How does digital card payment work?

How does online payment work? BY TIFFANY CHENG PHOTOGRAPHY BY ASHLEY WONG LAYOUT BY NINGJING HUANG AND AMELIA ORAM

We are all familiar with the process of online transactions: we are asked to insert our credit or debit card information, after clicking “pay now”, we may be prompted to verify our purchase by inserting a confirmation code that is sent to your phone. Finally, a confirmation message pops up on screen – “Purchase Complete!” But have you ever wondered: how are digital transactions actually made? What parties are involved to construct such convenient and quick operations? How do they interact with each other to ensure that transactions are completed in a timely, secure and efficient manner?

Online transactions allow businesses to accept credit or debit card payments online from customers. It involves numerous parties and many steps, all taking place in just a few seconds. There are seven main parties involved in a transaction: the customer, the merchant, the issuing bank (customer’s bank), the acquiring bank (merchant’s bank), the card network of both the issuing and acquiring bank, and the payment “gateway”.

First, the consumer is the person who makes the payment to purchase a good or service, while the merchant – the provider of the good or service – receives the payment from the consumers usually through a website or mobile application. Second, the issuing bank, or the customer’s bank, is the financial institution that provides the customer with the payment card, for example HSBC or BOC in Hong Kong. It is also responsible for approving or

declining purchase requests. Third, the acquiring bank, or the merchant’s bank, is the financial institution that allows the merchant to accept the payment from the issuing bank. Some issuing banks can also act as the acquiring bank, such as HSBC and BOC. Fourth, the card network is the financial institution which facilitates the transfer of messages and payments between the issuing bank and the acquiring bank. The leading card networks at the moment are Visa and Mastercard. Fifth, the payment “gateway”, provided by banks, or payment service providers such as PayPal and Stripe, acts as the messenger which transfers information between the parties.

The whole online payment ecosystem integrates all the parties mentioned above to facilitate a transaction. Take Liam buying a pair of sneakers from Nike’s online store as an example. This

example will be made under the premise that Liam, the consumer, uses a credit card issued by HSBC, with visa as its payment network. Nike, the merchant, uses a bank account under BOC, meaning BOC is the acquiring bank. Mastercard will be its payment network. Firstly, in the checkout page of Nike’s website, Liam types in the details of his HSBC credit card. After he clicks “pay now”, Nike’s website sends his transaction and his card information to the payment gateway. On the other side of the gateway is the BOC, who relays the information to Visa. Visa then transfers the card details he inputted to HSBC, verifying that Liam typed in the correct card details, and checking whether he has enough credit in his account to buy the sneakers. If he does, HSBC proceeds to send its approval to the payment gateway. The approval is received by Nike, which then prompts its website to produce an acceptance message. Nike also stores Liam’s purchase as an authorised transaction. In the case where Liam mistyped his credit card information, HSBC will disapprove his payment. The disapproving message will inform Nike to inform Liam that his payment has been rejected. At the end of the day, Nike sends all its authorised transactions, including Liam’s transaction to BOC, which relays these transactions to mastercard. BOC then deposits the total transaction amount into Nike’s account under the bank. Mastercard will debit the money from the issuing banks of the customers from the transactions and send the money to BOC. Customers who used debit cards will have their money debited, whereas customers who used credit cards, like Liam, will be sent a statement requesting the credit to be paid. Since customers are only actually paying at the end of the business day, online customers often have to be sent a separate email about a day later to have their purchase confirmed or declined. The customers who are sent a declined email at this stage are different from those who have received a disapproving message when they were in the checkout page. These customers are likely to have their payment blocked if their payment is considered fraudulent even though they entered the correct card details.

It may seem unsafe to enter your bank card details online, and have them sent to unspecified places on the internet. According to the Hong Financial Services Development Council, reported incidents of cyber crime rose from about two thousand cases in 2011 to about thirteen thousand cases in 2020 in Hong Kong. To battle such crimes, your browser and card network have been implementing new methods, while improving existing ones over the years to ensure a secure online payment environment. First, tokenization. Tokenization is a payment security to

decrease the vulnerability of payment details from being stolen and used. During the whole payment process, tokens, which are random characters, replace sensitive information such as credit card details. These tokens will be used as the language of communication between different parties in an online payment system. Tokenization reduces the chances of a data breach as these tokens can’t be deciphered and are worthless to fraudsters. Secondly, website encryption. This method allows customers’ payment information to be encrypted before being sent off to the payment gateway. It promises that such information is kept only between the merchant and the customer. Encryption is achieved through Secure Sockets Layer (SSL) and Transport Layer Security (TLS). TLS is the evolved counterpart of SSL, making it more secure and efficient. Merchants like Nike, who have an e-commerce website, have to obtain a SSL or TLS certificate from a trusted hosting provider. A verification process called “SSL Handshake” enables Liam’s browser to verify that Nike’s website is secure and using encryption. It is like a conversation between Liam’s brower and the server of the Nike website. Liam provides his cipher suites (algorithms that help secure network connection through SSL/TLS layer), which are verified by the server of Nike’s website. Liam’s brower in return, verifies Nike’s SSL/TLS certificate. Liam’s browser then generates a shared key using Nike’s public key. Nike decrypts Liam’s information with its private key. If Nike is able to decrypt the information, verification will be completed. All information sent between the two parties will be secured using the shared key. Aside from tokenization and encryption that run in the background, a further layer of security directly involving users can be added through two-factor authentication. An extra step will be added to Liam’s online payment to Nike, where HSBC will direct Liam to its verification page

after examining the card details he inputted and going over his available credit. When the verification page is prompted, Liam will have to enter the verification code sent from HSBC through text message. After HSBC verifies that the code entered is correct, the payment will be approved and Liam will be directed back to Nike’s website for the acceptance message. This process verifies if the payment is actually initiated by the cardholder, and prevents any payment from being made by unintended users, such as embezzlers or hackers. After all the talk about the payment ecosystem and security technologies, what future does online payment carry? According to Bloomberg Intelligence, e-commerce sales accounted for 24% of total U.S. retail sales in 2020, increasing from 18% in 2019 and 15% in 2018. The data suggests that the pandemic has accelerated the growth of e-commerce, and has forever changed consumer lifestyles and buying patterns. Businesses which previously only had a physical presence have been incentivized to open up online presence to reach consumers who are spending more time at home. This has also forced businesses to receive cashless payments. According to a survey conducted by visa in August 2020, the online expenses of Hong Kong consumers increased from 40% to 52% during the pandemic compared to pre-pandemic. What’s more, in 2021, the percentage of those who used cash dropped by 13% to 78%, and was taken over by credit/debit card usage which increased by 4% to 84%. To top it off, in 2020, 77% of the respondents preferred non-cash payment methods. With all this data indicating an escalation of online expenses and use of cashless payments, more businesses will start to modernise their payments to adopt cashless payments, both online and offline. What’s more, the proliferation of digital wallets such as Payme, Alipay, Tap&Go and Apple Pay have also contributed to the use of cashless payments. More merchants are adding digital wallets as a method of payment for making purchases on their websites. Previously, only bank cards were accepted.

With the surge of online purchases due to the pandemic and rise of digital wallets, the use of online payments are predicted to continue its elevation. Speaking from personal experience, as someone who doesn’t own bank cards, digital wallets have definitely increased my number of online purchases. Some digital wallets like Alipay accept top up with cash in convenient stores, so I often use this method to make personal purchases online. As it stands, the future of Hong Kong’s payment landscape looks to be digital.

Photography by Evelyn Kwan