Payments are the last mile of e-commerce, and only when a payment is successfully completed is real business value generated. For merchants, therefore, the goal is to provide users with the most secure payment functionality at the lowest cost and with the fastest delivery.
Since electronic payments need to support multiple types of bank cards and third-party payment methods, and must meet strict security requirements and technical standards, they are usually implemented through a payment gateway. However, the wide variety of payment gateways, their complex functionality, differing security standards and many integration methods often make choosing one a significant hassle for merchants.
Based on ThoughtWorks' experience in helping customers integrate different types of payment gateways, and in helping customers develop and maintain payment gateways that handle millions of transactions a month, this article helps merchants understand payment gateways and quickly choose the right one in terms of functionality, security and integration.
We divide the functions of a payment gateway into core functions and value-added functions. Core functions mainly include the payment function for end users and the acquiring service for merchants; value-added functions are the various supporting functions offered to round out the business.
The payment function is the core of the payment gateway. It covers the types and number of banks, card organizations and third-party payment methods supported, as well as technical indicators such as payment success rate, payment processing speed and system stability. The larger the payment gateway, the wider its coverage of banks and third-party payment methods and the more reliable its technology, but also the higher its cost and the more limited its support for small local banks.
Due to legal regulation and banking requirements, a merchant that wants to receive electronic payments needs to open a special bank account with the acquiring bank: the merchant account. A payment gateway that provides merchants with an acquiring service significantly reduces the cost of negotiation, account application and communication between merchant and bank.
Payment gateways also differ in the value-added features they offer, such as pre-authorization, refunds, payment cancellation, batch payments, scheduled automatic payments, dynamic currency conversion, multi-currency pricing, reports, queries and so on.
For the core payment functions, we recommend choosing according to the actual state of your own business and users.
For a purely local business, it is sufficient to offer the most popular local third-party payment methods, and it is better to choose a small or medium-sized payment gateway with a good reputation and friendlier support for local banks. Of course, if the small gateway chosen does not support international services well, it may become a constraint when the business expands later. We often see projects in which customers have to change payment gateways for this reason. Therefore, the gateway integration should be designed and isolated from the rest of the code early on, so that a later switch is as painless as possible.
If the business or its users extend abroad, you need to understand the payment habits of users in different countries and regions and provide the local payment methods they prefer. In that case we recommend choosing a payment gateway that bundles the mainstream third-party payment methods of each region, so that one integration can be reused many times. In one project we helped a client integrate PayPal and WorldPay while keeping an extension interface in the early code design. Later, when business expansion required support for Alipay and WeChat Pay, only a few configuration changes and very little development and testing work were needed to go live, saving a great deal of business negotiation, technical research and integration testing from scratch.
For the acquiring business, we recommend giving priority to the payment gateway's own acquiring service. As a merchant, you then only need to deal with the payment gateway, which saves a lot of trouble in process, technology and communication.
As for the technical indicators, you must understand that any payment involves the integration of multiple systems, and it is normal for problems to occur. In the projects where we help customers maintain payment gateways, a team of about seven people is often overwhelmed by the various production issues. As a merchant, the following points can help you minimize your losses.
Do not only look at the technical specifications promised on the payment gateway's website; also sign a clear SLA with the gateway to protect your rights.
Add effective monitoring and logging to your system, so that you have enough valuable information to detect and locate problems together with the payment gateway.
Test the stability of the payment gateway's interface, detect gateway failures in a timely manner, and take appropriate measures.
Implement your own sound fallback mechanism, for example hiding the problematic payment gateway in time, or switching to another payment gateway or third-party mobile payment, to reduce the impact on business and users.
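As an added example (not ThoughtWorks' code or any client's code), the following Python sketch shows the gateway isolation recommended above together with the monitoring and fallback points: every provider sits behind one PaymentGateway interface, a sliding-window failure counter puts a failing provider into a cool-down, and the router routes around it until the cool-down expires. The gateway names, thresholds and the FakeGateway stand-in are assumptions for illustration.

```python
# Added example, not ThoughtWorks' code: gateway abstraction with a
# health-based fallback. Gateway names and thresholds are assumptions.
from abc import ABC, abstractmethod
from collections import deque
import time


class GatewayError(Exception):
    """A gateway-side failure (timeout, 5xx, connection refused).
    Card declines are business outcomes and must NOT raise this, or a wave
    of declined cards would trip the breaker and hide a healthy gateway."""


class PaymentGateway(ABC):
    name: str

    @abstractmethod
    def charge(self, order_id: str, amount_cents: int, currency: str) -> str:
        """Return the gateway transaction id, or raise GatewayError."""


class GatewayHealth:
    """Sliding window of recent outcomes; too many failures start a cool-down
    during which the gateway is hidden from the router (circuit breaker)."""

    def __init__(self, window_size=10, max_failures=5, cooldown_seconds=60.0):
        self.window_size = window_size
        self.max_failures = max_failures
        self.cooldown_seconds = cooldown_seconds
        self.outcomes = deque()
        self.disabled_until = 0.0

    def record(self, ok: bool, now: float) -> None:
        self.outcomes.append(ok)
        while len(self.outcomes) > self.window_size:
            self.outcomes.popleft()
        if self.outcomes.count(False) >= self.max_failures:
            self.disabled_until = now + self.cooldown_seconds
            self.outcomes.clear()  # start fresh when the cool-down ends

    def available(self, now: float) -> bool:
        return now >= self.disabled_until


class PaymentRouter:
    """Tries gateways in priority order, skipping any that is cooling down."""

    def __init__(self, gateways):
        self.gateways = list(gateways)
        self.health = {g.name: GatewayHealth() for g in self.gateways}

    def charge(self, order_id, amount_cents, currency, now=None):
        now = time.time() if now is None else now
        errors = []
        for gw in self.gateways:
            health = self.health[gw.name]
            if not health.available(now):
                continue
            try:
                tx = gw.charge(order_id, amount_cents, currency)
            except GatewayError as exc:
                health.record(False, now)
                errors.append(f"{gw.name}: {exc}")
                continue
            health.record(True, now)
            return gw.name, tx
        raise GatewayError("no gateway available: " + "; ".join(errors))


class FakeGateway(PaymentGateway):
    """Stand-in for a real provider client (assumption for the demo)."""

    def __init__(self, name, failing=False):
        self.name = name
        self.failing = failing
        self.calls = 0

    def charge(self, order_id, amount_cents, currency):
        self.calls += 1
        if self.failing:
            raise GatewayError("HTTP 503 from provider")
        return f"{self.name}-tx-{self.calls}"


def simulate():
    """Constructed scenario: the primary is down, the router falls back to
    the backup, and retries the primary once its cool-down has expired."""
    primary = FakeGateway("gateway-a", failing=True)
    backup = FakeGateway("gateway-b")
    router = PaymentRouter([primary, backup])
    t0 = 1000.0
    used = [router.charge(f"order-{i}", 1999, "USD", now=t0 + i)[0] for i in range(8)]
    calls_during_outage = primary.calls  # 5: breaker tripped, the rest skipped it
    primary.failing = False
    after, _ = router.charge("order-late", 1999, "USD", now=t0 + 100)
    return {"used": used, "primary_calls": calls_during_outage, "after_cooldown": after}


if __name__ == "__main__":
    print(simulate())
```

Two design points matter in production. First, only gateway-side errors (timeouts, 5xx, connection failures) count as failures; a declined card is a successful round trip and must not feed the breaker. Second, the health state here is per process; with several application instances it should live in shared storage so that all instances stop sending traffic to a failing gateway at the same time, and every switch should be logged and alerted so the team can raise the incident with the gateway under the SLA.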
For the various value-added functions, we recommend reviewing them as needed; if they are not core business, they can be gradually incorporated into the delivery plan as items outside the MVP.
Thoughts on Payment Gateway Security
Payment fraud causes losses every year and is the biggest headache in online payments for most merchants. Security incidents such as payment data leaks can also cause reputational damage and legal risk. Therefore, when choosing a payment gateway, security should be an important consideration.
We present PCI DSS, 3D Secure, credit card anti-fraud and payment tokenization in turn, and give our recommendation for each.
Payment Card Industry Data Security Standard
PCI DSS is a data security standard for the payment card industry developed by the Payment Card Industry Security Standards Council. It presents a set of technical and operational baseline requirements for protecting cardholder data, covering information security management, network security, physical security and data encryption. After an audit, certified companies receive a certificate of the corresponding compliance level.
3D Secure (Three-Domain Secure, hereinafter 3DS) is a security verification service introduced by the international card organizations for cardholders to improve the security of online credit card payments. It stipulates that when paying with a credit card, the cardholder must enter information that only they know, such as a payment password or a one-time code sent to their phone, to verify their identity.
For merchants, 3DS is a double-edged sword. Using 3DS means more reliable verification of the cardholder's identity, and if a chargeback dispute arises later, the liability shifts to the card-issuing bank rather than the merchant. However, the user has to be redirected to the issuing bank's page for identity verification during the payment flow, which affects both user experience and the technical integration and costs some payment conversion; at the same time, merchants pay in time and effort for this additional layer of security. In some countries or regions (for example in the European Economic Area, under PSD2's strong customer authentication rules), support for 3DS by banks, payment gateways and merchants is already a legal requirement.
Credit card anti-fraud refers to the use of technology to reduce payment fraud by filtering suspicious activity before it causes damage. In one of the most common scenarios, if the anti-fraud system detects that the same IP address is trying to pay with many different card numbers within a short period and most attempts fail (the typical pattern of card testing), it quickly concludes that the IP is involved in fraud and blocks all subsequent requests from it.
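The IP-velocity rule just described, as an added example that is not part of the original article: the detector replays constructed payment-attempt log lines (the log format, the thresholds, the IP addresses and the card hashes are all assumptions) and blocks an IP once it has used many distinct cards in a short window with mostly declines. Card numbers appear only as hashes, because raw card numbers must never be written to logs.

```python
# Added example, not the article's code: a card-testing (velocity) rule
# replayed over constructed log lines. Format and thresholds are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 cycles through many cards with mostly
# declines; 198.51.100.9 is a real customer retrying one card. Cards appear
# only as hashes because raw PANs must never be written to logs.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=203.0.113.7 card_hash=a1f3 result=declined
2024-03-01T10:00:03Z ip=203.0.113.7 card_hash=b27c result=declined
2024-03-01T10:00:05Z ip=203.0.113.7 card_hash=c9e0 result=declined
2024-03-01T10:00:06Z ip=198.51.100.9 card_hash=d444 result=declined
2024-03-01T10:00:07Z ip=203.0.113.7 card_hash=d1a2 result=approved
2024-03-01T10:00:09Z ip=203.0.113.7 card_hash=e5b8 result=declined
2024-03-01T10:00:11Z ip=203.0.113.7 card_hash=f6c1 result=declined
2024-03-01T10:00:20Z ip=198.51.100.9 card_hash=d444 result=approved
2024-03-01T10:00:25Z ip=203.0.113.7 card_hash=0a9d result=declined
"""


def parse_line(line):
    """Split one 'timestamp key=value ...' line into its fields."""
    ts_text, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return ts, fields["ip"], fields["card_hash"], fields["result"] == "approved"


class CardTestingDetector:
    """Per-IP sliding window: many distinct cards plus a high failure ratio
    inside the window means card testing, and the IP is blocked for a while."""

    def __init__(self, window=timedelta(seconds=60), min_distinct_cards=5,
                 min_fail_ratio=0.8, block_for=timedelta(minutes=30)):
        self.window = window
        self.min_distinct_cards = min_distinct_cards
        self.min_fail_ratio = min_fail_ratio
        self.block_for = block_for
        self.attempts = defaultdict(deque)  # ip -> (ts, card_hash, approved)
        self.blocked_until = {}

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def record(self, ts, ip, card_hash, approved):
        """Called after the gateway answered; re-evaluates the IP's window."""
        window = self.attempts[ip]
        window.append((ts, card_hash, approved))
        while window and ts - window[0][0] > self.window:
            window.popleft()  # drop attempts that fell out of the window
        distinct = {c for _, c, _ in window}
        failures = sum(1 for _, _, ok in window if not ok)
        if (len(distinct) >= self.min_distinct_cards
                and failures / len(window) >= self.min_fail_ratio):
            self.blocked_until[ip] = ts + self.block_for


def replay(log_text, detector=None):
    """Return the per-line decision ('forwarded' to the gateway, or 'blocked'
    before it ever reaches the gateway) and the set of blocked IPs."""
    detector = detector or CardTestingDetector()
    decisions = []
    for line in log_text.splitlines():
        ts, ip, card_hash, approved = parse_line(line)
        if detector.is_blocked(ip, ts):
            decisions.append("blocked")
            continue
        decisions.append("forwarded")
        detector.record(ts, ip, card_hash, approved)
    return decisions, set(detector.blocked_until)


if __name__ == "__main__":
    print(replay(SAMPLE_LOG))
```

In the sample the attacker's sixth attempt is the one that crosses the threshold (five distinct cards, four declines), so everything after it from that IP is rejected locally while the legitimate customer's retry on the same card is unaffected. A single source IP is a weak key on its own (carrier NAT, proxies, botnets), so production rules also key on device fingerprint, session and BIN range, and the block decision should be logged so the gateway or anti-fraud provider can be told what was stopped.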
Payment tokenization is an important technology officially adopted and released in 2014 by EMVCo, the international chip card standards body. The principle is that after the cardholder's identity has been verified the first time, the payment gateway generates a unique token for each bank card number and returns it to the merchant as a credential that represents the card in subsequent payments, avoiding the risks of entering card information repeatedly.
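An added illustration (not the article's code, nor any gateway's implementation) of what tokenization changes about where card data lives: the vault keeps the card number and hands the merchant a random token bound to that merchant, so the merchant's database holds nothing that would be useful to an attacker. The class names, token format and in-memory storage are assumptions; in a real gateway the vault sits inside the PCI-certified environment and the card number is encrypted at rest.

```python
# Added example, not the article's or any gateway's code: a minimal token
# vault. Names, token format and in-memory storage are assumptions.
import secrets


def luhn_valid(pan: str) -> bool:
    """Cheap sanity check on a card number before it is stored."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, digit in enumerate(reversed(pan)):
        n = int(digit)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


class TokenVault:
    """Gateway side. The PAN stays here (inside the PCI-certified
    environment, encrypted at rest in a real deployment); the merchant
    only ever receives the token and the displayable last four digits."""

    def __init__(self):
        self._cards = {}  # token -> (pan, expiry, merchant_id)

    def tokenize(self, pan, expiry, merchant_id):
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # Random token: nothing about the PAN can be derived from it, and the
        # same card tokenized twice yields unrelated tokens.
        token = "tok_" + secrets.token_urlsafe(16)
        self._cards[token] = (pan, expiry, merchant_id)
        return {"token": token, "last4": pan[-4:], "expiry": expiry}

    def charge(self, token, merchant_id, amount_cents):
        record = self._cards.get(token)
        # A token is bound to the merchant it was issued to, so a token that
        # leaks from one merchant is useless to another.
        if record is None or record[2] != merchant_id:
            raise PermissionError("unknown token or wrong merchant")
        pan, expiry, _ = record
        # A real vault would now forward pan/expiry to the acquirer.
        return f"tx_{secrets.token_hex(4)}"


def demo():
    """Constructed walk-through: merchant m-1 saves a card and charges it."""
    vault = TokenVault()
    saved = vault.tokenize("4111 1111 1111 1111", "12/29", "m-1")  # test PAN
    again = vault.tokenize("4111 1111 1111 1111", "12/29", "m-1")
    merchant_row = {"customer": "c-42", **saved}  # all the merchant stores
    tx = vault.charge(saved["token"], "m-1", 1999)
    try:
        vault.charge(saved["token"], "m-2", 1999)
        cross_merchant_ok = True
    except PermissionError:
        cross_merchant_ok = False
    return {
        "merchant_row": merchant_row,
        "tokens_differ": saved["token"] != again["token"],
        "tx": tx,
        "cross_merchant_ok": cross_merchant_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The two properties worth checking in any tokenization offering are visible here: the token is random rather than derived from the card number (so tokens cannot be reversed or correlated across merchants), and it is scoped to the merchant that requested it. Whatever the merchant persists (token, last four digits, expiry) carries no card number, which is what keeps the merchant's database out of PCI DSS cardholder-data scope.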
For PCI DSS, the payment gateway's PCI certification is the strongest proof of its security in technology, infrastructure and process. When selecting a gateway, carefully review its PCI compliance level.
For 3DS, we recommend choosing a payment gateway that supports 3DS and making it mandatory for users. Not only does this eliminate legal risk now and in the future, it is also the most effective means of protection against payment fraud.
In our payment gateway maintenance projects, the cases we deal with most are customers attacked because they were not using an anti-fraud service. Usually when this happens, payment requests from all of the merchant's users have to be temporarily disabled until the attack stops, which significantly affects normal business. We therefore recommend not skimping on this investment and always choosing a payment gateway or professional anti-fraud provider that can offer effective anti-fraud capabilities.
For payment tokenization, if your users mainly pay online with credit cards, we recommend choosing a payment gateway that provides tokenization, so that users can pay with saved card information, which greatly improves the experience for returning users. When examining a tokenization offering, the focus should be on whether the card information behind the token is stored in the payment gateway's own database, and if so, whether that storage meets PCI DSS Level 1.
Hosted payment page: when the user confirms an order on the merchant's website and clicks the "Continue to payment" button, the browser is redirected from the merchant's website to a payment page provided by the payment gateway, where the card information is entered and the payment made.
Pop-up: when the user confirms the order and clicks the button, a pop-up on the current page shows a payment module provided by the payment gateway, and the user can pay without leaving the merchant's website. The most typical example is PayPal In-Context Checkout.
iFrame: the payment gateway extracts the card entry fields and the payment button into a reusable component, and the merchant loads this component into its own payment page as an iFrame.
API: the user enters payment information on the merchant's own website and clicks the payment button; the merchant's backend then sends an API request directly to the payment gateway.
Which approach to choose depends entirely on your actual situation; none of them is inherently better or worse. We have the following recommendations.
For those who can afford to meet PCI DSS and have the technical ability to integrate APIs, API integration offers the best user experience and is the best option. Note that with this approach raw card data passes through the merchant's own systems, so the merchant's full PCI DSS obligations apply.
Pop-up or hosted payment pages are a good option for businesses that want to stay out of PCI scope as far as possible, or that want to provide payment functionality as soon as possible and do not need much in the way of user experience.
For most businesses, iFrame is the best choice in most scenarios: card data never touches the merchant's systems, which greatly reduces the merchant's PCI scope (it does not eliminate it, since the merchant page that embeds the iFrame must itself be protected from tampering), and it also offers a better user experience and faster integration.
In addition to the core points examined above, the following factors not only provide supporting evidence of the payment gateway's business and technical capability, but are also important aspects to consider when using its services.
The clarity and speed of the onboarding process;
whether its technical documentation is adequate and accurate, includes the necessary details, and whether it provides well-designed client SDKs;
whether a sandbox environment and test accounts are available for automated and manual testing in the test environment;
whether its technical support is professional, timely and effective.
We hope that through this article you have gained some understanding of payment gateways and enough knowledge to choose the right one.