How to accept credit card payments - Badoo experience

    Every year, more and more new payment methods appear in the world, but there is still no universal method that is convenient for all users. In 2008, when we were just building the billing system for Badoo, it seemed to us that the future belonged to SMS payments. Faced with the realities of different countries, we realized that this was not so.

    User preferences vary depending on the country and the device from which users access the site. Bank cards came closest to the ideal: their popularity grows from year to year, including in Russia. Cards are not only one of the most common payment methods, but also the most profitable of all those available on the Badoo website, and there are more than 20 of them.

    Today we will tell you more about what remained beyond the scope of the previous billing article: processing payments through bank cards, what you need to know and prepare for if you are only about to connect them, and how to increase their effectiveness if you already have them. The article is aimed at unprepared readers, but specialists may find something interesting in it as well.

    It all started four years ago, when we put a form for entering credit card details on our website and began accepting payments. After a few months, it became clear that users were happy to pay for our services not only via SMS but also with cards, and the volume of card payments showed promising growth. We began to actively develop this area. Since then, we have reviewed a dozen payment gateways that offer acquiring services (i.e., accepting payments by bank cards), and now we work with three of them simultaneously. We added support for 3D Secure, set up a system that catches fraudulent transactions, and much more.

    Why is it difficult to accept payments with plastic cards?

    What could be complicated here? One simple form in which the user enters their card details and clicks the pay button. We process the request, send it to the bank, and that is all: the money will soon be in our account. This is what happens in an ideal world, but we live in a different one.

    If you want to accept payments by credit card, you must first ensure the security of user data. For this, the large payment systems such as Visa, MasterCard, American Express, Diners, etc., have developed a security standard for the payment card industry: PCI DSS (Payment Card Industry Data Security Standard). This is a large list of requirements that a company must meet, covering the company itself, its application development process, and the configuration of the equipment it uses.

    The second problem is protection against fraudulent transactions, in other words, "fraud". After all, the site can be used not only by respectable users, but also by fraudsters who pay with stolen credit card data. After such a purchase, the cardholder receives a statement with transactions he does not recognize, goes to the bank and demands a refund. After some time the money is returned to him, and the company receives a "minus in karma" and a fine from the payment system.

    And last, but not least, is the proportion of successful transactions. Even if there is enough money on the card and all the systems involved in making the payment work like clockwork, the bank that issued the card may simply reject the transaction if something about it seems suspicious.

    Why get PCI DSS certified?

    The main purpose of certification is to make sure that card data is stored safely, that an attacker will not be able to penetrate your system and, having penetrated it, will not easily obtain private information. All companies that process credit card data are required to go through it, even if this data is not saved during processing.

    In the beginning, we perceived certification as a formality, because we did not store credit card details. Our application was only involved in drawing a beautiful form that suited the design of the site. But gradually it developed, acquiring business logic and anti-fraud checks. We began to store users' personal data and the card information we are permitted to keep. As a result, we ourselves became interested in making our system as safe as possible. Now PCI DSS is perceived not as a formality, but as an opportunity, albeit a somewhat bureaucratic one, to test our security for strength.

    Compliance with the standard must be confirmed annually. The requirements depend on the level assigned to the company. There are four levels, assigned according to the number of transactions processed per year. Badoo has recently been assigned the first level, which is the highest and safest. It has the most stringent certification requirements, and to confirm them you need to go through an external audit. For lower levels, filling out a self-assessment questionnaire or performing an internal audit is sufficient. A full list of requirements can be found in the standard itself. We will talk about what can simplify the certification process for any of the levels.

    First you need to remember that the card number (PAN) and the security code on the back of the card (CVC) may not be stored anywhere. This is not a problem, since storing them is not required for the normal operation of the application. Upon receipt of a request from the user, the data is immediately sent to the aggregator and may only be held in RAM, which the standard permits. Only the first six and last four digits of the card number, the name of the cardholder and the expiration date may be kept in permanent storage. At the higher levels, the standard still allows you to store the card number, but it must be encrypted with a robust algorithm or replaced by an irreversible hash.

    The next important thing is to reduce the area that is subject to certification. If payment processing is not the company's core business, then it makes little sense to extend the strict PCI DSS security rules to the entire infrastructure. It is enough to isolate the application that processes cards, with separate servers and a separate code repository, to which a limited circle of people has access. In addition to formally reducing the volume of work, this also provides additional security for the system as a whole. Its components will be loosely coupled, so an attacker who breaks into the main application will not be able to reach the credit card data.

    The only way to avoid certification is not to process plastic card data yourself. The easiest and most common way is to send the user to the payment gateway's page. After payment, he returns to the site, and you receive a notification about the status of the payment. For those who still want their own payment form, which fits organically into the site design, there is a more complicated option. Card data can be encrypted in the browser with a public key, and the form sent directly to the payment gateway, which decrypts it with a private key and processes the payment.

    Why is fraud dangerous and how to reduce it?

    Fraud here means the misuse of card data to spend money from someone else's account. The danger lies not only with the user, but also with you as the seller. The user can ask the bank to return their funds, and you will not only fail to receive money for your product or service, but will also pay a penalty for each such request, even if it is later successfully disputed. In addition, Visa, MasterCard and other payment systems may impose additional fines for a high level of returns. While the penalty for a single return, as a rule, does not exceed $10, the fine for a large volume of them can easily amount to hundreds of thousands of US dollars.

    It is important to understand that there are two types of returns: "refund" and "chargeback". The difference is that you make a refund yourself after the user contacts you, whereas a chargeback is forced on you by the payment system. Therefore, fines and all kinds of sanctions are imposed only for chargebacks.

    There are many ways to deal with fraud. The easiest and most effective is 3D Secure. In fact, this is just an additional step during payment, in which the user must confirm that the payment is being made by the cardholder (see the picture below).

    In addition to increasing security, conducting a transaction with 3D Secure shifts liability for fraud on that transaction to the bank that issued the card. This is because the confirmation step is completely under its control, and the transaction should not go through if the bank has any suspicions. But, despite all its advantages, this verification method has one fatal flaw. Like any additional step, it has a very bad effect on the share of successful payments. To make sure of this, we conducted a series of experiments in different countries, the results of which are presented in the graph below.

    Three arrows on the graph mark the moment when we turned off the mandatory use of 3D Secure in a country. For example, in Russia, 3D Secure was initially enabled. After we disabled it, the share of successful payments increased by 20%. In Italy, on the contrary, we turned it on and saw a 10-15% drop in the share of successful transactions. Only in Britain did user behavior not change.

    We also conducted similar experiments in the USA, where after turning on 3D Secure users almost stopped paying, and in the countries of South Africa, which are traditionally considered a stronghold of fraud, but where disabling 3D Secure had a positive effect.

    After looking at the results, we decided to abandon the mandatory use of 3D Secure for all transactions. But in order to keep chargebacks at a low level, we had to develop a system that could detect fraudulent transactions and block them. To begin with, we decided to profile the users who are most often the sources of fraud on our website.

    Three groups emerged:
    • carders. These are specialists in the theft of bank card data. They test whether the cards in their database still work, and often use bots;
    • spammers. They buy stolen card data and use it to make their profile popular. Then they advertise or beg users for money (for example, to treat a serious illness);
    • dissatisfied users. These are people who used paid services but did not like something, or who simply forgot that they paid on our website, or who just want to get the services for free.

    To make life more difficult for such people, we began to analyze their behavior on the site and write rules for our anti-fraud system. The rules are based on various transaction parameters, of which there are about 20, for example: payment amount, the user's IP country and the card's issuing country, the number of cards used by this user, the number of transactions, etc. Each triggered rule adds fraud points to the transaction. Once a certain threshold is exceeded, the transaction is considered suspicious, and we either send it for additional verification via 3D Secure or simply block it.
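    The scoring scheme just described, as an added illustration (this is not Badoo's code; the rule names, point weights, thresholds and sample transactions are invented for the example):

```python
# Added example, not Badoo's code. A rule-based fraud scorer: every triggered
# rule adds points, and the total decides between allow, 3D Secure or block.
# All rule weights and thresholds below are hypothetical.
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Txn:
    amount: float
    ip_country: str            # country of the user's IP address
    card_country: str          # country of the card-issuing bank
    cards_used_by_user: int    # distinct cards this user has tried
    txns_last_hour: int        # payment attempts by this user in the last hour


# (rule name, predicate over a transaction, fraud points) -- hypothetical values
RULES: List[Tuple[str, Callable[[Txn], bool], int]] = [
    ("country_mismatch", lambda t: t.ip_country != t.card_country, 30),
    ("many_cards",       lambda t: t.cards_used_by_user >= 3, 40),
    ("high_velocity",    lambda t: t.txns_last_hour >= 5, 25),
    ("large_amount",     lambda t: t.amount >= 100.0, 15),
]
REVIEW_THRESHOLD = 40   # at or above: ask for 3D Secure
BLOCK_THRESHOLD = 70    # at or above: reject outright


def score(txn: Txn) -> Tuple[int, List[str]]:
    """Sum the points of every triggered rule; also return which rules fired."""
    total, hits = 0, []
    for name, pred, pts in RULES:
        if pred(txn):
            total += pts
            hits.append(name)
    return total, hits


def decide(txn: Txn) -> str:
    """Map the fraud score to an action: 'allow', '3ds' or 'block'."""
    total, _ = score(txn)
    if total >= BLOCK_THRESHOLD:
        return "block"
    if total >= REVIEW_THRESHOLD:
        return "3ds"
    return "allow"


if __name__ == "__main__":
    # Constructed sample transactions.
    for t in (Txn(9.99, "GB", "GB", 1, 1),      # ordinary purchase
              Txn(150.0, "RU", "US", 1, 1),     # IP and card countries differ
              Txn(150.0, "RU", "US", 5, 8)):    # carder testing a card base
        print(score(t), decide(t))
```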

    If a fraudster managed to get through all our defenses and we received a chargeback, we can still try to dispute it. In this case we pay the fine anyway, but if we win the dispute, at least we do not lose the amount of the payment itself.

    Particularly advanced aggregators can provide "insider" information about chargebacks received by the bank that have not yet reached the payment system. We use such messages for proactive defense against fraud. They are registered in our system, and we try to issue a refund for these transactions. We still return the money to the user, but since we do it voluntarily, no additional sanctions or penalties are imposed on us. The total effect of such measures is not very large: you can save only a few percent of income. But for Badoo this is hundreds of thousands of dollars a year, which more than covers the costs.

    Why aren't all payments successful?

    On the way from the buyer to the bank that issued the card, the withdrawal request passes through many systems. In addition to the seller, the process involves:
    • a payment gateway or aggregator, which may also provide other payment methods;
    • an acquiring bank: a bank connected to the various payment systems that provides payment processing services for plastic cards only;
    • the payment systems (Visa, MasterCard, etc.);
    • the issuing bank: the bank that issued the card with which the user is trying to pay for the service.

    Each stage of a transaction has its own details that can affect its success.

    User - Website

    At this stage the code is under our control, and if any problems arise, we can fix them. The most unpleasant kind of errors here are logical errors in validating the entered data. While the cardholder's name can obviously be long or very short and contain digits, a hyphen, and anything else the parents saw fit, when checking the card number you need to be careful and know what it can and should be. For example, its length can be from 13 to 19 digits (depending on the type of card), not just 16, as many people think. It is also advisable to check not only the length but the entire number using the Luhn algorithm. When checking the expiration date of the card, remember that it is valid until the last day of the specified month, not until its beginning.
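    The validation rules above (13 to 19 digits, Luhn check, expiry through the last day of the month), together with the first-six/last-four PAN truncation from the PCI DSS section, as an added example; this is not Badoo's form-validation code, and the card numbers used are standard Luhn-valid test values, not real cards:

```python
# Added example, not Badoo's code: client-side card checks and PAN masking.
import calendar
import re
from datetime import date


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: from the right, double every second digit (minus 9 if > 9); sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_pan(raw: str) -> bool:
    """Accept 13 to 19 digits (spaces allowed on input) that pass Luhn, not just 16-digit numbers."""
    pan = re.sub(r"\s+", "", raw)
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)


def expiry_ok(month: int, year: int, today: date) -> bool:
    """The card is valid through the LAST day of its expiry month, not only until its first day."""
    if not 1 <= month <= 12:
        return False
    return today <= date(year, month, calendar.monthrange(year, month)[1])


def mask_pan(raw: str) -> str:
    """Keep only the first six and last four digits, the PAN fragments a merchant may store."""
    pan = re.sub(r"\s+", "", raw)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def card_usable(raw_pan: str, month: int, year: int, today_iso: str) -> bool:
    """Full check of a submitted form: number format and Luhn, then expiry as of today_iso (YYYY-MM-DD)."""
    return validate_pan(raw_pan) and expiry_ok(month, year, date.fromisoformat(today_iso))


if __name__ == "__main__":
    # Constructed inputs: well-known Luhn test numbers (Visa 16 digits, Amex 15 digits) and a bad one.
    for pan in ("4111 1111 1111 1111", "3782 822463 10005", "1234 5678 9012 3456"):
        print(mask_pan(pan), "valid" if validate_pan(pan) else "INVALID")
    print(card_usable("4111 1111 1111 1111", 3, 2024, "2024-03-31"))  # True: last day of the month
    print(card_usable("4111 1111 1111 1111", 3, 2024, "2024-04-01"))  # False: expired
```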

    Website - Payment Gateway - Acquiring Bank - Payment System - Issuing Bank

    The success of a transaction at this stage may depend on the frequency of payments and their amounts, the country they come from, the type of card, and more. Unfortunately, we cannot influence this in any way, so at these stages the percentage of failures is very high because of false alarms from the anti-fraud systems of one of the participants. But we managed to find two parameters that we can control and that strongly affect the share of successful payments: the use of a local processing center and the right MCC.

    An MCC (Merchant Category Code) is issued to anyone who wants to accept card payments. Every website and even the shop around the corner has one. It is used by online banks that provide statistics on your expenses by category, and in various promotions, for example when a bank returns part of the money to you when you buy groceries or cat food. But the most interesting thing for us is that it is used in the anti-fraud algorithms of banks.

    Initially, we had the code 7273 (Dating and Escort Services), and the percentage of successful payments was about 50%. While "dating" can somehow be attributed to Badoo, escort services are definitely not about us. Having decided that this was not correct, we went to our partners and began to insist that we needed another, more suitable code. Finally, our attempts were successful, and in one of the countries we received the code 4814 (Telecommunication Services). As a result, the share of successful payments increased by 30%. We were not going to stop there and continued to search for other MCCs we could use. It turned out to be 8641 (Social, Civic and Fraternal Services), which increased the share of successful payments by another 10%.

    Having chosen a suitable code, we were still not satisfied with the performance in some countries. For example, in France, the share of successful payments would not rise above 50-60%. The reason turned out to be that the national payment system Carte Bleue is very popular there. To accept its cards, the processing center used (the acquiring bank) must be connected to it. As a rule, suitable banks are located in the same country where you need to improve performance. This gives an additional bonus: transactions look less suspicious to the anti-fraud systems of that country's issuing banks, which leads to an increase in the share of successful payments.

    After we began to use local processing connected to Carte Bleue, the share of successful payments in France grew by 30%. In the United States, where there are no local payment systems, this method gave a slightly smaller increase, about 20%.

    Beyond the scope of this article is the story of the platform we developed, which made it possible to carry out all the above experiments easily and without additional programming. If you would like to read about it, write in the comments, and we will prepare a separate article. Perhaps you have your own interesting experience in the payment card industry; welcome to the comments, it will be very interesting for us to discuss this topic.

    Anatoly Panov
    Lead Developer
