Credit & Debit Card Processing for Beginners
Many companies that have traditionally dealt with account customers are now increasingly moving towards accepting payments by credit and debit cards. The reasons may vary but typically include:
- improved cash flow means that it is possible to offer more competitive rates to trade customers
- less credit control overheads
- less risk
- growing markets, potentially reached through an eCommerce-enabled web site, means new customers, and payment by card can avoid the need to open credit accounts, speeding up the supply of the first order
- increasing numbers of smaller businesses are finding it hard to pass the level of credit checks necessary to get trade accounts
- businesses are moving from trade-only to a combination of trade and retail
Whatever the reasons, moving into card payment processing for the first time can involve a daunting range of new terminology.
When you wish to begin accepting payment cards, you will sign up for an account with an Acquiring Bank, who will collect the funds on your behalf. Acquiring banks and their "brands" include, for example, Lloyds CardNet and NatWest Streamline.
The Issuing Bank is the bank that issued the credit card to your customer.
When you sign up with an Acquiring Bank, your account is called a Merchant Account and you are referred to as the Merchant.
When the customer is standing in front of you and physically hands over their card, this is a Customer Present or Point of Sale transaction. Since the advent of Chip and PIN, this is almost always processed through a Payment Terminal. These are often referred to as PDQ Machines, but that is a brand name, so it is akin to referring to a vacuum cleaner as a hoover.
When the customer is not standing in front of you (i.e. you do not physically see the card) then this is a Customer Not Present transaction, often abbreviated to CNP.
CNP transactions fall into two types - those originating via the Internet are called eCommerce transactions whilst all other CNP transactions are called MOTO transactions. MOTO stands for Mail Order/Telephone Order.
Payment Service Providers
It is not possible for ordinary companies to interface their IT systems to those of the Acquiring Banks. When you want your software systems to collect payment details and pass them on to your Acquiring Bank to collect the funds, you must go through an intermediary. These intermediaries are called Payment Service Providers, or PSPs.
Latest information on the PSPs supported by axis diplomat and/or axis vMerchant can be found on the Payment Service Provider PSP Interfaces module overview.
How Do PSPs Work?
As far as your Acquiring Bank is concerned, the PSP is emulating a Payment Terminal (or PDQ machine). The card details are collected by the PSP. The PSP sends the details, including transaction details, such as the total amount, to the Acquiring Bank and receives either Approved or Declined, and passes these details back to your own IT system.
Authorised and Paid Transactions
When your PSP contacts your Acquiring Bank with the details of a transaction, it can do one of two things - it can Authorise the transaction or it can collect the funds with a Payment transaction. Authorised transactions do not result in the transfer of funds, but are merely a check on the validity of the card details supplied, and that the customer has sufficient funds available. An authorisation does, however, result in a "shadow" being placed on the available funds for the amount being authorised. For example, if a customer has £1250 of credit available and you authorise a £400 transaction then his available credit drops to £850.
When you ship the goods against an authorised transaction, your software will then contact the PSP to arrange collection of the funds at that point.
A credit limit "shadow" will last for a varying length of time, depending on the issuing bank. Typically this is around 10 days.
How Secure Is It?
In order to be allowed to communicate with the Acquiring Banks, a PSP's own systems must be incredibly secure. Once your PSP has collected the information from the shopper, or your telesales operator, the PSP will return a unique reference so that your systems do not need to know the card details, only the PSP's reference number. This eliminates the need to hold customers' card details on your own system.
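The authorise-then-collect sequence and the PSP reference described above can be modelled in a few lines. This is an added example, not code from any PSP or from axis diplomat; ToyIssuer, ToyPSP, the reference format, the card number and the rule applied once a shadow has lapsed are all constructed assumptions, with amounts held in pence.

```python
import secrets
from datetime import datetime, timedelta

HOLD_LIFETIME = timedelta(days=10)  # assumption: the "around 10 days" quoted above

class ToyIssuer:
    """Constructed model of the issuing bank's view of one card account (pence)."""
    def __init__(self, credit_limit):
        self.credit_limit, self.spent, self.holds = credit_limit, 0, {}

    def available(self, now):
        # Only shadows that have not yet expired reduce the available credit.
        live = sum(amt for amt, expiry in self.holds.values() if expiry > now)
        return self.credit_limit - self.spent - live

class ToyPSP:
    """Constructed model of a PSP: it sees the card number, the merchant does not."""
    def __init__(self, issuers):
        self._issuers = issuers   # card number -> ToyIssuer
        self._vault = {}          # PSP reference -> card number, kept by the PSP

    def authorise(self, card_number, amount, now):
        issuer = self._issuers.get(card_number)
        if issuer is None or amount > issuer.available(now):
            return "Declined", None
        ref = "psp_" + secrets.token_hex(8)   # random, reveals nothing about the card
        self._vault[ref] = card_number
        issuer.holds[ref] = (amount, now + HOLD_LIFETIME)
        return "Approved", ref

    def collect(self, ref, now):
        """Payment against an earlier authorisation, requested when goods ship."""
        issuer = self._issuers.get(self._vault.get(ref))
        hold = issuer.holds.pop(ref, None) if issuer else None
        if hold is None:
            return "Declined"                 # unknown or already-collected reference
        amount, expiry = hold
        # Assumption: once the shadow has lapsed the funds are checked afresh.
        if expiry <= now and amount > issuer.available(now):
            return "Declined"
        issuer.spent += amount
        return "Approved"

def demo():
    day0, card = datetime(2024, 1, 1), "4111111111111111"   # constructed test values
    issuer = ToyIssuer(125000)                              # £1250 limit
    psp = ToyPSP({card: issuer})
    status, ref = psp.authorise(card, 40000, day0)          # £400 authorisation
    order = {"order_no": 1001, "psp_ref": ref}              # all the merchant stores
    held = issuer.available(day0)
    lapsed = issuer.available(day0 + timedelta(days=11))
    paid = psp.collect(ref, day0 + timedelta(days=3))
    return status, order, held, lapsed, paid, issuer.spent
```

The order record produced by demo() contains only the order number and the PSP reference, which is the property that keeps card details off the merchant's own system.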
When you are interacting with a secure web site, its address will begin https:// instead of http:// and the web browser will show a padlock icon (where exactly will depend on the browser - browsers such as the later versions of Internet Explorer, Firefox and Google Chrome show the padlock in the top right corner, at the end of the address bar, whereas earlier browsers showed it in the lower right corner).
The ability to secure a web site in this way is provided by having an SSL Certificate installed on the web server that confirms the identity of the web site owner (or publisher).
Not all SSL Certificates are the same, however - some are more secure than others. This is not a feature of the technology behind the certificate itself so much as the processes the owner had to go through in order to obtain the certificate (in other words, the application process is more rigorous for some certificates than others). Newer browsers identify the more secure SSL certificates by changing the colour of the address bar. These newer more secure certificates are known as EV SSL.
The level of certificate security that is appropriate to your business may well be governed more by the expectations of your customers than by the realities of the security of the site. In other words, your customers may begin demanding the highest level of SSL security so that they know you are who you say you are. This will be particularly true of businesses that rely on passing trade (e.g. people finding the site via search engines) rather than regular loyal customers.
In order to address merchants' concerns over card security, two schemes have been introduced by the card issuers - one by MasterCard, called MasterCard SecureCode, and one by Visa, called Verified by Visa. Collectively, these are known as 3D Secure. These schemes work at the checkout pages of a web site by taking the shopper to an extra page that is supplied by their own issuing bank, which asks them for details that supposedly only the true owner could know.
From the merchant's point of view, the advantage of 3D Secure is that you can be more sure that the person placing an order is who they say they are since they have been through that additional verification process. Generally, if a transaction has been verified by 3D Secure and subsequently proves fraudulent then the issuing bank will accept liability. If a fraudulent transaction had not been verified by 3D Secure then the merchant must accept liability. Since 3D Secure only applies to eCommerce transactions, this means that web transactions can have a lower risk than MOTO transactions.
How Much Does It All Cost?
Your Acquiring Bank will have negotiated a rate with you, which will typically be a fixed fee for processing debit cards and a percentage rate for processing credit cards. The rate will be based on their assessment of the number of transactions you are likely to process (generally speaking, the more you put through, the cheaper each transaction gets), the perceived risk of your transactions and your own credit rating. Expect to pay in the region of 2.5% for processing a MOTO credit card transaction.
When you process payments via a PSP, you still pay the usual transaction charges to your Acquiring Bank but, in addition, the PSP will make a handling charge on the transaction as well. This will normally be a flat charge (typically around 10p) per transaction, regardless of whether it is a credit card or a debit card, but expect a flat monthly fee if your transaction levels are low (typically around £20 per month).