Payment Gateway
Payment gateways are a secure online link between a merchant and an acquiring bank. They act like a PDQ terminal in a shop: they validate and relay a customer's card details securely, then collect the payment and pass it to your internet merchant account (IMA).
Your payment gateway must be compatible with your eCommerce shopping cart. There are two types of gateway; hosted and integrated. Regardless of the eCommerce platform you must use a payment gateway.
If your website has an online shopping cart taking card payments in real time, you need a payment gateway service in addition to an IMA. This is because shopping cart applications are not allowed to communicate (send and receive transaction information) with payment processors directly, for security reasons. Payment gateways protect card details by encrypting sensitive information, such as account numbers, so that it passes securely between the customer and the merchant, and between the merchant and the payment processor. A payment gateway company has gone through the extensive and lengthy process of being approved to communicate with payment processors, and it acts as the mediator for communicating transaction information between the shopping cart application and the payment processors. Even if you take payments by post, phone or fax, you still need a payment gateway.
The steps in an online card payment:
1. The customer places an order on a website, or their card details are entered via a third party. If the order is via a website, the customer's web browser encrypts the information sent between the browser and the merchant's web server. This is done via SSL (Secure Socket Layer) encryption.
2. The merchant forwards the transaction details to their payment gateway. This is another SSL-encrypted connection, to the payment server hosted by the payment gateway.
3. The payment gateway forwards the transaction information to the payment processor used by the merchant's acquiring bank.
4. The payment processor forwards the transaction information to the card association (Visa, MasterCard etc).
5. The card association routes the transaction to the correct card-issuing bank.
6. The card-issuing bank receives the authorisation request, performs fraud and credit or debit checks, and sends a response back to the processor (via the same route as the request) with a response code (eg approved, denied). As well as communicating the fate of the authorisation request, the response code gives the reason why a transaction failed (such as insufficient funds). Meanwhile, the card issuer holds an authorisation associated with that merchant and consumer for the approved amount. This can affect the consumer's ability to spend further, because it reduces the line of credit available or puts a hold on a portion of the funds in a debit account.
7. The processor forwards the authorisation response to the payment gateway.
8. The payment gateway receives the response and forwards it to the website (or whatever interface was used to process the payment), where it is interpreted and relayed back to the merchant and cardholder. This is known as the authorisation or 'auth'. The entire process typically takes 2-3 seconds.
9. The merchant then fulfils the order and the above process is repeated, this time to 'clear' the authorisation by completing the transaction. Typically the clear is initiated only after the merchant has fulfilled the transaction (eg shipped the order).
10. This results in the issuing bank clearing the auth (ie moving the auth hold to a debit) and preparing to settle with the merchant's acquiring bank.
11. The merchant submits all their approved authorisations in a batch (eg at end of day) to their acquiring bank for settlement via its processor.
12. The acquiring bank makes the batch settlement request to the card issuer.
13. The card issuer makes a settlement payment to the acquiring bank (eg the next day).
14. The acquiring bank deposits the total of the approved funds into the merchant's nominated account (eg the day after). This could be an account with the acquiring bank, if the merchant banks there, or an account with another bank.
The entire process from authorisation to settlement to funding typically takes 3 days.
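The authorise, clear and settle cycle described above as a small runnable model. This is an added, constructed example rather than code from the page's source or from any card scheme or processor; IssuerAccount, Merchant, the response-code labels and the pence amounts are assumptions, and the next-day settlement and funding delays are collapsed into the end-of-day batch call.

```python
"""Toy model of the authorise, clear and settle cycle (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class IssuerAccount:
    """Card issuer's view of one credit-card account; amounts in pence."""
    credit_limit: int
    debited: int = 0                                 # cleared transactions
    holds: dict = field(default_factory=dict)        # auth_id -> amount on hold
    cleared: dict = field(default_factory=dict)      # auth_id -> awaiting settlement

    def available(self) -> int:
        # An approved auth reduces the line of credit before any money moves.
        return self.credit_limit - self.debited - sum(self.holds.values())

    def authorise(self, auth_id: str, amount: int) -> tuple:
        """Issuer's credit check; returns (approved, response code)."""
        if amount > self.available():
            return False, "DECLINED_INSUFFICIENT_FUNDS"   # constructed code label
        self.holds[auth_id] = amount
        return True, "APPROVED"

    def clear(self, auth_id: str) -> int:
        """Merchant has fulfilled the order: move the hold to a debit."""
        amount = self.holds.pop(auth_id)
        self.debited += amount
        self.cleared[auth_id] = amount
        return amount

    def settle(self, batch: list) -> int:
        """Pay the acquirer for every cleared auth in the submitted batch."""
        return sum(self.cleared.pop(a) for a in batch if a in self.cleared)


@dataclass
class Merchant:
    """Merchant side: approved auths, fulfilment, and end-of-day batching."""
    funds_received: int = 0                          # deposited by the acquirer
    approved: list = field(default_factory=list)     # auths not yet batched
    fulfilled: set = field(default_factory=set)

    def take_order(self, issuer: IssuerAccount, auth_id: str, amount: int) -> str:
        approved, code = issuer.authorise(auth_id, amount)
        if approved:
            self.approved.append(auth_id)
        return code

    def ship(self, issuer: IssuerAccount, auth_id: str) -> None:
        issuer.clear(auth_id)          # clear only after the goods have gone out
        self.fulfilled.add(auth_id)

    def end_of_day_batch(self, issuer: IssuerAccount) -> int:
        """Submit fulfilled auths for settlement; unshipped auths stay pending."""
        batch = [a for a in self.approved if a in self.fulfilled]
        self.approved = [a for a in self.approved if a not in self.fulfilled]
        paid = issuer.settle(batch)    # acquirer is paid, then funds the merchant
        self.funds_received += paid
        return paid


def run_example() -> tuple:
    card = IssuerAccount(credit_limit=100_000)       # £1,000 limit (constructed)
    shop = Merchant()
    first = shop.take_order(card, "auth-1", 60_000)  # £600 approved; hold placed
    second = shop.take_order(card, "auth-2", 50_000)  # £500 declined: the hold counts
    shop.ship(card, "auth-1")                        # hold becomes a debit
    paid = shop.end_of_day_batch(card)               # batch settlement
    return first, second, paid, card.available(), shop.funds_received
```

The second order is declined even though nothing has been debited yet, which is the "reduces the line of credit available" effect of an open auth hold.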
payments) and the level of fraud protection the gateway provides. Most gateways provide a dashboard that lets you analyse sales figures and generate reports. The other factor to consider when choosing a payment gateway is whether it is hosted or integrated. When you set up a payment gateway, you can opt to have the payment page hosted by the payment service provider (PSP). This increases security, because the PSP will have a high level of security in place, and it saves you the time and hassle of dealing with security updates and compliance issues. The alternative is an integrated payment gateway, or application programming interface (API), which gives you much greater flexibility and control over your payment page. It also means shoppers never leave your site, which gives a better branding experience. You are responsible for security compliance, and you have the versatility to integrate your payment page with devices such as mobiles and tablets. Which option is best for you depends on your level of technical nous: hosted is faster to obtain and simpler; API is more flexible but requires advanced IT skills.
Payment security
The beauty of the internet is attracting customers from around the world; unfortunately, it also means attracting the attention of fraudsters. So it's essential that your payment security is fit for purpose.
If you take payments online you must comply with the PCI Data Security Standard. Penalties for security breaches can be severe (up to £500,000). Online fraud is lower than conventional retail fraud.
But fear not, because perception often gets in the way of fact. Online trading is less prone to fraud than conventional in-store trading: research by the global company Forrester found that for every £1,000 worth of transactions, a company could lose £1 over the internet compared with £25 offline as a result of fraud. The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide security standard developed to protect cardholders' personal information. It includes requirements for security management, network architecture, software design, security policies and procedures, and other protection of customer account data. The standard applies to any organisation that stores, transmits or processes cardholder information. PCI DSS is a set of six principles that encompass the following specific requirements. They apply to any organisation holding personal information and are intended to reduce the organisation's risk of a data breach:
- Build and maintain a secure network
  o install and maintain a firewall configuration to protect cardholder data
  o do not use vendor defaults for system passwords or other security parameters
- Protect your cardholder data
  o protect any stored cardholder data
  o encrypt transmission of cardholder data across open, public networks
- Keep a vulnerability management plan
  o always use and regularly update anti-virus software
  o develop and maintain secure systems and applications
- Implement strong access control practices
  o limit access to cardholder data to only those who need to know
  o give every person with computer access a unique ID
  o limit physical access to cardholder data
- Monitor and test your networks on a regular basis
  o track and monitor all access to network resources and cardholder data
  o regularly test security systems and procedures
- Keep an information security policy
  o always keep a policy that addresses information security
The Payment Card Industry Security Standards Council encourages businesses to comply with PCI DSS and become certified, to help reduce the financial risks from data compromises. But it's the payment card schemes, eg MasterCard or Visa, that manage the actual compliance programme. Seek advice from your bank on your specific compliance obligations and how your business can become certified. Failure to be certified annually can become an issue if you have a security breach and your customers' card details are stolen. Penalties levied by the card schemes can be heavy, depending on the number of cards compromised. Even where a merchant is certified, this does not protect them from potential penalties if it is deemed that their own actions, through negligence, omission or accident, contributed to a breach. Where these breaches can occur:
- Late-night orders
- High-risk countries
- PO box addresses or hotels/guest houses
- Free/anonymous email addresses
- Express delivery
- High-quantity orders
- High-value orders
- Different shipping and billing addresses, or IP country differing from billing/card-issue country
- Frequent purchases
- Frequent contacts from anxious fraudsters
- Mobile rather than landline number
- Suspicious behaviour by the customer
- Indiscriminate purchases
- Inconsistencies in shopper details across multiple purchases, eg the same shopper email address but a differing name or address provided
Your website MUST be compliant in this area to trade online. The Information Commissioner's Office (ICO) is responsible for enforcing this standard and can impose penalties of up to £500,000 for serious data breaches. So if you're not sure whether your site complies, speak to a professional web security specialist. Or it could cost you!
Encryption software such as SSL and the introduction of 3-D Secure protect online shoppers and their data. By integrating these types of security systems with your site, you greatly reduce your exposure to the risk of attack from internet criminals stealing data, or of costs from transactions that turn out to be fraudulent. Don't be complacent. But with the proper safeguards in place, your customers' money, as well as your business profits, will be safe online.
For security, websites taking payments need a Secure Socket Layer (SSL) certificate. Customer confidence is improved by the presence of a visible SSL certificate. SSL certificates use encryption techniques to protect data.
Encryption is the technical process that allows data to be transmitted securely over computer networks. It masks data so that unauthorised parties are unable to read or intercept it. Browsers supporting SSL display icons such as a padlock in the bottom task bar, or a blue key, to indicate that a secure session is in progress. 256-bit encryption is the highest standard of security on the market at the moment. Why you need SSL:
- To authenticate the identity of your website to visiting browsers, and your identity or business to the visiting customer
- To encrypt (protect) private information that's exchanged on your site, such as credit card numbers or customer account information
Customers can see that SSL is in place from:
- A padlock symbol that appears in the customer's web browser when your site is opened
- The https prefix in front of your URL address in the browser
If you want to take customer payments on your own site (https), then you need to purchase an SSL Certificate. Although depending on the eCommerce platform you have or are considering, you may find an SSL Certificate included.
Validation
To obtain an SSL Certificate you must be validated by a relevant certificate authority. Once your certificate is installed on your server, customers can view your authenticated information by clicking on the padlock symbol in the browser, which automatically displays your credentials to the public. A recent development is extended validation (extended validation is restricted; ask your SSL Certificate issuer which types of companies and sectors are included). This turns the browser bar green (in newer versions of browsers), telling the visitor instantly that the site has the highest level of assurance.
Installation
SSL Certificates can be successfully installed on most websites, but your site must have a dedicated IP address. The validation process is fairly straightforward and can take as little as an hour to be carried out. Applying for an SSL certificate? You need:
- A unique IP address for each certificate you want to use. If you have multiple subdomains on one IP address, you will need to set up SSL host headers to do this.
- A certificate signing request (CSR)
- Correct contact information in the WHOIS record
- Business/organisation validation documents (in the case of high-assurance or extended validation certificates)
The process:
1. Prepare by getting your server set up, your WHOIS record updated, etc.
2. Generate the CSR on the server
3. Submit the CSR and other information to the Certificate Authority
4. Have your domain and company validated
5. Receive and install the issued certificate
3-D Secure
The 3-D Secure protocol was developed by Visa to improve the security of online payments. The protocol is offered under the service name Verified by Visa. MasterCard has also adopted a similar protocol, called MasterCard SecureCode.
Extra security measure for card transactions. Essentially Chip and PIN for online payments. Reduces instances of fraudulent transactions.
Both allow authentication of cardholders by their issuers at participating merchants. The objective is to benefit all participants by giving issuers the ability to fully authenticate cardholders through the use of a password during online purchases, cutting the chances of card fraud and improving card transaction efficiency. 3-D Secure ties the financial authorisation process to an online authentication. This authentication is based on a three-domain model (hence the 3-D in the name). The three domains are:
- Acquirer domain (the merchant and the bank to which money is being paid)
- Issuer domain (the bank which issued the card being used)
- Interoperability domain (the infrastructure provided by the card scheme, whether credit, debit, prepaid or another type of finance card, to support the 3-D Secure protocol). The interoperability domain includes the internet, MPI, ACS and other software providers.
The protocol uses XML messages sent over SSL connections with client authentication (this ensures the authenticity of both peers, the server and the client, using digital certificates). When you start a transaction using 3-D Secure, it initiates a redirection to the website of the card-issuing bank to authorise the transaction. This provides extra protection, because correctly entering the security code during a purchase confirms that you are the authorised cardholder. If an incorrect security code is entered, the purchase will not be completed. Even if someone knows your credit or debit card number, the purchase cannot be completed without your security code. The process works in a similar way to the PIN for your card.
A significant factor in adopting 3-D Secure is the reduction in disputed transactions and the handling and losses that come with those. Authenticated payment is expected to eradicate a substantial proportion of fraud, charge-backs and customer complaints. Much harder to predict is the effect 3-D Secure is having on consumer confidence. Greater confidence should mean increased sales, so any steps your business takes to protect data will have a positive impact on your business. 3-D Secure is compatible with most online payment solutions although some high-risk accounts may require the addition of a message passing interface (MPI). Benefits of integrating 3-D Secure:
- Minimal impact on the merchant's interaction with the consumer
- Customer confidence in your site's security
- Less risk of fraudulent transactions
- Fewer disputed transactions
Fraud prevention
When assessing security arrangements, retailers should be aware that they may be liable for losses if a transaction turns out to be fraudulent. Online card payments are classed as 'cardholder-not-present' (CNP), because you can't physically check the card or the cardholder.
Online fraud is reducing as security gets more stringent. Fraudulent transactions result in 'charge-backs'. This can adversely affect your internet merchant account status.
Recent figures from Financial Fraud Action UK (FFA UK) show that CNP fraud is actually decreasing, in most part due to increasing measures by both retailers and payment solution providers. If a transaction turns out to be fraudulent, the money will be reclaimed from your bank account (known as a 'charge-back'). Charge-backs can also occur through customer refunds, and it's worth pointing out that the number of charge-backs you have can adversely affect your ability to obtain an internet merchant account if you are not already using one. It is standard practice for payment solution providers to hold back a small rolling balance of your turnover (usually around 5%) to cover charge-backs, so it's best to check the small print of your agreement for this. You should also protect your business from online attacks aimed at obtaining card details or other data. If you suffer a serious breach, your reputation could suffer a setback it doesn't recover from. Before concluding a transaction, you should consider the following:
- Are the goods high-value or suitable for resale?
- Is the sale excessively high in comparison with your usual orders?
- Is the customer ordering many different items?
- Do they seem unlike your usual customer?
- Is the customer providing details of someone else's card?
- Does the address provided seem suspicious?
- Has the delivery address been used before with different customer details?
- Is the delivery or contact address overseas?
- Is the customer being prompted by a third party while on the phone?
- Is the customer attempting to use more than one card in order to split the value of the sale?
- Does the customer seem to lack knowledge of their account?
- Does the customer seem to have a problem remembering their home address or phone number?
- Does the customer sound as if they are referring to notes?
These are some of the common signs that point towards CNP fraud. Of course, you can never be 100 per cent certain a fraud is taking place until after the event, but it pays to be vigilant. If you can answer yes to any of the above during a transaction, conduct further checks! To protect the retailer against charge-backs from transactions that turn out to be fraudulent, a number of 3-D Secure authentication products are now on the market that can be integrated alongside any other security your site has. These include:
- Address Verification Service (AVS)
- Card Security Code (CSC)
- MasterCard SecureCode
- Verified by Visa
- J/Secure
- SafeKey
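The CNP warning signs in the checklist above, together with the similar list of indicators under 'Payment security', as a screening routine run over constructed orders so that any order raising a flag can be sent for the further checks the text calls for. This is an added example, not code from the page's source; the Order fields, thresholds, placeholder country codes and email domains are all assumptions.

```python
"""Screen a cardholder-not-present order against this page's red flags (constructed)."""
from dataclasses import dataclass
from datetime import datetime

# Constructed reference data (placeholders): a merchant would maintain its own.
FREE_EMAIL_DOMAINS = {"anonmail.test", "freemail.test"}
HIGH_RISK_COUNTRIES = {"XX", "YY"}      # placeholder country codes
HIGH_VALUE_PENCE = 50_000               # assumed threshold (£500)
HIGH_QUANTITY = 10                      # assumed threshold
RISKY_ADDRESS_MARKERS = ("po box", "p.o. box", "hotel", "guest house")


@dataclass
class Order:
    customer_name: str
    email: str
    card_last4: str
    placed_at: datetime
    amount_pence: int
    quantity: int
    billing_address: str
    shipping_address: str
    card_issue_country: str
    ip_country: str
    express_delivery: bool


def screen(order: Order, history: list) -> list:
    """Return the red flags this order raises; any flag means 'check further'."""
    same_email = [h for h in history if h.email.lower() == order.email.lower()]
    same_delivery = [h for h in history
                     if h.shipping_address.lower() == order.shipping_address.lower()]
    checks = [
        (order.placed_at.hour < 6, "late-night order"),
        ({order.card_issue_country, order.ip_country} & HIGH_RISK_COUNTRIES,
         "high-risk country"),
        (any(m in order.shipping_address.lower() for m in RISKY_ADDRESS_MARKERS),
         "PO box or hotel/guest house delivery address"),
        (order.email.rsplit("@", 1)[-1].lower() in FREE_EMAIL_DOMAINS,
         "free/anonymous email address"),
        (order.express_delivery, "express delivery"),
        (order.quantity >= HIGH_QUANTITY, "high-quantity order"),
        (order.amount_pence >= HIGH_VALUE_PENCE, "high-value order"),
        (order.shipping_address.lower() != order.billing_address.lower(),
         "shipping and billing addresses differ"),
        (order.ip_country != order.card_issue_country,
         "IP country differs from card-issue country"),
        (any(h.customer_name != order.customer_name
             or h.billing_address != order.billing_address for h in same_email),
         "same email address with a different name or address"),
        (any(h.card_last4 != order.card_last4 for h in same_email),
         "more than one card used by the same shopper"),
        (any(h.customer_name != order.customer_name for h in same_delivery),
         "delivery address previously used with different customer details"),
    ]
    return [label for hit, label in checks if hit]


def run_example() -> tuple:
    """Constructed sample: one earlier order, then a suspicious and a clean one."""
    earlier = Order("Jo Smith", "jo@anonmail.test", "1111", datetime(2024, 5, 1, 14, 0),
                    2_000, 1, "12 High St", "12 High St", "GB", "GB", False)
    suspect = Order("J. Smyth", "jo@anonmail.test", "2222", datetime(2024, 5, 2, 3, 15),
                    80_000, 2, "12 High St", "Room 4, Grand Hotel", "GB", "XX", True)
    clean = Order("Sam Jones", "sam@example.org", "3333", datetime(2024, 5, 2, 11, 0),
                  2_000, 1, "5 Mill Lane", "5 Mill Lane", "GB", "GB", False)
    return screen(suspect, [earlier]), screen(clean, [earlier])
```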
If you suspect a CNP fraud is taking place, you should contact the police and complete a Reporting Suspicions of Card-Not-Present (CNP) Fraud form. For more information on online fraud prevention and security measures, go to:
http://www.financialfraudaction.org.uk
http://www.actionfraud.police.uk
http://www.getsafeonline.org
http://www.nfib.police.uk
Risky business?
If you want an internet merchant account (IMA) from an acquiring bank, you will have to successfully complete your chosen bank's application process. However, the criteria for acceptance are strict, and the timescales involved may mean an IMA is not the right option for your business.
Banks consider internet merchant accounts as a line of credit. Your risk to the bank depends on the type of business you have and in what sector. 'High-risk' businesses can expect to pay more for transaction charges.
Your IMA application is also based on the risk you represent to whoever is providing the IMA. Your level of risk is calculated on a number of factors including the type of business you are, the sector you operate in and the volume of monthly transactions you carry out.
Charge-backs can arise when:
- The customer or vendor has made a mistake at the point of sale (eg expired card)
- The transaction is disputed by the cardholder or card issuer
- The transaction was fraudulent
- The transaction is a duplicate
- The transaction was not authorised due to insufficient funds
- The goods or services ordered have not been received
Your business should take whatever steps it can to limit charge-backs as excessive numbers of these will adversely affect your IMA. Some card issuers like MasterCard and Visa fine merchants and their merchant account providers for having too many charge-backs. If you repeatedly have too many charge-backs (and the bank or card issuer is facing unrecovered losses as a result) then your IMA will be at risk of closure and you may be unable to accept credit card payments. Managing charge-backs, however they occur, is a vitally important part of your payment solution. Some of the ways to avoid excessive charge-backs include:
- Use postal methods with tracking and proof of delivery
- Describe goods accurately on your website
- Deliver on time
- Make sure customers know about your returns policy
- Resolve customer complaints quickly
Factors in the risk assessment:
- Charge-backs: the risk of refunds on your merchant account
- Forecast turnover figures: higher turnover can generate higher exposure
- Average transaction size: if you sell very high-value items (diamonds, cars) this will influence the risk analysis of your business
- Time from payment to order fulfilment: the longer it takes to dispatch goods to a customer, the greater the risk of an order cancellation
- Length of trading record: a start-up company is more of a risk than a well-established business
- Business sector classification: different sectors have more or less risk associated with them (CDs can be resold, for example, but airline tickets need identification to use). Some banks have more than 700 different business sector classifications
- Safeguards you have in place: security checks like verifying address details or phoning customers who place large or repeated orders will reduce the perceived risk
You may be asked to put up a bond (insurance) by your acquirer to offset the risk you represent.
If your business operates in any of the high-risk categories then an IMA may not be available to you. Payment bureaus specialising in this area are out there, but you can expect to pay more for transactions and also be liable for interest payments as a result of settlement periods or overdrafts. Some of the businesses likely to be considered high-risk:
- Dating services
- Adult services
- Travel companies
- Online casinos
- Claims management
- Payday loans
- Membership and subscription services