Inside the Black Hole

Payment gateway is a web-based service that transmits transaction information between an e-commerce website and the merchant’s processing bank. It is the e-commerce equivalent of the physical point-of-sale (POS) terminal used by brick-and-mortar merchants in card-present transactions. To protect sensitive account information, the data that the gateway collects from the website is SSL-encrypted before transmittal.

The payment gateway integrates with the website’s shopping cart and activates once a customer places an order. The card-not-present transaction process goes through the following stages:

• A customer places an order on an e-commerce website and provides his or her card information for payment.
• The payment information is SSL-encrypted and sent to the merchant’s hosting server.
• The payment gateway then gathers the submitted data and, after another SSL encryption, transmits it to the processing bank’s server.
• The processing bank then sends the payment details to Visa or MasterCard.
• If the cardholder used a Discover or an American Express card, the processing bank serves as an acquiring bank and makes a decision on whether or not to authorize the transaction; then forwards the response to the merchant.
• Visa or MasterCard forward the transaction to the card issuer.
• The card issuer either authorizes or declines the transaction and sends a response (approval or decline) back to the processing bank. The responses for declined transactions provide details for the reason the transaction did not get approved.
• The processing bank then sends the response to the payment gateway.
• The payment gateway sends the response on to the merchant’s website and it is presented to the cardholder.
• The whole process, from submitting the payment information to receiving the response, takes seconds.
• At the end of the business day, all authorized transactions (also called a “batch“) are submitted to the processing bank for settlement.
• The processing bank then deposits the total transaction amount, minus the interchange fees and processing costs, into the designated merchant’s bank account.
• The entire process, from authorization to settlement, takes approximately 2-3 business days.

Processing banks typically provide payment gateways as part of their processing services. They charge a monthly fee for the service ($10 – $25) and may charge a fee for the set up as well. Every major gateway supports the latest fraud prevention solutions, including the Address Verification (AVS) and card security code (CVC 2, CVV2, and CID) validation services.

Payment gateways provide merchants with other ways to process card-not-present payments too. The gateway’s virtual terminal offers merchants the processing capabilities of a POS terminal through an internet browser. It is typically used by direct marketing (mail order and telephone order) merchants to process payments they receive over the phone or in the mail. The customer’s payment information is entered into a web interface and the payment gateway then handles it in the way described above.

Many virtual terminals offer managed billing and customer profile management services. The profile management tool enables merchants to store customer account data on the payment gateway’s server for completing transactions faster. The managed billing solution enables merchants to use the stored customer profiles for setting up recurring and installment billing plans and to process deferred payments automatically.

Accept card payments quickly and safely

Accept online payments via credit and debit cards and electronic checks at the lowest processing costs. You will get:

• Free merchant account and Authorize.Net gateway set-up.
• No monthly merchant account or gateway fees.

When a customer has made his or her selection and is ready to place an order on an e-commerce website, the check-out payment information form should be designed to collect all data that is needed to enable the merchant to validate that both the card and the cardholder are genuine and to decide whether or not to proceed with the processing of the transaction.

In order to limit your risk exposure and the potential losses associated with it, you should define the data fields that will help you identify high-risk transactions, and require that customers complete these fields before making a purchase.

• Key data fields you should require in your check-out information form:
  • Telephone number. If a transaction is identified as high-risk, you can validate the phone number using reverse directories.
  • Email address. Anonymous email services typically present higher risk.
  • Cardholder name and billing address. As with telephone numbers, the cardholder’s name and billing address can be validated using directory look-up services when needed.
  • Shipping name and address. If the shipping name and address are different from the billing information, the transaction’s risk level raises substantially. Some merchants have decided not to accept orders where the shipping information does not match the billing data.
  • Card Security Codes (CVV2, CVC 2 and CID). Card security codes are the three-digit numbers found in the signature panels on the back of Visa, MasterCard and Discover cards and the four-digit numbers found slightly above and to the right of the account numbers of American Express cards. These numbers were introduced to help e-commerce and mail order and telephone order (MO / TO) merchants verify that their customers are in a physical possession of their cards at the time of the transaction. You should attempt to review, rather than automatically decline, mismatches when no other risk characteristics are present.
• Indicate which data fields your customers must complete. Once you have decided which data fields should be required in your order check-out forms, you should indicate that they must be completed before the form is submitted. You can use color to highlight them or bold fonts, or asterisks to achieve that. You should also provide an explanatory note to your customers, informing them that the highlighted fields are mandatory.
• Verify required data and allow editing in real time to reduce risk exposure. In particular, consider implementing the following procedures:
  • Instantly notify your customers when required data fields are incorrect or incomplete.
  • Ask your customer to correct the data he or she provided if it was not complete or submitted in the required format.
  • When requesting that your customer returns to the form and make corrections, identify the fields that require completion or correction. Again you can use color to highlight them or bold fonts, or asterisks to do that.
  • When corrections are required, allow your customer to fill out the incomplete or omitted fields while retaining the previously entered information. Customers are easily (and justifiably) annoyed when they are sent back to the payment form and have to fill it out all over again, just because they missed a single field.

Accept card payments quickly and safely

Accept online payments via credit and debit cards and electronic checks at the lowest processing costs. You will get:

• Free merchant account and Authorize.Net gateway set-up.
• No monthly merchant account or gateway fees.

Recently MasterCard has been reported to crack down on online casino deposits. The action was seen as a sign that banks and payment companies are preparing for implementation of America’s Unlawful Internet Gambling Enforcement Act (UIGEA), which bans the facilitation of online gambling by payment companies. The Act was originally supposed to have been enforced from 1 December 2009, although the US treasury later approved a delay allowing companies until 1 June 2010 to comply.

The issue that prompted the crackdown was the widespread practice of online casino operators coding online gambling transaction as other kinds of online commerce, in order to manipulate the system.

Let’s take a look at how online gambling transactions are classified at present and how the payment card industry has mandated their processing.

Online casinos are processing what are known in the payment card industry as “unique transactions.” Unique transaction is a transaction that cannot be categorized as a retail sale or a cash advance, and for which there are special merchant classification codes (MCCs). Merchants processing unique transactions are required to follow card acceptance procedures that may differ from the ones needed in regular transactions. All unique transactions must be properly identified as such in all authorization and clearing messages.

Online casinos must incorporate the following requirements into their payment acceptance procedures:

• All cardholders must be required to identify the state or foreign country where they are physically located at the time of the transaction. The response must be recorded and kept, along with the cardholder’s account number, the transaction amount, and the date. This information must be retained for a minimum of one year from the transaction date and provided to the acquiring bank on request.
• In order to establish a merchant account with a U.S. processing bank, online casino merchants must post a notice on their websites (in a position such that the notice will be displayed before requesting a card account number, such as a click-through notice) stating that assertions have been made that online gambling may not be lawful in some jurisdictions, including California, and suggesting that the cardholder check whether online gambling is lawful under applicable law.
• Online casino merchants must not sell chips or other value that can be used, directly or indirectly, to gamble other than at a merchant that sells such chips or other value.
• Online casino merchants must not credit winnings or unspent chips or other value usable for gambling to a cardholder’s card account.

The fact remains, however, that in the U.S. payment companies are banned from processing online gambling transactions and internet casinos will have to find other ways to collect payments.

Accept card payments quickly and safely

Accept online payments via credit and debit cards and electronic checks at the lowest processing costs. You will get:

• Free merchant account and Authorize.Net gateway set-up.
• No monthly merchant account or gateway fees.

When a cardholder uses a credit or debit card for payment, the processing bank reimburses the merchant for the transaction’s amount, after subtracting its processing fees. The processor then clears and settles those funds by presenting the transaction to the card issuing bank. Clearing is the exchange of transaction information between the processing bank and the card issuing bank, through Visa’s or MasterCard’s payment systems. Settlement of a card payment is the process of exchanging funds between the card issuer and the processor to complete a cleared transaction.

The clearing and settlement of a card transaction are facilitated through an interchange, which is the electronic infrastructure that Visa and MasterCard set up to process financial and non-financial transactions between their member banks. The clearing and settlement of a transaction occur simultaneously. The settlement process may vary slightly from one processing bank to another but it generally goes through the following stages:

1. When a service has been provided to a customer or a product has been shipped (in card-not-present transactions, the transaction date is the date on which the product has been shipped), the merchant captures the transaction’s payment information and submits it, together with all other transactions captured this day (forming what is known as a “batch“), to its acquiring bank (processing bank) for settlement.
2. The processing bank then submits the transaction information to the Credit Card Association (Visa or MasterCard) whose card was used for settlement.
3. The Credit Card Association sends the transaction information to the card issuer and then settles it by crediting the merchant processing bank’s account and debiting the card issuer’s account. The amount that is debited from the card issuer’s account is equal to the transaction amount, minus the interchange fees (the processing fees, established by Visa and MasterCard, which processing banks pay to card issuing banks). The amount credited to the processing bank is equal to the transaction amount, minus interchange, minus the association fee (the fee that Visa and MasterCard charge for facilitating every card transaction).
4. The processing bank receives its funds, usually within 24 hours of the transaction, and credits the merchant’s account, usually within 48 hours of the transaction. The merchant receives an amount that is equal to the amount credited to the processing bank’s account, minus payment processing costs (the rates and fees that the merchant has agreed to pay for card processing services).
5. The card issuer posts the transaction information on its cardholder’s account and sends a monthly statement. The cardholder has the option to pay the full amount or a lesser amount, but no less than a minimum amount, established in the cardholder agreement. If the cardholder chooses to pay an amount, lesser than the full amount, the remaining balance will be charged an interest rate.

Accept card payments quickly and safely

Accept online payments via credit and debit cards and electronic checks at the lowest processing costs. You will get:

• Free merchant account and Authorize.Net gateway set-up.
• No monthly merchant account or gateway fees.

What is MasterCard SecureCode? MasterCard SecureCode is a security feature, available for merchants operating in a card-not-present environment that enables cardholders to authenticate themselves to their MasterCard card issuer through the use of a preselected personal code. MasterCard SecureCode protects e-commerce merchants from “cardholder unauthorized” or “cardholder not recognized” chargebacks.

How does MasterCard SecureCode work? When a cardholder is ready to check out at a participating merchant, the MasterCard SecureCode service takes the consumer through the following steps to ensure that he or she is authorized to use the card:

1. Once a consumer is taken to a participating merchant’s check-out page, he or she is prompted to enter their MasterCard credit or debit account number.
2. At this time a new window opens up and the card issuer requests the cardholder’s preselected SecureCode. After the SecureCode is submitted, the issuer will authenticate the transaction and confirm that the cardholder is authorized to make the purchase.
3. Once the cardholder’s identity is authenticated, the online transaction can be completed.

Card activation. Before a MasterCard SecureCode can be used to authenticate a cardholder, the card needs to be activated. There are several ways to do that:

1. MasterCard provides a step-by-step activation procedure on its website – MasterCard SecureCode activation.
2. MasterCard card issuers provide online activation on their websites and cardholders can contact their customer service representatives for details.
3. Merchants may also provide activation on their websites.

Benefits of using MasterCard SecureCode. Merchants benefit from MasterCard SecureCode in multiple ways:

• Participated merchants are protected from “cardholder unauthorized” chargebacks for fully compliant transactions. By limiting their chargeback exposure, merchants reduce processing costs.
• Participation in MasterCard SecureCode shows that you are serious about transaction security and promotes consumer confidence, which makes it more likely that customers will make a purchase on your website.
• Participating merchants can expand their geographic reach by selling to customers in countries where online debit cards are used more widely than credit cards. In addition to added protection against chargebacks for these customers, you will be able to process their Maestro debit transactions.
• MasterCard offers participating merchants free advertising on its consumer website.

Visa’s equivalent to MasterCard SecureCode is Verified by Visa.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).