John: Dad!! Can you give me your credit card? I’ll buy your medicines. My card isn’t working.
Jacob: Could you bring me some juice on your way back from the pharmacy?
John: No. I am ordering the medicines online. I’ll get you the juice after I am done.
Jacob: Online!! And how is the credit card supposed to work here? Where are you going to swipe it?
John: (giggling) No dad, you don’t need to swipe the card. You just give them your card details and the money gets deducted from your bank account.
Jacob: (puzzled) So this “online pharmacy” is connected to my bank and all the other banks in the country?
John: No Dad, that’s not how it works. They use payment gateways to get connected to the banks.
Jacob: A payment gateway? What’s that?
John: Well, a payment gateway is an online application that connects the online merchant you buy your goods from to the bank that issued your card.
Jacob: (intrigued) Interesting!! So how do these gateways work?
John: (settling down to explain) Simple. When you enter your card details like Card Number, ACH numbers, CVV2, Expiry date etc. on the merchant website, you know, whoever you are buying a product from, they are sent to the payment gateways through a secured channel called a Secure Socket Layer (SSL). They do not send them directly, but in the form of an encrypted code, because these details are sensitive.
Once the payment gateway receives these details, they, in turn, send them to the corresponding bank to confirm the details. Again, this is done through a secured channel (SSL) and in an encrypted form. When the bank receives these details, it checks whether they are authorised and the balance is sufficient or not. The banks send the corresponding reply (authorised or declined) to the payment gateways. This process is called the “auth”, short for authentication. If the bank’s response is positive, the customer’s payment process is done and the banks pay the merchant directly.
Jacob: Wow! That is interesting. So, it is these gateways that are linked with all the banks and not the merchant?
Jacob: So, you buy from some online page and pay for it somewhere else?
John: (giggling) No dad, you buy and pay at the same place. You don’t need to go and find the payment gateway. They are integrated with the merchant’s webpage.
Once you click the “CheckOut” or equivalent buttons, you will be automatically redirected to the payment gateway. Sometimes, it happens in the same merchant’s webpage. These are called integrated payment gateways.
However, sometimes, they redirect you to a different page where you might be asked to create an account with them and then proceed with the payment. This type of gateway is called a hosted gateway. They are on their own but provide service to the merchant, you know, like PayPal.
Jacob: I see. So it is somebody else that does the service for the both of us. Is it really safe to trust a third-party application with your card details like that? Won’t they misuse them for money?
John: (nods understandingly) I see where you are going with that, Dad. But, no problem. Yeah, as you said, it is very easy for anyone to misuse data as confidential as credit card and CVV numbers. But they follow certain protocols to avoid these frauds.
- Data Encryption: Once you enter your card details, they are encrypted into code by the payment gateways and they can only be decrypted by the bank. No other party will be able to decode these details.
- PCI DSS compliance: The Payment Card Industry Data Security Standard has set certain obligations for the payment gateways to ensure the security of the customers. They need to be compliant with these rules in order to retain their license to continue to do so.
Regular checks for this compliance are conducted every quarter by the Internal Security Assistant of the company and once a year by the External Security Officer.
- Secure Socket Layer: When details of our card are passed from the merchant to the gateway and from the gateway to the bank, they use secure channels called the Secure Socket Layer, which are not accessible by any party in the middle. Only the two end users can make use of these details.
- Batch clear: Despite transferring the data securely, the payment gateways are supposed to “clear” all card information saved on their servers. This is usually done in batches at the end of the day and hence is called “batch clear”.
So, you can rest assured that all your credit card information is safe and not misused. There are very few chances of fraud with them.
Jacob: That’s great. It kind of gives some confidence in their security. But still, even though it is minute, there is a chance of fraud, isn’t there?
John: Yeah. No one can absolutely guarantee that no fraud ever occurs. But you know something? In recent times, these payment gateways, and in fact many other online payment services, are trying to use something called the 3D Secure protocol, also called Virtual Payer Authentication.
It adds an additional layer of security and also eliminates other problems faced by merchants, such as the inherent distance between seller and buyer and the inability of the seller to confirm the identity of the buyer.
I really hope they succeed in implementing it. It’s going to ensure a lot more security for users than there currently is.
Jacob: (nods as if he understood) Nice. A middle-man that provides both service and security. That must cost them a fortune, doesn’t it?
John: (laughing) I really don’t know if what they charge is a fortune or not, but I know that a payment gateway charges three types of fee from the merchant.
Jacob: Three types? Really?
John: Yeah. First, they charge a small setup/registration fee to agree to provide them with the services.
Second, they charge a monthly fee for providing the service throughout the month.
The third is a transaction fee, which is a percentage of every transaction they process between the bank and the merchant.
Jacob: That’s a lot of money.
John: But dad, they deserve it. Because they not only provide necessary security for the user details, but they also make sure that the entire authorisation and transaction process is done within 2-3 seconds. They really deserve the charge for that fast a service.
Jacob: Now that’s a pretty quick service. I agree with you.
Here, take my card. Make sure you return it to me in 2-3 seconds.
John: (flabbergasted) Dad!! You’ll need to pay me for that quick a service.
Jacob: I don’t quite feel secure with you knowing my credit card details.
(Both of them laugh together while buying Jacob’s medicines online.)