How to Accept Credit Card Payments — Badoo Experience

Tomcat

Every year new payment methods appear around the world, but there is still no universal method that is convenient for every user. In 2008, when we were just starting to build Badoo's billing system, it seemed to us that the future belonged to payment via SMS. Once we ran into the realities of different countries, we realized that this is not the case.

Users' preferences vary by country and by the device they use to access the site. Bank cards came closest to the ideal: their popularity grows year after year, including in Russia. This is not only one of the most common payment methods, but also the most profitable of all those available on Badoo, and there are more than 20 of them.

Today we will cover in more detail what stayed outside the scope of the previous article about billing: processing payments with bank cards; what you need to know and prepare for if you are about to connect them; and how to raise their efficiency if you already have them. The article is aimed at readers without prior background, but experts may find something of interest too.

It all started four years ago, when we put a form for entering card details on our website and began accepting payments. Within a few months it became clear that users were happy to pay for our services not only via SMS but also by card, and the volume of card payments showed promising growth. We began to develop this area actively. Since then we have reviewed a dozen payment gateways offering acquiring services (that is, accepting bank card payments), and we now work with three of them simultaneously. We have added support for 3D Secure, built a system that detects fraudulent transactions, and much more.

Why is it difficult to accept payments with plastic cards?




What could be difficult about it? One simple form where the user enters their card details and clicks Pay. We process the request, send it to the bank, and that's it: the money will soon be in our account. In an ideal world that is how it goes; in the real world it is a little different.

If you want to accept bank card payments, you must first ensure the security of your users' data. For this purpose the major payment systems (Visa, MasterCard, American Express, Diners and others) developed the Payment Card Industry Data Security Standard, PCI DSS. It is a long list of requirements covering the company itself, its application development process, and the configuration of the hardware it uses.

The second problem is protection from fraudulent transactions, or simply "fraud". The site is used not only by honest users but also by fraudsters who pay with stolen card data. After such a purchase the cardholder receives a statement with transactions they do not recognize, goes to the bank and demands their money back. After some time the money is returned to them, while the merchant gets a black mark and a fine from the payment system.

Last but not least is the share of successful transactions. Even if there is enough money on the card and every system involved in the payment works like clockwork, the bank that issued the card can simply decline the transaction if something about it looks suspicious.

Why pass PCI DSS certification?


The main purpose of certification is to make sure that card data is handled securely, that it is hard for an attacker to break into your system, and that even if they do, they cannot easily get at private information. All companies that process card data are required to pass it, even if they do not store that data while processing it.

In the beginning we saw certification as a formality, because we did not keep card details. Our application was only concerned with drawing a nice form that matched the site's design. But gradually it grew, acquiring business logic and "anti-fraud" checks. We started storing users' personal data and authorization data for their cards. As a result, we ourselves became interested in making our system as secure as possible. Now PCI DSS is seen not as a formality but as an opportunity, albeit a somewhat bureaucratic one, to test our defenses.

Compliance with the standard must be confirmed annually. The requirements depend on the level assigned to the company. There are four levels, assigned according to the number of transactions processed per year. Recently Badoo was assigned Level 1, the highest and most demanding, which has the strictest certification requirements: to confirm compliance you need to pass an external audit. For the lower levels, filling in a self-assessment questionnaire or performing an internal audit is sufficient. For the complete list of requirements, see the standard itself. Below we describe what can simplify certification at any of the levels.



First, remember that the security code on the back of the card (CVC) may never be stored anywhere, and the full card number (PAN) may not be stored in the clear. In practice this is not a problem, since the application does not need them to work properly. When a request arrives from the user, the data is immediately forwarded to the aggregator and may be held only in RAM, which the standard allows. Only the first six and last four digits of the card number, the cardholder's name, and the expiry date may be kept in permanent storage. The standard does allow storing the full PAN, but only rendered unreadable: encrypted with a strong algorithm or replaced with a one-way hash. A bare hash of a PAN is weak, because the first six digits are known and the last digit is a check digit, leaving a small space to brute-force; a keyed hash whose key is kept inside the PCI scope is what makes it irreversible in practice.
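As an added example (not Badoo's code), the following Python shows the two storable forms of a PAN described above: the truncated first-six/last-four form, and a keyed one-way reference suitable for "has this card been used before" checks. The CVC is accepted only to make explicit that it is never written anywhere. The test card number and the key are constructed for illustration.

```python
import hashlib
import hmac
import re

def mask_pan(pan: str) -> str:
    """Truncate a PAN to the first six and last four digits, the only
    portion PCI DSS lets you keep in clear text (for support, receipts,
    and BIN-based routing)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def pan_reference(pan: str, key: bytes) -> str:
    """One-way reference for 'seen this card before' lookups.

    A keyed hash (HMAC-SHA256) rather than a bare SHA-256: with the BIN
    known and the Luhn check digit fixed, a plain hash of a 16-digit PAN
    can be brute-forced in roughly 10**9 guesses, so the key is what makes
    the value irreversible in practice. The key stays in the PCI scope,
    never next to the stored hashes."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()

def storable_card_record(pan: str, holder: str, exp_month: int, exp_year: int,
                         cvc: str, key: bytes) -> dict:
    """Build the record that may go to permanent storage.

    The CVC is a parameter only to make the point explicit: it is used for
    the authorization request held in memory and is never persisted."""
    del cvc  # forwarded to the gateway in RAM only; never written anywhere
    return {
        "pan_masked": mask_pan(pan),
        "pan_ref": pan_reference(pan, key),
        "holder": holder,
        "expires": f"{exp_month:02d}/{exp_year}",
    }

if __name__ == "__main__":
    # Constructed inputs: a well-known test PAN and a dummy key.
    demo_key = b"0123456789abcdef0123456789abcdef"
    record = storable_card_record("4111 1111 1111 1111", "J DOE", 3, 2026, "123", demo_key)
    print(record)  # pan_masked is '411111******1111'; no cvc field exists
```

The reference hash is deterministic for the same key, so the same card entered with or without spaces maps to one value, which is what the "number of cards used by this user" style of anti-fraud rule needs without ever storing the number itself.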

The next important thing is to reduce the scope subject to certification. If payment processing is not the company's core business, there is little point in extending the strict PCI DSS rules to the entire infrastructure. It is enough to allocate separate servers and code repositories for the card-processing application, accessible only to a limited number of people. Besides formally reducing the amount of work, this makes the whole system more secure: its components are loosely coupled, so if the main application is compromised, the attacker still does not get access to card data.

The only way to avoid certification entirely is not to process card data yourself. The simplest and most common option is to redirect the user to the payment gateway's page; after paying, they return to your site and you receive a notification about the payment status. For those who still want their own payment form integrated seamlessly into the site's design, there is a more complicated option: encrypt the card data in the browser with the gateway's public key and post the form directly to the gateway, which decrypts it with its private key and processes the payment. Note that in this scheme your page still serves the form and the encryption script, so the integrity of that code remains your responsibility.

What is the danger of fraud and how to reduce it?


Card fraud is the illegal use of someone else's card data to spend money from their account. The danger is not only to the user but also to you as the merchant. The user can ask their bank to return the funds, and not only will you not receive the money for your product or service, you will also pay a fee for each such request, even if you later dispute it successfully. In addition, Visa, MasterCard and the other payment systems may impose extra penalties for a high rate of such returns. While the fee for a single chargeback is usually no more than $10, the penalty for a large volume can easily reach hundreds of thousands of US dollars.

It is important to distinguish two kinds of returns: a "refund" and a "chargeback". A refund you make yourself when the user asks; a chargeback is forced on you by the payment system. That is why fines and all other sanctions are imposed only for chargebacks.

There are many ways to fight fraud. The simplest and most effective is 3D Secure. In essence it is just an extra payment step in which the user must confirm that the payment is being made by the cardholder (see the image below).

[Image: the 3D Secure confirmation step shown to the user]


Besides increasing security, processing a transaction with 3D Secure shifts liability for fraud on it to the bank that issued the card, because the confirmation step is completely under that bank's control and the transaction should not go through if the bank has any doubts. But despite all its advantages, this verification method has one serious drawback: like any additional step, it hurts the payment success rate badly. To verify this we ran a series of experiments in different countries; the results are shown in the graph below.

[Graph: share of successful payments over time in Russia, Italy and the UK; arrows mark the moment forced 3D Secure was switched on or off]


The three arrows on the graph mark the moment when we changed the forced use of 3D Secure in a country. For example, in Russia 3D Secure was initially enabled; after we disabled it, the share of successful payments rose by 20%. In Italy, on the contrary, we enabled it and saw the share of successful transactions drop by 10-15%. Only in the UK did user behavior not change.

We also ran similar experiments in the United States, where users almost stopped paying after 3D Secure was enabled, and in southern African countries, traditionally considered a stronghold of fraud, where disabling 3D Secure nonetheless had a positive effect.

After looking at the results, we decided not to force 3D Secure for all transactions. But to keep chargebacks low, we needed a system that could detect fraudulent transactions and block them. We started by building profiles of the users who are most often the source of fraud on our site.

It turned out there were three groups:
  • carders. These are specialists in stealing bank card data. They test whether the cards in their database still work, and often use bots;
  • spammers. They buy stolen card details and use them to make their profile popular, then place ads or ask other users for money (for example, to treat a serious illness);
  • dissatisfied users. These are people who paid for services but did not like something, or simply forgot that they paid on our site, or just want to get the service for free (so-called "friendly fraud").

To make life harder for such people, we started analyzing their behavior on the site and drawing up rules for our "anti-fraud" system. The rules are based on various transaction parameters, of which there are about 20: the payment amount, the user's IP address and the country that issued the card, the number of cards used by the user, the number of transactions, and so on. Each rule that fires adds "fraud" points to the transaction. Once a certain threshold is exceeded, the transaction is considered suspicious and we either send it for additional verification via 3D Secure or simply block it.
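As an added example (not Badoo's rule set), here is a minimal version of the scoring scheme described above in Python: each rule that fires adds points, and two thresholds decide whether the transaction is approved, stepped up to 3D Secure, or blocked. The rule names, point values, thresholds and the sample transactions are all constructed for illustration; a real system tunes them against its own chargeback data.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Transaction:
    user_id: str
    amount: float
    ip_country: str          # geolocated from the user's IP address
    card_country: str        # country of the issuing bank, derived from the BIN
    cards_used_by_user: int  # distinct cards this account has tried so far
    txns_last_hour: int      # payment attempts by this account in the last hour

# (rule name, predicate, points). Constructed thresholds for illustration.
RULES: List[Tuple[str, Callable[[Transaction], bool], int]] = [
    ("high_amount",      lambda t: t.amount >= 100.0,              20),
    ("country_mismatch", lambda t: t.ip_country != t.card_country, 30),
    ("many_cards",       lambda t: t.cards_used_by_user >= 3,      40),  # carders cycling a dump
    ("velocity",         lambda t: t.txns_last_hour >= 5,          30),  # bots testing cards
]

THRESHOLD_3DS = 40    # at or above: step up to 3D Secure instead of charging directly
THRESHOLD_BLOCK = 80  # at or above: decline outright, do not even offer 3D Secure

def score(t: Transaction) -> Tuple[int, List[str]]:
    """Sum the points of every rule that fires; return the total and the rule names."""
    fired = [name for name, pred, _ in RULES if pred(t)]
    total = sum(pts for name, _, pts in RULES if name in fired)
    return total, fired

def decide(t: Transaction) -> str:
    """Map the fraud score onto the three outcomes used in the text."""
    total, _ = score(t)
    if total >= THRESHOLD_BLOCK:
        return "block"
    if total >= THRESHOLD_3DS:
        return "3ds"
    return "approve"

if __name__ == "__main__":
    # Constructed sample transactions.
    samples = [
        Transaction("u1", 9.99, "GB", "GB", 1, 1),    # ordinary subscriber
        Transaction("u2", 120.0, "RU", "US", 1, 1),   # big purchase, foreign card
        Transaction("u3", 9.99, "ZA", "US", 4, 6),    # card-testing pattern
    ]
    for t in samples:
        print(t.user_id, score(t), decide(t))
```

The middle band is the point of the design: instead of forcing 3D Secure on everyone and losing 10-20% of honest payments, only transactions that already look suspicious pay that cost, while the clearest fraud patterns never reach the bank at all.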

If a fraudster got through all our defenses and we receive notice of a chargeback, we can still try to dispute it. We pay the fee regardless, but if we win the dispute we at least do not lose the payment amount itself.

Particularly advanced aggregators can provide "insider" information about chargebacks the bank has received that have not yet reached the payment system. We use such messages for proactive protection against fraud: they are registered in our system, and we try to refund these transactions ourselves. We still return the money to the user, but because we do so voluntarily, no additional sanctions or fees are imposed on us. The total effect of these measures is not very large, only a few percent of revenue, but for Badoo that is hundreds of thousands of dollars a year, which pays for all the costs.

Why aren't all payments successful?


On the way from the buyer to the bank that issued the card, the debit request passes through many systems. Besides the merchant, the process involves:
  • a payment gateway or aggregator, which may also provide other payment methods;
  • the acquiring bank, a bank connected to the various payment systems that provides processing services for card payments only;
  • the payment systems (Visa, MasterCard, etc.);
  • the issuing bank, the bank that issued the card the user is trying to pay with.

Each stage of the transaction has its own points that can affect its success.

User — Site


At this stage the code is under our control, and if there are problems we can fix them. The most unpleasant type of error here is logical errors in validating the entered data. The cardholder name is the easy case: it can obviously be long or very short and contain digits, hyphens and whatever else the parents thought appropriate, so that check should be lenient. The card number, on the other hand, requires care and knowledge of what it can and should be. For example, its length ranges from 13 to 19 digits depending on the card type, not just 16 as many people think. It is also advisable to check not only the length but the whole number with the Luhn algorithm. When checking the expiry date, remember that the card is valid through the last day of the specified month, not until its beginning.
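As an added example (not the page's own code), the following Python implements the three checks just described: a lenient cardholder-name check, a PAN check that accepts 13 to 19 digits and runs the Luhn algorithm over the whole number, and an expiry check that treats the card as valid through the last day of its month. The test card numbers used here are the well-known Luhn-valid test values, not real cards; the handling of two-digit years is an assumption noted in the code.

```python
import calendar
import datetime as dt

def luhn_valid(number: str) -> bool:
    """Luhn check: from the right, double every second digit, subtract 9
    if the result exceeds 9, sum everything; valid when the total is a
    multiple of 10. Catches single mistyped digits and most transpositions."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def validate_pan(raw: str) -> bool:
    """Accept the spaces and hyphens users type, strip them, then require
    13-19 digits (not just 16) and a passing Luhn check."""
    if any(not c.isdigit() and c not in " -" for c in raw):
        return False
    digits = "".join(c for c in raw if c.isdigit())
    return 13 <= len(digits) <= 19 and luhn_valid(digits)

def expiry_valid(month: int, year: int, today: dt.date) -> bool:
    """The card is usable through the LAST day of its expiry month, so an
    03/2024 card is still good on 31 March 2024."""
    if not 1 <= month <= 12:
        return False
    if year < 100:
        year += 2000  # assumption: two-digit year as printed on the card
    last_day = calendar.monthrange(year, month)[1]
    return today <= dt.date(year, month, last_day)

def holder_valid(name: str) -> bool:
    """Be lenient: names may be short, long, contain digits, hyphens or
    apostrophes. Only reject empty or absurdly long input."""
    return 1 <= len(name.strip()) <= 100

if __name__ == "__main__":
    # Constructed inputs: standard test PANs, not real cards.
    print(validate_pan("4111 1111 1111 1111"))  # 16 digits, Luhn-valid
    print(validate_pan("4222222222222"))        # 13 digits, also legal
    print(validate_pan("4111 1111 1111 1112"))  # last digit wrong
    print(expiry_valid(3, 2024, dt.date(2024, 3, 31)))  # last day still valid
    print(expiry_valid(3, 2024, dt.date(2024, 4, 1)))   # expired the next day
```

Rejecting a 13-digit or 19-digit number, or a card on the last day of its month, produces a silent drop in the success rate that no downstream system will ever report back to you, which is why these validation errors are the most unpleasant kind at this stage.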

Site — Payment Gateway — Acquiring Bank — Payment System — Issuing Bank


At these stages the success of a transaction may depend on the frequency and amount of payments, the country they come from, the card type, and much more. Unfortunately, we cannot influence most of this, so a high percentage of failures here is due to false positives of the anti-fraud systems of one of the participants. But we did find two parameters that we can control and that strongly affect the share of successful payments: using a local processing center, and having the right MCC.

An MCC (Merchant Category Code) is assigned to anyone who wants to accept card payments; any website, or even the shop around the corner, has one. Online banking uses it to break your spending down into categories, and it drives various promotions, for example when the bank gives you back part of the money you spent on groceries or cat food. But the most interesting thing for us is that it feeds into the banks' anti-fraud algorithms.

Initially we had code 7273 (Dating and Escort Services), and the share of successful payments was about 50%. Dating can fairly be attributed to Badoo, but escort services are definitely not about us. When we decided this was not right, we went to our partners and insisted that we needed a different, more appropriate code. Eventually we succeeded, and in one of the countries we received code 4814 (Telecommunication Services). As a result, the share of successful payments rose by 30%. We did not stop there and kept looking for other MCCs we could use. One turned out to be 8641 (Civic, Social and Fraternal Associations), which raised the share of successful payments by another 10%.



Having chosen a suitable code, we were still not satisfied with the figures in some countries. In France, for example, the share of successful payments refused to rise above 50-60%. The reason was that the national payment system Carte Bleue is very popular there, and to accept its cards the processing center (acquiring bank) you use must be connected to it. As a rule, suitable banks are located in the same country whose figures you want to improve. This brings an additional bonus: transactions look less suspicious to the anti-fraud systems of the issuing banks in that country, and the share of successful payments goes up.

After we started using local processing connected to Carte Bleue, we got a 30% increase in the share of successful payments in France. In the US, where there is no local payment system, the same approach gave a slightly smaller increase, about 20%.



Outside the scope of this article is the platform we developed, which let us run all the experiments described above easily and without additional programming. If you would like to read about it, say so in the comments and we will prepare a separate article. And if you have interesting experience in the payment card industry, welcome to the comments; we would be very interested to discuss it.

(c) Anatoly Panov
Lead Developer
 