A payment gateway is a unified interface in front of numerous payment schemes. It accepts a transaction request from a client (typically a merchant's web shop or point-of-sale system), validates it, formats it according to the message rules of the relevant card scheme or acquiring bank, and forwards it. When the scheme responds, the gateway translates the scheme-specific response back into the client's format and returns it. Because every card number passes through it, the gateway is the single most sensitive component in the payment chain.
For example, when a cardholder pays online, he or she keys in the card number, expiry date and card security code (CVV/CVC), and usually the cardholder name. The cardholder does not need to be asked which brand the card is: the gateway derives the brand from the leading digits of the card number, the issuer identification number (IIN); Visa numbers start with 4, Mastercard with 51-55 or 2221-2720, American Express with 34 or 37. If the merchant account is set up to accept American Express, an Amex card is routed to the American Express processing network; a Mastercard is routed to the acquirer's Mastercard connection, and so on. An authorisation response normally comes back within a few seconds, and the gateway then returns an approve/decline result to the client.
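The validate-and-route step described above, as an added example in Python. This is illustrative code written for this page, not the code of any real gateway: the IIN prefixes are the public ones, but the per-scheme field names, the expiry layouts and the currency exponent table are assumptions made for the example. The log line it produces is deliberately safe to write (masked PAN, no CVV), which is the part most home-grown integrations get wrong.

```python
# Added example (not code from any real gateway): the normalise-and-route
# step of a payment gateway.  A client request is validated, the scheme is
# derived from the card number's IIN, and a scheme-specific message is built.
# IIN ranges are the public ones; the per-scheme field names, expiry layouts
# and currency exponents are assumptions for illustration.
from decimal import Decimal, ROUND_HALF_UP


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: catches mistyped digits before anything is sent."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def detect_scheme(pan: str) -> str:
    """Route on the issuer identification number (leading digits)."""
    if pan.startswith("4"):
        return "visa"
    if pan[:2] in ("34", "37"):
        return "amex"
    if 51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720:
        return "mastercard"
    raise ValueError("unsupported card scheme")


def mask_pan(pan: str) -> str:
    """First six and last four digits is the most PCI DSS allows on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Assumed minor-unit exponents; a real gateway takes these from ISO 4217.
CURRENCY_EXPONENT = {"USD": 2, "EUR": 2, "GBP": 2, "JPY": 0}

# Assumed scheme conventions for the example.
EXPIRY_LAYOUT = {"visa": "YYMM", "mastercard": "YYMM", "amex": "MMYY"}


def build_authorisation(request: dict) -> dict:
    """Validate a client request; return the routed scheme message plus a
    log line that is safe to write (masked PAN, no CVV)."""
    pan = request["pan"].replace(" ", "")
    if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_ok(pan):
        raise ValueError("invalid card number")
    cvv = request["cvv"]
    if not cvv.isdigit() or len(cvv) not in (3, 4):
        raise ValueError("invalid card security code")
    scheme = detect_scheme(pan)
    if scheme == "amex" and len(pan) != 15:      # Amex PANs are 15 digits
        raise ValueError("invalid card number")
    mm, yy = int(request["expiry_month"]), int(request["expiry_year"]) % 100
    if EXPIRY_LAYOUT[scheme] == "YYMM":
        expiry = f"{yy:02d}{mm:02d}"
    else:
        expiry = f"{mm:02d}{yy:02d}"
    currency = request["currency"].upper()
    scale = 10 ** CURRENCY_EXPONENT[currency]
    minor = int((Decimal(request["amount"]) * scale)
                .quantize(Decimal(1), rounding=ROUND_HALF_UP))
    message = {
        "msg_type": "AUTH",
        "pan": pan,
        "expiry": expiry,
        "cvv": cvv,          # sent to the scheme, never persisted or logged
        "amount_minor": minor,
        "currency": currency,
    }
    return {
        "scheme": scheme,
        "message": message,
        "log_line": f"auth scheme={scheme} pan={mask_pan(pan)} "
                    f"amount={minor} {currency}",
    }


if __name__ == "__main__":
    # Constructed sample request using a public Mastercard test number.
    result = build_authorisation({"pan": "5555 5555 5555 4444",
                                  "expiry_month": 12, "expiry_year": 2030,
                                  "cvv": "123", "amount": "10.50",
                                  "currency": "USD"})
    print(result["scheme"], result["log_line"])
```

The Luhn check and IIN routing are the only two pieces that are universal; everything scheme-specific (field order, expiry layout, how amounts are expressed) comes from the acquirer's or scheme's message specification and should never be guessed from a web page.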
Payment gateways are commonly distinguished by where the card data is captured; the third item below is a transaction category rather than a gateway architecture, but it is usually listed alongside them:
- Hosted: the gateway provider hosts the payment page (or an embedded iframe) and the merchant's site redirects the cardholder to it. Card data goes straight to the provider and never touches the merchant's servers, so the provider is responsible for securing its capture and the merchant's PCI DSS scope is greatly reduced.
- Merchant-integrated (also called self-hosted or direct API): the merchant's own site collects the card data and forwards it to a third-party gateway over an API. The gateway operator is an independent company, affiliated with neither the merchant nor the card brand, but it is directly involved in every transaction. Because card data passes through the merchant's systems, those systems are in full PCI DSS scope and the merchant is responsible for their security.
- Card Not Present (CNP): transactions in which the cardholder is not physically present, such as online purchases and mail order/telephone order (MOTO) transactions. These are what most gateways exist to serve, and because the card cannot be inspected they carry a higher fraud risk; the gateway therefore supports checks such as the card security code (CVV/CVC) and address verification (AVS).
The main advantage of using a payment gateway is that it gives businesses a standardised, independently audited channel for accepting card payments over the Internet. It is not the case that card brands forbid merchants from asking for the card number, expiry date and CVV: those fields are exactly what a card-not-present transaction needs. What the card brands and PCI DSS forbid is storing sensitive authentication data (the CVV/CVC, full magnetic-stripe or chip data, and PINs) after authorisation, and they require the primary account number (PAN) to be rendered unreadable wherever it is stored. A gateway that captures the card data itself (hosted mode) keeps that data out of the merchant's systems altogether. In transit, card data must be protected with strong cryptography, which today means TLS 1.2 or later with a modern cipher suite. The "128-bit SSL" still advertised on some sites refers to the deprecated SSL protocols, which PCI DSS no longer accepts as strong cryptography; the key length says nothing about the protocol version.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements maintained by the PCI Security Standards Council (PCI SSC), which was founded by the major card brands, to ensure that ALL parties involved in accepting, processing, storing or transmitting cardholder data maintain a secure environment.
PCI DSS has specific requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. The PCI SSC provides the standard, supporting documents and assessor programmes so that merchants, acquiring banks, processors and other service providers can demonstrate PCI DSS compliance.
The twelve PCI DSS requirements, in summary, are as follows:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
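Two of these requirements are concrete enough to show in code: requirement 4 (strong cryptography in transit, the point made above about "128-bit SSL") and requirement 3 (protect stored cardholder data, including the rule that sensitive authentication data is never stored after authorisation). The following is an added example written for this page, not code from the PCI SSC or any gateway vendor; the field names, the record layout and the sensitive-field list are assumptions made for the example.

```python
# Added example (not from the page, the PCI SSC or any vendor) showing
# PCI DSS requirements 3 and 4 in code.  Field names and the record layout
# are assumptions for illustration.
import hashlib
import hmac
import re
import ssl


# Requirement 4: strong cryptography in transit.  create_default_context()
# already enables certificate and hostname verification; raising the
# minimum version means SSLv3, TLS 1.0 and TLS 1.1 can never be negotiated,
# whatever the peer offers.
def gateway_tls_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Requirement 3: sensitive authentication data (CVV, track data, PIN) must
# not be stored after authorisation, and the PAN must be unreadable where it
# is stored.  Assumed field names for the example:
SENSITIVE_AUTH_DATA = {"cvv", "track1", "track2", "pin", "pin_block"}
FULL_PAN = re.compile(r"\d{13,19}")


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed hash of the PAN for lookups (e.g. 'has this card paid before?').
    An unkeyed SHA-256 is not enough: the PAN space is small and Luhn-
    constrained, so a plain hash is brute-forceable from the BIN alone.
    The key must be kept outside the database that holds the records."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def storable_record(auth_message: dict, response: dict, key: bytes) -> dict:
    """Reduce an authorisation message plus the scheme's response to what
    may be persisted: no CVV/track/PIN, truncated PAN, keyed PAN reference."""
    pan = auth_message["pan"]
    record = {k: v for k, v in auth_message.items()
              if k != "pan" and k not in SENSITIVE_AUTH_DATA}
    record["pan_truncated"] = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    record["pan_ref"] = pan_reference(pan, key)
    record["approved"] = bool(response.get("approved", False))
    record["auth_code"] = response.get("auth_code")
    return record


def contains_sensitive_data(record: dict) -> bool:
    """Pre-write guard: refuse to persist a record that still carries a
    sensitive field name or a value that looks like a full PAN."""
    if SENSITIVE_AUTH_DATA & set(record):
        return True
    return any(FULL_PAN.fullmatch(str(v)) for v in record.values())


if __name__ == "__main__":
    # Constructed sample data (public Visa test number, dummy key).
    demo_key = b"\x01" * 32            # assumption: key comes from a KMS/HSM
    rec = storable_record(
        {"pan": "4111111111111111", "expiry": "3012", "cvv": "123",
         "amount_minor": 1050, "currency": "USD"},
        {"approved": True, "auth_code": "A1B2C3"}, demo_key)
    print(rec, "safe to store:", not contains_sensitive_data(rec))
```

The TLS context is the client side (merchant to gateway); the same `minimum_version` setting applies to a server context built with `ssl.Purpose.CLIENT_AUTH`. If the business needs the full PAN later (for recurring billing, for example), the PCI DSS answer is to store a token issued by the gateway or a PAN encrypted under a properly managed key, not to weaken the rule above.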