Payment Processing Basics

Transcript

1. Payment Processing Basics Robert Brodie SUMO Heavy Industries

2. Players

3. Players • Cardholder • Merchant • Payment Gateway • Issuing

   Bank • Acquiring Bank

4. Cardholder A person who wants to make a purchase with

   their credit card

5. Merchant A person or company who is selling goods and/or

   services

6. Payment Gateway A service that communicates between the merchant and

   the issuing bank

7. Issuing Bank The bank that has issued the account to

   the cardholder.

8. Acquiring Bank The merchants bank that receives money from the

   issuing bank

9. Cardholder

10. Cardholder The cardholder approaches the merchant and wants to purchase

    goods and/or services. They present their card to the merchant.

11. Merchant

12. Merchant The merchant needs to find out if the cardholder’s

    account can be charged for the amount they want to spend, so they need to ask the Issuing Bank for authorization.

13. Payment Gateway

14. Payment Gateway The merchant sends information to the Payment Gateway

    through an API or device. The Payment Gateway then communicates with the issuing bank.

15. Issuing Bank

16. Issuing Bank • The issuing bank will attempt to authorize

    the cardholder’s account for an amount specified by the merchant. • This authorization is held for 1-5 days. (Some banks allow 30) • Once authorized, the merchant can capture at any time prior to the expiration of the authorization.

17. Settlement

18. Settlement Settlement occurs every night when the issuing bank transfers

    captured funds to the acquiring bank. This connection occurs through a payment network.

19. Final Transfer

20. Final Transfer The acquiring bank transfers the funds to the

    sellers regular bank account.

21. Charge Posted

22. Charge Posted The issuing bank will post the charge to

    the cardholder’s account.

23. PCI Compliance

24. PCI DSS Payment Card Industry Data Security Standards

25. Network Security • Work with your host or IT team

    to create a secure environment. • Set up a firewall • Never use default passwords

26. Protect Cardholder Data • Develop an encryption scheme • Encrypt

    all data transmission across public networks

27. Vulnerability Management • Use and update malware applications • Develop,

    maintain, and test secure environments

28. Access Control • Limit cardholder access to data to only

    the people who need it • Assign unique logins to all users • Restrict physical access to cardholder information

29. Network Monitoring • Create audit trails within your system •

    Create a plan to implement continuous testing and patching (software updates are released for good reasons)

30. The Four Levels

31. Level 4 Businesses processing less than 20,000 eCommerce transactions and

    less than 1 million other transactions per year. These businesses must complete a yearly risk assessment using one of the PCI Self-Assessment Questionnaire (SAQ) forms.

32. Level 3 Businesses generating between 20,000 and 1 million transactions

    per year require an annual risk assessment using one of the SAQ forms.

33. Level 2 Businesses generating between 1 million and 6 million

    transactions annually. A PCI SAQ must be completed every year.

34. Level 1 Businesses generating a minimum of 6 million transactions

    per year must conduct an annual internal audit with a qualified PCI auditor.

35. PCI Testing

36. PCI Scanners • Trustwave • McAfee