online payments working

How online payments work?

Online shopping is convenient and super fast. As quick and easy as it looks, there is a lot that happens in the background. Removing the layer of abstraction here from how the online payments work. It all starts with one click of button, Buy Now! Almost five entities are involved to encrypt, validate, authenticate and complete the transaction in the background. Thus, making online payments safe, convenient and quick. Diving deeper, let’s see what goes in the online payments’ process.

Information in the network

The customer provides the credit/debit card or net banking credentials and initiates payment. The information is normally encrypted through SSL (Secure Socket Layer). SSL is a transport layer security protocol which secures communication over the internet. In case of payment processing, the information can be directly sent to the payment gateway from the customer. The bypass reduces the merchant’s requirement to be PCI DSS compliant.

PCI DSS Compliance

The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard set up by card schemes like VISA, MasterCard and other. To process an online payment, the organization has to abide by the security standards. CitrusPay takes the burden of PCI DSS compliance thus making online payments secure and saving the merchant from the hassles of the compliance.

Payment authentication

The payment gateway forwards the information to the payment processor i.e. the acquiring bank. The acquiring bank communicates with card association i.e. VISA, MasterCard etc. The card association gets authentication done from the issuing bank (bank of the customer). The issuing bank authenticates the account and debits the amount. The transaction success or failure is communicated back to the card association. Then to the acquiring bank and further to the merchant and finally showing the status to the customer.

Securing the transactions

The payment gateway first comes in, to validate the payment request. We do this through a unique HMAC signature which is a message authentication code for each transaction. It involves a cryptographic hash function combined with a secret cryptographic key. The signature is created using various parameters like Transaction ID, Security Key, Access Key, Merchant Transaction ID, Currency, Transaction amount etc. The parameters needed for signature depends on the type of payment method used i.e. CitrusPay Hosted Checkout, Merchant Hosted Checkout or Mobile app payments. For web based payments, signatures are sent along with the payment request. For mobile based payments a merchant hosted bill generator is used to authenticate the transaction.

For every transaction the signature is verified. If there is mismatch in the signature, the payment request is rejected. Similarly, during response handling the signature is verified on the merchant’s side. This is to see if the request was processed properly.

The merchant passes the information through a POST method. The information goes through the payment gateway through the PCI DSS requirements. The card details are stored using tokenization. Card details are converted into generic tokens, and then saved on the payment gateway’s database.

Authenticating the transaction

Next, the multi-factor authentication helps in preventing credit/debit card fraud. It is done through MPI (Merchant Plug-in). MPI is a software module designed to facilitate 3D secure verification. The MPI identifies the account number and verifies with the card association if the account is enrolled for the 3D-Secure program. If the account is enrolled in the 3D-Secure program, the MPI returns the web site address of the issuer access control server (ACS).

Card issuers maintain an ACS to support cardholder authentication. The ACS is authenticated by username and password and ACS signs the result with a success or failure. The signature is sent through the customer’s browser to the MPI. The plug-in verifies the ACS signature and decides if the transaction has to be proceeded or not.

Payment Settlement

The response of the payment request begins from the issuing bank. The issuing bank is with which the customer has the bank account. The issuing bank debits the amount from the customer’s account and sends the amount to the card association. Card association further transfers the amount to the acquiring bank, which sends the money to payment gateway. The payment gateway keeps the money in a nodal account. A nodal account is where the amount is held by the payment gateway until it is settled with the merchants. The settlement amount is remitted to the merchant in T+2 days or in case of a marketplace it is remitted whenever the Settlement API is called.

And that’s how the payment cycle works! Sign up with CitrusPay for a robust and easy payment gateway integration. Stuck somewhere in implementing the code? Get it solved in the CitrusPay Developer Forum.