Online payment processing explained (part 1 - basics)

Online payment processing is the backbone of modern commerce, enabling the seamless transfer of funds between buyers and sellers across digital platforms. Every time you make a purchase online, whether it's ordering food, paying for a subscription, or buying clothes, payment processing technology ensures that the transaction happens securely and instantly. It involves a complex system of banks, card networks, and digital gateways that work behind the scenes to authorize, transfer, and settle payments within seconds. This invisible infrastructure allows millions of transactions to take place globally, powering the e-commerce industry.

The impact on our everyday lives is profound; online payment processing has made shopping more convenient, accessible, and efficient. We no longer need to carry cash or visit physical stores to make purchases. With a few clicks or taps, we can pay bills, buy groceries, or send money to friends, all from the comfort of our homes. It also fosters global connectivity, enabling us to do business with companies and individuals from any part of the world. For businesses, it opens up opportunities to reach new markets, scale operations, and offer seamless customer experiences. Ultimately, online payment processing is at the heart of our increasingly digital world, shaping how we live, work, and interact with commerce every day.

What is a payment gateway?

A payment gateway is like a virtual version of the physical card reader or Point of Sale (POS) terminal you use in stores. When you buy something online, instead of swiping your card at a checkout counter, the payment gateway handles that process digitally. It’s a piece of software that works in the background to transfer your payment details from the website to the bank.

Just like a POS terminal checks your card in a store, the payment gateway checks your information online, making sure everything is correct and secure. If approved, it allows the payment to go through, just like the beep you hear when your card is accepted at a store.

In simple terms, it acts as the online cashier, handling the transaction securely and quickly so you can shop from anywhere. This software abstraction is what makes it possible for you to pay online without ever needing to physically swipe your card. It turns your online payment into the digital equivalent of paying at a store, keeping your information safe while ensuring your purchase is processed.

Payment methods

A typical payment gateway supports a variety of payment types to accommodate diverse customer needs.

The most common methods include credit and debit cards, with major providers like Visa, MasterCard, American Express, and Discover being universally accepted.

Another fundamental option is bank transfers, which allow customers to directly transfer funds from their bank accounts to complete transactions, such as ACH payments in the U.S. or SEPA transfers in Europe.

Beyond these, a growing section of payment methods falls under the category of Alternative Payment Methods (APMs). In this category, digital wallets like PayPal, Apple Pay, Google Pay, and Samsung Pay provide seamless transactions through mobile devices and web platforms. Many businesses also accept cryptocurrencies, with Bitcoin and Ethereum being popular choices among digital currency enthusiasts. Additionally, Buy Now, Pay Later (BNPL) services such as Afterpay, Klarna, and Affirm have become increasingly popular, allowing customers to split payments into installments. Prepaid options, like gift cards and prepaid cards, provide another APM for customers who prefer to manage spending through stored value. eChecks and ACH payments are electronic check alternatives that offer an automated way to clear funds from a customer’s bank account. Mobile payments, through carrier billing or mobile apps, allow for quick transactions via smartphones. Lastly, subscription billing facilitates recurring payments for subscription services, ensuring that customers are automatically charged at regular intervals without needing to re-enter their payment details.

The availability and popularity of payment methods often depend on factors such as the customer's location, local regulations, and preferred currencies. Additionally, specific payment methods may be favored based on industry requirements, transaction sizes, or the type of business, making it crucial for merchants to offer a diverse range of options tailored to their audience.

How does credit card transaction processing work?

Let's start with a brief explanation of each party involved in card payment processing:

  • Cardholder (Customer):
    The cardholder is the individual or business using a credit or debit card to make a purchase. This person initiates the transaction by providing card details at checkout.

  • Merchant (Business):
    The merchant is the business that sells goods or services online or in-store. They receive payment from the cardholder and are responsible for initiating the transaction via the payment gateway.

  • Payment Gateway:
    The payment gateway is the service that securely captures and encrypts the cardholder’s payment details and forwards the transaction data to the acquiring bank. It acts as a bridge between the merchant and the acquiring bank, ensuring that sensitive card information is handled securely.

  • Acquirer (Acquiring Bank):
    The acquiring bank is the financial institution that processes card transactions on behalf of the merchant. It sends the transaction details to the card network and ultimately settles the funds into the merchant's account after deducting fees.

  • Card Network (Card Schemes):
    Card networks such as Visa, MasterCard, and American Express are responsible for routing transaction data between the acquiring bank and the issuing bank. They facilitate communication, ensure compliance with security standards, and manage the settlement of funds between banks.

  • Issuer (Issuing Bank):
    The issuing bank is the cardholder’s bank that issued the credit or debit card. It verifies the cardholder’s information, checks the account balance or credit limit, and approves or declines the transaction request based on these checks.

  • Payment Processor or Payment Service Provider (PSP):
    The payment processor is a company that manages the actual transaction flow between the merchant, acquiring bank, card networks, and issuing bank. It handles the back-end technology that moves transaction data and may also provide other services such as fraud detection. PSPs offer a more comprehensive package, bundling the services of a payment processor into a broader payment solution, whereas payment processors are more specialized and handle only the core transaction processing.

  • Payment Facilitator (PayFac):
    A PayFac simplifies payment processing for merchants by allowing them to be onboarded as sub-merchants under the PayFac’s master merchant account. PayFacs are responsible for underwriting, risk management, and aggregating transactions from all sub-merchants. This is ideal for small businesses or merchants who want quick access to payment processing without setting up a dedicated merchant account.

Payment processors are more appropriate for larger merchants that have the resources to manage their own merchant accounts and that need highly customized payment processing because of their high transaction volumes and complex requirements; their scale also lets them negotiate lower transaction fees. These larger businesses need more control over their payment processes and often negotiate directly with processors to optimize costs and performance.

Large PSPs may even integrate multiple payment processors and apply routing logic, for example weighted routing, that prioritizes processors according to factors such as cost, reliability, or performance. The goal is to route each transaction to the most suitable processor for the situation.
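As an added illustration of that routing idea (not code from the article or from any PSP), the following Python sketch scores each processor on constructed cost, reliability and performance figures and draws one in proportion to the resulting weight. The scoring rule, the processor names and all the numbers are assumptions. It fails closed when no processor is eligible, and it exposes the expected traffic split, which is what an operator watches while a processor is being drained.

```python
"""Weighted routing across several payment processors.

Added example, not code from the original article or any real PSP. The
processor names, fees, success rates and latencies below are constructed,
and so is the scoring rule.
"""
import random
from dataclasses import dataclass


@dataclass
class Processor:
    name: str
    base_weight: float    # commercial preference (e.g. volume commitments)
    fee_bps: int          # cost: fee in basis points of the amount
    success_rate: float   # reliability: share of recent auths without technical failure
    p95_latency_ms: int   # performance: recent 95th-percentile authorization latency
    healthy: bool = True  # cleared by monitoring or a circuit breaker


def effective_weight(p: Processor, latency_sla_ms: int = 1500) -> float:
    """Fold cost, reliability and performance into one routing weight.

    Scoring rule (constructed for this example, not an industry standard):
      - an unhealthy processor gets weight 0 and is never selected
      - weight scales with the success rate, so a flaky processor drains traffic
      - a processor over its latency SLA is halved rather than excluded
      - cheaper processors get a mild boost (0 bps -> x1.0, 100 bps -> x0.5)
    """
    if not p.healthy or p.success_rate <= 0:
        return 0.0
    w = p.base_weight * p.success_rate
    if p.p95_latency_ms > latency_sla_ms:
        w *= 0.5
    return w * 100.0 / (100.0 + p.fee_bps)


def select(processors, u: float) -> Processor:
    """Deterministic weighted choice for a uniform draw u in [0, 1).

    Kept separate from the random draw so routing decisions can be unit-tested.
    Fails closed: with no eligible processor the payment is declined explicitly
    rather than silently sent to an unhealthy one.
    """
    eligible = [(p, effective_weight(p)) for p in processors]
    eligible = [(p, w) for p, w in eligible if w > 0]
    if not eligible:
        raise RuntimeError("no eligible payment processor")
    threshold = u * sum(w for _, w in eligible)
    cumulative = 0.0
    for p, w in eligible:
        cumulative += w
        if threshold < cumulative:
            return p
    return eligible[-1][0]   # guards against floating-point rounding when u is close to 1


def choose_processor(processors, rng=random) -> Processor:
    """Production entry point: one random draw per transaction."""
    return select(processors, rng.random())


def traffic_share(processors) -> dict:
    """Expected share of traffic per processor; what an operator watches while draining one."""
    weights = {p.name: effective_weight(p) for p in processors}
    total = sum(weights.values())
    return {name: (w / total if total else 0.0) for name, w in weights.items()}


PROCESSORS = [  # constructed sample fleet
    Processor("alpha", base_weight=3.0, fee_bps=25, success_rate=0.99, p95_latency_ms=800),
    Processor("beta", base_weight=2.0, fee_bps=20, success_rate=0.95, p95_latency_ms=2000),
    Processor("gamma", base_weight=1.0, fee_bps=30, success_rate=0.90, p95_latency_ms=900, healthy=False),
]

if __name__ == "__main__":
    print(traffic_share(PROCESSORS))
    print("routed to", choose_processor(PROCESSORS, random.Random(7)).name)
```

With the constructed fleet, `alpha` receives about three quarters of the traffic, `beta` the rest (it is over its latency SLA, so its weight is halved), and `gamma` none because monitoring has marked it unhealthy.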

Payment Facilitators (PayFacs) are more appropriate for smaller businesses, startups, or independent merchants like local coffee shops, food trucks, or small online retailers, which prioritize ease of use and fast access to payment services. These businesses often lack the resources, time, or technical knowledge to manage their own merchant accounts and navigate the complexities of traditional payment processing setups. PayFacs offer a streamlined onboarding process, allowing merchants to quickly start accepting payments without the need for lengthy underwriting or individual merchant account applications.

With all parties introduced, here is a step-by-step description of the payment flow, with the actions of each party:

  1. Customer Initiation (Cardholder):

    • The customer initiates a purchase by entering their card details (name, card number, expiration date, CVV) on the merchant's payment page.

    • This information is securely passed to the Payment Gateway, depending on the merchant’s integration setup (e.g., hosted payment page, server-to-server integration, or client-side encryption).

  2. Payment Gateway Encryption and Fraud Checks (Payment Gateway):

    • The Payment Gateway encrypts the card details to ensure they are transmitted securely.

    • It performs preliminary fraud checks, such as verifying the CVV code and card expiration date, before passing the encrypted card data to the Acquirer.

  3. Acquirer Sends Data to Card Schemes (Acquiring Bank via PP/PSP/PayFac):

    • The Acquirer (the merchant’s bank) securely transmits the transaction data to the Card Networks (e.g., Visa, MasterCard).

    • The Card Networks conduct another layer of fraud checks, including security screenings like velocity checks and geographic mismatches.

  4. Card Schemes Forward to Issuer for Authorization (Card Networks):

    • The Card Networks forward the transaction request to the Issuer (the cardholder’s bank) for authorization.

  5. Authorization by Issuer Bank (Issuer Bank):

    • The Issuer reviews the transaction for potential fraud and confirms whether the cardholder has sufficient funds available.

    • If the card is valid and there are no issues (e.g., insufficient funds, fraud triggers), the Issuer authorizes the transaction.

    • The Issuer then sends an authorization response (approved or declined) back to the Card Networks.

  6. Card Networks Relay Response to Acquirer (Card Networks):

    • The Card Networks relay the authorization response (approved or declined) back to the Acquirer.

  7. Acquirer Informs Payment Gateway (Acquiring Bank):

    • The Acquirer sends the response back to the Payment Gateway, which processes it.

  8. Payment Gateway Response to Merchant (Payment Gateway):

    • The Payment Gateway relays the authorization response (approved or declined) to the Merchant.

    • Depending on the outcome, the customer is either shown a payment confirmation page (if approved) or prompted to try another payment method (if declined).

  9. Settlement Process Begins (Acquirer and Issuer Banks):

    • Once the payment is authorized, the Acquirer collects the payment amount from the Issuer (the cardholder’s bank).

    • The funds are placed on hold in the Merchant Account, awaiting final settlement.

  10. Settlement to Merchant (Acquiring Bank):

    • The actual settlement occurs based on the merchant’s agreement with their Payment Service Provider. The Acquirer settles the funds to the merchant’s bank account after deducting fees.

    • The merchant receives the funds, usually within 1-2 business days, completing the transaction.

  11. Reconciliation (Merchant and PSP/PayFac):

    • A process performed periodically in which the merchant and their PSP/PayFac compare and verify that the payments processed match the actual funds received in the merchant’s bank account. This process ensures that all authorized and settled transactions have been accurately recorded, and that any discrepancies (such as chargebacks or refunds) are identified and resolved. During reconciliation, the merchant also reviews any fees deducted by the PSP/PayFac or acquirer, ensuring that the net amounts received are correct and match the transaction history.
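To make steps 1 to 8 concrete, here is an added Python simulation (not from the article, and not any gateway's or scheme's real API) in which each party is a function and the authorization response carries the path it took back to the merchant. The test card numbers, balances, CVVs, velocity limit and the geographic-mismatch rule are constructed assumptions; the Luhn check is the real algorithm. Note where each check sits: number format and expiry at the gateway, velocity at the network, CVV match and available funds at the issuer, and note that an approval only places a hold; the funds move later, in steps 9 and 10.

```python
"""Authorization round trip for steps 1-8 (cardholder -> gateway -> acquirer -> network -> issuer and back).

Added example, not code from the article or any real gateway, scheme or issuer
API. Each party is a plain function. The card numbers (standard test PANs),
balances, CVVs, velocity limit and geo rule are all constructed.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import date


@dataclass
class CardInput:            # step 1: what the cardholder enters at checkout
    pan: str
    exp_month: int
    exp_year: int
    cvv: str
    billing_country: str


@dataclass
class AuthResponse:
    approved: bool
    code: str               # "approved" or the decline reason
    decided_by: str         # which party made the decision
    trace: list = field(default_factory=list)   # parties the response passed through


# Constructed issuer-side records; in reality they never leave the issuing bank.
ISSUER_ACCOUNTS = {
    "4111111111111111": {"cvv": "123", "available_cents": 50_000, "active": True},
    "5555555555554444": {"cvv": "999", "available_cents": 1_000, "active": True},
}
VELOCITY = {}               # network-side attempt counter keyed by a PAN hash, not the PAN
VELOCITY_LIMIT = 3          # constructed: a 4th attempt on the same PAN is declined


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: rejects mistyped numbers before anything goes downstream."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def gateway(card: CardInput, amount_cents: int, merchant_country: str, today: date) -> AuthResponse:
    """Step 2: preliminary checks, then forward over an encrypted channel; nothing is stored."""
    if not luhn_ok(card.pan):
        return AuthResponse(False, "invalid_card_number", "gateway", ["gateway"])
    if (card.exp_year, card.exp_month) < (today.year, today.month):
        return AuthResponse(False, "expired_card", "gateway", ["gateway"])
    if not (card.cvv.isdigit() and len(card.cvv) in (3, 4)):
        return AuthResponse(False, "invalid_cvv_format", "gateway", ["gateway"])
    resp = acquirer(card, amount_cents, merchant_country)
    resp.trace.append("gateway")        # steps 7-8: the response comes back through the gateway
    return resp


def acquirer(card, amount_cents, merchant_country) -> AuthResponse:
    """Step 3: the merchant's acquirer passes the request on to the card network."""
    resp = network(card, amount_cents, merchant_country)
    resp.trace.append("acquirer")       # steps 6-7: response relayed back to the acquirer
    return resp


def network(card, amount_cents, merchant_country) -> AuthResponse:
    """Steps 3-4 (and 6): scheme-level screening, then routing to the issuer."""
    fp = hashlib.sha256(card.pan.encode()).hexdigest()[:16]
    VELOCITY[fp] = VELOCITY.get(fp, 0) + 1
    if VELOCITY[fp] > VELOCITY_LIMIT:
        return AuthResponse(False, "velocity_limit", "network", ["network"])
    risk_flags = ["geo_mismatch"] if card.billing_country != merchant_country else []
    resp = issuer(card, amount_cents, risk_flags)   # flags travel with the request, not a decline
    resp.trace.append("network")
    return resp


def issuer(card, amount_cents, risk_flags) -> AuthResponse:
    """Step 5: the cardholder's bank decides and, if approving, places the hold."""
    acct = ISSUER_ACCOUNTS.get(card.pan)
    if acct is None or not acct["active"]:
        return AuthResponse(False, "card_not_found_or_blocked", "issuer", ["issuer"])
    if acct["cvv"] != card.cvv:
        return AuthResponse(False, "cvv_mismatch", "issuer", ["issuer"])
    if "geo_mismatch" in risk_flags and amount_cents > 20_000:   # constructed risk rule
        return AuthResponse(False, "suspected_fraud", "issuer", ["issuer"])
    if acct["available_cents"] < amount_cents:
        return AuthResponse(False, "insufficient_funds", "issuer", ["issuer"])
    acct["available_cents"] -= amount_cents   # hold: reserved, not yet moved (steps 9-10)
    return AuthResponse(True, "approved", "issuer", ["issuer"])


def checkout(card: CardInput, amount_cents: int, merchant_country: str = "US", today: date = None) -> str:
    """Step 8: the outcome the merchant shows the customer."""
    resp = gateway(card, amount_cents, merchant_country, today or date.today())
    return "payment confirmed" if resp.approved else f"declined ({resp.code}), try another payment method"
```

The `trace` list on the response shows the return path (`issuer`, `network`, `acquirer`, `gateway`) for any request that reached the issuer, while a gateway-level decline never leaves the gateway, which is the point of the preliminary checks in step 2: obviously invalid requests are rejected before any card data is transmitted further.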

A PSP (Payment Service Provider) or payment processor must comply with a range of regulations to ensure security, privacy, and the proper handling of financial transactions. These compliance requirements vary depending on the region of operation and the services provided, but here are the key areas a PSP must cover:

Global/International Standards:

  • PCI DSS Compliance (Payment Card Industry Data Security Standard):

    • Ensure secure storage, processing, and transmission of cardholder data.

    • Apply strong encryption methods for data storage and transmission.

    • Implement measures like firewalls, anti-virus software, and access controls.

    • Regular security audits and vulnerability assessments.

  • GDPR (General Data Protection Regulation) (for businesses in or processing data from the EU):

    • Protect personal data and privacy of individuals.

    • Ensure transparency in data collection and processing practices.

    • Implement strong consent management for data usage.

    • Notify authorities and affected parties in case of data breaches.

U.S. Specific Regulations:

  • GLBA (Gramm-Leach-Bliley Act):

    • Implement safeguards to protect the confidentiality of consumers’ personal financial information.

    • Provide clear privacy notices to customers explaining information-sharing practices.

  • FFIEC (Federal Financial Institutions Examination Council) Standards:

    • Follow best practices in cybersecurity risk management and consumer protection for financial institutions.

  • Sarbanes-Oxley Act (SOX):

    • Ensure proper financial reporting and internal controls to prevent fraud in publicly traded companies.

Europe-Specific Regulations:

  • PSD2 (Payment Services Directive 2):

    • Provide Strong Customer Authentication (SCA) to enhance security during electronic transactions.

    • Ensure transparent pricing and conditions for payment services.

    • Comply with open banking requirements for secure data sharing with third parties.

  • EBA Guidelines (European Banking Authority):

    • Follow guidelines on security measures, including fraud detection and risk management procedures.

    • Implement incident reporting for payment service providers.

Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) Compliance:

  • AML/CFT Regulations (Globally enforced by local regulators such as FinCEN in the U.S., FCA in the UK, and AUSTRAC in Australia):

    • Perform thorough customer due diligence (CDD/KYC—Know Your Customer).

    • Report suspicious activities to appropriate regulatory bodies.

    • Monitor transactions for signs of money laundering or terrorism financing.

  • FATF (Financial Action Task Force) Recommendations:

    • Implement comprehensive anti-money laundering and anti-terrorism financing measures.

    • Establish internal controls to mitigate financial crime.

Consumer Protection and Financial Conduct:

  • FTC (Federal Trade Commission) Guidelines (U.S.):

    • Follow regulations aimed at protecting consumers from unfair or deceptive business practices.

  • FCA (Financial Conduct Authority) Compliance (UK):

    • Adhere to stringent guidelines for consumer protection, transparency, and financial stability.

Data Privacy and Security:

  • HIPAA (Health Insurance Portability and Accountability Act) (if handling health-related payments):

    • Protect the privacy of patients' medical and payment data.

  • CCPA (California Consumer Privacy Act):

    • Grant consumers the right to access, delete, or opt out of the sale of their personal data.

Risk Management and Security Compliance:

  • ISO/IEC 27001 Certification:

    • Implement a robust Information Security Management System (ISMS) to protect customer data and ensure operational resilience.

Other Industry-Specific and Regional Regulations:

  • FINTRAC Compliance (Canada):

    • Implement procedures for preventing money laundering and terrorist financing.

  • CPSL (China's Cybersecurity Law):

    • Apply strict data localization and security requirements if operating within China.

Alternative payment methods

APMs, or Alternative Payment Methods, refer to any payment methods that are not traditional credit or debit card transactions. These methods are particularly popular in regions or markets where cards are not the primary means of online payment. APMs provide consumers with diverse payment options that cater to local preferences, enhance convenience, and expand global reach for merchants.

Common Types of APMs:

  1. Digital Wallets: These include services like PayPal, Apple Pay, Google Pay, and AliPay. Digital wallets allow users to store payment details and make transactions through a mobile device or computer, offering a fast and secure way to pay online and in stores.

  2. Bank Transfers: APMs like iDEAL (Netherlands) and SOFORT (Germany) enable consumers to make direct bank transfers without the need for card details. These methods are particularly popular in European countries.

  3. Buy Now, Pay Later (BNPL): Services like Klarna, Afterpay, and Sezzle allow consumers to purchase goods immediately and pay in installments or at a later date, usually without interest if paid on time.

  4. Mobile Payments: In some regions, mobile-based payment methods like M-Pesa (Africa) or WeChat Pay (China) dominate. These services allow transactions directly through mobile phones, either via apps or SMS.

  5. Prepaid Cards and Vouchers: Services like Paysafecard allow users to purchase prepaid cards or vouchers that can be used online, providing an extra layer of security by not revealing bank or card details.

  6. Cryptocurrency: Some merchants accept payments in cryptocurrencies like Bitcoin, Ether, or stablecoins as an alternative form of payment.

Importance of APMs:

  • Regional Preferences: Different regions have distinct payment preferences. For instance, in China, AliPay and WeChat Pay are dominant, whereas in Europe, bank transfers like iDEAL and Giropay are more common than credit cards.

  • Enhanced Security and Convenience: Many APMs offer increased security compared to traditional payment methods, using encryption, two-factor authentication, and bypassing the need to share sensitive card information.

  • Increased Conversion Rates: Offering APMs can reduce cart abandonment and increase sales by providing customers with their preferred payment options.

Why PSPs Offer APMs:

PSPs integrate APMs into their offerings to cater to global customers and ensure merchants can accept payments through methods their target audiences are comfortable with. Supporting multiple APMs allows merchants to expand into new markets, reduce friction in the checkout process, and ultimately drive more sales.

Transaction types

In the world of payments and financial services, several types of transactions occur between merchants, customers, and payment processors. These transactions serve different purposes, including depositing funds, withdrawing funds, handling disputes, and adjusting for errors or fraud. Here’s a breakdown of the most common types:

1. Purchase/Payment Transaction

  • Description: This is the most common type of transaction, where a customer uses a payment method (credit card, debit card, APM, etc.) to pay for goods or services.

  • Example: A customer pays $50 using a credit card to purchase items from an online store.

2. Deposit

  • Description: A transaction where money is added to an account. In the context of PSPs, deposits usually refer to the process of crediting funds to a merchant’s account after a successful transaction.

  • Example: After a customer purchases a product, the amount (minus fees) is deposited into the merchant’s bank account.

3. Withdrawal

  • Description: A transaction where funds are removed from an account. This can be initiated by the account holder or triggered by automated processes, such as payouts or refunds.

  • Example: A freelancer withdrawing $500 from their payment processor account to their personal bank account.

4. Refund

  • Description: A transaction where the merchant returns money to the customer, typically due to a product return, service cancellation, or overcharge.

  • Example: A customer returns a product, and the merchant refunds the $100 paid for the item back to the customer’s card.

5. Chargeback

  • Description: A reversal of a payment initiated by the cardholder's issuing bank. Chargebacks are typically the result of disputes, such as fraudulent transactions or dissatisfaction with a purchase. When a chargeback occurs, the customer is refunded, and the merchant is debited the amount in question, often along with additional fees.

  • Example: A customer disputes a $200 charge for a product they claim they didn’t receive, and the bank initiates a chargeback to refund the customer.

6. Reversal

  • Description: A transaction that cancels a previously authorized transaction before settlement occurs. This can happen due to errors or when a customer cancels an order before it is completed.

  • Example: A customer realizes they made an error in their order and cancels the payment before the funds are deducted from their account.

7. Authorization

  • Description: A transaction where the customer’s payment information is validated, and funds are held but not yet transferred. This step checks if the customer has sufficient funds and can pay, but the money is not yet moved to the merchant.

  • Example: When booking a hotel room, the hotel might authorize $200 on the customer’s card to ensure the funds are available for the booking.

8. Capture

  • Description: This occurs after authorization when the funds are actually transferred from the customer’s account to the merchant’s account. A capture finalizes the transaction.

  • Example: After authorizing $200 for a hotel booking, the hotel charges (captures) the $200 once the stay is confirmed.

9. Void

  • Description: A void cancels a transaction that has been authorized but not yet captured. It prevents the funds from being debited from the customer’s account.

  • Example: A customer changes their mind after authorizing a $100 payment, and the merchant voids the transaction before the money is withdrawn.

10. Dispute

  • Description: A formal complaint made by a customer to their card issuer, contesting a charge on their statement. This often leads to chargebacks or resolution processes between the customer, the merchant, and the bank.

  • Example: A customer files a dispute over a $75 charge for services they claim were never rendered.

11. Pre-Authorization

  • Description: Similar to an authorization, but used in scenarios where the exact amount of the transaction isn’t known initially. Common in industries like car rentals or hotels where final costs may vary.

  • Example: A car rental company pre-authorizes $300 on a card to cover potential charges, including fuel or damages, but the final charge may be lower.

12. Settlement

  • Description: The final step in a transaction where funds are transferred from the customer’s account to the merchant’s account. Settlement occurs after the capture and often includes the clearing of funds through the payment network.

  • Example: A merchant receives $50 in their bank account after a customer completes a purchase and the settlement process is completed.

13. Payout

  • Description: A type of transaction where the PSP transfers accumulated funds (e.g., sales revenue) to the merchant’s bank account, typically after settlement or on a scheduled basis.

  • Example: A PSP sends weekly payouts of a merchant’s accumulated sales revenue minus fees.

14. Partial Refund

  • Description: A transaction where only part of the charged amount is refunded to the customer. This might occur when a customer returns only part of their purchase.

  • Example: A customer returns one item from a two-item order, and the merchant issues a partial refund of $50.

15. Adjustment

  • Description: An adjustment transaction refers to a financial action taken by a payment processor, merchant, or financial institution to correct an error or make changes to a previous transaction. Adjustments are usually made when there are discrepancies in the amounts, incorrect charges, or when operational issues require manual intervention.
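The lifecycle rules implied by the transaction types above (capture only after authorization and never above the held amount, void only before capture, refunds and chargebacks only against captured funds, partial refunds that never add up to more than was captured) and the reconciliation step from the payment flow earlier can be combined in one small ledger model. The following Python is an added example, not the article's code or any PSP's API; the fee schedule, the chargeback penalty and the sample ledger are constructed, and the model assumes fees are not returned on refunds.

```python
"""Transaction lifecycle and merchant-side reconciliation.

Added example, not the article's code or any PSP's API. It enforces the
ordering the transaction types imply (authorize -> capture -> settle; void
only before capture; refunds and chargebacks only against captured funds)
and then reconciles the expected payout against a bank deposit. The fee
schedule and the sample ledger are constructed.
"""
from dataclasses import dataclass

FEE_BPS = 290                # constructed: 2.9% of each captured amount
FEE_FIXED_CENTS = 30         # constructed: plus a fixed 30 cents per capture
CHARGEBACK_FEE_CENTS = 1500  # constructed: penalty fee on each chargeback


class TransactionError(Exception):
    """Raised for a transition the lifecycle does not allow."""


@dataclass
class Transaction:
    txn_id: str
    authorized_cents: int            # amount held at authorization / pre-authorization
    state: str = "authorized"        # authorized -> captured -> settled, or voided
    captured_cents: int = 0
    refunded_cents: int = 0
    chargeback_cents: int = 0

    def capture(self, amount_cents=None):
        """Capture the authorized amount, or less for a pre-authorization; never more."""
        amount = self.authorized_cents if amount_cents is None else amount_cents
        if self.state != "authorized":
            raise TransactionError(f"{self.txn_id}: capture needs state authorized, is {self.state}")
        if not 0 < amount <= self.authorized_cents:
            raise TransactionError(f"{self.txn_id}: capture {amount} exceeds authorization")
        self.captured_cents, self.state = amount, "captured"

    def void(self):
        """Void / reversal: cancels an authorization that has not been captured."""
        if self.state != "authorized":
            raise TransactionError(f"{self.txn_id}: only an uncaptured authorization can be voided")
        self.state = "voided"

    def settle(self):
        """Settlement: captured funds are cleared through the network to the acquirer."""
        if self.state != "captured":
            raise TransactionError(f"{self.txn_id}: settlement needs a captured transaction")
        self.state = "settled"

    def refund(self, amount_cents=None):
        """Full or partial refund; cumulative refunds never exceed the captured amount."""
        if self.state not in ("captured", "settled"):
            raise TransactionError(f"{self.txn_id}: refund needs captured funds; void before capture")
        remaining = self.captured_cents - self.refunded_cents - self.chargeback_cents
        amount = remaining if amount_cents is None else amount_cents
        if not 0 < amount <= remaining:
            raise TransactionError(f"{self.txn_id}: refund {amount} exceeds remaining {remaining}")
        self.refunded_cents += amount

    def chargeback(self, amount_cents):
        """Issuer-initiated reversal of settled funds (the outcome of a lost dispute)."""
        if self.state != "settled":
            raise TransactionError(f"{self.txn_id}: chargeback applies to settled funds")
        remaining = self.captured_cents - self.refunded_cents - self.chargeback_cents
        if not 0 < amount_cents <= remaining:
            raise TransactionError(f"{self.txn_id}: chargeback {amount_cents} exceeds remaining {remaining}")
        self.chargeback_cents += amount_cents


def expected_payout_cents(txns) -> int:
    """Net amount the merchant should receive for the period (fees are not returned on refunds)."""
    payout = 0
    for t in txns:
        if t.state != "settled":          # voided and unsettled transactions move no money
            continue
        fee = t.captured_cents * FEE_BPS // 10_000 + FEE_FIXED_CENTS
        payout += t.captured_cents - fee - t.refunded_cents - t.chargeback_cents
        if t.chargeback_cents:
            payout -= CHARGEBACK_FEE_CENTS
    return payout


def reconcile(txns, bank_deposit_cents: int) -> dict:
    """Compare the ledger's expected payout with what actually arrived in the bank."""
    expected = expected_payout_cents(txns)
    return {"expected": expected, "received": bank_deposit_cents,
            "difference": bank_deposit_cents - expected, "balanced": bank_deposit_cents == expected}


def sample_ledger():
    """Constructed ledger mirroring the examples given for the transaction types."""
    t1 = Transaction("t1", 5_000); t1.capture(); t1.settle()                          # plain purchase
    t2 = Transaction("t2", 20_000); t2.capture(18_000); t2.settle()                   # pre-auth, lower final
    t3 = Transaction("t3", 10_000); t3.capture(); t3.settle(); t3.refund(5_000)       # partial refund
    t4 = Transaction("t4", 7_500); t4.void()                                          # customer changed mind
    t5 = Transaction("t5", 20_000); t5.capture(); t5.settle(); t5.chargeback(20_000)  # dispute lost
    return [t1, t2, t3, t4, t5]
```

Running `reconcile(sample_ledger(), deposit)` with the constructed fee schedule gives an expected payout of 24,843 cents; a deposit that differs from it is the signal to review fees, refunds and chargebacks item by item, which is exactly the discrepancy hunt the reconciliation step describes. The guards in `capture`, `void`, `refund` and `chargeback` are the ones that catch double captures, over-captures on a pre-authorization and refunds beyond the captured amount.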