Key components of e-commerce managed by the merchant (seller) include the products or services offered, the target audience, competitors, operational costs, and the online platform, which usually incorporates a payment gateway to facilitate transactions.
Commonly known as a Payment Gateway (PG), this technology enables customers to securely complete transactions using various payment methods. By enhancing payment security, it fosters customer trust and loyalty, which can lead to increased revenue for businesses.
A payment gateway serves as an essential conduit for securely exchanging payment data for processing between the merchant and the client. Through its connections to credit card networks or banks, it makes it easier for transactions to be approved or denied for online shops. By acting as a middleman, the payment gateway facilitates easy and secure communication between e-commerce platforms and payment processors, allowing for the seamless execution of transactions while safeguarding sensitive consumer information.
The payment gateway (PG) authenticates and verifies the transaction between buyers and sellers, ensuring the security and validity of the payment process.
Parties involved in processing a payment through a PG:
- Merchant (Seller)
- Customer (Card holder)
- Acquirer (Acquiring) Bank and Issuer (Issuing) Bank
- Payment Gateway
- Payment processor
A general purchase workflow is as follows:
1. Customer visits the e-commerce website
2. Explores various options
3. Compares them on various parameters
4. Adds the selected item to his shopping cart
5. Proceeds with payment
6. Enters the information for the payment mode
7. Places the order after successful completion of the previous step
A general payment process workflow occurs after step 5 and at step 6 of the purchase workflow. The merchant redirects the customer to the Payment Aggregator’s page. It involves the following:
- Collect: The customer enters the card details, and the online transaction is processed as a “Card-Not-Present” transaction. Once this information has been submitted, it is securely passed to the PG.
- Transfer: The PG encrypts the card details and runs fraud checks before forwarding the encrypted card data (payment information) to the acquirer. The acquirer securely sends the information to the card schemes (Visa, Mastercard, etc.), which carry out another layer of fraud checks and transmit the payment data to the issuer for authorization.
- Authorize: After screening, the issuer authorizes the transaction; that is, it validates the transaction information and checks whether the card holder has adequate funds available in his account. The issuer’s approved or declined response is transferred to the acquirer. The PG receives the same message from the acquirer and forwards it to the merchant.
- Complete: Based on the message received from the acquirer through the PG, the retailer has two options: either show the customer a page confirming their payment or request that they use a different payment method.
- Settlement: If the payment is accepted, the acquirer places the funds “On Hold” in the merchant’s account after obtaining the payment amount from the issuing bank. The terms of the merchant’s agreement with his payment service provider determine when the actual settlement takes place.
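A runnable model of these five steps, added here as an illustration and not code from the original article or from any real PG: the merchant calls `checkout`, the PG validates and tokenizes the card number and forwards the request through the acquirer to the issuer, which approves only when the cardholder has adequate funds and reserves them on hold. The ledger, card number and function names are constructed assumptions, and the card-scheme hop is collapsed into `acquirer_forward`.

```python
import secrets

# Constructed sample issuer ledger (not real accounts), keyed by card number (PAN).
# Only the issuer and the PG's vault ever hold the PAN; the merchant sees a token.
ISSUER_LEDGER = {"4111111111111111": {"available": 150.00, "on_hold": 0.0}}

def luhn_ok(pan: str) -> bool:
    """Mod-10 sanity check on the card number, applied by the PG at Collect."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def issuer_authorize(pan, amount):
    """Authorize: the issuer approves only if the cardholder has adequate funds."""
    acct = ISSUER_LEDGER.get(pan)
    if acct is None or acct["available"] < amount:
        return {"result": "declined"}
    acct["available"] -= amount   # reserved now, moved to the merchant at Settlement
    acct["on_hold"] += amount
    return {"result": "approved", "auth_code": secrets.token_hex(3)}

def acquirer_forward(pan, amount):
    """Transfer: acquirer -> card scheme -> issuer; the scheme hop is collapsed here."""
    return issuer_authorize(pan, amount)

class PaymentGateway:
    def __init__(self):
        self._vault = {}   # token -> PAN, kept only inside the PG

    def collect(self, pan, amount):
        """Collect: card-not-present details reach the PG, which tokenizes them."""
        if not luhn_ok(pan):
            return {"result": "declined", "reason": "invalid card number"}
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        resp = acquirer_forward(pan, amount)
        resp.update(token=token, last4=pan[-4:])   # merchant never receives the PAN
        return resp

def checkout(pg, pan, amount):
    """Complete: merchant shows a confirmation or asks for another payment method."""
    resp = pg.collect(pan, amount)
    if resp["result"] == "approved":
        return "confirmed", resp["token"], resp["last4"]
    return "retry", None, None
```

The merchant's record of the sale is only the token and the last four digits, which is the scope reduction that tokenization gives a merchant under PCI DSS.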
Along with the Payment Gateway, the Payment Aggregator also plays an important role in Authorization and Payment Settlement.
| Basis of distinction | Payment Gateway | Payment Aggregator |
|---|---|---|
| Primary function | Acts as an intermediary and back-end technology support. | Acts as an interface and as a front-end service. |
| Multiple payment options | No | Yes |
| Owned by | Banks, vendors, payment aggregators, etc. | Generally, fintech companies and financial service providers. |
| Authorization | Payment Card Industry – Data Security Standard (PCI DSS) certification | Authorization by regulatory authorities may be required. |
| Integrated solution | Relatively less integration as compared to aggregators | Full integration is available |
| Role | Provide the technological infrastructure necessary to facilitate the processing of online payment instructions. They connect an online store or a merchant to a payment processor, allowing him to accept payment from a customer. | Third-party payment solution providers that offer merchant onboarding services and facilitate the collection of funds from customers through a variety of modes. They provide a single platform to connect multiple merchants to different payment processors. |
| Funds handling | Do not handle funds. | Do handle funds. They do this on behalf of the merchant, and the funds are stored in an escrow account. |
Based on the payment information flow, there are 3 types of PG models: Hosted PG, Self-Hosted (Own) PG and API-driven PG.
| Basis of distinction | Hosted PG | Self-Hosted PG | API-driven PG |
|---|---|---|---|
| Also known as | Redirect PG | NA | NA |
| Basics | After the payment details are entered by the customer on the merchant’s site, the merchant redirects him to a third-party service provider (3rd PSP) to complete the transaction. | Enables merchants to process payments directly on their website. Payment details are collected by the merchant and encrypted before being sent to the 3rd PSP. | Merchant integrates the PG’s APIs into their website or app. Enables merchants to process payments directly on their website. |
| Payment process takes place on | A secure page hosted by the PG, not a page on the merchant’s website. | Merchant’s webpage | |
| Flexibility of accepting payments | Limited flexibility in customization of payment modes. | Various payment options with higher flexibility in customization of payment modes. | Many payment options and customizable payment modes. |
| Ease of integration | Easiest to integrate; the merchant needs to embed a code snippet or use a plugin/module for his e-commerce platform. | Slightly complex | Technical skills required, as the API integration has to be done on the merchant’s site. |
| Speed | Swift integration and payment collection | Depends on the merchant’s server capabilities. | Can offer the fastest processing, depending on the merchant’s website. |
| Costs | Low setup cost, ongoing commissions on transactions, affordable start | High setup and maintenance costs; requires investment in customization. | Generally no setup or integration costs, and lower commissions on transactions. |
| Security and compliance | Provider ensures protocols and security methods such as PCI DSS, SSL, etc. | Merchant ensures compliance with protocols and security methods. | High security and compliance with the gateway service’s protocols. |
| Success rates and uptime | Reliable | Moderate | Highest |
| Customer service | Generally good support, but limited branding | Variable | Variable support |
| Ease of reconciliation | Simplified process, but limited access to detailed transaction data | Extensive data access and complex reconciliation | Access to transaction data, but requires handling the data responsibly and securely. |
| Pros | Offers a user-friendly solution for accepting payments and simplifies compliance and development effort. | Better control over the user experience and a faster checkout process. Merchant has control over consumer and transaction data. | Merchant spends less time maintaining the payment system and users get a seamless experience. |
| Cons | Since it is external, the merchant does not control the buyer’s checkout process; the merchant gets limited branding opportunity on the final payment page hosted by the PG. | Requires technical expertise and effort to set up and maintain. | Requires technical expertise. |
The merchant needs to consider the following factors while choosing a PG:
- Cost
- Supporting payment platforms
- Payment settlement cycle and holding time
- Multiple currency setup
- Recurring billing
- Hosted vs non hosted
- Security
- Scalability and future growth
- Limits
- Integration with other systems
- Cost:
Includes set-up fees, monthly maintenance fees and transaction fees. If volume is high and value per sale is low, the percentage option for transaction fees should be chosen; otherwise the flat-fee option should be chosen.
- Supporting payment platforms:
Consumers value convenience and a wide range of payment options. To reduce cart abandonment, offer multiple payment methods such as credit cards, debit cards, net banking, and more. Choose a payment gateway that supports diverse payment options and is flexible enough to adapt to future business models or technological advancements, ensuring long-term scalability and customer satisfaction.
- Payment settlement:
This decides the speed at which funds rotate into the merchant’s account. After the customer pays, the money is parked in an intermediary merchant account, which is a transit account. The collected amount may be held in the intermediary account for a few days to enable handling of refunds and chargebacks. The duration for which it is held is called the “settlement cycle”. Generally, it is 1-7 days depending on the PSP. Ideally, select the PG with the shorter settlement cycle.
- Multiple currency support:
If the merchant has international reach and demand, he should choose a PG that can easily convert the final payment amount to the local currency. Always check the charges associated with foreign currency transactions.
- Recurring billing:
Relevant for all subscription-based services (telephone, electricity, etc.). The merchant who raises the bill is called a biller. Periodicity and payment method may be automated. The PG should be able to store customer details for future transactions, charge on scheduled dates and offer the option to retry if a transaction fails.
- Hosted (risk free) vs non-hosted (customizable):
As per the points discussed under “Payment Gateway models”.
- Security:
PCI DSS, SSL, TLS, HTTPS, storage in the same geography, end-to-end encryption of data at rest and in transit, adherence to risk monitoring measures.
- Scalability and future growth:
The PG’s ability to handle increased transaction volume, accommodate additional features and support expansion plans. The merchant should look for flexible pricing plans and upgrade options.
- Limits:
At times PGs set an upper limit on the transaction amount handled in a month. The merchant should check how it compares to the business volume.
- Integration with other systems:
An additional facility to connect to invoicing or accounting software so that the merchant’s books are updated automatically, saving time.
Security affects all the stakeholders: merchant, customer and PG. The security framework for a PG includes:
- PCI DSS compliance (Payment Card Industry Data Security Standard): All companies that process credit or debit cards must comply. It was formed by Visa, Mastercard, JCB, Amex and Discover in 2006 and has 12 requirements, covering, for example, setting up and maintaining a firewall to protect card holder information. Merchants are classified on the basis of transaction volume. Compliance is validated annually by self-assessment or by an internal/external assessor.
- SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols: SSL is an encryption-based internet security protocol and TLS is its improved successor for securing online communication. They protect data transferred between browser and server, e.g. https or the lock symbol in the website address bar.
- 3DS protocol (3-D Secure, a three-domain structure): An XML-based authentication protocol. It has 3 domains: merchant, issuer and interoperability. An OTP adds an extra layer.
- 2FA (Two-Factor Authentication): A subset of multi-factor authentication. It combines two of the three factor types: something you know (password), something you have (text/code sent to you) and something you are (biometric/face/retina).
- Tokenization: The process of replacing card details with a unique code/token so that the sensitive data is not revealed.
- AVS (Address Verification Service): Helps reduce chargebacks by checking the billing address against the card holder’s account information on record. The result is returned to the merchant. It does not guarantee fraud prevention.
One needs to plan for preventing fraud in payment transactions. PG providers and merchants suffer direct losses and fines from authorities, and also bear the expense of fixing the problems. The customer bears the direct financial loss and the cost of alternatives, as well as the cost of redressal. Overall, the macro economy suffers repercussions if companies cease operation.
Operational, malfeasance, strategic and legal risks are the critical ones to consider while deciding the course of action for frauds.
These risks can be addressed using integrated IT risk management techniques such as information and cyber security, disaster recovery, vendor and third-party management, project and change management, architecture, development and testing, data quality and governance, and IT compliance.
Frauds can be categorized as:

| Fraud type | Details | Paying party | Guard |
|---|---|---|---|
| Identity theft through stolen cards | Phishing scams, hacking, social engineering, card skimming, disposed documents | Merchant issues refund, covers chargebacks, financial sanctions | ID verification, 3DS, 2FA |
| Chargeback fraud | Friendly fraud | Situational | Clear documented policies and processes, complete detailed transaction list. Merchant obtains a signature from the customer on receiving goods/services, furnishes tracking details, blacklists fraudsters. |
| Card testing fraud | Criminals use automated software to confirm the authenticity of credit cards they have stolen. | Situational | AVS, CVV, track trends, use ML and AI for fraud detection. |
| Marketplace fraud | Listing counterfeit goods, items vanishing from stock after payment, fictitious seller accounts | Situational | Strict onboarding requirements, identity checks, review of seller performance and credit history. |
| Refund to alternate payment fraud | Fraudster willfully overpays and asks for the refund via another payment method, then vanishes. | Undecided | Deny refunds via an alternate payment method. |
Proof of delivery can be included while contesting a chargeback; otherwise the chargeback is adjusted in the next billing cycle. Payment Aggregators also need to use sound underwriting methods, steer clear of dubious retailers, or obtain a security deposit to cover losses from chargebacks. To reduce chargebacks, the merchant can find the actual reason for the chargeback, provide friendly customer support, use deflection tools for chargeback alerts, draw order insights, use a recognizable merchant descriptor, use 2FA, maintain records, etc.
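The “track trends” guard against card testing fraud in the table above, as an added example that is not the article’s own code: a velocity rule over a constructed authorization log that flags a source IP trying many distinct cards for tiny amounts with a high decline rate inside a short window, and counts the AVS/CVV mismatches in that burst. The log format, IP addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorization log (not real traffic):
# (timestamp, source IP, card token, amount, result, AVS match, CVV match)
AUTH_LOG = [
    ("2024-05-01T10:00:01", "203.0.113.7", "tok_c1", 1.00, "declined", "N", "N"),
    ("2024-05-01T10:00:08", "203.0.113.7", "tok_c2", 1.00, "declined", "N", "N"),
    ("2024-05-01T10:00:15", "203.0.113.7", "tok_c3", 1.00, "approved", "N", "Y"),
    ("2024-05-01T10:00:22", "203.0.113.7", "tok_c4", 1.00, "declined", "N", "N"),
    ("2024-05-01T10:00:29", "203.0.113.7", "tok_c5", 1.00, "declined", "N", "N"),
    ("2024-05-01T10:00:36", "203.0.113.7", "tok_c6", 1.00, "approved", "Y", "Y"),
    ("2024-05-01T10:01:00", "198.51.100.20", "tok_d1", 49.99, "approved", "Y", "Y"),
    ("2024-05-01T10:01:30", "198.51.100.20", "tok_d1", 49.99, "declined", "Y", "Y"),
    ("2024-05-01T10:02:00", "198.51.100.20", "tok_d1", 49.99, "approved", "Y", "Y"),
]

def card_testing_alerts(log, window_minutes=5, min_cards=6,
                        max_avg_amount=5.0, min_decline_rate=0.5):
    """Flag source IPs that, within one window, try many distinct cards for
    small amounts with a high decline rate: the signature of card testing."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ts, ip, token, amount, result, avs, cvv in log:
        by_ip[ip].append((datetime.fromisoformat(ts), token, amount, result, avs, cvv))
    alerts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:   # slide the window forward
                start += 1
            chunk = rows[start:end + 1]
            cards = {r[1] for r in chunk}
            if len(cards) < min_cards:
                continue
            avg_amount = sum(r[2] for r in chunk) / len(chunk)
            decline_rate = sum(r[3] == "declined" for r in chunk) / len(chunk)
            mismatches = sum(r[4] != "Y" or r[5] != "Y" for r in chunk)
            if avg_amount <= max_avg_amount and decline_rate >= min_decline_rate:
                alerts.setdefault(ip, {"attempts": len(chunk), "distinct_cards": len(cards),
                                       "decline_rate": round(decline_rate, 2),
                                       "avs_cvv_mismatches": mismatches})
                break   # one alert per IP is enough; the first burst is the evidence
    return alerts
```

The legitimate shopper retrying one card at a normal basket value is not flagged, which is the distinction a threshold on distinct cards and average amount buys over a plain attempt count.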