Payment Gateway

Make your business transparent with reporting capabilities

Functionality

• Reports include all technical and business relevant data for processed or declined transactions.
• Receive aggregated reports grouped by more than 20 dimensions from payment method to country and currency to date.
• Receive reports automatically or by download your individual report manually.
• Freely customize your export or select a template from pre-defined templates.
• Create and store customized reporting templates personalized to your needs.
• Reports are PCI-compliant, e.g. they either do not contain card data or card data are masked.
• Choose between different report file formats such as csv and excel.
• Use the reports for: o Reconciliation purpose such as system consolidations, o Operational processes such as tracking of processed/shipped orders, o Conversion rate analysis, e.g. which payment methods have the highest acceptance rates, o Chargeback analysis, e.g. monitor chargeback rates.

Technical features

• Single transactions export: o Includes all technical and business relevant data, o Automatic or manual export option.
• • Aggregated export: o Shows sums and volumes of processed payments o Manual export option.
• • Data warehouse analysis export: o Perform payment and chargeback analysis, by payment method, payment type, country, currency, chargeback reason codes, etc… o Multi-dimensional cube for analysis of top 5sales channel KPI, top regional or payment method figures, check conversions per scheme etc.. o Navigate through time and analyze chargeback and rejection rates and reasons o Presentation layer provides different graphical diagram templates serving any use case displaying the processing data in charts of column, line, pie or bar diagrams. o Manual export option.
• • XML query API: o Send real-time request xml queries for single and multi-transaction status

Simple PCI – from burden to benefit

Compliance core processes

• System and security engineers are on duty 24/7to react immediately to any kind of service or security event
• The processing system has to be located in PCI-compliant data centres that have video surveillance and access control through the use of a badge, PIN code and hand/palm scanner
• Implementation of an incident response plan, which describes procedures to be taken in the event of a security or data breach

Compliance core principles

• The ‘four-eyes principle’ is enforced throughout the company, including in the development and operations departments
• Cross-department workflows to ensure ‘four-eyes principle’ is implemented
• Need-to-know principle, in which all information is kept confidential
• Separation of operations and development to enforce need-to-know principle and strict security: for example, developers have no access to any live system nor do they know of any of the passwords used in the production environment
• Ongoing, company-wide security-awareness training
• Daily, ongoing processes like log-file monitoring, security and audit-logging reviews
• Regular security assessments and penetration tests by certified security engineers
• Standardised cross-department system-change-management processes

Technical compliance

• Redundant, multilayer external and internal firewalls
• Redundant Web application firewalls
• More than 25 security-monitoring servers in the production environment
• Passwords are one-way encrypted
• Instant notification of alerts via SMS and email to all operations members
• Segregation of duties (need-to-know principle)
• Multiple internal networks to segregate system components according to security levels
• Active–active load-balancer setup to optimise system performance and reliabilities
• Encrypted communication channels (VPN, SSLv3, etc.) between data centres
• DDOS mitigation solution to automatically detect and mitigate DDOS attacks on the payment system
• Encrypted storage of sensitive information like credit card numbers –encrypted, secure and verified backups
• Network intrusion detection systems (NIDS) on every network perimeter to detect dangerous and malicious traffic between every single system component
• Host intrusion detection systems (HIDS) on every single server node, for instance, to detect file manipulation and unlawful access attempts
• Real-time antivirus scanning on all APIs
• System components are always kept secure and up-to-date by means of regular system maintenance(security updates and patches) without downtime or impact on customers
• One functionality per server – decentralization of services to maximize security and transparency
• Internal security specialists (TISP, OPST etc.) to validate all system changes
• Real-time security monitoring, weekly internal and external security scans and penetration tests to ensure maximum security
• OWASP security training for developers to enforce secure programming based on standards set by security engineers around the world
• Pair programming to ensure high-quality application source code
• Every single line of source code is verified by a second engineer before it is applied to the system

Merchant-managed recurring billing

How it works

• The registration module collects all essential shopper data and payment methods used for regular payments, managing these in a secure way that is certified according topics (level 1). The registration data is abstracted via a token used for subsequent payment.
• The merchant calls the payment platform and requests to debit a shopper, referencing the registration details via the token provided; this initiates a recurring payment cycle.
• The merchant repeats the payment collection as defined by the shopper’s subscription agreement. For regular processing, merchants can adapt their marketing strategy with flexible price or product variations, which activate the shopper or initiate a reaction to competitors.
• In case the shopper cancels the service, the merchant deregisters the shopper in the registration module. All data will be deactivated and archived securely according to industry standards and regulations.
• In case the Account Updater service is supported by the issuer, expired card details can be automatically updated.

Recurring Billing with Stored Billing Plans

Easy recurring billing with a ready-to-use, PCI-compliant stored billing plan implementation

Functionality

• During shopper registration, the payment gateway collects all essential shopper and payment data, managing these in a secure way that is certified according to PCI. The registration data is represented via a token used for subsequent payments.
• Based on this registration, you can set up an automated billing plan by submitting a scheduling request to the gateway. In addition to the token, the scheduling request contains the amount, currency and description of the payment to be repeated, as well as the trial period, frequency, duration and an optional cancellation period for the billing plan.
• After the billing plan is set up, the gateway will automatically trigger recurring payments in regular intervals as defined in the billing plan for the duration of that plan. If an account updater service is supported by the issuer, expired card details can be automatically updated.
  You are free to change or cancel existing billing plans at any time by sending a rescheduling (change) or de-scheduling (cancellation) request to the gateway. Cancellations will become effective only after the cancellation period of the billing plan, if one was defined earlier on.
• Even after a billing plan has expired or has been cancelled, the same registration token can still be used for new billing plans or one-off payments until the merchant decides to de-register the shopper. In this case, all shopper data will be deactivated and archived securely according to PCI data security standards and regulations.

Technical details

• Multiple independent billing plans can be created for the same token, which allows the modelling of advanced recurring scenarios.
• The token and the payment data represented by it are stored independently from the billing plan and can be used for one-off payments in addition to the billing plan.

PCI-compliant tokenisation solution

Functionality

• Register account details and get a token returned
• No need to save account details in your system
• Matching token and account details is only possible in the highly secured gateway environment
• Less sensitive data like BIN, last 4 digits, holder or expiry date can be saved for identification reasons without breaching card industry standards
• Ideal supplement to the gateway’s hosted payment page solu¬tions for fully PCI-DSS-compliant processing with no hassle
• Captures and refunds, partial captures or receipts are fully available for tokenised accounts

Technical features

• The link between the token and the actual data exists only within the payment gateway.
• The payment platform is fully certified according to PCI-DSS Level 1, meets the highest security standards and is operated by a team of experts dedicated to security, privacy and compliance.
• The payment platform is operated in a data centre certified to PCI-DSS, ISO 27001 and ISO 9001 standards.
• The gateway and hence the tokenisation itself meets your highest demands in terms of availability, scalability and reliability.
• Intelligent clean-up routines ensure the availability of your data as long as required by your business.
• The gateway does not lock you in by holding your data hostage.

Smart Transaction Routing

Functionality

You can configure if, where and how transactionsare routed to different MIDs based on:

• Credit cardbrand
• Direct debitcountry
• Currency
• Credit card/debit card BIN country
• Credit card/debit card BIN or BIN range
• Clearing institute velocity
• Merchant account velocity1
• Weighting (e.g. 60%–40% split)
• First-timevs.returning/known shopper
• Recurring or one-time payment
• Ticket size (payment amount)

Technical features

Number or total volume of transactions per time unit.

Please refer to the following feature matrix to find out which routing options might best help you to maximise your profits.

Of course, different routing optionscan be combined to meet your specific business goals. For example, you may want to maintain a 50%–50% weighting between two MIDs but,at the same time,make sure that domestic transactions only go to the domestic acquirer based on the BIN country.

A credit card/debit card BIN consists of the first six digits of the card number and uniquely identifies the issuing bank, the country the card was issued in and the brand of the card.

Optimise profits through advanced risk management

Functionality

Our more than 120 internal risk management tools can be applied to transactions involving e-commerce, remittance, adult entertainment, MLM (multi-level marketing), travel, pharmacy, dating, gaming and gambling. We have several years’ experience in creating the perfect fit for your merchant’s risk set-up.

Technical features

To achieve a state-of-the-art risk management, all checks offered can be easily activated through the merchant backend platform. No technical configuration is needed. Activation of additional external risk checks is also available. All checks are executed and scored in real time.

• Data validation, like doublet checks, black and white lists
• General checks, like BIN checks, address verification
• IP-based checks, e.g. anonymous proxy or geo-location built on Neustar IP (formerly Quova)
• Plausibility and velocity checks
• Intelligent fraud detection algorithms
• Authentication checks, like 3-D Secure, email, SMS, bank account or credit card authentication
• Monitoring and control through data-mining correlation tests
• External risk checks, like Schufa, Info score, Threat Matrix, ReD Shield, Gatekeeper, Delta vista Transactions that are below a predefined and fully customisable threshold are declined; the rest are approved.

Maximise profits through modular risk intelligence

Functionality

The gateway serves a variety of payment and financial institutions worldwide. Therefore, our more than 120 internal risk management tools can be applied to transactions including e-commerce, remittance, adult entertainment, multi-level marketing, travel, pharmacy, dating, gaming and gambling and many more. We have abundant experience in creating the perfect fit for an optimal risk set-up. Validation and risk checks can be carried out in a stand-alone transaction, before the actual payment, to allow you to adapt your workflow according to the result. Stand-alone risk checks can be used to determine the payment method selection offered to a shopper. Shoppers with a low score value only have access to payment methods with little to zero risk, e.g. online bank transfer

Technical features

All checks are executed and scored in real time. Transactions that are below a customisable threshold are declined; the rest are approved. You can also choose to have transactions marked for manual review if they fall within a certain score range.

• Semantic customer validation
• Algorithmic and database account validation
• Black and white lists on account numbers, email addresses, IP addresses, BINs, etc.
• Payment type and ticket size restrictions
• Plausibility checks
• IP-based and geolocation checks built on Neustar IP (formerly Quova)
• Correlation checks
• Fraud-detection algorithms
• Velocity checks on accounts, merchants, IP and email addresses
• Authentication methods such as micro deposits, SMS, email, bank account or credit card authentication
• AVS verification
• 3D Secure (Verified by Visa / MasterCard Secure Code / J/Secure)
• Additional selection of third-party checks available

Merchant Payment Integration Options

Functionality

By applying COPY and PAY, our new merchant integration option, merchants can integrate a self-hosted payment page within minutes and still maintain full control on their look and feel. Alternatively to fit existing portfolios we continue to provide and support a classic hosted payment page. Both options require minimum PCI compliance efforts.
The XML and HTTP POST APIs allows merchants to send in online payment transactions while maintaining full end-to-end control over the user experience as well as integrating their back offices with the payment gateway.

For integrating your back office for example the logistics or order management solutions that generate large number of transactions at the same time, such as SAP R/3, there is a high-performance batch processing interface available

The virtual terminal user interface is optimized for fast data entry by call center agents.
Mobile Point of Sale (mPOS) allows merchants to accept card-present transactions at the point of sale on mobile devices using magnetic stripe readers as well as EMV certified Chip &PIN setups.
Mobile Commerce (mCommerce) allows shoppers to pay on their mobile devices in mobile applications from shopper apps to mobile wallets.
Merchant that use popular shop engines just download and install the appropriate payment plug-in.

Technical features

Please refer to the following feature matrix to help you find out which integration options fit your business best.

*For more information please refer to:https://www.pcisecuritystandards.org/documents/pci_dss_saq_instr_guide_v2.0.pdf

COPY and PAY

COPY and PAY, easy payment integration for merchants: Host your own payment page, in your own design within minutes

Product facts

Functionality

By applying the platform’s new merchant integration option “COPY and PAY”, you develop and host your very own payment page. In this case, you will not touch critical credit card data, as the form posts the data directly to the gateway’s servers, so PCI compliance is achieved with a minimum of effort.
A sophisticated widget library makes it easy to build the payment forms and handles the different workflows that come with different payment methods.

Technical details

It’s as easy as this:

•   You prepare a token for the payment by sending one request with credentials and unmodifyable data, such as an amount in a server-to-server call.
•   On the payment page, you either use one of the ready-made widgets to create a pre-integrated payment form, or have to include a simple JavaScript call to a form designed by you. The shopper then triggers the payment using the account details from the browser.
•   Finally, you easily get the result of the payment in a simple call either server-side or from the browser, using the token obtained earlier.

And as flexible as that:

What if you need a checkbox for a newsletter that needs to be sent right away along with the account details?
No problem: any merchant-defined parameters can be sent and are returned.

What if you want to send credentials from the server first and then collect the shopper’s address data in a browser form, calculate the final amount on the server and finally let the shopper enter the account details?
Not an issue: The payment session in “COPY and PAY “is accessible by a token until the payment is ultimately triggered. You are informed about data entered in each and every step.

What if you require the widget library to do something different than intended?
As easy as this: it’s just JavaScript and CSS; it is well designed and documented. It can be copied, modified or just used as a reference template – whatever is necessary to get the perfect result for the case at hand.

What if you want to integrate 3D Secure or asynchronous payment schemes?
No problem – the various call backs involved in complex asynchronous workflows automatically get handled by the COPY and PAY integration. For you, the workflow is the same, whether the payment scheme is asynchronous or not.

Try it out: https://sample.test.ctpe.info/Integrationguide/CopyandPay.html

Graphics: The platform’s widget library

Start off by using the platform’s widget library with the default style and JavaScript, and ultimately go on to host your own style and JavaScript.