
How to accept credit card payments - Badoo experience

Every year more and more new payment methods appear in the world. But there is still no universal, convenient for all users method. In 2008, when we were just creating a billing system for Badoo, it seemed to us that the future was in payment through SMS. But, faced with the realities of different countries, we realized that this is not so.

User preferences vary depending on the country and the device from which they access the site. Very close to the ideal were bank cards whose popularity is growing from year to year, including in Russia . This is not only one of the most common payment methods, but also the most profitable of all available on the Badoo site, and there are more than 20 of them.

Today we will talk in more detail about what remained beyond the framework of the previous article about billing : about processing payments using bank cards; what you need to know and what to prepare for if you are just going to connect them; how to increase their effectiveness if you already have them. In general, the article is intended for unprepared readers, but specialists may also find something interesting for themselves.

It all started with the fact that four years ago we placed on our website a form for entering credit card details and started accepting payments. After a few months, it became clear that users are happy to pay for our services not only via SMS, but also with cards, the volume of payments for which showed promising growth. We began to actively develop this area. Since then, we have reviewed a dozen payment gateways offering acquiring services (i.e., accepting payments by bank cards), and now we are simultaneously working with three of them. We did support payments with 3D Secure, set up a system that detects fraudulent transactions, and much more.

Why is it difficult to accept payment with plastic cards?



What could be difficult about it? One simple form in which the user enters their card details and presses the pay button. We process the request, send it to the bank, and that's it: soon the money will be in our account. In an ideal world that is what happens, but the real world is a little different.

If you want to accept payments by credit card, then first of all you must ensure the safety of user data. For this, the large payment systems, such as Visa, MasterCard, American Express, Diners and others, have developed a security standard for the payment card industry: PCI DSS (Payment Card Industry Data Security Standard). It is a long list of requirements that the company, its application development process and the configuration of the equipment it uses must meet.

The second problem is protection against fraudulent transactions, or "fraud" for short. After all, the site can be used not only by respectable users but also by fraudsters who pay with stolen credit card data. After such a purchase the cardholder receives a statement with transactions he does not recognise, goes to the bank and demands a refund. After some time the money is returned to him, and the company gets a minus in karma and a fine from the payment system.

And last but not least is the proportion of successful transactions. Even if there is enough money on the card and all the systems involved in making the payment work like clockwork, the bank that issued the card may simply reject the transaction if it doesn't like something or finds it suspicious.

Why get PCI DSS certified?


The main purpose of certification is to make sure that card data is stored securely, that an attacker cannot penetrate your system and, having penetrated it, cannot easily obtain private information. All companies that process credit card data are required to pass it, even if the data is not stored during processing.

At the beginning we perceived certification as a formality, because we did not keep credit card details. Our application only drew a nice form that matched the site design. But gradually it grew, acquiring business logic and anti-fraud checks. We began to store personal user data and authorised information about their credit cards. As a result, we ourselves became interested in making our system as secure as possible. Now PCI DSS is perceived not as a formality but as an opportunity, albeit a somewhat bureaucratic one, to test ourselves for strength.

Compliance with the standard must be confirmed annually. The requirements depend on the level assigned to the company. There are only four levels, and they are assigned depending on the number of transactions processed per year. Recently Badoo was assigned the first level, which is the highest and safest. It has the most stringent certification requirements: to confirm them you need to undergo an external audit. For lower levels, filling out a self-assessment questionnaire or performing an internal audit is sufficient. A complete list of requirements can be found in the standard itself. We will talk about what can simplify the process of passing certification at any of the levels.



First you need to remember that the card number (PAN) and the security code on the back of the card (CVC) must not be stored anywhere. There is nothing wrong with that, since storing them is not required for normal operation of the application. Upon receiving a request from the user, the data is immediately sent to the aggregator and may only be held in RAM, which the standard allows. Only the first six and last four digits of the card number, the cardholder's name and the card's expiration date may be kept in permanent storage. At the higher levels the standard still allows you to store the card number, but it must be encrypted with a strong algorithm or replaced with an irreversible hash.

The next important thing is to reduce the area subject to certification. If payment processing is not the company's core business, there is not much point in extending the strict PCI DSS security rules to the entire infrastructure. It is enough to give the application that processes cards separate servers and a separate code repository to which only a limited number of people have access. Besides formally reducing the scope of work, this adds security to the whole system: its components are loosely coupled, so an attacker who hacks the main application will not be able to reach credit card data.

The only way to avoid certification is not to process plastic card data yourself. For example, the easiest and most common way is to send the user to the payment gateway's page. After payment he returns to the site, and you receive a notification about the payment status. For those who still want their own payment form that fits organically into the site design, there is a more difficult option. Card data can be encrypted in the browser with a public key and sent from the form directly to the payment gateway, which decrypts it with its private key and processes the payment.

Why is fraud dangerous and how to reduce it?


Fraud is misuse of card data aimed at illegally spending money from the cardholder's account. The danger here is not only to the user but also to you as the seller. The user may ask the bank to return his funds, and you not only receive no money for your product or service but also pay a penalty for each such request, even if it is later successfully disputed. In addition, Visa, MasterCard and other payment systems may impose additional penalties for a high level of returns. While the fine for an ordinary return usually does not exceed $10, the fine for a large volume of them can easily amount to hundreds of thousands of dollars.

Here it is important to understand that there are two types of returns: a refund and a chargeback. The difference is that you make a refund yourself when the user contacts you, whereas a chargeback is forced on you by the payment system. Therefore fines and all kinds of sanctions are imposed only for chargebacks.

There are many ways to fight fraud. The easiest and most effective is 3D Secure. In fact, it is just an extra step during payment in which the user must confirm that the payment is being made by the cardholder (see the picture below).



In addition to increasing security, conducting a transaction with 3D Secure shifts liability for fraud on it to the bank that issued the card. This is because the confirmation step is completely under its control, and the transaction should not go through if the bank had any suspicions. But, despite all its advantages, this verification method has one fatal flaw. Like any additional step, it is very bad for the share of successful payments. To verify this we conducted a series of experiments in different countries, the results of which are shown in the graph below.



The three arrows on the graph mark the moments when we turned off the forced use of 3D Secure in a country. For example, in Russia 3D Secure was initially enabled. After it was disabled, the share of successful payments rose by 20%. In Italy, on the contrary, we turned it on and saw the share of successful transactions drop by 10-15%. Only in Britain did user behaviour not change.

We also ran similar experiments in the United States, where after enabling 3D Secure users almost stopped paying, and in South African countries, which are traditionally considered a stronghold of fraud, yet where disabling 3D Secure also had a positive effect.

Looking at the results, we decided to abandon forced 3D Secure for all transactions. But to keep chargebacks at a low level, we had to develop a system that could detect fraudulent transactions and block them. To begin with, we decided to draw up portraits of the users who are most often sources of fraud on our site.

Three groups emerged:


To make life harder for such people, we began to analyse their behaviour on the site and draw up rules for our anti-fraud system. They are based on various transaction parameters, of which there are about 20, for example: the payment amount, the user's IP and the card's issuing country, the number of cards used by this user, the number of transactions, and so on. Each rule that fires adds fraud points to the transaction. Once a certain level is exceeded, the transaction is considered suspicious and we either send it for an additional check via 3D Secure or simply block it.
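The point-based scheme described above, as an added example that is not Badoo's own anti-fraud code: the rules, their weights, the two thresholds and the transaction fields are all invented for illustration, and a real system would use far more parameters with tuned weights.

```python
from dataclasses import dataclass

# Added example, not Badoo's code. Rule set, weights and thresholds are
# constructed for illustration of the point-based scheme the article describes.

@dataclass
class Transaction:
    amount_usd: float
    ip_country: str          # country of the user's IP address
    card_country: str        # country of the issuing bank (from the BIN)
    cards_used_by_user: int  # distinct cards this account has paid with
    payments_last_24h: int   # transaction velocity for this account

# (rule name, predicate on the transaction, fraud points added when it fires)
RULES = [
    ("ip_card_country_mismatch", lambda t: t.ip_country != t.card_country, 30),
    ("many_cards_on_account", lambda t: t.cards_used_by_user >= 3, 40),
    ("high_velocity", lambda t: t.payments_last_24h >= 5, 25),
    ("large_amount", lambda t: t.amount_usd >= 200, 20),
]

SEND_TO_3DS = 40  # suspicious: route through 3D Secure for an extra check
BLOCK = 70        # clearly fraudulent: reject without charging the card


def score(t: Transaction):
    """Sum the points of every rule that fired; also return the rule names
    so the decision can be logged and reviewed later."""
    hits = [name for name, pred, _ in RULES if pred(t)]
    points = sum(pts for name, _, pts in RULES if name in hits)
    return points, hits


def decide(t: Transaction) -> str:
    """'allow' goes straight to the gateway, '3ds' gets the extra
    verification step, 'block' is rejected outright."""
    points, _ = score(t)
    if points >= BLOCK:
        return "block"
    if points >= SEND_TO_3DS:
        return "3ds"
    return "allow"


if __name__ == "__main__":
    # Constructed sample: IP country differs from the card's issuing country
    # and the amount is large, so the payment is routed through 3D Secure.
    sample = Transaction(250.0, "GB", "US", 1, 1)
    print(decide(sample), score(sample))
```

A single weak signal (for example only a country mismatch) stays below the 3D Secure threshold, so the extra step is applied only to the combinations the rules flag, not to every payment.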

If a fraudster manages to get through our whole defence and we receive information about a chargeback, we can try to dispute it. In this case we still pay a fine, but if we win the dispute, at least we do not lose the payment amount itself.

Particularly advanced aggregators can provide "insider" information about chargebacks received by the bank that have not yet reached the payment system. We use such messages for proactive anti-fraud protection. They are registered in our system, and we try to make a refund for these transactions. In this case we still return the money to the user, but since we do so voluntarily, no additional sanctions or penalties are imposed on us. The total effect of such measures is not very large: you can save only a few percent of income. But for Badoo that is hundreds of thousands of dollars a year, which pays for all the costs.

Why are not all payments successful?


On its way from the buyer to the bank that issued the card, the withdrawal request passes through many systems. Besides the seller, the following take part in the process:




User - Site

At this stage the code is under our control, and if there are any problems we can fix them. Here the most annoying type of error is a logical error in validating the entered data. While it is obvious that the cardholder's name may be long or very short and may contain digits, hyphens and anything else the parents saw fit, when checking the card number you need to be careful and know what it can and should be. For example, its length can be from 13 to 19 digits (depending on the card type), and not just 16, as many people think. It is also advisable to check not only the length but the whole number, using the Luhn algorithm. When checking the card's expiration date, remember that it is valid until the last day of the specified month, not until the month begins.
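The form-side checks listed above, together with the PCI DSS storage rule from the certification section (only the first six and last four digits of the PAN may be kept), as an added example that is not Badoo's code: the function names and the "MM/YY" input format are assumptions, and the card numbers used are public test numbers, not real cards.

```python
import calendar
from datetime import date

# Added example, not Badoo's code. Implements the checks the article lists:
# PAN length 13-19, Luhn checksum, expiry valid through the end of the month,
# plus the PCI DSS-permitted masked form (first six and last four digits).


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: from the right, double every second digit,
    subtract 9 when the doubled value exceeds 9, sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def pan_valid(raw: str) -> bool:
    """Strip the spaces users type, then check digits, length 13-19 and Luhn."""
    pan = raw.replace(" ", "")
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)


def mask_pan(raw: str) -> str:
    """The only form allowed in permanent storage: first six and last four
    digits, everything in between replaced by '*'."""
    pan = raw.replace(" ", "")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def expiry_valid(mm_yy: str, today: date) -> bool:
    """'MM/YY' as typed on the form (assumed format); the card works
    through the last day of that month, not only until it begins."""
    try:
        month, year = (int(p) for p in mm_yy.split("/"))
    except ValueError:  # wrong separator, non-numeric, or missing part
        return False
    if not 1 <= month <= 12:
        return False
    year += 2000 if year < 100 else 0
    last_day = calendar.monthrange(year, month)[1]
    return today <= date(year, month, last_day)


def card_form_valid(raw_pan: str, mm_yy: str, today: date) -> bool:
    """Combined form check; CVC is deliberately never stored or returned."""
    return pan_valid(raw_pan) and expiry_valid(mm_yy, today)
```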

Website - Payment Gateway - Acquiring Bank - IPS - Issuing Bank

The success of a transaction at this stage may depend on the frequency of payments and their amount, the country they come from, the card type and much more. Unfortunately, we cannot influence this in any way, so at these stages the percentage of failures is very high because of false positives from the anti-fraud systems of one of the participants in the process. But we managed to find two parameters that we can control and that strongly influence the share of successful payments: using a local processing centre and the correct MCC.

An MCC (Merchant Category Code) is issued to anyone who wants to accept card payments. Every site and even the shop around the corner has one. It is used by online banking services that show your spending broken down by category, and in various promotions, for example when the bank returns part of your money when you buy groceries or cat food. But the most interesting thing for us is that it is used in banks' anti-fraud algorithms.

Initially we had the code 7273 Dating and Escort Services, and the share of successful payments was about 50%. While "dating" can somehow be attributed to Badoo, escort services are definitely not about us. Deciding that this was not right, we went to our partners and began to insist that we needed another, more suitable code. Finally our attempts were crowned with success, and in one of the countries we received the code 4814 Telecoms (telecommunication services). As a result, the share of successful payments increased by 30%. We did not intend to stop there and continued to search for other MCCs we could use. One turned out to be 8641 Social, Civic and Fraternity Services (social services), which increased the share of successful payments by another 10%.



Having chosen a suitable code, we were still not satisfied with the performance in some countries. For example, in France the share of successful payments would not rise above 50-60%. The reason was that the national payment system Carte Bleue is very popular there. To accept its cards, the processing centre (acquiring bank) you use must be connected to it. As a rule, suitable banks are located in the same country where you need to improve performance. This gives an additional bonus: transactions look less suspicious to the anti-fraud systems of issuing banks in that country, which leads to an increase in the share of successful payments.

After we started using local processing connected to Carte Bleue, we got a 30% increase in the share of successful payments in France. In the USA, where there are no local payment systems, this method gave a slightly smaller increase of about 20%.



Left outside this article is the story of the platform we developed, which let us carry out all the above experiments easily and without additional programming. If you would like to read about it, write in the comments and we will prepare a separate article. Perhaps you have your own interesting experience in the payment card industry; you are welcome to share it in the comments, it will be very interesting for us to discuss this topic.

Anatoly Panov
Lead Developer

Source: https://habr.com/ru/post/234677/

