A payment gateway is an e-commerce application service provider service that authorizes payments for e-businesses, online retailers, bricks and clicks, or traditional brick and mortar. It is the equivalent of a physical point of sale terminal located in most retail outlets. Payment gateways protect credit card details by encrypting sensitive information, such as credit card numbers, to ensure that information is passed securely between the customer and the merchant and also between merchant and the payment processor.
How It Works?
A payment gateway facilitates the transfer of information between a payment portal (such as a website, mobile phone or IVR service) and the Front End Processor or acquiring bank. When a customer orders a product from a payment gateway-enabled merchant, the payment gateway performs a variety of tasks to process the transaction:
* A customer places order on website by pressing the 'Submit Order' or equivalent button, or perhaps enters their card details using an automatic phone answering service.
* If the order is via a website, the customer's web browser encrypts the information to be sent between the browser and the merchant's webserver. This is done via SSL (Secure Socket Layer) encryption.
* The merchant then forwards the transaction details to their payment gateway. This is another SSL encrypted connection to the payment server hosted by the payment gateway.
* The payment gateway forwards the transaction information to the payment processor used by the merchant's acquiring bank.
* The payment processor forwards the transaction information to the card association (i.e., Visa/MasterCard)
* If an American Express or Discover Card was used, then the processor acts as the issuing bank and directly provides a response of approved or declined to the payment gateway.
* Otherwise, the card association routes the transaction to the correct card issuing bank.
* The credit card issuing bank receives the authorization request and sends a response back to the processor (via the same process as the request for authorization) with a response code. In addition to determining the fate of the payment, (i.e. approved or declined) the response code is used to define the reason why the transaction failed (such as insufficient funds, or bank link not available)
* The processor forwards the response to the payment gateway.
* The payment gateway receives the response, and forwards it on to the website (or whatever interface was used to process the payment) where it is interpreted as a relevant response then relayed back to the cardholder and the merchant.
* The entire process typically takes 2–3 seconds
* The merchant submits all their approved authorizations, in a "batch", to their acquiring bank for settlement.
* The acquiring bank deposits the total of the approved funds in to the merchant's nominated account. This could be an account with the acquiring bank if the merchant does their banking with the same bank, or an account with another bank.
* The entire process from authorization to settlement to funding typically takes 3 days.
Many payment gateways also provide tools to automatically screen orders for fraud and calculate tax in real time prior to the authorization request being sent to the processor. Tools to detect fraud include geolocation, velocity pattern analysis, delivery address verification, computer finger printing technology, identity morphing detection, and basic AVS checks.
Security:
* Since the customer is usually required to enter personal details, the entire communication of 'Submit Order' page (i.e. customer - payment gateway) is carried out through HTTPS protocol.
* To validate the request of the payment page result, signed request is often used - which is the result of the hash function in which the parameters of an application confirmed by a «secret word», known only to the merchant and payment gateway.
* To validate the request of the payment page result, sometimes IP of the requesting server has to be verified.
* There is a growing support by acquirers, issuers and subsequently by payments gateways for Virtual Payer Authentication (VPA), implemented as 3-D Secure protocol - branded as Verified by VISA, MasterCard SecureCode and J/Secure by JCB, which adds additional layer of security for online payments. 3-D Secure promises to alleviate some of the problems facing online merchants, like the inherent distance between the seller and the buyer, and the inability of the first to easily confirm the identity of the second.
How It Works?
A payment gateway facilitates the transfer of information between a payment portal (such as a website, mobile phone or IVR service) and the Front End Processor or acquiring bank. When a customer orders a product from a payment gateway-enabled merchant, the payment gateway performs a variety of tasks to process the transaction:
* A customer places order on website by pressing the 'Submit Order' or equivalent button, or perhaps enters their card details using an automatic phone answering service.
* If the order is via a website, the customer's web browser encrypts the information to be sent between the browser and the merchant's webserver. This is done via SSL (Secure Socket Layer) encryption.
* The merchant then forwards the transaction details to their payment gateway. This is another SSL encrypted connection to the payment server hosted by the payment gateway.
* The payment gateway forwards the transaction information to the payment processor used by the merchant's acquiring bank.
* The payment processor forwards the transaction information to the card association (i.e., Visa/MasterCard)
* If an American Express or Discover Card was used, then the processor acts as the issuing bank and directly provides a response of approved or declined to the payment gateway.
* Otherwise, the card association routes the transaction to the correct card issuing bank.
* The credit card issuing bank receives the authorization request and sends a response back to the processor (via the same process as the request for authorization) with a response code. In addition to determining the fate of the payment, (i.e. approved or declined) the response code is used to define the reason why the transaction failed (such as insufficient funds, or bank link not available)
* The processor forwards the response to the payment gateway.
* The payment gateway receives the response, and forwards it on to the website (or whatever interface was used to process the payment) where it is interpreted as a relevant response then relayed back to the cardholder and the merchant.
* The entire process typically takes 2–3 seconds
* The merchant submits all their approved authorizations, in a "batch", to their acquiring bank for settlement.
* The acquiring bank deposits the total of the approved funds in to the merchant's nominated account. This could be an account with the acquiring bank if the merchant does their banking with the same bank, or an account with another bank.
* The entire process from authorization to settlement to funding typically takes 3 days.
Many payment gateways also provide tools to automatically screen orders for fraud and calculate tax in real time prior to the authorization request being sent to the processor. Tools to detect fraud include geolocation, velocity pattern analysis, delivery address verification, computer finger printing technology, identity morphing detection, and basic AVS checks.
Security:
* Since the customer is usually required to enter personal details, the entire communication of 'Submit Order' page (i.e. customer - payment gateway) is carried out through HTTPS protocol.
* To validate the request of the payment page result, signed request is often used - which is the result of the hash function in which the parameters of an application confirmed by a «secret word», known only to the merchant and payment gateway.
* To validate the request of the payment page result, sometimes IP of the requesting server has to be verified.
* There is a growing support by acquirers, issuers and subsequently by payments gateways for Virtual Payer Authentication (VPA), implemented as 3-D Secure protocol - branded as Verified by VISA, MasterCard SecureCode and J/Secure by JCB, which adds additional layer of security for online payments. 3-D Secure promises to alleviate some of the problems facing online merchants, like the inherent distance between the seller and the buyer, and the inability of the first to easily confirm the identity of the second.