Payment Processing on the Web: Behind-the-Scenes

Working on your first payment processing project? Mystified by MIDs, interchange rates, AVS results, PCI, or payment gateways? Curious about Apple Pay or the United States' transition to EMV (chip-and-signature) credit cards? Learn the nuts and bolts of payment processing on the web and walk away with a plethora of resources to use on your next eCommerce or payment processing project. I'll discuss what actually happens behind the scenes as a card is processed and outline best practices – both technical and operational – for achieving a secure, compliant, and robust processing environment.

Joshua Silver

May 22, 2015
Transcript

  1. Agenda
     • Background
     • Payment Flow & Companies Involved
     • Technical Concerns
     • Rates & Risk
     • Other Topics
     • Questions

  2. About Me
     • CS degree from GA Tech
     • Helped internationalize the CareerBuilder.com platform
     • Technical co-founder of Patientco
     • Fun Fact:
       – Travel junkie: 25 countries by the time I was 25

  3. About Patientco
     • Simplifies patient billing for healthcare providers
     • Bills that patients can actually understand!
     • Founded in 2009 in Atlanta
     • Inc. 500 Fastest Growing Company
     • We’re hiring: http://www.patientcolife.com

  4. Payment Growth 2009-2015
     [Chart: payment volume by quarter, 2009 through 2014; only the axis labels survived extraction]
  5. Credit Card Data → Some URL → MONEY!
     General knowledge of processing

  6. What Actually Happens
     • Complex bi-directional process involving multiple companies
     • Actually 2 distinct processes:
       1. Authorization Process
       2. Settlement Process

  7. What Actually Happens
     1. Authorization Process
        – Happens instantaneously
        – Exchange data to answer questions:
          • Is the card good? Is the merchant okay?
          • Does the cardholder have funds?
     2. Settlement Process
        – Happens overnight / over several days
        – Actually moves money from the consumer to the merchant

  8. Companies Involved
     • eCommerce Merchant
     • Payment Gateway
     • Merchant Acquirer
     • Merchant Processor
     • Card Network
     • Issuing Bank

  9. Companies Involved
     • eCommerce Merchant
       – This is YOU!
       – Credit card form on the checkout page
     • Payment Gateway
       – Accepts payment data as key/value pairs, XML, or JSON
       – Converts the data into the processor’s proprietary format / socket stream
       – Makes it easy to change payment processors (avoids a VERY arduous ‘certification’ / integration process)
       – Value adds: Card Vault, Recurring Payments, etc.
       – Sample companies: Authorize.net, Braintree

  10. Companies Involved
      • Merchant Acquirer
        – Sells credit card processing services
        – Handles customer support, billing, chargebacks, etc.
        – Offers Merchant Accounts (Merchant IDs: MIDs)
        – Sample companies: tons of resellers (ISOs)
      • Merchant Processor
        – Provides the actual processing services
        – Connects to the card brands
        – Only about 10-15 major national players
        – Sample companies: First Data, Elavon, Vantiv, TSYS

  11. Companies Involved
      • Card Network
        – Connects all of the processors to the issuing banks
        – Visa, MasterCard, American Express, Discover
      • Issuing Bank
        – The bank that issued the consumer’s credit card
        – (it’s why airlines partner with banks to issue cards)
        – Sample companies: Bank of America, Suntrust, Chase, Capital One, Barclays
  12. Authorization Process
      [Diagram: eCommerce Merchant, Payment Gateway, Merchant Acquirer, Merchant Processor, Card Network, Issuing Bank]
      • “SALE” action
      • Authorization + Capture Request carries:
        – Credit card number
        – Expiration date
        – Security code
        – Cardholder address
        – Payment amount
      • Response:
        – Yes/No
        – If Yes: Authorization Code + Transaction ID
        – If No: Decline Reason
        – AVS + CVV Response Codes

  13. Settlement Process
      [Diagram: eCommerce Merchant, Payment Gateway, Merchant Acquirer, Merchant Processor, Card Network, Issuing Bank, ACH Network, Merchant Bank]
      • “SETTLE” action
      • Batch Settlement Request: transactions to settle
      • Funds (money!) arrive at the Merchant Bank

  14. Special Case: American Express
      [Diagram: eCommerce Merchant, Payment Gateway, Merchant Acquirer, Merchant Processor, Card Network, Issuing Bank]

  15. Special Case: Amex OptBlue
      [Diagram: eCommerce Merchant, Payment Gateway, Merchant Acquirer, Merchant Processor, Card Network, Issuing Bank]

  16. Special Case: Stripe
      [Diagram: eCommerce Merchant, Payment Gateway, Merchant Acquirer, Merchant Processor, Card Network, Issuing Bank]

  17. Special Case: PayPal, Square
      [Diagram: Aggregators / Payment Facilitators sitting in front of Mini Merchant #1, Mini Merchant #2, Mini Merchant #3; then Payment Gateway, Merchant Acquirer, Merchant Processor, Card Network, Issuing Bank]
  18. PCI Compliance
      • Payment Card Industry Data Security Standard (PCI DSS)
      • Regulations set forth by Visa, MasterCard, American Express, Discover
      • Requires adherence to a set of rules, various technical scans, audits, etc.
      • PCI Level depends on annual card volume

  19. Security: Data at Rest
      • Regulations:
        – If storing the full card #, it must be encrypted
        – Prohibited from storing the CVV code
      • Best Practice:
        – Please… DON’T store the card yourself!
        – Use an external vendor for tokenization

  20. Avoid Storage: Tokenization
      • Add Card Flow:
        – eCommerce Merchant → Payment Gateway: Card #: 4111-1111-1111-1111, Exp: 12/2019
        – Payment Gateway → eCommerce Merchant: Token #: 651132
      • Charge Card Flow:
        – eCommerce Merchant → Payment Gateway: Token: 651132, Pmt Amt: $10.00
        – Payment Gateway → Acquirer/Processor/etc.: Card #: 4111-1111-….., Exp: 12/2019, Pmt Amt: $10.00
        – Response: Yes/No, etc…

  21. Security: Data in Transit
      • HTTPS / SSL is required at all steps
      • What happens if private data is captured at any point (in memory, on a queue, etc.)?
      • Best Practice:
        – Avoid touching sensitive card data AT ALL
        – Use Client-Side Submit or Transparent Redirect

  22. Avoid Transit: Legacy Flow
      • Legacy Flows:
        – Client Browser → eCommerce Merchant, POST DATA: Card #: 4111-1111-1111-1111, Exp: 12/2019, Amount: $10.00
        – eCommerce Merchant → Payment Gateway, POST DATA: Card #: 4111-1111-1111-1111, Exp: 12/2019, Amount: $10.00
        – Payment Gateway → eCommerce Merchant:
          • Yes/No
          • If Yes: Auth Code + Transaction ID
          • If No: Decline Reason
          • AVS + CVV Response Codes
        – eCommerce Merchant → Client Browser:
          • Receipt webpage OR
          • Declined Page

  23. Avoid Transit: Client-side submit
      (1) Client Browser → Payment Gateway, AJAX POST: Card #: 4111-1111…., Exp: 12/2019
      (2) Payment Gateway → Client Browser, AJAX Response: Token: 632101
      (3) Client Browser → eCommerce Merchant, POST: Token: 632101, Pmt Amt: $10.00
      (4) eCommerce Merchant → Payment Gateway, POST: Token: 632101, Pmt Amt: $10.00
      (5) Payment Gateway → eCommerce Merchant, Response: Yes/No, Auth Code, etc.
      (6) eCommerce Merchant → Client Browser, Response: Receipt webpage OR Declined Page

  24. Avoid Transit: Transparent Redirect
      (1) eCommerce Merchant → Payment Gateway: Setup transaction (payment amount, etc., Redirect URL)
      (2) Payment Gateway → eCommerce Merchant: Receive special URL to submit to
      (3) eCommerce Merchant → Client Browser: Serve up payment page; form action submits to the special URL
      (4) Client Browser → Payment Gateway, POST: Card #: 4111-1111…., Exp: 12/2019
      (5) Payment Gateway → Client Browser: HTTP Redirect
      (6) Client Browser → eCommerce Merchant: HTTP Redirect
      (7) eCommerce Merchant → Payment Gateway: Finalize transaction
  25. Gateway Integration
      • Be sure to add an abstraction layer
      • Allows you to “rip and replace” or load balance between gateways during growth

  26. Payment Status
      • Important to model as a state diagram
      [Diagram labels: Unconfirmed, Confirmed/Scheduled, Canceled, Process, Declined, Approved, Settled, Voided]

  27. Payment Status
      • Need to be careful in the model to enforce proper state transitions (e.g. can’t cancel once processed, but can void until settled)
      • Think carefully about DB persistence
      • Critical to be correct at ALL times

  28. Reversals
      • Not a “first class” state – actually a distinct transaction
        – More like an “attribute of the payment”: amountRefunded or isRefunded
      • Important to link to the original payment
        – Avoid refunding more than the original payment amount or refunding twice!
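As an added example that is not part of the deck, here is a small Python model of slides 26-28: a payment whose allowed state transitions live in one table (cancel only before processing, void only until settled) and whose refunds are tracked as linked, idempotent reversals rather than as a state. The state names and the rule that a refund applies only to a settled payment are assumptions.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Assumed state names modelled on the deck's diagram. This table is the only place
# transitions are allowed: cancel only before processing, void only until settled.
TRANSITIONS = {
    "unconfirmed": {"confirmed"},
    "confirmed":   {"canceled", "declined", "approved"},
    "approved":    {"settled", "voided"},
    "declined": set(), "canceled": set(), "settled": set(), "voided": set(),
}

class IllegalTransition(Exception):
    pass

@dataclass
class Payment:
    amount: Decimal
    state: str = "unconfirmed"
    amount_refunded: Decimal = Decimal("0.00")
    refund_ids: list = field(default_factory=list)  # links to reversal transactions

    def __post_init__(self):
        self.amount = Decimal(self.amount)

    def can_transition(self, new_state):
        return new_state in TRANSITIONS[self.state]

    def transition(self, new_state):
        if not self.can_transition(new_state):
            raise IllegalTransition(f"{self.state} -> {new_state}")
        self.state = new_state

    @property
    def is_refunded(self):
        return self.amount_refunded == self.amount

    def refund(self, refund_id, amount):
        """A reversal is a distinct transaction linked to this payment, not a state.
        Assumption: money can only be returned once it has actually moved (settled)."""
        amount = Decimal(amount)
        if self.state != "settled":
            raise IllegalTransition("refund requires a settled payment; void instead")
        if refund_id in self.refund_ids:  # idempotency: never apply the same reversal twice
            raise ValueError(f"refund {refund_id} already applied")
        if amount <= 0 or self.amount_refunded + amount > self.amount:
            raise ValueError("refund would exceed the original payment amount")
        self.amount_refunded += amount
        self.refund_ids.append(refund_id)
        return self.amount - self.amount_refunded  # amount still refundable
```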
  29. Error Handling
      • Declines:
        – Issuer: invalid card, no funds, etc.
        – Gateway: bad data format, etc.
      • Special cases:
        – Duplicate detection
        – Fraud prevention
      • Other failures:
        – Network failures, failure midway through

  30. Testing
      • Hard to do well!
      • Sample credit card numbers
      • Forced error codes
      • Simulate other types of errors (like a network failure midway through a transaction)
      • Use mocks for unit tests
      • Use the sandbox environment for integration tests

  31. Reconciliation
      • Critical to be in sync with the “source of truth” at all times
      • Use the gateway query API to compare your application DB vs. the gateway:
        – Same transactions exist in both?
        – Payment properties the same (amount, etc.)?
        – Payment state?
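An added example (not the deck's code) of the reconciliation check on slide 31: compare the application's records with what a gateway query API returned, reporting transactions missing on either side and property mismatches. The record layout and the sample rows are constructed; a real gateway response would first be mapped to this shape.

```python
from decimal import Decimal

# Constructed sample records (field names are assumptions): what the application
# DB holds and what the gateway's query API reported for the same batch.
APP_DB = [
    {"id": "tx1001", "amount": Decimal("10.00"), "state": "settled"},
    {"id": "tx1002", "amount": Decimal("25.00"), "state": "approved"},
    {"id": "tx1003", "amount": Decimal("40.00"), "state": "voided"},
    {"id": "tx1005", "amount": Decimal("5.00"),  "state": "approved"},
]
GATEWAY = [
    {"id": "tx1001", "amount": Decimal("10.00"), "state": "settled"},
    {"id": "tx1002", "amount": Decimal("52.00"), "state": "approved"},  # digits transposed
    {"id": "tx1003", "amount": Decimal("40.00"), "state": "settled"},   # void never reached gateway
    {"id": "tx1004", "amount": Decimal("12.50"), "state": "approved"},  # app lost it midway
]

def reconcile(app_rows, gateway_rows, fields=("amount", "state")):
    """Compare the two sources; the gateway is the source of truth, so every
    item returned here is something the application must investigate."""
    app = {r["id"]: r for r in app_rows}
    gw = {r["id"]: r for r in gateway_rows}
    report = {
        "missing_in_gateway": sorted(app.keys() - gw.keys()),  # app thinks it charged; gateway never saw it
        "missing_in_app": sorted(gw.keys() - app.keys()),      # charged, but no local record
        "mismatches": [],
    }
    for tid in sorted(app.keys() & gw.keys()):
        for f in fields:
            if app[tid][f] != gw[tid][f]:
                report["mismatches"].append((tid, f, str(app[tid][f]), str(gw[tid][f])))
    return report

def in_sync(report):
    return not any(report.values())

if __name__ == "__main__":
    for key, items in reconcile(APP_DB, GATEWAY).items():
        print(key, items)
```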
  32. Risks
      • Payment processing rates all boil down to risk
      • Chargeback Risk
      • PCI Risk
      • Fraud Risk

  33. Rate Structures
      • Fees Include:
        – Discount Rate – percent of transaction (1-5%)
        – Per Item Fee ($0.05-$0.50)
      • Interchange Plus
        – Interchange + the acquirer’s markup (bps)
      • Tiered
        – Qualified, mid-qualified and non-qualified tiers

  34. Who makes money on the fees?
      • $100.00 – Transaction amount
      • $2.76 – Total Fees (2.76%)

      Fee Type            | Who Keeps?   | Rate          | Subtotal
      Interchange         | Issuing Bank | 2.10% + $0.10 | $2.20
      Assessments         | Visa         | 0.11% + $0.05 | $0.16
      Markup (the “plus”) | Acquirer     | 0.20% + $0.10 | $0.30
      CC Fees             |              | 2.41% + $0.25 | $2.66
      Gateway Fee         |              |               | $0.10
      TOTAL FEES          |              | 2.41% + $0.35 | $2.76
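An added example, not from the deck, that codes the fee table on slide 34 as an interchange-plus schedule and applies it to other ticket sizes to show why a per-item fee makes the effective rate depend on the amount. Crediting the gateway fee to the gateway is an assumption; the other rates are the slide's.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Slide 34's schedule as interchange-plus components: (fee, who keeps it,
# percent of the transaction, per-item fee). Crediting the gateway fee to the
# gateway is an assumption; the rest are the slide's numbers.
FEE_SCHEDULE = [
    ("Interchange",         "Issuing Bank", Decimal("0.0210"), Decimal("0.10")),
    ("Assessments",         "Visa",         Decimal("0.0011"), Decimal("0.05")),
    ("Markup (the 'plus')", "Acquirer",     Decimal("0.0020"), Decimal("0.10")),
    ("Gateway Fee",         "Gateway",      Decimal("0"),      Decimal("0.10")),
]

def fee_breakdown(amount, schedule=FEE_SCHEDULE):
    """Return ([(fee, who, subtotal), ...], total fees, effective rate in %)."""
    amount = Decimal(amount)
    lines = []
    for fee, who, pct, per_item in schedule:
        # Each component is rounded to the cent on its own, as on a statement.
        subtotal = (amount * pct + per_item).quantize(CENT, rounding=ROUND_HALF_UP)
        lines.append((fee, who, subtotal))
    total = sum(sub for _, _, sub in lines)
    effective = (total / amount * 100).quantize(CENT, rounding=ROUND_HALF_UP)
    return lines, total, effective

def effective_rate(amount):
    """Effective percentage cost of a single transaction of this size."""
    return fee_breakdown(amount)[2]

if __name__ == "__main__":
    # A $5 ticket costs 9.60% under the same schedule that costs 2.76% at $100.
    for ticket in ("5.00", "100.00", "1000.00"):
        lines, total, eff = fee_breakdown(ticket)
        print(f"${ticket}: total fees ${total} ({eff}%)")
        for fee, who, sub in lines:
            print(f"   {fee:<20} {who:<13} ${sub}")
```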
  35. Interchange
      • Depends on:
        – Type of card used (high-end rewards credit card vs. basic bank debit card, etc.)
        – Entry method:
          • card present / swiped – “retail”
          • card not-present / keyed – “ecom/moto”
        – Industry
        – Payment Amount
        – Metadata passed during the transaction:
          • AVS: address verification service
          • Special fields for corporate purchasing cards

  36. Interchange
      • NOT affected by the merchant processor (although they can mark it up in different ways)
      • NOT affected by the security code
        – Although depending on industry and fraud rate, it might be absolutely critical (or not)

  37. EMV
      • “Chip-and-pin” in Europe
      • Will be “Chip-and-signature” in the USA
      • Europay, MasterCard and Visa
      • Makes card skimming / cloning harder
      • Doesn’t affect online payments
      • Is NOT encryption!
      • October 2015 – Implementation date

  38. Choose your own adventure
      • Apple Pay / Google Wallet / Mobile Payments
      • Marketplace payments (Amazon, eBay, etc.)
      • Big players: PayPal, Square, Stripe
      • How to get a merchant account?
      • Underwriting, Funding Times, Chargebacks
      • Card present / swipers / point-to-point encryption
      • Other networks: ACH processing, Debit Card Network
      • Advanced Features: Dynamic Descriptors, Partial Authorizations, Level 2 Processing for Corporate cards

  39. Summary
      • Payment processing is hard to do well
      • Security, Security, Security!
      • Don’t ever store credit card numbers!
      • Know what you want: simplicity, rate, etc.
      • Partner with good technology vendors
      • System design is important for edge cases
      • If payments are critical, find an expert
      • Rates are never as simple as a fixed percent