You may be surprised at the number
of steps involved - and at the critical role played by
an Acquiring Processor such as First Data. Credit card
sales that are processed through a terminal go through
the same process as described below for an internet transaction,
but the security issues are not as detailed.
1. A consumer decides to buy something - On the
internet the merchant's commerce-enabled Web site prompts
the customer for credit card information as well as "bill-to"
and "shipping" addresses.
(At the storefront location the Merchant simply swipes
the credit card on the POS system magnetic stripe card
reader or credit card terminal for an authorization that
the funds are good.)
2. On the internet the customer enters the information
into a form secured by the SSL (Secure Sockets Layer)
protocol - SSL encrypts the transaction data and sends
the secured form over the Internet to the merchant. The
form should appear on a webpage with HTTPS. The "S" means
the connection to the page is encrypted. If there is no "S"
in the HTTP, then
the consumer should NOT enter any private information,
including credit card information. In addition, email
is not a secure method of sending credit card information.
If a form is being sent to the Merchant via email to obtain
the credit card information, then this is a huge red flag.
Credit card information should also not be stored on the
server of the Merchant as this opens the Merchant to both
hackers and employee theft.
3. Using the payment software incorporated into the merchant's
Web server, the encrypted transaction data is now sent
to the acquiring processor (i.e., First Data Merchant
Services) for authorization - The merchant can send the
data via an Internet gateway service, which will reformat
the information so that it is compatible with the acquiring
processor's systems. Alternatively, in cases where the
merchant has installed software on its Web server that
is compatible with and approved by the acquiring processor,
the transaction data can be sent directly to the processor
via a private dial or leased line.
(At the storefront location the POS system or credit card
terminal communicates through a dial-up phone line connection.
More and more Merchants are moving to an internet connection.)
4. Whether a storefront or over the internet, the acquiring
processor then communicates the transaction data to the
consumer's (issuing) bank - The issuing bank now authorizes
a certain amount of money and issues an authorization
code, or declines the transaction. The authorization decreases
the customer's available credit, but does not yet put
a charge on his bill or move the money to the Merchant.
At this point, the Acquiring Processor will communicate
with the Merchant's Web site, which will notify the consumer
that the purchase has been approved.
(At the storefront location the POS system or credit card
terminal receives an approval code back from the Acquiring
Processor that the funds are good.)
5. Once the transaction has been authorized, the next
step is a capture - After authorization and prior
to capture, the Merchant is still able to "void" a transaction
without paying discount fees. The capture uses the information
from the successful authorization to charge the authorized
amount of money to the consumer's credit card. In line
with bank card (VISA®/MasterCard®) association
rules, a merchant may not capture a transaction until
the goods have been shipped. So there may be a lag time
between authorization and capture.
6. The last step in the process is to settle the transaction
between the merchant and the acquiring processor -
As captures and credits come in, the merchant accumulates
them into a batch, which will then be settled as a group.
When submitting a batch, the merchant's payment-enabled
Web server connects with the acquiring processor (i.e.,
First Data) to finalize the transactions. If the merchant
is using an Internet gateway service, such as Cardservice
International's LinkPoint Secure Payment Gateway, it will
decrypt the transaction and reformat it for the acquiring
processor. When the acquiring processor receives the information
and settles the batch, it sends payment instructions to
the issuing and merchant banks, which will result in monies
being transferred to the merchant's bank account. (If the
consumer should return the goods after the transaction
has been captured, a "credit" should be generated which
typically will have the same discount and transaction
fees as the original captured transaction. This means
the Merchant pays double for credits.)
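Steps 4 through 6 can be read as a small state machine in which each action is only valid in one state. The following is an added example, not code from the original page or from any processor or gateway; the class and method names are hypothetical, amounts are in cents, and credits (refunds) are left out to keep it short.

```python
# Added illustration: hypothetical names, not a processor or gateway API.
from dataclasses import dataclass, field

class LifecycleError(Exception):
    """Raised when a step is attempted out of order."""

@dataclass
class Transaction:
    amount_cents: int
    card_last4: str            # keep only the last four digits, never the full number
    state: str = "NEW"
    shipped: bool = False

    def authorize(self, approved: bool) -> None:
        # Step 4: the issuing bank authorizes the amount or declines it.
        self._require("NEW")
        self.state = "AUTHORIZED" if approved else "DECLINED"

    def void(self) -> None:
        # Step 5: a void is only possible after authorization and before capture.
        self._require("AUTHORIZED")
        self.state = "VOIDED"

    def capture(self) -> None:
        # Step 5: association rules forbid capture until the goods have shipped.
        self._require("AUTHORIZED")
        if not self.shipped:
            raise LifecycleError("cannot capture before goods are shipped")
        self.state = "CAPTURED"

    def _require(self, expected: str) -> None:
        if self.state != expected:
            raise LifecycleError(f"{self.state}: expected {expected}")

@dataclass
class Batch:
    items: list = field(default_factory=list)

    def add(self, txn: Transaction) -> None:
        # Step 6: only captured transactions are accumulated for settlement.
        txn._require("CAPTURED")
        self.items.append(txn)

    def settle(self) -> int:
        # Settle the batch as a group; return the total submitted, in cents.
        total = sum(t.amount_cents for t in self.items)
        for t in self.items:
            t.state = "SETTLED"
        self.items = []
        return total
```

Rejecting out-of-order calls in one place (`_require`) means a declined or voided authorization can never reach a settlement batch.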