a topic I had no idea I was casually interested in & wanted to read books about despite the fact that I have no plans to work in this sector, my favorite (not sarcastic at all)
- void, a refund on authorization
- account verification, used to store a card, without authorization
- card on file, a stored card
- BIN, bank identification number
- POS, a payment in store, physical terminal
- card not present, payment from distance (ecom, moto)
- moto, mail order, telephone order
I dig this as a quick intro. I've worked directly with payments at several orgs now, and yet didn't really grok payments until I read Payments Systems in the U.S. - Third Edition: A Guide for the Payments Professional. Afterward, I was actually able to understand how the pieces fit together. It is concise, and highly recommended to anyone working with payment systems.
It would be cool if there was a unified payments API interface that payment providers (paypal, cashapp, stripe, ccbill, payment cloud, segpay, epoch, whatever) would agree to use. Hopefully, users would drive adoption, and feel free to swap providers. Also, platform agnostic (apple ios, android, web, etc). I dunno, just thinking out loud.
Building such a thing would be extremely difficult. When you start getting to the local level with banks, networks, and governments, there are all kinds of different things you have to deal with.
You have all the different forms of payment that exist (credit card, banks, prepaid, ewallets, and even cash (reference number flows where the user takes a QR code into a store or kiosk, scans it, then pays in cash)). Then the details within those flows vary greatly by country/region. Credit cards have 3DS flows, plus CIT/MIT information. Banks want to do all kinds of 2FA, regularly they want the user to be redirected to their website to complete it. And on mobile, you could redirect to a bank or ewallet's app to confirm the payment. Then beyond that, you have various risk signals that different countries want to fight fraud. Some are lax, some are extremely invasive.
Once a payment has been initiated, knowing that it is Completed/Accepted can be really complicated. Credit cards, once you have an auth, a capture is all but guaranteed, but you still have chargebacks to deal with. ACH has a fuzzy window about when it can be reversed. Various other forms of payment have anti-fraud mechanisms that allow payments to be reversed with various windows about when that can happen.
You will always have various governments come in and force new rules that don't play nicely with whatever uniform API you create. For example, the Royal Bank of India forcing all storage of credit card numbers to happen within their country's boundries (data localization). This all of a sudden may force a flow that was using credit cards just fine to now require you to use tokens in their place.
It feels like the payments space should be easier than it is, but various regulations and security/privacy measures that change by region regularly will mess with such an API.
Edit: to add some more fun examples: it's also good to understand that some payment systems in the world are still very manual. There are people with spreadsheets that generate reports. So as a processor, you can get a response from a bank where 2 numbers are transposed in a report. Or you get reports where you aren't given a transaction_id, just a date and amount and you have to figure it out (see the UK's BACS DDICA reports).
On paper it looks kinda nice. I've seen some discussion about implementing it from the payment method perspective.
Problem is that Google would be massively privileged, as browser orchestrates the process and payment methods aren't necessarily looking for the fair compromise either.
That sounds like a protocol. It would be nice. Someone got downvoted for mentioning Bitcoin, but blockchains are protocols capable of transferring value.
I had this idea once for a Wordpress plugin for Woocommerce websites. A plugin that would abstract all providers APIs to Woocommerce. Paid versions of the plugin would allow the merchant to work with several providers in parallel in order to reduce transaction fees (increasing the operational margin then).
Not bad, but this is very high level. In Payments, the devil is in the details. Things like tokenization, security authorization, fraud detection, various kinds of payments rails, recurring payments, cross border payments, etc often matter.
I was under the assumption that Stripe, PayPal, Square, etc are not payment processors but either payment facilitators or payment gateways (depending on the platform) in that they don't actual process the payments but rather provide a convenient PCI-compliant way of moving the transactions to the actual payment processor (Something like NCR, GlobalPay, Elvaon, etc). In Stripe's case in particular I thought they were a payment facilitator and as a payment facilitator they board you as a sub-merchant which makes the process of getting an MID easier. Is that right or does Stripe actually process payments?
Stripe is a Payment Facilitator, and they pioneered the modern PayFac model. That’s one of the reasons that the word Stripe appears on your credit card statement when you pay someone that is using Stripe. Additionally it means they front the risk of accepting payments on your behalf. They are also a payment processor. Those aren’t exclusive operating models, at least in the US.
Agree. But covered cards because it is the most complex form of payment with a lot of intermediaries. So understanding the longest path, will help to prepare as developer for payments industry
> a Non-PCI compliant merchant's website cannot directly accept the card data from the user (on the frontend user interface)
This needs rewording, I am not sure if they're trying to make a subtler point but on the surface this is not correct - you can of course accept card data from the user in your frontend and then send it to e.g. a Stripe-like PCI compliant service directly without it ever touching your servers.
The point is it must not touch your servers. This might be the subtlety in the wording here - the differentiation of frontend and backend and user interface. As long as 'the frontend' runs only in the user's browser, it is completely fine.
I would prefer to see a process based approach to a terminology approach. Since payments are transactions, it would be better understood if explained in the form of steps.
[+] [-] Johnie|2 years ago|reply
For people interested in FinTech/Payments, here's a great compendium and resources for the field: https://fintechgtm.substack.com/p/us-fintech-and-payments-cr...
I would also recommend the three books highlighted:
* Field Guide to Global Payments
* Anatomy of a Swipe
* Payment Systems in the US
[+] [-] RheingoldRiver|2 years ago|reply
[+] [-] manojr13|2 years ago|reply
[+] [-] robertpohl|2 years ago|reply
- void, a refund on authorization - account verification, used to store a card, without authorization - card on file, a stored card - BIN, bank identification number - POS, a payment in store, physical terminal - card not present, payment from distance (ecom, moto) - moto, mail order, telephone order
....and alot more
[+] [-] manojr13|2 years ago|reply
But will definitely cover tm in 102
[+] [-] unknown|2 years ago|reply
[deleted]
[+] [-] tibbon|2 years ago|reply
https://amzn.to/447BLVI
[+] [-] krick|2 years ago|reply
[+] [-] game_the0ry|2 years ago|reply
It would be cool if there was a unified payments API interface that payment providers (paypal, cashapp, stripe, ccbill, payment cloud, segpay, epoch, whatever) would agree to use. Hopefully, users would drive adoption, and feel free to swap providers. Also, platform agnostic (apple ios, android, web, etc). I dunno, just thinking out loud.
[+] [-] kyrra|2 years ago|reply
You have all the different forms of payment that exist (credit card, banks, prepaid, ewallets, and even cash (reference number flows where the user takes a QR code into a store or kiosk, scans it, then pays in cash)). Then the details within those flows vary greatly by country/region. Credit cards have 3DS flows, plus CIT/MIT information. Banks want to do all kinds of 2FA, regularly they want the user to be redirected to their website to complete it. And on mobile, you could redirect to a bank or ewallet's app to confirm the payment. Then beyond that, you have various risk signals that different countries want to fight fraud. Some are lax, some are extremely invasive.
Once a payment has been initiated, knowing that it is Completed/Accepted can be really complicated. Credit cards, once you have an auth, a capture is all but guaranteed, but you still have chargebacks to deal with. ACH has a fuzzy window about when it can be reversed. Various other forms of payment have anti-fraud mechanisms that allow payments to be reversed with various windows about when that can happen.
You will always have various governments come in and force new rules that don't play nicely with whatever uniform API you create. For example, the Royal Bank of India forcing all storage of credit card numbers to happen within their country's boundries (data localization). This all of a sudden may force a flow that was using credit cards just fine to now require you to use tokens in their place.
It feels like the payments space should be easier than it is, but various regulations and security/privacy measures that change by region regularly will mess with such an API.
Edit: to add some more fun examples: it's also good to understand that some payment systems in the world are still very manual. There are people with spreadsheets that generate reports. So as a processor, you can get a response from a bank where 2 numbers are transposed in a report. Or you get reports where you aren't given a transaction_id, just a date and amount and you have to figure it out (see the UK's BACS DDICA reports).
[+] [-] jagan120|2 years ago|reply
[+] [-] koromak|2 years ago|reply
[+] [-] dzikimarian|2 years ago|reply
On paper it looks kinda nice. I've seen some discussion about implementing it from the payment method perspective.
Problem is that Google would be massively privileged, as browser orchestrates the process and payment methods aren't necessarily looking for the fair compromise either.
[+] [-] thedangler|2 years ago|reply
So a project would use omnipay and then select what processors they want their clients to be able to use. Clients bring their own API keys or OAuth.
I believe it's in PHP and Ruby.
[+] [-] manojr13|2 years ago|reply
[+] [-] scarface74|2 years ago|reply
https://developer.mozilla.org/en-US/docs/Web/API/Payment_Req...
It works on Safari/iOS/MacOS and Chrome/Android (but weirdly enough, Firefox doesn’t support it).
[+] [-] m_sahaf|2 years ago|reply
[+] [-] simpsond|2 years ago|reply
[+] [-] alexanderscott|2 years ago|reply
API + unified card tokenization
[+] [-] rodolphoarruda|2 years ago|reply
[+] [-] thunkshift1|2 years ago|reply
[+] [-] bndw|2 years ago|reply
[+] [-] Scubabear68|2 years ago|reply
[+] [-] manojr13|2 years ago|reply
[+] [-] yeouch|2 years ago|reply
[+] [-] JoBrad|2 years ago|reply
https://stripe.com/payment-facilitation https://stripe.com/guides/payfacs
[+] [-] zeroxfe|2 years ago|reply
[+] [-] rowls66|2 years ago|reply
[+] [-] pc86|2 years ago|reply
[+] [-] manojr13|2 years ago|reply
[+] [-] cat-whisperer|2 years ago|reply
[+] [-] Johnie|2 years ago|reply
[+] [-] davnicwil|2 years ago|reply
This needs rewording, I am not sure if they're trying to make a subtler point but on the surface this is not correct - you can of course accept card data from the user in your frontend and then send it to e.g. a Stripe-like PCI compliant service directly without it ever touching your servers.
The point is it must not touch your servers. This might be the subtlety in the wording here - the differentiation of frontend and backend and user interface. As long as 'the frontend' runs only in the user's browser, it is completely fine.
[+] [-] JoBrad|2 years ago|reply
[+] [-] JLCarveth|2 years ago|reply
[+] [-] rodolphoarruda|2 years ago|reply
[+] [-] manojr13|2 years ago|reply
[+] [-] wiseowise|2 years ago|reply
[+] [-] arvindnata123|2 years ago|reply
[+] [-] Nars088|2 years ago|reply
[+] [-] Nars088|2 years ago|reply
[+] [-] gen_greyface|2 years ago|reply
[+] [-] rupalsaini|2 years ago|reply