Online shopping is almost as much a global staple as eggs today. It’s a worthwhile bet that the average, digitally-connected American spends more time online shopping than exercising. If you want a regular place on the consumer table, your online business needs to ensure safe, fast online journeys from login to cart—in everyone’s best interest.
In this post, we’ll discuss how e-commerce transactions work, what a payment gateway is, and how to keep your online payments secure. For the sake of the article, we’re sticking to security as it relates to payment gateways. (But check out our other resources!)
Online shopping is rooting into everyday habits…
- $4.8T – the expected value of online sales by 2021 (Shopify)
- $2.95M was spent online in the US alone in 2018 – almost $2,000 per person (Shopify)
- 30% of US adults are “almost constantly” online (Pew Research)
- By 2021, over 2.14 billion people worldwide are expected to buy goods and services online (Statista)
But so are online breaches…
- Over $8M is the avg cost of a major data breach in the US (IBM)
- The average overall costs stand at a staggering $4 million. (SmallBizTrends)
- American companies pay 102% more in earning back customer trust after an attack (Big Commerce)
- 201 days is the average time it takes for a data breach to be detected (Digital Commerce 360)
- Over 31K records are breached in an average attack, costing up to approx. $416/record (Digital Commerce 360)
There are expected to be almost 2 billion digital buyers worldwide in 2019. Take advantage of this trend to skyrocket online revenue. But do it safely. You want to be any online consumer’s safe bet and thereby guarantee return customers.
You also want to avoid the insurmountable costs of a data breach financially. Rebranding can’t save you there. In 2017, 1.4 billion passwords were hacked—and that racks up about $172 - $400+ per record stolen.
And the hackers are getting smarter, which is why cool new tech is too. We are all looking to the adoption of things like machine learning, threat intelligence, and smarter deployment. But it’s not enough to leave that to security companies. You have to protect your own interests. That starts here, with understanding.
You do the math.
Learn your threat landscape. (Here’s a dive into costs.)
Safe is good for everyone.
How Do E-commerce Transactions Work?
Before you can secure e-commerce transactions, you need to understand how they work. There are four stages in a typical payment:
- Authorization
- Clearing
- Settlement
- Undo (optional)
Let’s dive in.
When someone enters their credit card number and hits the “Buy” button, that triggers authorization. The authorization step involves sending the most sensitive data on a credit card on a journey from cart to completion of payment.
The purpose of the authorization is to answer two critical questions:
- Is the person using the card the actual owner (checking for fraud)?
- Does the cardholder have enough money (or credit)?
This process involves several parties: merchants, acquiring banks, creditors, and/or the purchaser’s bank.
When someone hits “buy”, a series of authorization events occur. Depending on how you have your payments set up, payment details are sent for authorization in one of two ways: via an acquiring bank, or directly to the creditor.
As a merchant, you likely have an acquiring bank. An acquiring bank receives funds on your behalf. In that case, the customer credit card or payment transaction data is first sent to that acquiring bank.
Otherwise, payment request information goes straight to the card association—Visa, MasterCard, Discover, etc. Then, either the acquiring bank or credit company contacts the purchaser’s bank to authorize the transaction.
Regardless, the payment gateway is a required portal that all transactions go through between the online purchase/merchant site and the acquiring bank or credit card association.
How safe is data during authorization?
The merchant sends the primary account number (also known as a PAN) along with the card verification value (CVV) or card verification code (CVC) to the acquiring bank or creditor. These values help to answer the question of whether the transaction is fraudulent.
For security purposes, the card verification value (CVV) encoded in the magnetic stripe is different from the CVV2 printed on the back of the card. If an attacker obtains the magnetic stripe data, they can’t use the card online; if they obtain the data from a website, they can’t create a cloned card because they don’t have the value from the magnetic stripe.
Once the transaction is approved, the cardholder’s bank agrees to pay the merchant at a later step (called settlement).
The clearing step happens behind the scenes. The merchant sends all transactions from the day to their bank or credit card association.
Sensitive data such as the CVV is typically not sent with clearing requests; these include only the PAN and a reference number so the card scheme can match the correct transaction.
The settlement is the step where the money is sent to the merchant’s bank by the credit card association. The card association knows which banks to contact based on the PAN sent in the clearing step and retrieves the correct amount from each. It then forwards the money to the acquiring bank or merchant, completing the loop.
The clearing and settlement steps occur behind the scenes from the cardholder’s standpoint. E-commerce companies and anyone looking to sell products online should be aware of these steps, as we’ll see later on in this article.
If something goes wrong, there are two ways to reverse a transaction: a refund from the merchant or a chargeback based on a dispute.
When the merchant initiates a refund, they send a request to the cardholder bank, similar to the authorization request. A refund request doesn’t have the CVV/CVC data included, but merely the PAN, cardholder name, and expiration date of the card, along with the amount to be refunded.
A chargeback occurs when a cardholder disputes a charge and initiates its reversal. Chargebacks are often due to fraud or a complaint against the merchant. In this situation, the cardholder’s bank initiates a request to the merchant’s bank to return the money.
Chargebacks can be a bit more complicated than refunds. If the merchant bank doesn’t agree, it can go to arbitration where the card association decides whether or not to return the money. If the merchant agrees, a refund is issued.
Side tip for e-commerce companies: make your customers aware of your refund policy and give refunds to those who ask for one. If customers go to their bank first and issue chargebacks, it can hurt your reputation with the card associations and ruin your business.
What Is a Payment Gateway?
The payment gateway is a software service that connects the merchant to the acquiring bank or card association. Using one is required to run an e-commerce business and accept payments online.
Payment gateways handle the complicated paperwork and mechanisms to allow credit card transactions to go through. You could create an e-commerce website today and, as long as you have something to sell, start using a payment gateway to accept payments in minutes.
Payment gateways sit between the merchant and the acquiring bank/card association. The gateway handles all of the e-commerce transaction steps for you.
When someone enters their credit card number, the payment gateway handles the authorization, receives the settlement, then deposits the money where and when you specify.
Merchant advantages of a payment gateway.
A significant advantage of payment gateways is the abstraction they provide: they decouple the merchant from the bank, allowing different transactions to be routed to different banks. Payment gateways let you decide which bank receives the money from each sale.
A significant benefit of payment gateways is their built-in security. They’re on the hook as much as you for keeping shoppers safe. They securely encrypt data and only keep what they need.
You should do the same. Don’t store what you don’t need. Make sure to use HTTPS for all communication with your payment gateway. Make customer security your way of doing business.
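As an added example (not code from the original post) tying the transaction stages above to the “don’t store what you don’t need” advice: the authorization message is the only one that carries the CVV2, clearing and refund messages carry the PAN without it, and the merchant’s own record keeps only a masked PAN plus the reference number. The field names and message layouts are assumptions for illustration, not any gateway’s or card scheme’s real wire format, and the card number used in testing is a constructed Luhn-valid test value, not a real account.

```python
from dataclasses import dataclass

# Assumed, illustrative field names; not any gateway's or card scheme's wire format.

def luhn_valid(pan: str) -> bool:
    """Luhn checksum on the PAN: catches mistyped numbers, not fraud."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the last four digits for receipts and internal records."""
    return "*" * (len(pan) - 4) + pan[-4:]

@dataclass
class CardInput:
    pan: str        # primary account number, as typed into the checkout form
    cvv2: str       # card verification value printed on the back of the card
    expiry: str
    holder: str

def authorization_request(card: CardInput, amount_cents: int) -> dict:
    """Authorization is the only message that carries the CVV2."""
    if not luhn_valid(card.pan):
        raise ValueError("PAN failed Luhn check")
    return {"pan": card.pan, "cvv2": card.cvv2, "expiry": card.expiry,
            "holder": card.holder, "amount_cents": amount_cents}

def clearing_request(pan: str, reference: str) -> dict:
    """Clearing sends the PAN and a reference number; no CVV2."""
    return {"pan": pan, "reference": reference}

def refund_request(card: CardInput, amount_cents: int) -> dict:
    """A refund looks like an authorization minus the CVV2."""
    return {"pan": card.pan, "holder": card.holder, "expiry": card.expiry,
            "amount_cents": amount_cents}

def merchant_record(card: CardInput, reference: str, amount_cents: int) -> dict:
    """What the merchant keeps on its own systems: masked PAN and reference, never the CVV2."""
    return {"pan_masked": mask_pan(card.pan), "reference": reference,
            "amount_cents": amount_cents}
```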
Payment Gateway Integration Options
The way you integrate payment gateways on your site will impact the user experience. Take time to think through how you want your checkout flow to function. There are also security and compliance implications for each option.
The first option is to redirect your user to the payment gateway website and have them enter their credit card details there.
The process goes like this:
- The user clicks a button to pay on the gateway site (you’ve likely seen the “Pay with PayPal” buttons in shopping carts).
- Your website redirects the customer to the gateway website.
- The user enters their credit card information and clicks "buy."
- The gateway site redirects the customer back to a page of your choosing.
Redirects make transactions very simple for you, but they add a second step for your users. Less computer-savvy users may be confused by the multiple redirects. You also lose control over the user experience once the user is on the gateway site.
Integration with Your Checkout
If you want some control over user experience, you can integrate your payment gateway with your checkout page. Your users enter their information on your page, and then your website sends the data to the gateway's API.
Here is the process:
- The user decides to check out on your site
- The user enters credit card details on your page and clicks “Buy.”
- Your website then sends the credit card information to the payment gateway, either through an API or another form of integration
- Your site shows a thank you page once the gateway completes the authorization
Third-party website building software, such as WordPress, ClickFunnels, and LeadPages, often has plugins that handle the communication between your site and your payment gateway. If you build your website from scratch, you'll have to write the integration code yourself.
Integrating a gateway with your checkout process makes for a smoother user experience because customers stay on your site. You still get the benefits of payment gateways without changing your checkout flow.
Using a payment gateway means hooking it up to your site and watching the money roll in, right? Not so fast. There is one crucial piece you need to figure out before your cart goes live.
PCI Compliance and Payment Gateways
Some think that all PCI compliance issues disappear when you use payment gateways. Unfortunately, that isn’t exactly true.
Once you know your gateway provider is PCI compliant, you need to check your systems. Whether or not your application is required to be PCI compliant depends on which option you choose to process transactions.
According to the PCI Security Standards Council:
“Maintaining payment security is required for all entities that store, process, or transmit cardholder data.”
Using a payment gateway removes the first two criteria, storing and processing, from your responsibility. However, you may still transmit cardholder data, which means you still need to be compliant.
Redirecting your users to the payment gateway site will shield you from PCI requirements. Your servers are not seeing or transmitting cardholder data.
If you take card data on your site and then transmit it to the payment gateway, you will need some form of PCI compliance. There are various levels of PCI compliance, and the topic is out of scope for this article.
A great article from Magenest provides a more detailed look at PCI compliance issues with payment gateways.
Individual payment gateway companies have guidance on PCI compliance as well. Stripe has an excellent article about what you need to know about PCI compliance when using their gateway.
Payment Gateway Options
Many payment gateways exist, and most are well-known in the e-commerce industry.
PayPal is the granddaddy of payment gateways and helped to define online transactions. It was founded in 1998 and has grown to be one of the best and most popular payment gateways. It offers easy-to-use options to embed a button on your site or redirect to PayPal completely for payment. It features a rich API for more complex integrations.
Square offers a point-of-sale system along with a payment gateway for online companies. It provides many integrations with existing e-commerce platforms, so you can add it to a site with a few clicks.
Stripe focuses on simplicity. You can sign up, create products, and start selling in a few minutes. Like Square, Stripe easily integrates with many platforms, so you don’t have to worry about building a shopping cart system from scratch.
Apple Pay offers a smooth, secure payment experience for Apple users. Use Apple Pay if you have a broad base of Apple users, and you want to accept payments via an app, iMessage, or over the Safari browser. Apple Pay is best as an additional option with one of the above being the primary.
Amazon Pay is a unique option. It offers shoppers the ability to use their existing Amazon accounts to pay you.
The flow goes like this:
- The user clicks the “Amazon Pay” button
- They log into their Amazon account
- The user chooses an existing payment method stored on their account
- They click to buy, and it’s all done
Amazon Pay opens up multiple channels for your business. Customers can order items with voice, mobile, or social shopping. By using Amazon Pay, you’ll make your shopping experience better for millions of Amazon users.
Braintree is a division of PayPal that is specifically designed for mobile. The platform boasts the most inclusive single integration for credit cards, debit, PayPal, Venmo, and most digital wallets. So, shoppers have a lot of payment options without creating a lot of work for merchants.
Cryptocurrency is another way retailers are expanding payment options, including the potential of creating platform-specific alt currency (think Facebook). While cryptocurrency is not yet globally popular, there are increasing hotspots and growing consumer interest based on the heightened security it offers and various other features.
Payment Gateways = Happy Customers and Happy Businesses
No matter which payment gateway works for you, keep security at the forefront of your mind.
Know whether you need to be PCI compliant, and take the necessary steps if you do. In fact, following the security best practices in the PCI standards is not a bad idea regardless; most mature security programs should be doing these things already.
Most of all, keep your customers in mind. Use the payment gateway that gives them the best experience while keeping them secure. Take care of your customers online, and they’ll keep coming back.