All about online card payment services

July 2, 2021

Online payment services

Online payments, also commonly referred to as CNP or Cardholder not present, are those that provide the capability for a purchase to be made without physically being face to face with the seller, be that a purchase over the internet, over the telephone or by mail order.

It is important to remember, as with any payment service, that there are 2 aspects involved in an online payment:

  • Processing — This is the part of the transaction that gets the customer making the purchase routed through to the acquiring bank. It is essentially the software application that provides multiple options to take payment and routes those payments through to the acquiring bank.
  • Acquisition — This is simply the banking aspect of the online payments service. When the payment service provider processes the transaction, it is passed through to an acquiring bank for the credit or debit card transaction to be processed.

This process is essentially no different from a face-to-face transaction: the physical terminal is replaced by a software application that processes the card transaction and delivers it to the acquiring bank. Some suppliers can process on behalf of all major acquiring banks, as well as being able to provide the acquisition service directly.

It is important to note that a standard face-to-face MID (Merchant ID number) cannot be used with online payments, and a specific MID set up for an online service must be provided.

Online payments are split into 2 different types:

eCommerce payments

Depending on the supplier there are a number of ways you would be able to integrate with their services and process eCommerce payments.

Hosted form payments

Hosted Form integration is one of the easiest and quickest ways to integrate with a supplier's payment service if you don’t operate a shopping cart, or you have a shopping cart that is not supported with a plugin. Some suppliers provide both an HTTP redirect hosted form and a Hosted iFrame that can be embedded within your existing website to maintain brand continuity.

With a hosted form solution, a customer goes through the purchasing process on your site, completing any purchase information required, and when they reach the payment stage they are passed to the supplier via secure HTTPS. With iFrame functionality, the payment process is embedded within your existing website. This provides seamless integration of the payment process without the customer leaving your website, while still ensuring the card detail is submitted within the supplier’s secure network.

When using a redirect service, along with the request passing them to the supplier’s secure payment page, information for the transaction including their name, address and the transaction value can also be provided. This information is encrypted at submission and is then used to dynamically populate a payments page. To be able to do this, your supplier will provide you with a set of encryption keys when the service is activated.
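The redirect request described above, sketched from both sides as an added example (not the article's or any supplier's code). The algorithm (AES-256-GCM), the `merchant` and `request` parameter names, the URL, the merchant ID and the key are all assumptions; each supplier defines its own scheme and issues its own keys.

```javascript
const crypto = require('node:crypto');

// Added example: key, merchant ID, URL and parameter names below are constructed.
const SUPPLIER_KEY = crypto.createHash('sha256').update('constructed-demo-key').digest();
const MERCHANT_ID = 'DEMO-MID-0001';
const PAYMENT_PAGE = 'https://pay.supplier.example/hosted'; // hypothetical URL

// Merchant side: encrypt and authenticate the transaction fields.
function buildRedirectUrl(fields, key = SUPPLIER_KEY) {
  const iv = crypto.randomBytes(12);                 // fresh nonce per request
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(MERCHANT_ID));           // bind token to this merchant
  const body = Buffer.concat([cipher.update(JSON.stringify(fields), 'utf8'), cipher.final()]);
  const token = Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64url');
  const url = new URL(PAYMENT_PAGE);
  url.searchParams.set('merchant', MERCHANT_ID);
  url.searchParams.set('request', token);
  return url.toString();
}

// Supplier side: decrypt, or return null if the token was altered or forged.
function readRedirectRequest(urlString, key = SUPPLIER_KEY) {
  const url = new URL(urlString);
  const raw = Buffer.from(url.searchParams.get('request') || '', 'base64url');
  if (raw.length < 28) return null;                  // 12-byte IV + 16-byte tag
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(url.searchParams.get('merchant') || ''));
  decipher.setAuthTag(raw.subarray(12, 28));
  try {
    const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch {
    return null;                                     // tag mismatch: reject
  }
}

// Simulates a token modified in transit by flipping one bit of the ciphertext.
function tamper(urlString) {
  const url = new URL(urlString);
  const raw = Buffer.from(url.searchParams.get('request'), 'base64url');
  raw[raw.length - 1] ^= 0x01;
  url.searchParams.set('request', raw.toString('base64url'));
  return url.toString();
}

const order = { name: 'A. Customer', address: '1 High Street', amount: '49.99', currency: 'GBP' };
const redirect = buildRedirectUrl(order);
console.log(readRedirectRequest(redirect));          // the original fields
console.log(readRedirectRequest(tamper(redirect)));  // null
```

Authenticated encryption is the point of the sketch: the name, address and transaction value travel through the customer's browser, so the payment page must reject any request whose contents were changed on the way.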

The hosted payments page in both cases will give the customer the opportunity to input their credit or debit card information and submit the transaction for processing. When the payment has been authorised, you have the option to forward the customer to a “Thank you” page in the case of a redirect installation. This method ensures you can accept card payments without having credit or debit card numbers keyed into your website, relaxing your obligations under PCI DSS.

API (Application Programming Interface)

The API option is for those who want to take advantage of greater flexibility and are happy to assume greater responsibility when processing payments. The beauty of an API is that it enables payment functionality to be integrated into any application, not just a website. With the growth of mobile applications that incorporate payment functionality, the API provides the ability for payments to be taken in any environment. If you have a desire to take a card payment within any application without limitations, then the API is the option for you. You would typically take the card information over your website or application and then submit a secure request to the supplier's SSL infrastructure.

Shopping cart plugins

As the eCommerce opportunity has grown, so has the number of shopping carts available ‘off the shelf’. These solutions provide a cost effective way to quickly establish an online shop. Even some of the largest sites on the internet use an off the shelf eCommerce solution. Most suppliers create plugins for some of the most popular solutions to allow those using these off the shelf eCommerce applications to easily integrate as a payment option. Shopping cart plugins are not provided instead of Hosted Form or API features. Instead they use this technology to integrate with the shopping cart software.

MOTO payments

MOTO, or mail order/telephone order, payments can usually be provided either independently or as part of eCommerce payment services. MOTO transactions are performed over the internet using a “virtual” terminal with the customer either being on the end of the phone or having submitted their credit or debit card details via a mail order. A virtual terminal is effectively a secure payment screen within a web browser that enables you to input the various personal details of the customer, including their credit or debit details and submit them to your supplier for processing.

Jargon buster

3-D Secure

3-D Secure is a protocol designed to be an additional security layer for online credit and debit card transactions. It was developed by Visa and MasterCard with the intention of improving the security of Internet payments and is offered to customers under the name Verified by Visa.

API – Application Programming Interface

An API specifies how software components should interact with each other. A practical example would be an API to enable eCommerce integration of online payments capability into the majority of eCarts used on the web today.

CNP – Card not Present

Card Not Present (CNP) transactions occur where there is no card or cardholder present, i.e. orders via mail, telephone, fax as well as Internet/eCommerce payments.

CV2 – Card Verification Value

All credit and debit cards carry a security code number. This number is known to the bank and printed on the card, but is not stored or printed anywhere else. Therefore, it can be used as a check that when you make your purchase you are in physical possession of the card, or have at least seen the card at some time.

GUI – Graphical User Interface

A GUI is a type of user interface that allows users to interact with electronic devices through graphical icons and visual indicators. Examples of GUIs most familiar to people today would be Microsoft Windows or Apple macOS for desktops and laptops, and Blackberry OS, Android and Apple iOS for handheld devices (smartphones/tablets).

Hosted Form

A solution which enables a customer to go through the purchasing process on a merchant’s website either being redirected to a payment page or using an embedded solution such as a hosted iFrame. When the payment stage is reached, they are passed to the payment service provider gateway via HTTPS where the customer inputs their credit or debit card information and submits the transaction for processing.

This method enables you to accept credit and debit card payments quickly and easily with very little integration, but also importantly without having to handle or store card information and as a consequence relaxes PCI DSS compliance obligations surrounding the storage of card information.

MOTO – Mail Order / Telephone Order

MOTO transactions are performed over the internet by using a ‘virtual terminal’ with the card holder either being on the end of the phone or having submitted their credit or debit card details via a mail order. A ‘virtual terminal’ is effectively a secure payment screen within a web browser that enables the merchant to input the various personal details of the consumer and card details, then pass them to the payment service provider’s gateway for processing.

PCI DSS – Payment Card Industry Data Security Standards

PCI DSS is a proprietary information security standard for organisations that handle cardholder information for the major debit, credit, prepaid, ATM, and POS cards.

Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is done annually.