Payment Architecture
Saravanan Kulanthaivelu
Who am I?
• Currently employed as Cyber Forensic Senior Specialist for Standard Chartered Global
Business Service
• More than 20 years of experience in the IT industry, covering forensics, incident
response, network security, malware analysis and threat intelligence.
• Worked as a consultant with Mandiant (FireEye) and was stationed in one of the largest banks
in Malaysia as resident incident response and forensic consultant, providing global threat
advisory services.
• Worked in the law enforcement sector at the Malaysian Communications and Multimedia
Commission (MCMC), which monitors threats towards Malaysian networks and advises the
relevant bodies on mitigation strategies.
• Master of Science, Universiti Sains Malaysia.
• Bachelor of Computer Science with Honours, Universiti Sains Malaysia.
• Member of
  • HTCIA
  • GIAC Advisory Board
  • UKM Fellow
• Certifications
UKM – PAYMENT ARCHITECTURE IN FINANCIAL TECHNOLOGY 1
EXTERNAL
Contents
1. Introduction
2. Payment Card Architecture
3. Payment Gateway
4. Digital Wallet
5. Risks and Mitigations (discussions)
Payment Cards
• Payment cards are part of a payment system issued by financial institutions, such as
a bank, to a customer that enables its owner (the cardholder) to access the funds in the
customer's designated bank accounts, or through a credit account and make payments
by electronic funds transfer and access automated teller machines (ATMs). Such cards
are known by a variety of names including bank cards, ATM cards, MAC (money
access cards), client cards, key cards or cash cards.
Source: Wikipedia
Types of payment cards
• Credit cards:
  • allow the cardholder to spend up to a specified credit limit
  • offer the account holder an interest-free period
  • require the account holder to repay at least the minimum amount each month, but charge
    interest on the unpaid balance
  • incur no interest if the bill is paid in full by the specified date
• Debit cards:
  • are issued in conjunction with a bank or building society current account
  • limit the cardholder to the funds available in that account plus any overdraft, if available
• Charge cards:
• Pre-paid cards:
• Business travel cards:
• Purchasing cards:
Payment card technologies
• Signature
• Magnetic stripe (Magstripe)
• EMV (Chip and PIN)
• NFC
• Virtual
What is stored in the card? - Front
https://kalyan-city.blogspot.com/2012/01/what-is-credit-card-meaning-definition.html
What is stored in the card? - Back
https://kalyan-city.blogspot.com/2012/01/what-is-credit-card-meaning-definition.html
MagStripe: Track 1 and Track 2
How does it work?
(Figure: a buyer and a merchant at the counter.) "Coffee & bread" / "It will be RM 4.50" / "Will pay by card" / "Ready!"
The transaction logic
(Figure: merchant, payment card and buyer's bank.)
• Merchant: "I want money for my product." The payment card is read for the buyer's account info.
• Authorization request, merchant to buyer's bank: "Can you pay me RM 4.50 from the buyer's account?"
• Buyer's bank: "Is it the real buyer, or is it fraud? If it is the real buyer, does he have enough money or credit?"
• Authorization response, buyer's bank to merchant: "OK, I will pay later."
Transaction steps
Authorization → Clearing → Settlement → Chargeback & Refunds (Undo)
Reading Payment Card (Authorization)
• EMV and PIN
• Contactless
• Magnetic Stripe
Authorization
(Figure: Merchant → Issuer's Bank (Buyer's Bank) → Merchant.)
• Authorization request: Merchant ID, PAN, Name, Amount, PIN
• Issuer's bank (buyer's bank):
  • Check if it's a real request
  • Check sufficient funds or credit
• Authorization response: payment reference and response
Merchant's dilemma
(Figure: the merchant would need an existing contract with each buyer's bank: Nor's Bank, Abu's Bank, Mani's Bank.)
Acquirer/Issuer partnering
(Figure: Merchant → Acquirer (Merchant's Bank) → Issuer → Buyer. Issuers shown: Mani's Bank (Mani), Mei Lee's Bank (Mei Lee), Ali's Bank (Ali).)
In the real world
(Figure: Merchant → Acquirer → Card Scheme/Brand → Issuer → Buyer. Issuers shown: Mani's Bank (Mani), Mei Lee's Bank (Mei Lee), Ali's Bank (Ali).)
Authorization Complete
• Buyer got the purchased good or service.
• Merchant has a legal contract to settle the purchase from the buyer's bank.
Clearing and Settlement
Authorization → Clearing → Settlement → Chargeback & Refunds (Undo)
Clearing
(Figure: Merchant → Acquirer → Card Scheme/Brand → Issuer. Each record is routed to the buyer's issuer.)
PAN               Reference  Amount    Issuer
5533237612360874  R2901      RM 4.50   Buyer1 Bank
4118298317308462  R2903      RM 12.20  Buyer2 Bank
Settlement
(Figure: Merchant → Acquirer → Card Scheme/Brand → Issuer. On the issuer side the record carries reference and amount only.)
Merchant/Acquirer record               Issuer record
5533237612360874  R2901  RM 4.50       R2901  RM 4.50   (Buyer1 Bank)
4118298317308462  R2903  RM 12.20      R2903  RM 12.20  (Buyer2 Bank)
Chargeback & Refunds
Authorization → Clearing → Settlement → Chargeback & Refunds (Undo)
Chargeback - Buyer initiated
(Figure: Buyer (Mani) → Issuer (Mani's Bank) → Card Scheme/Brand → Acquirer → Merchant.)
• Buyer is unsatisfied or scammed and asks for the amount to be returned: PAN, Merchant ID, Reason, Amount
• Merchant agrees to return: amount transferred back
• Merchant disagrees on the reason: dispute channel is open for discussion
Refund - Merchant initiated
(Figure: Merchant → Acquirer → Card Brand → Issuer (Mani's Bank) → Buyer (Mani).)
• Merchant agrees to refund for any reason
• Data carried: PAN, Name, Expiration Date; Merchant ID, Name, Reference, Amount
• Amount refunded with reference
Payment gateway
• A payment gateway is a merchant service provided by an e-commerce application
service provider that authorizes credit card or direct payments processing for e-
businesses, online retailers, bricks and clicks, or traditional brick and mortar.[1] The
payment gateway may be provided by a bank to its customers, but can be provided by a
specialised financial service provider as a separate service, such as a payment service
provider.
• A payment gateway facilitates a payment transaction by the transfer of information
between a payment portal (such as a website, mobile phone or interactive voice
response service) and the front end processor or acquiring bank.
Source: Wikipedia
Payment Service Provider (PSP)
• A payment service provider (PSP) offers shops online services for accepting electronic
payments by a variety of payment methods including credit card, bank-based payments
such as direct debit, bank transfer, and real-time bank transfer based on online banking.
They typically operate on a software-as-a-service model and form a single payment gateway
for their clients (merchants) to multiple payment methods.
• Also known as a Payment Facilitator (PF)
Source: Wikipedia
Card Not Present (CNP) Transactions
• Card Present
  • A transaction is only considered to be "card present" if payment details are captured in person, at
    the time of the sale. This occurs when cards are physically swiped, tapped or dipped through a
    reader or if an EMV chip is processed.
• Card Not Present
  • A card-not-present (CNP) transaction occurs when neither the cardholder nor the credit card is
    physically present at the time of the transaction. It's most common for orders that happen
    remotely: over the phone or by fax, internet, or mail.
• Types of CNP
  • Online purchases, when a customer buys goods on the internet or through an e-commerce
    transaction.
  • Phone orders, when a customer provides the credit card information over the phone to your
    business.
  • Recurring payments that are set up to bill automatically.
  • Invoices that are paid online.
Transaction steps
Authorization → Clearing → Settlement → Chargeback & Refunds (Undo), with a Capture step added after authorization
There is a delay between when the purchase is made and when the service or goods are delivered.
Buyer, Payment Gateway & Merchant
(Figure: Buyer → Payment Gateway → Acquirer → Card Scheme → Issuer, with the Merchant connected to the gateway. Two steps: Authorization, then Capture.)
• Authorization: card data (PAN, CVV2, Cardholder name, Expiration Date) and merchant data (Merchant ID, Name, Amount, Reference)
• Capture: PAN, Reference
Buyer, PSP and Merchant
(Figure: Buyer → Payment Gateway → Acquirer → Card Scheme → Issuer, with the PSP between the Merchant and the gateway. Two steps: Authorization, then Capture.)
• Authorization: card data (PAN, CVV2, Cardholder name, Expiration Date) and merchant data (Merchant ID, Name, Amount, Reference)
• Capture: PAN, Reference
ATM Transactions
(Figure: Card Holder, Cardholder bank, Other Banks, ATM Operators.)