What Happens Behind the Scenes When You Make an Online Payment

Whether you are ordering food via your smartphone or paying for a subscription to your favorite streaming service, the convenience of making instant payments online has made them commonplace in modern life.

However, most people give little thought to the complex process that happens behind the scenes when they confirm a payment. From security systems that spring into action to routing tables that direct your payment request to its proper destination, the few seconds you wait for authorization are filled with a whirlwind of activity across numerous hidden servers.

To help you better understand how transactions happen and how they are kept secure, we outline below exactly what happens in the background when you make an online payment.

Pre-Payment: Payment Card Industry Data Security Standard

One of the most important things to understand about your online payments is that they can only occur on websites or platforms that are compliant with the Payment Card Industry Data Security Standard (PCI DSS).

Adherence to PCI DSS is compulsory for any business that processes, collects, transmits, or stores cardholder data from visitors. As such, any business that is not PCI DSS compliant is often restricted from engaging in these activities and may be blacklisted by payment gateways and processors.

To remain compliant with PCI DSS, platforms need to follow a comprehensive list of requirements that is continually updated to mitigate emerging threats. Among the common practices required are the installation of a firewall, ensuring encryption during transmission of data and while storing it, and regular updates of anti-virus programs and other security monitoring systems.

Furthermore, regulations also stipulate restrictions on access to data, how monitoring of data should be undertaken, and require regular testing of all security systems. These minimum requirements apply to all vendors that accept online payments.

For Level 1 merchants, such as online casinos where you can deposit money or high-volume merchants like Amazon, stricter measures are enforced. These platforms are required to provide an annual Report on Compliance (ROC) and perform quarterly network scans undertaken by an Approved Scanning Vendor (ASV).

Initiation on the Merchant Platform

Assuming that your chosen vendor is PCI DSS compliant, the start of your payment’s journey occurs when you initiate the payment by clicking or tapping a button that says “Pay Now,” “Place Order,” or something similar.

When this occurs, the merchant that you are intending to pay immediately takes your card information and transmits it to a payment gateway. At this point, your information is outside the control of the merchant, and the site you are paying has nothing more to do with the payment except to await confirmation of its success or failure.

Request Creation via Payment Gateway

The request for money to be moved from your account to the merchant’s account is only generated once your initiation reaches the payment gateway. The gateway can be seen as the intermediary between the merchant and the payment processor. Which gateway handles the request depends on the payment method you use and on the provider with which the merchant site has registered its payments.

Upon receiving the initiation request from a merchant, the payment gateway verifies the information received and then encrypts it to maintain security. While doing this, many payment gateways also perform rudimentary fraud checks to ensure the initiation received is legitimate.

Once this is complete, the gateway sends the encrypted request to the payment processor and awaits a response, which it will then send back to the merchant site to confirm if the payment was successful or declined.

Payment Processor’s Initial Task

The payment processor is the intermediary that deals with the acquiring (merchant) bank and issuing (customer) bank. It starts working as soon as a request for payment is received by a payment gateway.

When a request is received, a payment processor checks its validity and that all required information is present. At the same time, further checks to detect fraud are undertaken. Payment requests are then securely forwarded to the acquiring bank.

At this stage, the payment processor’s initial work is done. However, it will be used again once the payment has worked through the following steps.

Acquiring Bank and Card Network Routing

When an acquiring bank receives a payment request from a payment processor, it verifies that all necessary information is present. This includes the reason for the payment, the amount, the card details for the payment to be processed, and the personal information needed for verification.

If all this information is valid, the acquiring bank will forward the request to the issuing bank via the relevant card network (e.g., Visa, Mastercard, American Express). These card networks act as bridges between acquiring and issuing banks and ensure that all payment requests are correctly routed.

Issuing Bank Decision

Upon receiving a request via a card network, an issuing bank will perform multiple checks. Among these are the validity of the information provided (such as the card information and status), the availability of funds required for the transaction, and further checks to help identify possible fraud.

These checks, which are practically instantaneous, also include checking the transaction request against the account holder’s typical habits and historical records. In order to offer enhanced security, transactions that appear vastly different from normal usage are flagged for further monitoring.

This process, which often means a transaction will be manually inspected by a member of a bank’s fraud department, occurs quickly behind the scenes.

Issuing Bank Response

If everything in a payment request is verified and the availability of the funds is confirmed, the issuing bank will decide to approve the transaction. In instances where funds are not available or verification fails, it will be rejected.

When approved, the issuing bank will generate a unique authorization code. This code is then sent back via the card network to the acquiring bank, signifying that the payment request has been validated and that the issuing bank confirms that the transaction can proceed.
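The issuing bank's checks and its response, as described in the two sections above, can be sketched as follows. This is an added example, not code from any bank or card network; the field names, the z-score test and its threshold, and the six-character code format are assumptions made for illustration.

```python
import secrets
import statistics
from dataclasses import dataclass
from typing import Optional

ANOMALY_Z = 3.0  # assumed threshold: std deviations from the cardholder's mean spend

@dataclass
class Account:
    card_active: bool
    available_cents: int
    history_cents: list  # amounts of past approved transactions

@dataclass
class Decision:
    approved: bool
    reason: str
    auth_code: Optional[str] = None
    flagged: bool = False  # True = route to fraud monitoring

def is_unusual(amount_cents, history_cents):
    """Compare the amount against the account holder's historical spending."""
    if len(history_cents) < 5:
        return False  # too little history to define "typical" usage
    mean = statistics.fmean(history_cents)
    spread = statistics.pstdev(history_cents)
    if spread == 0:
        return amount_cents != mean
    return abs(amount_cents - mean) / spread > ANOMALY_Z

def authorize(account, amount_cents):
    # Validity and card status first, then funds; any failure is a decline
    # and no authorization code is issued.
    if amount_cents <= 0:
        return Decision(False, "invalid_amount")
    if not account.card_active:
        return Decision(False, "card_not_active")
    if amount_cents > account.available_cents:
        return Decision(False, "insufficient_funds")
    flagged = is_unusual(amount_cents, account.history_cents)
    # Draw the code from a CSPRNG so it cannot be guessed (format is assumed).
    code = secrets.token_hex(3).upper()
    return Decision(True, "approved", code, flagged)

if __name__ == "__main__":
    # Constructed sample account: 2,000.00 available, six small past purchases.
    acct = Account(True, 200_000, [2500, 3100, 1800, 2750, 2200, 2900])
    for amount in (2600, 95_000, 250_000):
        print(amount, authorize(acct, amount))
```

In this sketch an unusual but otherwise valid transaction is still approved and carries the flag, matching the description of flagged transactions being passed on for further monitoring.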

Payment Processor’s Final Task

After receiving this authorization code, the acquiring bank will forward this code to the payment processor, which then records the payment’s success or failure for the merchant. This record forms part of the reporting process that payment processors are required to provide to merchants.

Irrespective of success or failure, the payment processor will forward the result of the request back to the payment gateway. Upon receiving the status of the request, the payment gateway will then forward the result to the merchant site, where you will see whether your payment was successful.

Conclusion

Despite the complex process of ensuring your payment is secure and that all information is verified at every level, online payments typically take only a few seconds to process and provide a result. This incredible convenience, which is offered while maintaining stringent security, is one of the many reasons online payments have grown increasingly popular and continue to do so.