Online Payment Ecosystem 101: Things everyone needs to know
The online payment ecosystem is too big and complex. This article gives a brief but holistic overview of the online payment ecosystem — understanding end-to-end flow and all the actors involved.
Last year, I was working on one of the e-commerce projects as a Product and Program Manager — the task was to create an e-commerce platform, end to end. While reviewing various electronic payment gateway for our particular use case, I had an insane thought — why can’t we create our electronic payment gateway? One may think what is insane in this! Well, I thought the same, but when I explored and tried to understand the online payment ecosystem, that time I understood the insanity of my thought.
In this article, I will not focus on the payment gateway but will try to give a brief but holistic overview of the online payment ecosystem. Generally, people start with different actors and terminology involved, but I prefer taking one end-to-end flow and discussing the various terms and actors as and when they come.
Online Payment Ecosystem:
Consider a customer “Jane Doe” who goes on an e-commerce website and is about to buy product “X” of the merchant XYZ Corp. Let us say she is going to use her credit/debit card for the purchase. For that, she has to enter her card details. Depending upon the e-commerce site, she can enter her card details on the e-commerce platform or the next screen. Most likely, she will be redirected to an external site/platform to enter her card details, for example, CC Avenue, PayU, RazorPay, PayPal, etc. This external platform is famously known as Electronic Payment Gateway. The below diagram describes the whole flow. We will go step by step.
Electronic Payment Gateway (EPG): As the name suggests, this is the gateway to the payment ecosystem. Its main task is to encrypt the customer’s sensitive data and pass it to the payment processors (another entity in the ecosystem). EPG provides tokenization. Tokenization, the process of protecting sensitive data by replacing it with a token, is often used to prevent credit card fraud. In credit card tokenization, the cardholder’s primary account number is replaced with the token. The token is then passed through the various networks needed to process the payment, but actual bank details are never exposed because they are held in a secure token vault. This is not the exhaustive list of the services provided by the EPG. Businesses that handle cardholder information must comply with the Payment Card Industry Data Security Standard or PCI DSS. This requires lots of technical expertise and infrastructural investment.
Payment Processors (PP): They are the main worker or the main brain of the ecosystem. Processors are the entities that handle the movement and verification of transaction data between the merchant and the other parties (acquirer, card networks, issuing bank) involved in the execution and settlement of transactions. They provide the technical capabilities and connectivity to the card networks for transaction authorization, clearing, and settlement. When PP receives inputs from the EPG, the first thing they do is to authenticate that the payment is sent by the claimed source. Please note authentication is different than authorization. Once authenticated, PP passes the information to the card networks/associations, which passes the information to the Issuing Bank.
Before moving ahead, it’s important to discuss the Merchant Acquirers. Because many times, PP is confused for the Merchant Acquirers and vice-versa.
Merchant Acquirers: In simple words, MA is nothing but the Merchant’s Bank. The bank that holds the merchant’s account, accepting the deposits from the merchant’s transactions. Also knowns as the Acquiring Bank. Not every bank is an acquiring bank. Acquiring banks are members of card networks, such as Visa and Mastercard. As entities that are licensed to enable merchants’ access to the payments system, acquiring banks must follow regulations from the card networks. They bear financial responsibility for their merchants’ credit card transactions, so they are responsible for underwriting and performing ongoing due diligence on their merchant customers.
Merchant Account: A merchant account is a type of business bank account that allows a business/merchant to accept and process electronic payment card transactions. In layman’s terms, it is the merchant’s account in the Acquiring Bank.
Many big Merchant acquiring banks provide the Payment Processor service too. Hence, people get confused and think both are the same. When Acquiring Bank provides the Payment Processor services too then it is called — Merchant Acquirer. As it was not already confusing!
Now, coming back to our original flow. PP passes information to the Card Networks. Let us see who they are?
Card Networks: The card networks (Mastercard, Visa, Discover, American Express, etc.) are a critical piece of the payments puzzle. They provide the infrastructure needed to clear and settle transactions between issuing and acquiring banks. They provide “Network” hence the name card network. Visa’s network is known as VisaNET. In addition to this, they provide other features such as fraud security, etc. The card networks manage the interchange system — a system of fees that acquirer banks pay to the issuing banks — and set interchange rates. They establish and enforce the rules and regulations that businesses operating within the payments ecosystem are all required to follow. Their mandate is to protect the consumer, ensure security and reliability in the systems used for payment transactions, and engender trust in those systems.
The networks also work to drive card usage by developing new products and services and promoting brand awareness and acceptance.
As we know there are only a few Card Networks, they have almost a monopoly over the market. Hence, they dictate the terms.
Issuer/Issuing Bank: The request reaches the Customer Bank also known as the Issuing Bank. The bank authorizes the request — Card number, CVV, does customer has the funds, etc. Nowadays, most banks will send second verification with an OTP or 3d secure password. If everything is correct, then the issuing bank authorizes the payment request.
The authorization response goes back to the Payment Processors via Card Network. It passes back the response to the EPG and then it’s displayed back to the e-Commerce site. Generally, the e-Commerce platform will have small logic written in place, to display the response in a customer-friendly manner.
Depending upon the arrangement and agreement — If the authorization was successful, PP passes this information to the Merchant and the Acquiring bank too. Payment Processor uses the same card network and receives the funds from the issuer bank. And deposits money into the merchant’s bank account. This completes the whole cycle of the payment. Please note this is just one example, based on country, different parties this can vary a lot.
What is the source of Revenue for each party?
As you must have guessed, each and every party that touches the transaction charges some fee for providing their services. There are way more than different types of fees and structures involved in the ecosystem. So we won’t go deep but just cover a few at a high level.
Usually, each party involved charges some commission which can vary drastically from 0.5% to 5%.
Merchant’s Bank: They charge a monthly fee and take commission per transaction from the merchant.
Merchant Discount Rate: This is the fees charged by the Payment Processors to the merchants. If the acquiring bank and payment processors are the same then they combine the fees.
Markup Fees: Many times, the Merchant Discount rate is also called a Markup fee. But markup fees contain commission of the Electronic Payment Gateway too. for example, 0.25% + $0.10.
Assessment Fees: The credit card networks/association (Visa, MasterCard, etc.) also charges a fee, called an assessment. For example, 0.10% + $0.02. This rate is usually bundled with (and called the same thing as) the interchange fee.
Interchange Fee: The issuer/Issuing Bank gets paid by taking a percentage of each sale, called the interchange. This fee varies depending on a bunch of things, such as industry, sale amount, and type of card used. Till a few months back there were almost 300 different interchange fees! The fee could look like this: 2.0% of the volume + $0.10 per transaction.
High Barrier to Entry:
As we can see even the simplest flow had so many parties involved. And it’s not the technology but the business networking and partnership-driven ecosystem needing lots of investment. If anyone wants to enter into this ecosystem, let’s say as a new EPG, then they need to partner with Payment Processors. If PP agrees, then also the new EPG has to set up all the infrastructure. And develop the tech solution which is in compliance with the PCI DSS. These all take 6 months to 12 months time to develop. The cost can start from $250K plus (a rough estimate). Now you know why I said my idea of creating EPG was insane!
A shift in the Ecosystem:
Though in recent times a new entity/party has come into the ecosystem. They are known as Payment Facilitators.
The payment facilitator model was created in order to streamline the process for businesses to begin accepting electronic payments. Traditionally, merchants who wanted to begin accepting credit card transactions needed to set up an account with a merchant acquirer, which is a bank or a bank-sponsored firm. One of the issues that merchants experienced with the traditional model is that obtaining a merchant account from an acquirer could often be a time-consuming and complex process, impeding their speed to getting up and running as a business. Payment facilitators solve this problem by setting up a master merchant account through an acquirer and then using this account to allow their customers to accept payments — creating a more frictionless road to credit card acceptance for sellers. Maybe I will cover this in detail in my next blog as there is a whole ecosystem built around the Payment Facilitators.
Conclusion:
The idea of this article was to get everyone familiar with the online payment ecosystem. This is in no way an exhaustive analysis of the payment industry. This can be used as the first step to knowing the payment industry. I hope this article added to your knowledge.
References:
Investopedia: https://infinicept.com/payment-facilitator/learn/get-started/how-does-a-payment-gateway-work/
Paypal: https://www.paypal.com/us/brc/article/how-online-payments-processing-works
Softjourn: https://softjourn.com/insights/how-to-build-your-own-payment-gateway
Infinicept: https://infinicept.com/payment-facilitator/learn/get-started/how-does-a-payment-gateway-work/
