What are Payments?
A payment is a voluntary exchange of money, goods, or any other valuable asset between two parties which they have agreed upon in advance. This exchange is termed as ‘transaction’.
What is an Acquirer?
An acquirer is a bank or a financial institution which creates a merchant account for a merchant so that the merchant can collect or ‘acquire’ card payments from customers. The acquirer is responsible for ensuring that the money is safely collected on behalf of the merchant and then deposited in the merchant’s bank account when a customer makes a purchase. Visit [11] and [12]
What is an Issuer?
In simple terms, the customer’s bank. A bank or a financial institution which ‘issues’ the debit/credit card to the card-holder is called the issuer. The issuer is responsible for authorising payments for its customers. Whenever a customer makes a purchase, the issuer validates whether there are enough funds for the transaction, performs fraud checks and other verifications, and then authorises the payment. [13]
What is Merchant Account?
Merchant account is an account that merchants open with an acquiring bank which lets merchants collect credit card/debit card payment. It is NOT an actual bank account which can store funds. In fact, it can automatically transfer funds to merchant’s actual bank (which might be in a different bank) at the end of each day (or the agreed upon time between the merchant and the Payment Processor). [14]
Sometimes, a merchant does not go directly to an acquirer, but signs up or deals with a Payment Processor company which is associated (has a contract) with its own acquirer. The Payment Processor onboards and approves the merchant, after which the merchant can start accepting card payments. Since the payment processor takes the responsibility of transferring the funds from the issuer to the merchant’s bank account, it is supposed to be PCI Compliant.
What is MOTO (Mail Order Telephone Order)?
We have talked about merchant account. There are mainly 3 types of merchant accounts –
a. Retailer — This means that you, as a merchant are collecting the payments in-person. In this you have a shop, store, physical location where customers use their cards to shop.
b. E-Commerce — This means you, as a merchant have a website where customers are paying you online. They visit your website and make a purchase. They use payment gateway to enter their card details and pay.
c. MOTO — This stands for Mail Order or Telephone Order. Consider the case when a merchant does not fall in either of the above categories a or b, which means the merchant has neither a physical store nor an online website. Examples of such merchants are — freelancers, lawyers, electricians, plumbers etc. In this case, the customers place the order by ‘mail’ or ‘telephone’. Thus, this type of merchant account is called Mail Order Telephone Order. Refer [20]
What is a Payment Processor?
A payment processor is a service which acts as a mediator between the payment gateway and the financial institutions (acquirer and issuer banks). In general, a merchant can integrate with card payments in two ways — one: it can go to an acquiring bank and open a merchant account or two: it can sign up or integrate with a Payment Processor which has its own acquirer and takes the responsibility of transfer of funds.
Payment Gateway and Payment Processor are two different services. Generally, companies provide both services of Payment Gateway as well as Payment Processor, example — PayPal, RazorPay, CCAvenue, Paytm etc. It is mostly suggested to integrate the same company’s Payment Gateway and Payment Processor because, if something goes wrong for the merchant and two different parties are involved, conflicts or disputes between them sometimes occur.
What is a Payment Gateway?
Let’s say you recently started an online business today where you want to sell gifts to the customers who want to purchase from your website. So, some customer comes to know about your amazing website, he goes through various items and selects a gift he wants to purchase. You are a merchant right now and the user who wants to purchase online is a customer, but the question is how will he pay you online? How are you going to accept the payment online? Also, you don’t know how will the customer pay you — Net banking, Credit card, UPI, Debit card? As a merchant you should be able to propose all these options for the payments, right? As a merchant, you need to offer a solution on your website that allows them to pay for the product. Here comes the role of the Payment Gateway.
A payment gateway is a tunnel between the merchant and customer to complete a transaction. It is an application interface where a customer can select the payment option and proceed with the transaction. From a merchant’s perspective, it is a platform on which they can collect payments online. When a customer selects an item online, proceeds to check out, enters card details, and then clicks ‘Pay’, the data is sent to a payment gateway which will encrypt the data and send it on to a payment processor. Note that a payment gateway can also offer the entire checkout experience, so a merchant simply needs to worry about listing its items online, and when the customer clicks ‘Buy Now’ or ‘Pay Now’, the payment gateway takes care of everything from there on.
Traditionally, payment gateways were provided by banks, but now many third-party private companies have entered the fray. The online businesses that accept payments are called merchants. In the above example, ‘you’ are the merchant as you have an online business where you are selling gifts.
Why Payment Gateways were introduced?
Before the world of e-commerce, when merchants could only sell offline, there were only physical transactions being made. These included cash transactions and card-present transactions (also called chip-n-pin transactions), in which the customer pays using the card by physically swiping, tapping or inserting it into the payment machine. These card-present transactions do not require a payment gateway.
When e-commerce was introduced, where merchants could sell and customers (buyers) could buy online, it created the need for a way for merchants to accept payments and perform transactions. The transactions that occur online are called card-not-present transactions. Thus, Payment Gateway to the rescue. It is a platform that allows the merchants to accept payments.
Payment Processor vs Payment Gateway
A payment gateway is a platform which allows customers to make payments online by offering multiple payment options. It does not get involved in the payment itself. Generally, when customers reach a checkout page, they select their payment option, enter card details (or UPI id etc.) and then proceed to pay. This action invokes the payment gateway, which securely takes the card data, encrypts it and sends this data to the ‘payment processor’ to further facilitate the payment.
A payment processor is the actual entity that communicates with the acquirer and initiates the payment. Whether the payment has been successful or not, the payment processor transfers this info back to the payment gateway. The payment gateway then displays the appropriate message (of success or declined transaction) on the merchant page.
Why does a merchant require approval from Payment Processor?
Payment Processors onboard merchants and provide them with payment solutions. Similar to loan approvals, the payment processor needs to approve the merchants before they create a merchant account. Let’s understand with an example why this is so –
Say you own a furniture store and you are selling sofas at 1000$. Several customers come in and buy the product. They use their credit cards to pay and you assure them that their sofas will be delivered in 2 weeks. Within 2 days, your payments are settled by the payment processor and you have the funds in your bank account. However, some days later you realize the sofa supplier has fallen through and fails to supply the sofas. Now the customers are angry and demand a refund. They think that you have cheated them.
Now who is responsible to do the refund: Payment Processor. It is the payment processor who takes all such risks in case of refund and chargeback scenarios. Since the payment processor is involved with such high risks, it requires a merchant approval before onboarding, where it looks into your business and various other metrics before onboarding.
What is a Card Network (also known as Card Scheme)?
Every bank partners with a card network when it issues a credit or a debit card to its customers. Example — Mastercard, Visa, Rupay, AmEx (American Express), Discover, etc. The card network provides a secure network for the communication between the acquirer and issuer. It also checks that the transaction request is valid and not a fraudulent transaction, and it verifies the issuer’s authentication results.
Deviations
The roles and terminology of service providers are not rigidly defined therefore there are various scenarios which can be seen deviating from the standards defined here –
1. Acquirer can also provide Payment Processing services therefore acting as a Payment Processor as well.
2. A company can act as both Payment Processor and Payment Gateway. This means merchant can choose a single company to provide both — Payment Processing services and Payment Gateway Services. This is mostly common.
Connecting the Dots: Understanding the entire card payment process
Before we understand that, we need to know the players –
1. Issuer or Issuing Bank
2. Acquirer or Acquiring Bank
3. Payment Processor
4. Card Network
5. Merchant
6. Customer
Now that we know actors, let’s understand the flow –
Step 1 — The customer visits the merchant’s website, selects one or more items to purchase and goes to the checkout page. The customer selects a payment option, say credit card, enters the card details on the merchant website and proceeds to payment. These card (or UPI etc.) details are sent to the payment gateway.
Step 2 — The payment gateway takes this payment request, encrypts the card details, tokenises the payment option (by saving CVV, or account no., etc.) for faster access subsequent times, performs validations and then sends the encrypted card details and transaction details to the payment processor.
Step 3 — The payment processor sends these details to the acquirer to initiate the payment request.
Step 4 — The acquirer takes the request, verifies the card details and confirms the account of the merchant and sends the customer’s card details and transaction details to the card network specified on the card.
Step 5 — The secure card network performs fraud check by running a series of fraud tools. The card network sends the transaction details to the issuer for confirmation.
Step 6 — The issuer upon receiving the transaction details verifies the customer’s accounts
and …
3D Secure Step — When the issuer gets card holder’s details, it will perform one additional security check by asking the customer to enter pin or OTP etc. This step is called Authentication. Once approved by customer
Step 7 — Issuer checks whether the customer’s bank account has enough funds to pay for the desired transaction amount. If yes, the issuer blocks that amount (not deducts), guaranteeing the fulfilment of the payment, and then it sends an approval response. Note that at this point, the customer receives the email and/or SMS notification from the issuer about the transaction. If no, it sends a declined response. Note that there are other factors like currency mismatch, server down, international transaction, over the limit expense, etc. that can cause transactions to decline. The response is sent back to the card network. This step is called the Authorization.
Step 8 — The Card Network company receives the approval/declined response and forwards the response to the acquirer.
Step 9 — The Acquirer on receiving the response conveys the response to the payment processor which forwards the response to the payment gateway.
Step 10 — The Payment Gateway displays the success or declined response to the customer on the merchant webpage or mobile application.
Step 11 — The merchant and customer have now seen the transaction status and assuming that it is successful, for merchant and customer the transaction is done. Customer’s order is placed and the merchant gives the bill. However, right now the funds have not been transferred from one bank to another.
Step 12 — In case it is an offline store with POS device or Card Machine, at the end of the day the POS will send a batch of all-day transactions to the payment processor and then the payment processor, now on behalf of merchant, raises the request to acquirer to collect the fund.
Step 13 — The acquirer then requests the card network, which in turn places a request to the issuer for the funds, after which the actual transfer of funds takes place. Now the acquirer receives the funds and the payment processor will take and deposit them in the merchant’s bank account. This step is called the Settlement.
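The difference between the Authorization in Step 7 (amount blocked, not deducted) and the Settlement in Step 13 (funds actually move) can be modelled in a few lines. This is an added example, not code from the original article; `IssuerAccount`, the status strings and the authorization ids are hypothetical names, and the replay and over-capture checks are assumptions about what an issuer-side ledger would enforce.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class IssuerAccount:
    """Constructed model of a cardholder account held at the issuer."""
    balance: Decimal                             # funds actually in the account
    holds: dict = field(default_factory=dict)    # auth_id -> blocked amount
    settled: set = field(default_factory=set)    # auth_ids already paid out

    @property
    def available(self) -> Decimal:
        # Blocked amounts are still in the account but cannot be spent again.
        return self.balance - sum(self.holds.values(), Decimal("0"))

    def authorize(self, auth_id: str, amount: Decimal) -> str:
        """Step 7: approve and block the amount, or decline."""
        if amount <= 0 or auth_id in self.holds or auth_id in self.settled:
            return "DECLINED"
        if amount > self.available:
            return "DECLINED"                    # not enough unblocked funds
        self.holds[auth_id] = amount             # blocked, not deducted
        return "APPROVED"

    def settle(self, auth_id: str, amount: Decimal) -> str:
        """Step 13: move funds for a previously approved authorization."""
        if auth_id in self.settled:
            return "DUPLICATE"                   # replayed batch: pay out once
        held = self.holds.get(auth_id)
        if held is None:
            return "NO_AUTHORIZATION"            # nothing was ever approved
        if amount > held:
            return "EXCEEDS_HOLD"                # cannot collect more than blocked
        del self.holds[auth_id]
        self.balance -= amount                   # the actual deduction
        self.settled.add(auth_id)
        return "SETTLED"


def run_demo():
    """Walk one constructed purchase through authorization and settlement."""
    acct = IssuerAccount(balance=Decimal("1500.00"))
    log = [
        acct.authorize("A1", Decimal("1000.00")),   # funds blocked
        acct.authorize("A2", Decimal("600.00")),    # only 500.00 is available
    ]
    after_auth = (acct.balance, acct.available)     # balance is unchanged
    log += [
        acct.settle("A1", Decimal("1000.00")),      # end-of-day batch
        acct.settle("A1", Decimal("1000.00")),      # same batch sent twice
        acct.settle("A9", Decimal("10.00")),        # never authorized
    ]
    return log, after_auth, (acct.balance, acct.available)


if __name__ == "__main__":
    print(run_demo())
```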
What is 3DS Secure?
3DS Secure is an authentication protocol written in XML which adds an additional layer of security over online card transactions. It was developed by Visa. When you turn on 3D Secure, you’ll be asked to validate every transaction with your PIN code. Payment gateways that work under the 3D Secure protocol are called 3D Secure payment gateways. The ‘D’ in 3D stands for Domain. All the other major card networks like MasterCard, American Express, etc. use this protocol.
The 3Ds are
a. Issuing Domain (Access Control Server)
b. Acquiring Domain (Merchant Plug-in)
c. Interoperability Domain (Directory Server)
Issuing Domain — The issuing domain is where the issuing banks operate. They are the ones who issue cards to cardholders, who then use the card to purchase goods and services. The issuing bank needs to deploy an Access Control Server, also known as “ACS”, in order to receive 3D Secure messages, process the messages, and authenticate the card user.
Acquiring Domain — The acquiring domain is where the merchant, payment gateway, and acquiring banks sit. They initiate the transaction, which they wish to be authenticated. In order to do so, entities in the acquiring space need to deploy a “merchant plug-in”, also known as “MPI”.
Interoperability Domain — The interoperability domain consists of just the Directory Server, which is deployed by card networks, and can be considered the glue between the acquiring and issuing domains. If a merchant wants to authenticate a credit card and its user, how do they know which issuing bank to contact? The answer is simple: they send a message to the card network’s Directory Server, which holds a “directory” of all the BIN ranges and their corresponding issuing banks. The Directory Server will receive the message from the MPI, check the card number against the BIN range directory that it holds, and forward that message onto the correct issuing bank. The issuing bank would then proceed with authenticating the card user.
[BIN Range — Bank Identification Number is a 4-to-6-digit number that identifies the financial institution that issues the card]
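The Directory Server lookup described above, sketched as an added example that is not part of the original article. The BIN ranges, bank names and `.example` ACS endpoints are constructed, the function names are hypothetical, and 6-digit BINs are assumed.

```python
import bisect

# Constructed directory rows: (first BIN, last BIN, issuer, ACS endpoint).
DIRECTORY = sorted([
    (400000, 400499, "Bank A", "https://acs.bank-a.example/3ds"),
    (400500, 400999, "Bank B", "https://acs.bank-b.example/3ds"),
    (510000, 510099, "Bank C", "https://acs.bank-c.example/3ds"),
])
_RANGE_STARTS = [row[0] for row in DIRECTORY]


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits so logs never hold the full number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def route_to_acs(card_number: str):
    """Return routing info for the issuer's ACS, or None if no range matches.

    None means the card is outside every participating BIN range, so there is
    no issuer to forward the authentication message to.
    """
    digits = card_number.replace(" ", "")
    if not (digits.isascii() and digits.isdigit() and 12 <= len(digits) <= 19):
        raise ValueError("not a card number")

    bin6 = int(digits[:6])
    # Find the last range whose start is <= the BIN, then check its upper bound.
    idx = bisect.bisect_right(_RANGE_STARTS, bin6) - 1
    if idx < 0:
        return None
    _low, high, issuer, acs_url = DIRECTORY[idx]
    if bin6 > high:
        return None                      # falls in a gap between ranges
    return {"issuer": issuer, "acs_url": acs_url, "pan": mask_pan(digits)}


if __name__ == "__main__":
    # Constructed card numbers, not real accounts.
    for number in ("4005 1234 5678 9012", "5101000000000000"):
        print(route_to_acs(number))
```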
What is PCI Compliance?
PCI (Payment Card Industry) Compliance is a regulation/protocol that companies must meet by following the PCI DSS (Payment Card Industry Data Security Standard).
PCI DSS is a standard set of rules established to ensure that card details are captured, stored and transmitted in a safe and secure way, to minimize the risk of compromising sensitive cardholder data. Major Card Networks like Mastercard, Visa, AmEx (American Express) came together to form a body named PCI SSC (Payment Card Industry Security Standards Council) which aimed to define the PCI DSS. All payment gateways (who act as a payment processor) and payment processors must be PCI Compliant and ensure encryption and card data protection. Visit [18] and [5]
PCI Compliance applies to –
1. All payment processors.
2. All payment service providers.
3. All merchants that accept, transmit or store credit/debit card information regardless of scope and size.
PCI compliance is not the same for all business but varies on the type of business. It will be different for an online retailer as compared to a brick-and-mortar store (offline store).
PCI compliance process involves answering a questionnaire based on your business, how it processes payments, stores customer data and may also include scanning software and hardware components.
What is POS System?
POS (Point-Of-Sale) is a system of inter-connected devices meant to facilitate day to day transactions in retail stores. It can be an iPad or a fully functioning computer attached with bar-code, printer etc. which the cashier uses to collect cash or cashless payments. [19]
What is Refund?
A refund is a merchant-initiated voluntary reversal of a payment to the customer under certain circumstances. When a customer is unsatisfied with the product or the service provided by the merchant, they ask for their money back from the merchant. This is called a refund. Examples can be — poor quality product, defective product etc. Note that a refund discussion is completely between merchant and customer. It is the responsibility of the merchant to take care of customer satisfaction.
What is Chargeback?
Chargeback is ‘refund’s angry elder brother’. Imagine a case where a merchant refuses to give a refund to the customer, in this case customer contacts its bank (or card ‘issuer’) to get the money back. [15]
Chargeback is an action that the customer can take for the reimbursement of a transaction if he considers it to be illegitimate. The customer may dispute the charge if there is an unfamiliar or inappropriate transaction in their bank account. If they dispute a charge, they generally bring it to the notice of their issuer (card provider). In this case, the amount is immediately removed from the merchant’s (business’) bank account. In order to resolve the dispute, the business is supposed to provide adequate proof of the transaction, which includes documentation like original receipts, delivery report, etc.
Chargeback can be issued for several reasons like — fraud transactions, refund refused, continued billing even after cancelling subscriptions, defective products, etc.
Chargeback was introduced for consumer protection, but its abuse is a risk that a merchant accepts when he wants to cater to card/online transactions. As a merchant or a business, it is very important that you don’t have many chargebacks. Low chargebacks are a good metric for a business and they instill confidence in the financial institutions (like banks) to work with your business. High chargebacks damage your business reputation. There are certain tips to ensure low chargebacks. Refer [15.2]
Chargeback vs Refund
The key difference between a refund and a chargeback is that a refund is a merchant-initiated payment reversal whereas a chargeback is an issuer or bank-initiated reversal. Moreover, a refund is a closed matter between a merchant and a customer without involvement of banks.
Generally, when a customer feels that it needs to be refunded for a payment from a merchant, it asks the merchant directly for the refund. The merchant collects more information and initiates the refund. However, in certain cases, when a merchant refuses the refund, the customer raises the issue to its bank (issuer) and now the bank initiates the chargeback where merchant has to provide proofs of the legitimacy of the payment. [15.1] [15.2]
As a merchant it is far more beneficial to provide a refund than to deal with a chargeback. This is because a chargeback damages the reputation, and the higher the chargeback-ratio, the higher the chargeback fees. A chargeback fee is the amount that the merchant has to pay to the payment processor as agreed upon.
Why chargeback fees?
Naturally, every time a chargeback takes place, the payment processor has to take the responsibility for the reversal of the payment and settle the dispute. Hence payment processor imposes a fee on the merchant whenever a chargeback occurs, called the chargeback fees.
What is Friendly Fraud?
When a customer raises a chargeback for a genuine issue and is not trying to exploit the merchant, it is called a friendly fraud. This happens when a customer buys an item online and then raises the chargeback for any of a number of reasons, but the intention is not to cheat the merchant. For example, when the product is actually defective or unsatisfactory. The distinction between friendly fraud and chargeback fraud is that in chargeback fraud the customer raises a chargeback with the intention of taking advantage of the merchant.
Let’s consider the case — “Order not delivered” chargeback claim.
Friendly Fraud — when the customer has actually not received the order and there is some problem with the shipping process.
Chargeback Fraud — when the customer has received the order but falsely claiming the money back.
What is Chargeback Fraud?
Chargeback fraud is when a customer intends to take advantage of the merchant by raising a false chargeback. When a customer purchases an item with the purpose of cheating the merchant by keeping the item and also asking for a chargeback, it becomes a fraud. Common chargeback fraud claims are –
1. “I purchased an item and it was not delivered”
2. “The merchant did not cancel my recurring billing cycle”
3. “I did not authorise the payment”.
How to prevent such chargeback frauds?
1. Firstly, if you are charging customers for service in recurring billing cycle, notify them when their new cycle begins.
2. Have a delivery confirmation system in place, such that when the item is delivered, there is a signed confirmation between both the parties.
Not having measures to validate whether a chargeback raised by a consumer is legitimate or a fraud will result in high chargebacks along with a bad business reputation.
What is AVS (Address Verification Service)?
AVS is a tool offered by most payment processors (also sometimes called credit card processors) to validate the address of a credit card. Let’s say you have accepted a credit card payment and now you have to ship the item to the customer but you are not sure if the customer is legitimate. While asking a customer for the credit card details, the merchant can ask for the billing address. Once that transaction is approved, AVS sends a response code validating the address. Example — ‘X’ for exact match, ‘N’ for no match. Note that AVS does not impact the approval of the transaction. This means that the merchant can still ship the item even if the address does not match, or else the merchant can cancel the order and refund the customer stating the reason. AVS does not verify the card holder name. [23]
What is Payment Link?
A payment link — also referred to as a checkout link — is a clickable link or scannable code that allows a customer to complete a purchase. Payment links are offered in the form of digital links, buy buttons, or QR codes, and are used across websites, social media platforms, apps, messaging tools, and in person.
When a customer uses a payment link, they’re typically taken to the merchant’s online checkout page to complete their transaction. [25]
References
[2] Payment Process Flow for offline store or chip-n-chip — https://www.corporatetools.com/credit-card-processing/payment-process/
[3] Payment Processors Definition — https://www.chargebackgurus.com/blog/payment-processors
[5] PCI Compliance — https://razorpay.com/learn/payment-compliance-secure-payments/
[10] Visa School of Public Policy explaining the payment process — https://www.youtube.com/watch?v=s5HrEyEStYE
[11] Why do you need an Acquiring Bank? — https://www.youtube.com/watch?v=8MuP_2i0JWM&t=98s
[12] Acquirer — https://www.youtube.com/watch?v=e60ZFUqApOA
[13] Issuer — https://www.youtube.com/watch?v=CebbIAE7Cq8
[14] Merchant Account — https://www.youtube.com/watch?v=KscD7nh_X3E
[15] What is a chargeback — https://www.youtube.com/watch?v=Abxe1zpZyho
[15.1] Tips to avoid chargebacks — https://www.helcim.com/guides/what-is-a-chargeback/
[15.2] Chargeback vs Refund 1 — https://midigator.com/blog/chargeback-vs-refund/
[15.3] Chargeback vs Refund 2 — https://www.chargebackgurus.com/blog/chargebacks-vs-refunds-whats-the-difference
[16] What is a charge back fraud — https://www.youtube.com/watch?v=iISHAeQRJWs
[17] Why do merchant accounts need to be approved — https://www.youtube.com/watch?v=lcgyEaQVHcg
[18] PCI Compliance Video — https://www.youtube.com/watch?v=uT5a76m20DE
[19] What is POS System — https://www.youtube.com/watch?v=rGNWjmpATtg
[20] What is MOTO — https://www.youtube.com/watch?v=sgBrGHBcBoU
[21] What is Friendly Fraud? — https://www.youtube.com/watch?v=l2lEq3uahi8&t=14s
[22] What is CVV? — https://www.youtube.com/watch?v=3CISy7aK8PE
[23] What is AVS (Address Verification Service) — https://www.youtube.com/watch?v=V34F85sksPQ
[25] What is Payment Link? — https://squareup.com/us/en/townsquare/what-are-payment-links#:~:text=A%20payment%20link%20%E2%80%94%20also%20referred,messaging%20tools%2C%20and%20in%20person.
Your comprehensive guide on payment systems is a treasure trove of knowledge! It’s like a one-stop shop for understanding everything from the basics to the intricacies of payment processing. From acquirers to chargebacks, you’ve covered it all, making it easy for those new to the payment system to grasp the concepts quickly. Thanks for simplifying such a complex topic and providing valuable insights. Your dedication to clarity and detail shines through every section, making it an invaluable resource for anyone looking to delve into the world of payments. Appreciate an outstanding piece of work!
Thanks Soniya. Happy to contribute !
Segmentation strategies from your blog are effective.
I learned a lot about the impact of email frequency from your blog.