Payment Processing on the Web: Behind-the-Scenes

Transcript

1. Payment Processing on the Web: Behind-the-Scenes Joshua Silver VP, Product

   Development Patientco

2. Housekeeping Please REVIEW + COMMENT https://joind.in/13743

3. Agenda •  Background •  Payment Flow & Companies Involved • 

   Technical Concerns •  Rates & Risk •  Other Topics •  Questions

4. About Me •  CS degree from GA Tech •  Helped

   internationalize CareerBuilder.com platform •  Technical co-founder of Patientco •  Fun Fact: –  Travel junkie: 25 countries by the time I was 25

5. About Patientco •  Simplifies patient billing for healthcare providers • 

   Bills that patients can actually understand! •  Founded in 2009 in Atlanta •  Inc. 500 Fastest Growing Company •  We’re hiring: http://www.patientcolife.com

6. Payment Growth 2009-2015 2009-0 2009-1 2010-0 2010-0 2010-0 2010-1 2011-0

   2011-0 2011-0 2011-1 2012-0 2012-0 2012-0 2012-1 2013-0 2013-0 2013-0 2013-1 2014-0 2014-0 2014-0

7. Let’s Dive In

8. Payment Flow & Companies Involved

9. Credit  Card  Data     Some  URL     General

   knowledge of processing

10. Credit  Card  Data     Some  URL     General

    knowledge of processing

11. Credit  Card  Data     Some  URL     MONEY!

      General knowledge of processing

12. What Actually Happens •  Complex bi-directional process involving multiple companies

    •  Actually 2 distinct processes: 1.  Authorization Process 2.  Settlement Process

13. What Actually Happens 1.  Authorization Process –  Happens instantaneously – 

    Exchange data to answer questions: •  Is the card good? Is merchant okay? •  Does the cardholder have funds? 2.  Settlement Process –  Happens overnight / several days –  Actually moves money from the consumer to the merchant

14. Companies Involved •  eCommerce Merchant •  Payment Gateway •  Merchant

    Acquirer •  Merchant Processor •  Card Network •  Issuing Bank

15. Companies Involved •  eCommerce Merchant –  This is YOU! – 

    Credit card form on the checkout page •  Payment Gateway –  Accepts payment data in key/value pair, xml, json –  Converts data into proprietary format/socket stream –  Makes it easy to change payment processors (avoid VERY arduous ‘certification’ / integration process) –  Value adds: Card Vault, Recurring Payments, etc. –  Sample companies: Authorize.net, Braintree

16. Companies Involved •  Merchant Acquirer –  Sells credit card processing

    services –  Handles customer support, billing, chargebacks, etc. –  Offers Merchant Accounts (Merchant IDs: MIDs) –  Sample companies: tons of resellers (ISOs) •  Merchant Processor –  Provides actual processing services –  Connects to card brands –  Only about 10-15 major national players –  Sample companies: First Data, Elavon, Vantiv, TSYS

17. Companies Involved •  Card Network –  Connects all of the

    processors to issuing banks –  Visa, MasterCard, American Express, Discover •  Issuing Bank –  The bank that issued the consumer’s credit card –  (it’s why airlines partner with banks to issue cards) –  Sample companies: Bank of America, Suntrust, Chase, Capital One, Barclays

18. Authorization Process Payment   Gateway   Merchant   Processor  

    Card   Network   Issuing     Bank   eCommerce     Merchant   •  “SALE”  AcBon   •  AuthorizaBon  +  Capture  Request   •  Credit  card  number   •  ExpiraBon  Date   •  Security  Code   •  Cardholder  Address   •  Payment  Amount   •  Yes/No   •  If  Yes:    AuthorizaBon  Code  +    TransacBon  ID   •  If  No:      Decline  Reason   •  AVS  +  CVV  Response  Codes   Merchant   Acquirer  

19. Settlement Process Payment   Gateway   Merchant   Processor  

    Card   Network   Issuing     Bank   ACH   Network   •  “SETTLE”  AcBon   •  Batch  SeRlement  Request   •  TransacBons  to  seRle   Funds  (money!)   Merchant   Acquirer   Merchant   Bank  

20. Special Case: American Express Payment   Gateway   Merchant  

    Processor   Card   Network   Issuing     Bank   eCommerce     Merchant   Merchant   Acquirer  

21. Special Case: Amex OptBlue Payment   Gateway   Merchant  

    Processor   Card   Network   Issuing     Bank   eCommerce     Merchant   Merchant   Acquirer  

22. Special Case: Stripe Payment   Gateway   Merchant   Processor

      Card   Network   Issuing     Bank   Merchant   Acquirer   eCommerce     Merchant  

23. Special Case: PayPal, Square Payment   Gateway   Merchant  

    Processor   Card   Network   Issuing     Bank   eCommerce     Merchant   Merchant   Acquirer   Aggregators / Payment Facilitators Mini   Merchant  #1   Mini   Merchant  #3   Mini   Merchant  #2  

24. Technical Concerns

25. PCI Compliance •  Payment Card Industry Data Security Standard (PCI

    DSS) •  Regulations set forth by Visa, MasterCard, American Express, Discover •  Requires adherence to set of rules, various technical scans, audits, etc. •  PCI Level depends on annual card volume

26. Security: Data in Rest •  Regulations: – If storing full card

    #, must be encrypted – Prohibited from storing CVV code •  Best Practice: – Please… DON’T store the card yourself! – Use external vendor for tokenization

27. Avoid Storage: Tokenization Payment   Gateway   eCommerce    

    Merchant   Card  #:   4111-­‐1111-­‐1111-­‐1111   Exp:  12/2019   Token  #:     651132   Add Card Flow Payment   Gateway   eCommerce     Merchant   Token:  651132   Pmt  Amt:  $10.00   Charge Card Flow Acquirer/   Processor/etc.   Card  #:  4111-­‐1111-­‐…..   Exp:  12/2019   Pmt  Amt:  $10.00   Yes/No   Etc…  

28. Security: Data in Transit •  HTTPS / SSL is required

    at all steps •  What happens if private data is captured at any point (in memory, on queue, etc.) •  Best Practice: –  Avoid touching sensitive card data AT ALL –  Use Client-Side Submit or Transparent Redirect

29. Avoid Transit: Legacy Flow Payment   Gateway   eCommerce  

      Merchant   POST  DATA:   Card  #:  4111-­‐1111-­‐1111-­‐1111   Exp:  12/2019   Amount:    $10.00   Legacy Flows Client   Browser   POST  DATA:   Card  #:  4111-­‐1111-­‐1111-­‐1111   Exp:  12/2019   Amount:    $10.00   •  Yes/No   •  If  Yes:    Auth  Code  +    TransacBon  ID   •  If  No:      Decline  Reason   •  AVS  +  CVV  Response  Codes   •  Receipt  webpage  OR   •  Declined  Page  

30. Avoid Transit: Client-side submit Payment   Gateway   eCommerce  

      Merchant   (1)  AJAX  Post:   Card  #:  4111-­‐1111….   Exp:  12/2019   Client   Browser   (5)  Response:   Yes/No,  Auth  Code,  etc.   6)  Response:   Receipt  webpage  OR  Declined  Page   (2)  AJAX  Response:   Token:  632101   (3)  POST:   Token:  632101,  Pmt  Amt:  $10.00   (4)  POST:   Token:  632101   Pmt  Amt:  $10.00  

31. Avoid Transit: Transparent Redirect Payment   Gateway   eCommerce  

      Merchant   (1)  Setup  transacBon   Payment  amount,  etc.   Redirect  URL   Client   Browser   (2)  Receive  special   URL  to  submit  to   3)  Serve  up  payment  page   Form  acBon  submits  to  Special  URL   (5)  HTTP  Redirect   6)  HTTP  Redirect   (4)  POST:   Card  #:  4111-­‐1111….   Exp:  12/2019   7)  Finalize  transacBon  

32. Gateway Integration •  Be sure to add an abstraction layer

    •  Allows to “rip and replace” or load balance between gateways during growth

33. Payment Status •  Important to model as state diagram Unconfirmed

      Confirmed/ Scheduled   Canceled   Process   Declined   Approved   SeRled   Voided  

34. Payment Status •  Need to be careful in model to

    enforce proper state transitions (eg. can’t cancel once processed, but can void until settled) •  Think carefully about DB persistence •  Critical to be correct at ALL times

35. Reversals •  Not a “first class” state – actually a

    distinct transaction – More like “attribute of the payment”: amountRefunded or isRefunded •  Important to link to original payment – Avoid refunding more than original payment amount or refunding twice!

36. Error Handling •  Declines: –  Issues: invalid card, no funds,

    etc. –  Gateway: bad data format, etc. •  Special cases: –  Duplicate detection –  Fraud prevention •  Other failures: –  Network failures, failure midway through

37. Testing •  Hard to do well! •  Sample credit card

    numbers •  Forced error codes •  Simulate other types of errors (like network failure midway through transaction) •  Use mocks for unit tests •  Use sandbox environment for integration tests

38. Reconciliation •  Critical to be in sync with “source of

    truth” at all times •  Use gateway query api to compare you application DB vs gateway: –  Same transactions exist in both? –  Payment properties same (like amount, etc.)? –  Payment State?

39. Rates and Risk

40. Risks •  Payment processing rates all boil down to risk

    •  Chargeback Risk •  PCI Risk •  Fraud Risk

41. Rate Structures •  Fees Include: –  Discount Rate – percent

    of transaction (1-5%) –  Per Item Fee ($0.05-$0.50) •  Interchange Plus –  Interchange** + the acquirers markup (bps) •  Tiered –  Qualified, mid-qualified and non-qualified tiers

42. Who makes money on the fees? •  $100.00 – Transaction

    amount •  $2.76 – Total Fees (2.76%) Fee Type Who Keeps? Rate Subtotal Interchange Issuing Bank 2.10% + $0.10 $2.20 Assessments Visa 0.11% + $0.05 $0.16 Markup (the “plus”) Acquirer 0.20% + $0.10 $0.30 CC Fees: 2.41% + $0.25 $2.66 Gateway Fee $0.10 TOTAL FEES: 2.41% + $0.35 $2.76

43. Interchange •  Depends on: –  Type of card used (High-end

    rewards credit card vs. basic bank debit card, etc.) –  Entry method: •  card present / swiped – “retail” •  card not-present / keyed – “ecom/moto” –  Industry –  Payment Amount –  Metadata passed during transaction: •  AVS: address verification service •  Special fields for corporate purchasing cards

44. Interchange •  NOT affected by merchant processor (although they can

    mark it up in different ways) •  NOT affected by security code –  Although depending on industry and fraud rate, might be absolutely critical (or not)

45. Interchange •  BIN describes issuer and determines interchange rate hRp://www.dirigodev.com/blog/ecommerce/anatomy-­‐of-­‐a-­‐credit-­‐card-­‐number/

     

46. Other Topics

47. EMV •  “Chip-and-pin” in Europe •  Will be “Chip-and-signature” in

    USA •  Europay, MasterCard and Visa •  Makes card skimming / cloning harder •  Doesn’t affect online payments •  Is NOT encryption! •  October 2015 – Implementation date

48. Choose your own adventure •  Apple Pay / Google Wallet

    / Mobile Payments •  Marketplace payments (Amazon, eBay, etc.) •  Big players: PayPal, Square, Stripe •  How to get a merchant account? •  Underwriting, Funding Times, Chargebacks •  Card present / swipers / point-to-point encryption •  Other networks: ACH processing, Debit Card Network •  Advanced Features: Dynamic Descriptors, Partial Authorizations, Level 2 Processing for Corporate cards

49. Summary •  Payment processing is hard to do well • 

    Security, Security, Security! •  Don’t ever store credit card numbers! •  Know what you want: simplicity, rate, etc. •  Partner with good technology vendors •  System design is important for edge cases •  If payments is critical, find an expert •  Rates are never as simple as a fixed percent

50. Questions? [email protected] http://www.PatientcoLife.com/ https://joind.in/13743