely submit this sensitive financial information to the acquirer and the card network. It is located between the Merchant and the Acquiring Bank and acts as a bridge between these two players. The cardholder goes to the merchant’s e-commerce website, chooses products and adds them to the shopping cart. After viewing the shopping cart and choosing to check out, he is redirected to the Payment Gateway, where he can enter and submit the card information. Payments initiated on an e-commerce website are referred to as host-capture transactions, the host being the Payment Gateway.
Card information is very sensitive data that should be kept confidential. Unencrypted data sent over the Internet can be intercepted by attackers, with serious consequences. Payment gateways are used to ensure that merchants comply with security standards and with PCI DSS. PCI DSS stands for Payment Card Industry Data Security Standard. The purpose of the PCI DSS guidelines and rules is to ensure that merchants provide the maximum security when processing customer payments or handling customer data.
Payment Gateways do more than taking care of security requirements. Many also provide tools to automatically screen orders for fraud in real time before forwarding the authorization request. Procedures and tools to detect fraud include among others:
- Geolocation: If one transaction is initiated in Germany and another one half an hour later in the USA with the same card, then obviously something is wrong and the transaction should be blocked.
- Velocity pattern analysis: This consists in checking the historical shopping patterns of a customer and matching that record against current purchases to detect irregularities (for example, whether the number of orders placed by the cardholder matches up with their usual pattern).
- OFAC list lookups: OFAC stands for Office of Foreign Assets Control. As can be read on the US Treasury website, OFAC publishes a list of individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries. It also lists individuals, groups, and entities, such as terrorists and narcotics traffickers, designated under programs that are not country-specific. Collectively, such individuals and companies are called “Specially Designated Nationals” or “SDNs.” Their assets are blocked and U.S. persons are generally prohibited from dealing with them.
- Blacklist lookups: Merchants record personal information and transaction history of untrustworthy clients in blacklists. If there is a match during the lookup, the related transactions will be rejected.
- Delivery address verification: the customer’s address is checked against the address known at the issuing bank, and the transaction is rejected if there is a mismatch.
- Device fingerprinting technology: Device fingerprinting relies on the principle of uniquely identifying computers, tablets and mobile phones based on various attributes such as browser version, screen dimensions, list of installed fonts, etc. If a fingerprinted device is used to commit a fraud that is detected, the device “fingerprint” will be used to detect and reject other transactions from the same device.
- and so on.
When a check fails, the transaction is immediately suspended or rejected and the merchant is notified with as much information as possible.
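The screening checks listed above, as an added example that is not code from the original article or from any real payment gateway product: a small Python screener that runs the geolocation (impossible-travel), velocity, OFAC/SDN, blacklist, address-verification and device-fingerprint checks over a few constructed sample transactions, collecting every failed check so the merchant receives as much information as possible. The thresholds (1000 km/h, 5 attempts per hour), the list contents, the coordinates, the tokens and the transactions themselves are all assumptions made for illustration; the card number itself is represented only by a gateway-issued token.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass
class Transaction:
    txn_id: str
    card_token: str        # gateway-issued token standing in for the card; the PAN never reaches this layer
    amount: float
    timestamp: datetime
    country: str
    lat: float
    lon: float
    ship_addr: str
    addr_on_file: str      # billing address the issuer holds (used for address verification)
    device_fp: str         # device fingerprint hash
    customer_name: str


@dataclass
class ScreeningState:
    last_accepted: dict = field(default_factory=dict)  # card_token -> last accepted Transaction
    attempts: dict = field(default_factory=dict)       # card_token -> timestamps of all attempts
    blacklist: set = field(default_factory=set)        # merchant's untrustworthy customers (normalised names)
    sdn_list: set = field(default_factory=set)         # stand-in for OFAC SDN names (assumed, not the real list)
    bad_devices: set = field(default_factory=set)      # fingerprints seen in confirmed fraud


MAX_SPEED_KMH = 1000.0              # assumed: faster than an airliner means the card cannot have travelled
VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_MAX = 5                    # assumed: more than 5 attempts per hour per card is irregular


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def norm(s):
    """Case- and whitespace-insensitive form for name/address comparisons."""
    return " ".join(s.lower().split())


def screen(txn, state):
    """Run every check and return ('accept'|'reject', [reasons]); all reasons are collected, not just the first."""
    reasons = []
    prev = state.last_accepted.get(txn.card_token)
    if prev is not None:                                   # geolocation: implied travel speed since last accepted use
        km = haversine_km(prev.lat, prev.lon, txn.lat, txn.lon)
        hours = (txn.timestamp - prev.timestamp).total_seconds() / 3600.0
        if km / max(hours, 1e-6) > MAX_SPEED_KMH:
            reasons.append(f"geolocation: {km:.0f} km from {prev.country} to {txn.country} in {hours * 60:.0f} min")
    recent = [t for t in state.attempts.get(txn.card_token, []) if txn.timestamp - t <= VELOCITY_WINDOW]
    if len(recent) + 1 > VELOCITY_MAX:                     # velocity: attempts (accepted or not) in the window
        reasons.append(f"velocity: {len(recent) + 1} attempts within {VELOCITY_WINDOW}")
    if norm(txn.customer_name) in state.sdn_list:
        reasons.append("ofac: customer name matches an SDN entry")
    if norm(txn.customer_name) in state.blacklist:
        reasons.append("blacklist: customer previously recorded as untrustworthy")
    if norm(txn.ship_addr) != norm(txn.addr_on_file):
        reasons.append("address: delivery address does not match the address on file at the issuer")
    if txn.device_fp in state.bad_devices:
        reasons.append("device: fingerprint linked to earlier confirmed fraud")
    state.attempts.setdefault(txn.card_token, []).append(txn.timestamp)
    if not reasons:                                        # rejected attempts must not move the card's "last location"
        state.last_accepted[txn.card_token] = txn
    return ("accept" if not reasons else "reject", reasons)


def run_demo():
    """Constructed sample traffic: a Germany/USA pair 30 min apart, a six-attempt burst, and a blocked device."""
    t0 = datetime(2024, 1, 15, 12, 0, 0)
    state = ScreeningState(blacklist={norm("Mallory Fraudster")}, bad_devices={"fp-deadbeef"})
    base = dict(amount=49.9, ship_addr="1 Main St, Springfield", addr_on_file="1 Main St, Springfield",
                device_fp="fp-ok", customer_name="Alice Example")
    txns = [
        Transaction("t1", "tok-A", timestamp=t0, country="DE", lat=52.52, lon=13.405, **base),
        Transaction("t2", "tok-A", timestamp=t0 + timedelta(minutes=30), country="US", lat=40.7128, lon=-74.006, **base),
    ]
    txns += [Transaction(f"v{i}", "tok-B", timestamp=t0 + timedelta(minutes=5 * i), country="PT",
                         lat=38.72, lon=-9.14, **base) for i in range(6)]
    bad = dict(base, device_fp="fp-deadbeef", ship_addr="99 Elsewhere Rd, Shelbyville")
    txns.append(Transaction("t9", "tok-C", timestamp=t0, country="US", lat=40.7128, lon=-74.006, **bad))
    return [(t.txn_id, *screen(t, state)) for t in txns]


if __name__ == "__main__":
    for txn_id, verdict, reasons in run_demo():
        print(txn_id, verdict, "; ".join(reasons))
```

The screener keeps two separate pieces of state on purpose: every attempt, accepted or rejected, counts toward the velocity window, but only an accepted transaction updates the card's last known location, otherwise one rejected attempt from abroad would make the cardholder's next legitimate purchase at home look like impossible travel too.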
More specifically, Payment Gateways are the hardware and software that implement and provide the services and functionalities described above. Merchants can implement a payment gateway themselves, but there is no business case for doing so if they don’t process high volumes of transactions. In general, they use the services of an external payment gateway, provided by their banks or by specialized financial service providers, which charges either a very small percentage of the transaction amount or a fixed amount for each processed transaction.
Payment Gateways are not used only during transaction authorization. If you are interested in the details of what happens during the authorization process, read the following article. Since merchants should not store card data unencrypted, the storage of transaction information is usually done by the Payment Gateway as well (remember that it is stored in the POS terminal for transactions initiated in a shop). The batch processing is then performed by the Payment Gateway on demand from the merchant or at a defined frequency agreed with the merchant.
To conclude, a Payment Gateway is the online POS terminal of an e-commerce website, where cardholders can enter their payment card information so that it is transmitted securely to the acquirer and the card networks. In compliance with PCI DSS requirements, the payment gateway stores and forwards transaction information in a secure way and performs the batch processing of card transactions. I refer you to the following article if you want to know in detail what happens during clearing and settlement.
Other major players in card payments are the payment processors. What are they and where do they fit in the Four Corner Model? That will be considered in the next article.