Multi-Processor Payment Routing and Fraud Prevention: Strengthen Payment Security
Payment security is a key consideration for today’s digital merchants, as acquiring a reputation for not protecting customers’ payment details can be an existential threat. That said, all merchants have to balance the need for security with providing a superior customer experience, which can have a critical impact on successfully closing transactions. Using multiple payment service providers (PSPs), while potentially adding complexity to the payment system, can contribute to each of these competing imperatives.
What is Multi-Processor Payment Routing?
All merchants must engage with at least one PSP, which acts as the intermediary between the merchant and the remainder of the payment ecosystem, routing transactions through the various parties involved (gateways, card networks, issuing and acquiring banks, among others). Many merchants initially engage with a single, full-service PSP, accessing a broad range of services and paying a relatively simplified, flat processing fee for each sale. However, as they seek greater flexibility, and leverage to negotiate processing fees, many merchants find it valuable to engage with multiple processors; this allows (and requires) them to orchestrate each payment, directing it to the processor whose services are the most beneficial. Such multi-processor payment routing can aid in directing sales to the PSP that is the most likely to be able to process the payment; offers the lowest processing rates; or provides a security layer appropriate to the sale.
What Are the Threats to Payment Security?
Fraudulent payments can be a threat to merchants and consumers alike. When a fraudulent payment is processed, it can result in:
- Financial difficulty for the consumer, such as pushing an account over its credit limit;
- Processing fees for the merchant, which still must be paid after a refund is processed;
- Chargeback fees for the merchant when the consumer seeks to reverse the payment through their issuing bank or card network.
Additionally, the reputational damage to a merchant that suffers a hack, data leak, or other fraud attack can devastate their growth plans.
Bad actors can attack the payment process from a number of vectors, including, among many others:
- Stealing credit card numbers and other consumer information, then ordering goods with them
- Setting up algorithms to guess at valid credit card numbers, then making purchases
- Hacking into merchant databases and stealing payment information, which they can then use at that or another retail location
How Multi-Processor Payment Routing Can Weaken Payment Security
When a merchant is looking to add one or more additional PSPs to their original payment partner, they have to plan for how to manage stored payment information: consumers expect and require merchants to allow them to store their details so they only have to enter payment information once.
When merchants make the decision to store cardholder data within their own environment, it can create a very dangerous attack vector: even when data is held in an encrypted form, hackers can either steal or calculate the decryption key, transforming all the information back to plain text, and making it usable. In order to avoid this eventuality, merchants who store this sensitive data are required to comply with the PCI-DSS regulations, which can be an onerous and expensive proposition - and, as numerous very public reports of data breaches demonstrate, not necessarily a foolproof one. Either way, as merchants transition from their initial full-service PSP to an orchestrated multi-processor payment routing approach, ensuring that consumer data is fully protected is vital.
Additional Steps Can Be Added to Strengthen Payment Security
While each PSP offers some set of security services, they don’t necessarily include everything a given merchant might need. Merchants might look for providers that, for instance, scan for transactions with unusually high amounts, transactions arriving in suspicious volumes from a single buyer, or transactions that don’t fully match stored mailing addresses. Similarly, they might subscribe to services like credit card updaters outside their PSPs’ areas of control. To achieve any of this, merchants must, almost by definition, commit to multi-processor payment routing, so that they do not have to default to whatever is offered by their one and only payment partner.
To execute this shift to multi-processor payment routing, merchants must first have access to the true customer cardholder data, so that they can submit it to their security partners prior to transmitting it to the payments ecosystem. Doing so requires the merchant to either:
- Store and manage cardholder data within their own payment system. This provides full access, but places the entire system in PCI-DSS scope, obligating costly and time-consuming compliance work; or
- Store and manage cardholder data within a programmable payment vault, such as the one offered by Basis Theory. This delivers the flexibility to select preferred payment partners, as well as shifting the burden of protecting consumer sensitive data to the vault provider.
With full control over their customers’ cardholder data, merchants can institute sophisticated decisioning for each and every transaction, improving payment security by
- Inserting any security check they deem necessary into the process, not actually submitting sales for processing until the system has reduced the chances of fraud to an acceptable level
- Transmitting details securely, especially when working with a payment vault, which keeps the merchant’s system out of PCI-DSS scope by never sharing the actual cardholder data with the merchant, instead providing an undecryptable token
Additionally, the decisioning engine can route each transaction to the right payment partner, based on whatever instructions have been configured by the merchant. Making the choice in a multi-processor payment routing environment may be based on
- Potential to close the transaction: PSPs closer to the buyer’s geography, or offering a payment method known to be popular in that locale, may have a higher likelihood of closing the deal;
- Processing fees: different PSPs may offer different rates, for instance, between credit and debit cards, or for using digital wallets;
- Ability to re-present soft declines: when a transaction fails for what may be a transient reason (e.g., the card has expired, or the account is at its credit limit), the decisioning engine should know to give the processing another try in a couple of days
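The decisioning flow described above, sketched as an added example (not code from Basis Theory or any PSP): pre-submission fraud checks run first, then the sale is routed by geography and fee, and soft declines are scheduled for a retry. The PSP names, fee rates, thresholds, decline code and token values are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Txn:
    token: str           # vault token standing in for the card; no card number here
    buyer_id: str
    amount: float
    country: str
    card_type: str       # "credit" or "debit"
    address_match: bool  # billing address agrees with the stored mailing address
    at: datetime

# Hypothetical PSP table: countries served and fee rate per card type.
PSPS = {
    "psp_a": {"countries": {"US", "CA"}, "fee": {"credit": 0.029, "debit": 0.015}},
    "psp_b": {"countries": {"US", "DE"}, "fee": {"credit": 0.025, "debit": 0.019}},
}
MAX_AMOUNT = 2000.0            # assumed threshold for "unusually high"
MAX_PER_HOUR = 3               # assumed per-buyer volume limit
SOFT_DECLINES = {"credit_limit_reached"}  # constructed decline code

def fraud_flags(txn, history):
    """Return the names of the pre-submission checks this transaction fails."""
    flags = []
    if txn.amount > MAX_AMOUNT:
        flags.append("high_amount")
    hour = timedelta(hours=1)
    recent = [h for h in history
              if h.buyer_id == txn.buyer_id and timedelta(0) <= txn.at - h.at <= hour]
    if len(recent) >= MAX_PER_HOUR:
        flags.append("velocity")
    if not txn.address_match:
        flags.append("address_mismatch")
    return flags

def route(txn, history):
    """Hold flagged sales; otherwise pick the cheapest PSP serving the buyer's country."""
    flags = fraud_flags(txn, history)
    if flags:
        return {"action": "hold", "flags": flags, "psp": None}
    eligible = [n for n, p in PSPS.items() if txn.country in p["countries"]]
    if not eligible:
        return {"action": "hold", "flags": ["no_psp"], "psp": None}
    psp = min(eligible, key=lambda n: PSPS[n]["fee"][txn.card_type])
    return {"action": "submit", "flags": [], "psp": psp}

def next_attempt(decline_code, declined_at):
    """Re-present soft declines two days later; never retry anything else."""
    return declined_at + timedelta(days=2) if decline_code in SOFT_DECLINES else None
```

Because the checks run before a PSP is chosen, a held sale is never submitted to any processor, and the merchant-side code only ever handles the vault token.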
Multi-Processor Payment Routing Can Strengthen Payment Security - When Done Well
Using a multi-processor payment routing strategy is unequivocally beneficial for the merchant, with its ability to increase close rates and decrease aggregated processing fees. Done right, though, it also delivers strong security benefits for consumers, as additional transaction monitoring and approval steps can be added to the overall payment process. Merchants going this route have one core decision to make: store cardholder data locally and commit to the risky and expensive processes required to protect that information, or contract with a third-party token vault provider so they can focus on their core business.