Ravi Adloori

Payment Gateways

Online retailers who wish to sell products online must be integrated with Payment Gateway Service Providers in order to accept cards, authorise them and finally deduct the required amount.

A Payment Gateway is a mediator between your acquiring bank and your online store. The gateway collects the card details submitted to it via the website, checks them for fraud, contacts the card issuer's bank to see if the required funds are available, and finally deducts the amount and sends it to your bank.

Gateways also perform security checks based on rules which you can define. Most of their security checks consist of checking:

- Whether the card number matches the registered address of the card holder

- Whether the CV2 (last 3 digits from the back of the card) matches the card number

- Whether the expiry date/issue number matches the card number

There are additional checks, such as checking whether the registered card address and the delivery address match. Based on these checks, you can define whether to accept the transaction, put a high/low risk mark against it, or reject it altogether.
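The following sketch shows how such merchant-defined rules can turn the check results into a decision. It is an added example, not code from any gateway: the field names, the rule list and the policy itself are assumptions, and a real gateway exposes its own result codes and rule settings.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Decision(Enum):
    ACCEPT = "accept"
    LOW_RISK = "low-risk"
    HIGH_RISK = "high-risk"
    REJECT = "reject"


@dataclass(frozen=True)
class CheckResults:
    """Result of each check; None means the check was not performed."""
    address_match: Optional[bool]    # card number vs registered address
    cv2_match: Optional[bool]        # CV2 vs card number
    expiry_match: Optional[bool]     # expiry date/issue number vs card number
    delivery_matches_card: bool      # registered card address vs delivery address


# Constructed merchant policy: rules are evaluated in order, first match wins,
# so the strictest outcomes must be listed first.
RULES = [
    ("CV2 mismatch", lambda r: r.cv2_match is False, Decision.REJECT),
    ("expiry/issue mismatch", lambda r: r.expiry_match is False, Decision.REJECT),
    ("address mismatch and goods sent elsewhere",
     lambda r: r.address_match is False and not r.delivery_matches_card,
     Decision.REJECT),
    ("address mismatch", lambda r: r.address_match is False, Decision.HIGH_RISK),
    ("CV2 not checked", lambda r: r.cv2_match is None, Decision.HIGH_RISK),
    ("address not checked", lambda r: r.address_match is None, Decision.LOW_RISK),
    ("delivery differs from card address",
     lambda r: not r.delivery_matches_card, Decision.LOW_RISK),
]


def decide(results: CheckResults) -> Tuple[Decision, str]:
    """Return the decision and the description of the rule that produced it."""
    for description, predicate, decision in RULES:
        if predicate(results):
            return decision, description
    return Decision.ACCEPT, "all checks passed"
```

Returning the matching rule alongside the decision lets you record why an order was flagged, which matters when staff review high-risk orders by hand.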

Making your online store transaction-ready:

Usually, this process involves opening an Internet Merchant Account, which is similar to opening a bank account. Only here, you will be supplied with a MID (Merchant ID) which acts like your account number.

You then supply this MID to your chosen Payment Gateway Service Provider by signing up for their services. A few popular Payment Gateway Service Providers are Sage Pay (Protx), WorldPay, ePDQ, HSBC Secure ePayments, PayPal, Google Checkout, NoChex, etc.

Based on this, the payment gateway service provider will set up an account which will be integrated with your bank and then pass on the integration guidelines that you need to follow in order to send transactions from your website.

Most Payment Gateways provide two different integration methods:

1) In-Direct: Here, the customer visits your online store, browses through products, adds them to the cart, fills in his billing/delivery address details and hits checkout. The customer is then transferred to the Payment Gateway's pages, where the card details are entered. Once this is done, the payment gateway returns the result of processing the card and, accordingly, the customer is directed to the “Thank You” page on your website, or to an "Error Page" giving details of why the card failed.

By using this method, you will not have to worry about the security details. As the payment pages will be hosted at the service provider’s end, security will be taken care of by them. Usually these companies are set up to process heavy transactions and are totally geared up when it comes to security.

Users getting diverted away from your website makes the process look jerky. One moment they are on this nicely laid-out website, and all of a sudden they are transferred to a blank "enter your card details" page. Most of the Payment Service Providers are addressing this issue by allowing you to design a template which is similar to your website by following their guidelines. You then submit this HTML design to them and they make it LIVE upon approval. Sage Pay (Protx) is one provider that offers this feature for sure. You will have to check with other providers to see if they support this.

Some In-direct Methods:
SAGE Pay Server, Barclay’s ePDQ CPI, Google Checkout, PayPal Website Payments Standard

2) Direct: Here, all the payment pages are hosted on your server. The customer never leaves the website and enters the card details on your website. These details are submitted to the Payment Gateway behind the scenes and results are obtained in the same manner. This integration is also called Full API integration and is more complicated to integrate compared to the in-direct method.

Customers stay on your website all the time. You have more control over the transaction as the payment details will be entered at your end.

This method is more complicated to integrate and usually involves the use of more than one technology (like XML, PHP, etc). As you are collecting card details on your website, you need to install an SSL certificate on all the payment pages. Now, you will also have to be PCI-Compliant (https://www.pcisecuritystandards.org/) when your server is dealing with LIVE transactions. SSL certificates usually cost from £150 P.A. and can be obtained from companies like Thawte, VeriSign, Comodo, etc.

Some Direct Methods:
Sage Pay Direct, ePDQ MPI, PayPal Website Payments Pro, HSBC Full API

3D Secure & Verified By Visa

These are additional checks required by the customer’s bank when placing an order on the internet. As of now, these checks are compulsory for all Maestro and MasterCard transactions.

The scheme which includes Maestro and MasterCard is called "3D Secure" and for Visa cards, it is "Verified By Visa".

When a customer is using a card which falls into these schemes, he gets an additional registration page directly from the issuer bank asking him to register and create a password for the first time. Subsequently, the customer will be asked to enter the password to complete the transaction.

This feature adds additional security and helps in fraud prevention for both the online retailer and the customer.

Most acquiring banks have made this compulsory and both direct/in-direct payment methods must provide this feature. (This complicates the direct integration further, whereas in the in-direct method the payment provider takes care of this integration.)

Also, a major setback of this method is that it affects the ability to take orders over the phone. If you are set up to take orders via the phone and use your website to place orders on behalf of the customer, with "3D Secure & Verified By Visa" you will no longer be able to do so because, for security purposes, customers will not and should not give their secure passwords to the retailer.

In order to overcome this, you must obtain a MOTO account from your acquiring bank which defines your company as "Mail Order Telephone Order" registered. You then need to pass this MOTO number to your Payment Gateway, who in turn integrates it into your account and then gives you guidelines on what values you need to pass in order to override the "3D Secure & Verified By Visa" authentication.

So it takes all this to sell stuff on-line. But once you are set up, you can provide a seamless shopping experience to your customers irrespective of the payment method/service provider you choose.


As of today, all online retailers must be PCI-Compliant. This involves scanning your server and online store for various vulnerabilities and security threats. It also checks to see if payment card details are being stored on your store and, if they are being stored, whether this is being done in the correct way. More details can be found here: https://www.pcisecuritystandards.org/

There are several companies that provide PCI-Compliant scans for a small amount and then issue you with an authenticated badge which can be displayed on your website. Customers can click on this badge and verify the certificate. SecurityMetrics is one such company that offers this service: https://www.securitymetrics.com/

- Ravi Adloori

[Tags: Online shop, Payment Gateway, Payment Gateway Service Provider, Sage Pay, ePDQ, Google Checkout, PayPal, 3D Secure, Verified by Visa, PCI-Compliance]
