We live in an increasingly digital world; refrigerators connect to the web, smart mirrors offer workout instructions and AI assistants can order your groceries. Every year, our society becomes more reliant on digital technologies — but is it impacting how we pay? In short, yes.

Gone are the days of cold, hard cash. Consumers, especially younger ones, don’t want to carry around bulky wallets — they want to order and pay for their necessities with a single click. Online payment processing can offer just that — the convenience, speed and security that today’s consumers expect. With more Gen Z consumers willing to switch brands in favor of a better shopping experience, online payments have become a necessity for modern businesses. 

But before you start taking online payments, you’ll need to understand how they work. This guide outlines the basics of online payment processing, from current methods to the flow of online credit card payments, security and beyond.

Types of Online Payment Methods

Online payments come in many different flavors. As new payments tech emerges, merchants are incorporating a variety of options to offer consumers more choices. Some of the most common types of online payments include credit and debit cards, digital wallets, instant bank payments and the ACH network.

Credit/Debit Card Online Payments

Credit cards (and debit cards) are the most common way people pay online. Consumers can enter credit and network-branded debit cards into online checkout systems or keep cards on file for ultra-fast one-click checkouts. While new payment options mean additional convenience and choice, there is no evidence that cards will become obsolete any time soon.

Digital Wallet Online Payments

Digital wallets like Google Pay, Apple Pay and Samsung Pay are applications that allow users to store digital copies of their payment and loyalty cards, as well as additional information typically needed to check out online, such as a mailing or billing address.

A digital wallet effectively replaces a physical one (with the added convenience of storing necessary information), enabling users to make payments online or in person with their phones or smart devices. Digital wallets are now standard on all Apple and Android devices and many computers, which has increased their adoption significantly.

Instant Online Payments

Instant payments are immediate direct transfers between two bank accounts. Traditionally, direct bank payments have been slow (with the exception of expensive wire transfers). Instant payments, however, use new payment rails to settle the transaction within seconds, eliminating the multi-day wait for funds to arrive in a bank account.

Today instant payments are still predominantly used for peer-to-peer payments. With these types of payments being relatively new and, well, instant, they may present new challenges to merchants, consumers and banks. These challenges need unique solutions which can include:

  • Accommodating different risk and fraud management frameworks
  • Creating scalable workflows for erroneous payments
  • Improving the merchant and consumer experience
  • Embedding payments everywhere business is conducted (including in-app and software-based transactions)

Instant payments aren’t common in ecommerce today, but that may change as the new instant payment networks mature and reach more scale. 

Online ACH Payments

The Automated Clearing House (ACH) network is an account-to-account payment system that clears through the Fed instead of directly between banks as instant payments do. ACH payments are commonly referred to as echecks, and serve a similar function to paper checks. Payments go from bank account to bank account and generally take a couple of days to fund. Certain providers can now also offer same-day or next-day ACH if a transaction is batched by the correct cutoff time. ACH payments can accommodate both credits and debits and are well integrated into business workflows, especially for B2B or large-ticket verticals.

How Online Payment Processing Works

In most cases, processing an online payment works the same way as processing an offline payment, but everything is done using software. Online, there is no need for specialized payment hardware. Here’s a rough breakdown of the payment flow that happens when a customer makes a payment online with their credit card or a card stored in their digital wallet:

Step 1 — Submission: The customer inputs their card details or uses a card saved in an account or digital wallet. The payment information enters the merchant’s payment gateway through the checkout page and is encrypted for security.

Step 2 — Authorization: Next, the payment gateway sends the payment information to the merchant’s acquiring bank, which then sends it to the relevant card network (like Visa or Mastercard). Afterward, the network sends it to the cardholder’s issuing bank, which determines whether or not the customer has enough available credit. The issuing bank approves or declines the payment.

Step 3 — Verification: Once a payment is authorized, the merchant’s and customer’s banks determine whether or not it’s legitimate. During this step, the banks verify the payment data and other complementary information, such as IP address, and make sure it matches the expected cardholder information. They also ensure the payment doesn’t trigger any fraud warnings. If everything looks good, authorization is sent back through the payment gateway.

Step 4 — Clearing: To clear payments, the merchant’s software sends batches of transactions to the card network, typically via a payment gateway through a payment processor. The card network then sorts the payments and sends each one to the relevant issuing bank for settlement.

Step 5 — Settlement: The next step is for the customer’s issuing bank to send the funds from a payment to the merchant’s acquiring bank. This generally takes two to three days, although in some cases merchants can get access to their funds earlier through services like next-day and same-day funding.

Step 6 — Funding: During the final funding phase, the issuing bank sends money to the merchant’s acquiring bank, which then sends the final funds to the merchant’s bank account. Typically, the acquiring bank will also bill the merchant for any related fees, which are debited from the merchant’s bank account.

6 steps of an online payment

Security in Online Payments

Online payments are known as “card-not-present” payments because the merchant never sees the physical card being used. That creates a higher potential for fraud as bad actors can anonymously run transactions with stolen cards. As a result, anti-fraud measures are even more important online than in-store. Data security is another crucial factor because stored customer payment information is a high-value target for cybercriminals.

Common Online Payment Security Measures 

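SSL/TLS Encryption: Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), encrypt payment data in transit between the customer’s browser and the checkout page. They are the web-wide standard and the baseline security required for safe online payment processing, and they’re also required to comply with industry standards set by the major card networks. In current deployments this means TLS, since the older SSL protocol versions are deprecated.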

Tokenization: Tokenization is a more advanced method of securing payment data that goes beyond standard encryption. It replaces a customer’s card information with “tokens” that can’t be decrypted to reveal sensitive payment data. Even if a bad actor did manage to steal the tokenized data, it would be completely useless to them.

PCI DSS Compliance: The Payment Card Industry Data Security Standard (PCI DSS) is a set of security protocols developed and enforced by the PCI Security Standards Council, a global forum whose goal is to safeguard customer payment data, define roles and responsibilities of ecosystem participants, and define rules of engagement. PCI DSS covers 12 areas, including online and physical security, and it must be followed by every party that interacts with or stores credit card data.

3DSecure: 3DSecure is a form of cardholder authentication and is an additional security layer that requires customers to enter a password or one-time code before paying. That makes it more difficult for bad actors to use stolen cards. Verified by Visa and Mastercard SecureCode are two examples of 3DSecure authentication.

Automated Fraud Screening: Automated anti-fraud tools check each online transaction in real-time to identify any red flags that might indicate fraud. The most basic tools use predefined rules and basic information. Meanwhile, more advanced fraud protection tools like Kount use AI to check payments against databases generated from billions of prior transactions.
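The tokenization measure described above, shown as an added Python example that is not NMI's code or any provider's API: a vault issues random tokens with no mathematical link to the card number, so the merchant's database holds only a token and the last four digits. The `TokenVault` class, the `tok_` prefix and the `payment-processor` caller name are assumptions made for the example, and the card number is a constructed test value.

```python
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by card numbers (PANs)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical in-memory vault. A real vault is an isolated service
    that encrypts PANs at rest and sits outside the merchant's systems."""

    ALLOWED_CALLERS = {"payment-processor"}   # assumed caller name

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        if pan in self._token_by_pan:         # same card -> same token,
            return self._token_by_pan[pan]    # so recurring billing can reuse it
        token = "tok_" + secrets.token_hex(16)  # random: nothing to decrypt
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        # Only the vault can map a token back, and only for allowed callers.
        if caller not in self.ALLOWED_CALLERS:
            raise PermissionError(f"{caller} may not detokenize")
        return self._pan_by_token[token]

def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What the merchant's own database keeps: token plus last four digits."""
    digits = pan.replace(" ", "").replace("-", "")
    return {"token": vault.tokenize(pan), "last4": digits[-4:]}

if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_record(vault, "4111 1111 1111 1111")  # constructed test number
    print(rec)
    print(vault.detokenize(rec["token"], "payment-processor"))
```

A stolen copy of `merchant_record` output contains nothing that can be reversed into the card number; the mapping exists only inside the vault.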

Common Business Models for Online Payments

A company’s business model determines how it processes online payments. Depending on how a merchant sells, they may need to offer different payment methods or require specific payment technology.

Business-to-Consumer (B2C)

The most common type of online sales is B2C, which means a business is selling directly to a consumer. This includes everything from major retailers like Amazon and Walmart to small web stores, direct-to-consumer manufacturers and beyond. 

Modern consumers expect businesses to provide safe, convenient payments. That means the more payment options a merchant can offer, the better. Credit cards are the bare minimum, but newer options like digital wallets, point-of-sale financing and buy now, pay later (BNPL) are becoming more common.

Business-to-Business (B2B)

B2B payments involve transactions between two businesses. Many businesses still prefer to pay with credit cards, but accepting a B2B payment online may require the seller to have Level 3 payment processing capability. Level 3 processing collects additional data that makes it easier to reduce fraud potential and minimize processing costs. The more a purchase costs or the more accountable an organization is, the more likely Level 3 will be required. Many businesses also use ACH to pay, and instant account-to-account (A2A) payments using RTP rails are an emerging option.

Subscriptions and Recurring Payments

Subscription merchants take recurring monthly payments without requiring action from the customer. That means storing customer payment data for automatic use — a risky proposition. It also means expired cards can interrupt a customer’s service and hurt revenue. To get around these problems, subscription merchants use services like off-site card data storage, tokenization and automatic card updating to keep revenue flowing.

Embedded Online Payments

Embedded payments move the entire payment process into the software platforms that businesses and consumers use regularly. For instance, a Software-as-a-Service (SaaS) provider for a dental office can build embedded payment processing directly into its office management software and the interface their patients interact with. The clinic can then accept payments without the hassle of juggling additional solutions or vendors.

Choosing the Right Online Payment Processing Options

When deciding which online payment options to offer, merchants and their payment partners will need to weigh a variety of factors, including:

  • Customer preferences and expectations
  • Ideal experience and features
  • Existing tech systems, and more 

Ultimately, the best thing merchants, software platforms and payment providers can do is find a payments partner that inherently offers flexibility and choice by being able to accommodate their ideal customer experience today while being able to grow and evolve their business in the future. 

That’s where NMI comes in.

NMI’s comprehensive embedded payments solutions give providers turnkey access to everything they need to offer merchants a full range of payments, whether they sell online, in-store, on their devices or anywhere else. To find out more about NMI’s modular digital payments platform, reach out to a member of our team.

Don’t just turn on payments, transform the way you do business

  • Generate New Revenue: By adding or expanding payment offerings to your solution, you can start earning higher monthly and transaction-based recurring revenue.
  • Offer the Power of Choice: Allow merchants to choose from 125+ shopping cart integrations and 200+ processor options to streamline their onboarding.
  • Seamless White Labeling: Make the platform an extension of your brand by adding your logo, colors and customizing your URL.
