The science behind fast, secure retail payments
“And that’s the job of a good payments service provider – keeping the technical complexity invisible while delivering the service in an industry benchmark time of 130 milliseconds,” explains Bosman.
He says that a decade ago, two or three seconds were considered acceptable. Today, he says, anything more than half a second causes customers to become frustrated.
“A payment provider obviously serves other businesses. In Ecentric’s case, we serve retailers. In fact, we have settled more than R10tn in payments, including the card payments for two-thirds of JSE-listed retailers. But what this means is that we also serve the customers of our customers – millions of people expecting, demanding, near-instant payments that work as they should, every time,” says Bosman.
He adds that while the service is designed to be invisible, it is highly complex.
“There’s far more going on than simply tapping a card or hovering a smartphone over a payment device. There’s an entire ecosystem of highly complex steps taking place. Every step in this process needs to happen so quickly that the wait is almost imperceptible to the customer,” says Bosman.
“The anatomy of a payment”
Describing the “anatomy of a payment”, Bosman provides a simple analogy for a complex process.
“Those 130 milliseconds encompass the anatomy of a payment. The simplest analogy in layman’s terms is to imagine an onion. Each layer, from the outermost to the core, is critical in ensuring the merchant’s customer walks away happy, keeping the merchant happy.
“The layers encompass legitimising the card and user the second they interact with the till, world-standard encryption and security for data travelling over the internet, authorisation and fraud checks, clearing and settlement between the customer’s bank and the retailer’s bank, all of which is underpinned by extensive compliance and ongoing certification,” says Bosman.
Bosman explains that the steps covered in those layers include the customer tapping, swiping or inserting at the terminal, the terminal sending transaction data through the payment switch, which then routes the encrypted request to the customer’s bank (which is called the issuing bank), the issuing bank then checks for funds and runs fraud and security checks before sending an approval or decline response back to the payment switch which, in turn, returns the response to the terminal.
If declined, the transaction ends with a decline code, but if it is approved, the transaction details are sent to the retailer’s bank, which is called the acquiring bank, for clearing and settlement.
“So, in a very short amount of time, and preferably within those 130 milliseconds, there are a lot of complicated steps which all form part of the ‘onion’ analogy – they happen in layers. The core of the onion is ensuring all these steps occur within a payment card industry data security standard (PCI DSS)-certified environment. This is a global security standard.
Certification with this standard is not a once-off process. It requires annual, intensive audits and covers people, process and technology. Additional certifications, such as those for devices and ongoing validation, are required. It is this continuous compliance that underpins trust and allows the payment ecosystem to function securely.
“When this doesn’t go according to plan, the customer is frustrated, the merchant is unhappy, and the reputation of the payment service provider suffers. And so, it is important for retailers to carefully consider the partner they choose to work with when planning their payments. A lot can go well, but equally, a lot can go wrong in just milliseconds,” says Bosman.