Instruments of Online Payment
• Credit/Debit cards
• Electronic Fund Transfer (EFT Bank Transfer)
• Bitcoin and other digital currencies
• On the spot loans

Digital currency
than having intrinsic value like the gold standard of olden days
• Digital currency has a limited supply that increases at a known rate
• Exchanges have been set up to buy/sell digital currency for traditional paper money
• Unlike cash there is a trail for every coin that tracks back to a wallet

Actual example of Bitcoin usage
SA
• They take about 3-5 days to transfer the money
• It costs less than £3 using Bitcoin and takes 1 day for the money to land in my account

Online Payments at Brightsource
are not a payment processor ourselves
• That requires certification that we comply with Payment Card Industry Data Security Service rules
• This certification is expensive to get and the margin on processing payments is low – about 3-5% if you’re lucky
• We send consumers to a payment processor
• Rest of this lecture focuses on credit cards only

Valldata / Chameleon / Woods
up online and offline data
• Chameleon acts as a payment gateway
• They mediate between us and the processor
• They also send data to Woods on our behalf

Chargebacks
The card association fines the processor
• The processor fines the merchant
• If there are too many chargebacks the card association will disavow the processor
• Avoiding them makes financial and reputational sense for the merchant
• Fraud detection systems like Maxmind exist to help merchants avoid submitting fraudulent transactions

Actors involved (2)
• Alice’s bank is called the issuing bank
• Bob is a seller who is selling goods or services
• Bob’s bank is called the acquiring bank

Actors involved (3)
• Alice’s bank is called the issuing bank
• A payment gateway will acquire her details securely on behalf of Bob
• Bob is a seller who is selling goods or services
• Bob’s bank is called the acquiring bank

Actors involved (4)
• Alice’s bank is called the issuing bank
• A payment gateway will acquire her details securely on behalf of Bob
• The payment processor will communicate between the banks and actually do the transaction
• Bob is a seller who is selling goods or services
• Bob’s bank is called the acquiring bank

Actors involved (5)
• Alice’s bank is called the issuing bank
• A payment gateway will acquire her details securely on behalf of Bob
• The payment processor will communicate between the banks and actually do the transaction
• A card association (like Mastercard or Visa) defines rules of transactions and helps the processor find which banks are involved
• Bob is a seller who is selling goods or services
• Bob’s bank is called the acquiring bank

Recapping who’s who in the zoo
merchant who is selling something
• The issuing bank who gave the consumer a card
• The acquiring bank who will eventually receive the fund
• A merchant account which will store the funds until they’re withdrawn to the acquiring bank
• The payment processor and payment gateway
• A card association like Visa or Mastercard that defines the rules of transactions

Payment Gateways and Processors
between the merchant and the payment processor
• A payment processor sits between the issuing and acquiring bank and transacts the payment
• This distinction does not have to exist
• Paypal and Stripe for example perform both functions

Merchant Accounts
The bank offering them underwrites the liability
• Excessive chargebacks or refunds
• Anybody wanting to accept funds must have a merchant account
• Payment Processors will have their own account and can hold funds on behalf of their clients
• They must negotiate liability with their own bank
• They must satisfy financial intelligence laws for every jurisdiction they operate in

Let’s recap slowly
is hosted by the payment gateway away from Bob’s site
2. The payment gateway passes the details to the payment processor
3. The payment processor uses the card association network to find the issuing bank for the card
4. The payment processor queries the issuing bank to find out if the card is valid
5. If it is valid the payment processor either:
   1. puts an authorization hold on the funds, or
   2. captures the funds and transfers them to the acquiring bank where they will be placed in the merchant account

Let’s recap slowly (2)
page on the merchant site that indicates the transaction status
• This page does not trigger any processing, it is for display only
• The payment processor also securely contacts the merchant site directly
• This message can be verified by the merchant
• This message tells the merchant to process the transaction

Variations to the pattern
There are variations of this pattern
• We could accept the credit card details ourselves and then pass them to the processor without storing them ourselves (PCI DSS C)
• We could create a form to capture the credit card details that submits them to the processor directly (PCI DSS A-EP)
• Instead of being notified separately by the gateway we could use the success page to complete the transaction
• It’s technically simpler
• It’s significantly more open to abuse to the point that most payment gateways will not offer it as an option
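
Added example, not part of the original slides and not any gateway's real API: a merchant-side handler in which only the verified server-to-server message changes order state, while the success page is display-only, as the recap and the variations slide describe. The HMAC-SHA256 shared-secret scheme, the field names and the order data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: the gateway signs the raw body with HMAC-SHA256 under a secret
# shared with the merchant. All values below are constructed for illustration.
GATEWAY_SECRET = b"constructed-demo-secret"
ORDERS = {"order-1001": {"amount": "25.00", "currency": "GBP", "status": "pending"}}
SEEN_TRANSACTIONS = set()  # gateway transaction ids already processed
SAMPLE_BODY = (b'{"order_id": "order-1001", "transaction_id": "txn-1", '
               b'"amount": "25.00", "currency": "GBP", "result": "captured"}')


def sign(body, secret=GATEWAY_SECRET):
    """Signature the gateway side would attach to a notification body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def handle_notification(body, signature):
    """Server-to-server message: the only path that changes order state."""
    if not hmac.compare_digest(sign(body).encode(), signature.encode()):
        return "rejected: bad signature"
    msg = json.loads(body)
    order = ORDERS.get(msg.get("order_id"))
    txn = msg.get("transaction_id")
    if order is None or not txn:
        return "rejected: unknown order or transaction"
    # The signed amount must match what this order was supposed to cost.
    if (msg.get("amount"), msg.get("currency")) != (order["amount"], order["currency"]):
        return "rejected: amount mismatch"
    if txn in SEEN_TRANSACTIONS:
        return "ignored: duplicate"  # replayed or retried notification
    SEEN_TRANSACTIONS.add(txn)
    order["status"] = "paid" if msg.get("result") == "captured" else "failed"
    return "processed: " + order["status"]


def success_page(query):
    """Browser redirect target: reads order state for display, never writes it."""
    order = ORDERS.get(query.get("order_id"))
    return "Order status: " + (order["status"] if order else "unknown")


if __name__ == "__main__":
    # A query string claiming "paid" has no effect before the notification.
    print(success_page({"order_id": "order-1001", "status": "paid"}))
    print(handle_notification(SAMPLE_BODY, sign(SAMPLE_BODY)))
    print(success_page({"order_id": "order-1001"}))
```

Because `success_page` ignores everything in the browser request except the order id, a consumer who edits the redirect URL cannot mark an order as paid.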