Payment Processing in a Nutshell: Core Concepts Explained
💡 Bookmark This Guide
In this post I will break down some of the key concepts in payments into easy-to-digest explanations.
This guide is evolving. I will be adding new definitions and covering more concepts, so you can come back anytime for more.
Each of these topics deserves a separate article, but treat this post as an accessible pocket-size handbook that you can share with anyone, anytime.
Contents:
Authorization
Capture
Cancel (Authorization release/Authorization voiding)
Refund
Preauthorization
Payment Service Provider (PSP)
Payment Gateway (& Payment Processor)
Alternative payment methods
Processor tokenization (PCI tokenization, Vault tokenization)
Card on File
Network tokenization
Authorization
Process of confirmation by the issuer that the customer has enough funds in their bank account to make a payment. This also involves a fraud risk check.
A successful authorization request results in an authorization hold for the requested amount on the customer’s bank account. Merchants need to capture the authorization before it expires (usually between 7 and 30 days, depending on the issuer).
Payment processing chain during card-based transaction authorization:
Authorization request
Customer → Merchant → PSP → Acquirer → Card network → Issuer
Authorization response
Customer ← Merchant ← PSP ← Acquirer ← Card network ← Issuer
Capture
Request made by the payment processor on behalf of the merchant to move the funds from the customer’s account at the issuing bank to the merchant’s bank account at the acquiring bank. A capture can only be made for an amount that does not exceed the authorization amount.
There are a few types of capture techniques in online payments processing:
Manual capture - Capture request as a separate operation from authorization
Automatic capture - There is no separation between authorization and capture.
Capture delay - Configurable delay after which capture request is triggered. Allows for additional checks in the process between payment authorization and capture.
In the case of manual (separate) capture, when part of the order or service is not available and cannot be delivered to the customer, it is possible to capture less money than was authorized and release the rest of the authorization amount.
Cancel (Authorization release/Authorization voiding)
An operation that cancels the authorization and releases the customer’s funds in their bank account. Cancelling an authorization is only possible before capture. After the capture is processed, the only way to return money to the customer is a refund.
Refund
Refunding money to the customer once it has been captured. Payments that have not been captured yet can be canceled.
Because a refund takes place after capture and settlement, it is a more complex and costly operation than a cancel, where the authorization can be voided as if it never happened.
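The rules from the Authorization, Capture, Cancel and Refund sections can be enforced as a small state machine on the merchant backend. The sketch below is an added example, not code from any PSP: the `Payment` class, its field names, the 7-day default hold and the cap on cumulative refunds are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


class PaymentError(Exception):
    """Raised when an operation breaks the lifecycle rules described above."""


@dataclass
class Payment:
    authorized: int              # authorized amount in minor units (cents)
    authorized_at: datetime
    hold_days: int = 7           # assumed value; the issuer decides (usually 7 - 30 days)
    captured: int = 0
    refunded: int = 0
    state: str = "AUTHORIZED"    # AUTHORIZED -> CAPTURED | CANCELLED | EXPIRED

    def _require_open_authorization(self, now):
        expires = self.authorized_at + timedelta(days=self.hold_days)
        if self.state == "AUTHORIZED" and now > expires:
            self.state = "EXPIRED"   # hold lapsed: nothing left to capture or cancel
        if self.state != "AUTHORIZED":
            raise PaymentError(f"no open authorization (state={self.state})")

    def capture(self, amount, now):
        """Manual capture; returns the part of the hold that is released."""
        self._require_open_authorization(now)
        if not 0 < amount <= self.authorized:
            raise PaymentError("capture must be positive and not exceed the authorization")
        self.captured, self.state = amount, "CAPTURED"
        return self.authorized - amount

    def cancel(self, now):
        """Void the authorization; only possible before capture."""
        self._require_open_authorization(now)
        self.state = "CANCELLED"

    def refund(self, amount):
        """Return captured money; only possible after capture."""
        if self.state != "CAPTURED":
            raise PaymentError("nothing captured; cancel the authorization instead")
        if not 0 < amount <= self.captured - self.refunded:  # assumed cap: no over-refund
            raise PaymentError("refund exceeds the captured amount still refundable")
        self.refunded += amount
        return self.captured - self.refunded
```

Checking these transitions server-side, rather than trusting the amount or operation sent by the client, is what stops an over-capture or a refund larger than the captured amount from reaching the PSP.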
Preauthorization
Type of authorization that allows for changing the authorization amount. Possible with certain card networks and for certain Merchant Category Codes, as it is more popular for certain types of services like restaurants or transportation.
A use case could be, for example, a driving application that lets the customer tip the driver, increasing the original authorization amount by adding the tip on top of the payment.
Payment Service Provider (PSP)
Company that is responsible for accepting and processing payments on behalf of the merchant. A PSP enables integration of the merchant platform through a single API and offers a variety of payment methods to customers, like credit/debit cards, digital wallets or bank transfers.
A Payment Service Provider can be an acquirer itself or partner up with local acquirers in different markets to process payments.
Example PSPs are: Adyen, Stripe, Checkout.com, PayPal.
They also provide additional features for the merchant:
Fraud protection
In-house solutions: Stripe’s Radar, Adyen’s RevenueProtect
Alternatively, through partnerships with 3rd party Fraud Risk Management software
Compliance with PCI DSS
Compliance with other local/global regulations (e.g. PSD2 regulation mandating implementing 3D Secure protocol)
Reporting and analytics
PSPs abstract away the complexity of the payment process across various payment methods behind a single API integration. They have direct relationships with many acquirers and other payment processors in different geographical regions, so that merchants don’t have to and can focus on building their business.
Payment Gateway (& Payment Processor)
A Payment Gateway is a service that initiates payment requests, collects payment information from the customer and securely (often using encryption) sends it to the Payment Processor. The Payment Processor is responsible for processing the payment, which involves sending it further down to the participants in the payment processing chain.
Modern PSPs usually cover both parts (Payment Gateway + Payment Processor) and they expose:
Browser-side SDK to connect ecommerce checkout to the gateway component
Server-side API to connect ecommerce backend to Payment Processor
The Payment Gateway component is also connected to the Payment Processor on the PSP side, so that in most cases the merchant platform does not need to handle sensitive payment information.
Payment Service Provider = Payment Gateway + Payment Processor (Integrated components of the PSP system)
Merchant Checkout connects to Payment Gateway via browser-side SDK
Merchant Backend connects to Payment Processor via server-side API
Alternative payment methods
All payment methods other than the “traditional” ones, which in the area of online payments are credit or debit cards.
Alternative payment methods include the following sub-categories:
- Wallets: Apple Pay, Google Pay
- BNPL (Buy Now Pay Later): Klarna, Affirm, Afterpay
- Account to Account (A2A) payments: iDEAL, PayPal (or Direct Debit solutions)
Alternative payment methods strengthen the set of payment methods available in an ecommerce checkout because they enhance two very important aspects:
Customer experience: They offer better customer experience with fast and frictionless checkout
Payments localization: They’re favored by customers in specific regions
Brief explanations and features of sub-categories of alternative payment methods:
Wallets - Safely store credit or debit card information along with customer billing and shipping address information. Usually based on tokenization of card information.
Faster checkout due to stored payment information
Increased security due to tokenization
Increased security and reduced costs for the merchants due to network tokenization
BNPL - Form of delayed financing that allows customers to pay for the order in installments instead of paying the full amount upfront.
Increased Average Order Value for merchants, because customers can buy more expensive products with additional financing
Reaching new segments of customers interested in this type of payment
A2A - Form of payment where funds are transferred directly from one account to another without a debit/credit card involved. Facilitated by a separate network connecting and settling transactions between participants, e.g. multiple banks.
Reduced processing costs for the merchants due to bypassing card schemes.
Faster payment processing (fewer participants involved in the transaction processing chain in comparison to card payments)
The paradox of the name “alternative” payment methods is that they are often more popular than traditional payment methods. Merchants partner up with PSPs so that they can offer particular payment methods in the regions in which they are loved and recognized the most.
Processor tokenization (PCI tokenization, vault tokenization)
Service offered by PSPs based on exchanging card information for a unique identifier referred to as a token.
Tokens bring value in crucial aspects of payment processing:
Enhanced customer experience - Customers don’t need to re-enter their card details every time if they are tokenized
Security - Tokens minimize the exchange of sensitive card information and they are bound to the merchant account with a certain PSP, so they are useless when stolen. It’s not possible to derive any sensitive information from the token value.
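The two security properties above (the token is bound to one merchant account, and nothing about the card can be derived from it) can be seen in a toy vault. This is an added example, not any PSP's implementation: `TokenVault`, the `tok_` prefix and the response fields are hypothetical, and the card number is the widely used Visa test number.

```python
import secrets


class TokenVault:
    """Toy PSP-side vault: card data goes in, an opaque token comes out."""

    def __init__(self):
        self._by_token = {}   # token -> (merchant_account, pan)
        self._by_card = {}    # (merchant_account, pan) -> token

    def tokenize(self, merchant_account, pan):
        key = (merchant_account, pan)
        if key not in self._by_card:
            # Random value, not a hash or encryption of the PAN:
            # there is nothing in the token to reverse or brute-force.
            token = "tok_" + secrets.token_urlsafe(24)
            self._by_card[key] = token
            self._by_token[token] = key
        return self._by_card[key]

    def charge(self, merchant_account, token, amount):
        """Resolve the token inside the PSP; the merchant never sees the PAN."""
        owner, pan = self._by_token.get(token, (None, None))
        if owner is None or owner != merchant_account:
            # Same answer for unknown and foreign tokens, so a stolen token
            # replayed from another account reveals nothing about its validity.
            return {"status": "refused", "reason": "invalid_token"}
        return {"status": "authorized", "amount": amount, "card_last4": pan[-4:]}


TEST_PAN = "4111111111111111"   # constructed sample input (test card number)
```

The PAN lookup happens only inside the vault, which is the component that has to be PCI DSS compliant; the merchant stores and sends the token alone.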
Card on File
Card on File is when the PSP stores the customer’s payment card data during checkout with the customer’s consent. During future payments the customer can re-use the stored card information without needing to re-enter all of the details each time, which results in faster checkout and a better experience for the customer.
It’s important to note that the PSP or any other entity storing sensitive card information needs to be PCI DSS compliant.
Card on File usually works hand in hand with tokenization: once the card information is stored “on file”, it is exchanged for a token that will be used from then on to increase security.
Note: on the diagram above Merchant Platform is separate from Payment Gateway, but Payment Gateway is usually provided by the PSP and integrated as a component of the checkout on Merchant Platform.
Network tokenization
Next-level tokenization standard which involves cooperation between the Card Network and the Card Issuer in order to generate a token. Network tokens replace sensitive card information already at PSP level, which reduces the parts of the payment chain that handle sensitive card information in comparison to processor tokenization.
Features of network tokens:
Enhanced security due to minimized exposure of sensitive card information in the payment processing chain. The network token itself does not contain any sensitive information.
Cost optimization due to reduced transaction fees. Visa announced that transactions using network tokens will be charged smaller fees, giving a strong signal in favour of network tokens.
Improved customer experience
Wallet payment methods, Card on File - Network tokens do not change when the underlying card information changes (e.g. due to card expiration) - no update action required by the customer
Recurring payments - Similar to the wallet payment methods, no update action is required from the customer to keep recurring subscription payments working, which is also great news for merchants, who will not lose recurring revenue because of the friction caused by the need to update a stored payment method.
Interoperability - Network tokens can be used to process transactions across different PSPs, as they are not generated at PSP level and bound to a single PSP account, but at Card Network & Issuer level.
This opens the door for 3rd party services that route payment transactions between different processors to optimize for costs and acceptance rates, also referred to as payment orchestration.