The duck on the financial payment pond: By Matthew Gaskell – Synthesis Security Analyst
We are constantly transacting. Today alone, you may have tapped your card to purchase your petrol and used that same card to purchase your groceries online. And you probably haven’t thought twice about these transactions – that is a sign of a successful, ubiquitous experience (a non-experience).
The aim is to get you the goods, not to make you stop and think. It is when you have to stop and think about the process and when the simplicity is lost, that something has gone wrong. You don’t want to have to call the bank and ask why the process broke down.
The less you have to think about this process, the better the technology behind it. If payments had a spirit animal, it would be a duck.
On the surface, it looks like it is effortlessly traversing the pond, but beneath, those feet are furiously paddling.
The duck on the financial payment pond: What exactly lies beneath the surface?
On the surface it may seem like a simple exchange of goods for cash at the tap of a card but what exactly lies beneath?
A card is just a physical storage device of financial data used to enable a transaction. Every step in the process and the system cycle when you tap your card is there to protect your data. Modern day financial payment systems no longer involve moving money physically, like taking an R100 note from one bank’s safe to another bank’s safe every time you make a purchase. You are moving vast amounts of data (such as PINs and credit card information) that represent the movement of money.
This movement of information results in one bank having R100 less and another bank R100 more. This is what the payment processor does: it balances the inputs and outputs.
In this process, which should feel like a non-event, there is the issuing bank which issued you the card. Then there’s the merchant’s acquiring bank that will receive the payment. These are the account the money is being withdrawn from and the account where the money is being deposited, and they can often be at the same bank.
Next, there is the card scheme such as Visa, Mastercard or American Express. These are central payment networks that process your credit or debit card when you make a payment.
Then there is the payments platform itself. This could be, for example, Halo Dot that lets you tap your card on a merchant’s phone, or the checkout function on Takealot.
To do this, there needs to be a payment gateway. A payment gateway is the technology that captures and transfers payment data when you use your card.
Connecting the two sides is the payment processor, a company that acts as a mediator, moving money from your account or credit card to the merchant’s account and ensuring it all balances up at the end of the day.
Regarding the technology, all this data moving from one place to another must be secure and protected. Everything has to be encrypted so that the communication is secure. Then everything needs to be validated to ensure it is coming from the right source and that the integrity of the transaction is protected. This is not just from bank to bank. It is from issuing bank card to payment provider to payment processor to platform to the holding bank and then all the way back.
Advanced cryptographic machinery is used, such as Hardware Security Modules (HSMs), which generate and hold keys. A cryptographic key is a string of characters used by an encryption algorithm to alter data so that it appears random to everyone except the device meant to receive it, such as the merchant’s bank. These keys protect the communication and essentially establish trust between the various players in the payment pipeline.
There is also the payment software that each component runs, and these components need to talk to each other. The communication between them must be protected to ensure its integrity and to allow that software to operate.
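The two requirements above, encrypt every hop and validate that each message comes from the right source and has not been altered, can be shown in a few dozen lines. The following is an added example written for this article, not code from the article, from Halo Dot, Takealot or any card scheme. It models three parties (platform, processor, acquiring bank) with a separate shared key per link and uses AES-256-GCM, which encrypts and authenticates in one step. The hop labels, the sample message and the keys generated in software are all assumptions made for the example; in a real pipeline the keys would live inside an HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewLinkKey returns a fresh 256-bit AES key for one hop of the pipeline.
// Generating it in software is an assumption for the example; in production
// the key would be generated and stored inside an HSM.
func NewLinkKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts and authenticates msg with AES-256-GCM under key. The hop
// label is bound as associated data, so a message sealed for one hop is
// rejected if it is presented on another. Output is nonce || ciphertext || tag.
func Seal(key []byte, hop string, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A random 96-bit nonce per message; the same nonce must never be reused
	// with the same key, which is why keys are per link and rotated.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, []byte(hop)), nil
}

// Open checks the authentication tag and then decrypts. Any change to the
// bytes, the wrong key or the wrong hop label yields an error: this is the
// "validate source and integrity" step, and it happens before anything is used.
func Open(key []byte, hop string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed message too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], []byte(hop))
}

// Relay models the payment processor in the middle: it opens the message
// from the platform under the platform link key and re-seals it for the
// acquiring bank under a different key. A message that fails validation
// is rejected and never forwarded.
func Relay(platformKey, acquirerKey, fromPlatform []byte) ([]byte, error) {
	msg, err := Open(platformKey, "platform->processor", fromPlatform)
	if err != nil {
		return nil, fmt.Errorf("reject message from platform: %w", err)
	}
	return Seal(acquirerKey, "processor->acquirer", msg)
}

func main() {
	platformKey, _ := NewLinkKey()
	acquirerKey, _ := NewLinkKey()
	// Constructed sample authorisation request; not real transaction data.
	msg := []byte(`{"amount":"R100.00","merchant":"demo-shop","token":"tok_demo"}`)

	fromPlatform, _ := Seal(platformKey, "platform->processor", msg)
	toAcquirer, err := Relay(platformKey, acquirerKey, fromPlatform)
	if err != nil {
		fmt.Println("processor rejected:", err)
		return
	}
	clear, _ := Open(acquirerKey, "processor->acquirer", toAcquirer)
	fmt.Printf("acquirer received: %s\n", clear)

	// A single flipped bit in transit is caught by the tag check.
	toAcquirer[len(toAcquirer)-1] ^= 0x01
	if _, err := Open(acquirerKey, "processor->acquirer", toAcquirer); err != nil {
		fmt.Println("tampered message rejected:", err)
	}
}
```

The point to take from the example is that encryption alone is not enough: GCM's tag is what lets each party reject a message from the wrong source, for the wrong hop, or altered on the way, and the per-link keys mean the platform never holds the key for the processor-to-bank leg.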
When you make that next transaction and it is simple, remember that underneath it’s paddling its feet.