A payment service provider (PSP) is a third-party company that allows businesses to accept electronic payments, such as credit card and debit card payments. PSPs act as intermediaries between those who make payments, i.e. consumers, and those who accept them, i.e. retailers. [1]
They will often provide merchant services and act as a payment gateway or payment processor for e-commerce and brick and mortar businesses. They may also offer risk management services for card and bank based payments, transaction payment matching, digital wallets, reporting, fund remittance, currency exchange and fraud protection. The PSP will typically provide software to integrate with e-commerce websites or point of sale systems. [2]
PSPs establish technical connections with acquiring banks and card networks, enabling merchants to accept different payment methods without the need to partner with a particular bank. They fully manage payment processing and external network relationships, making the merchant less dependent on banking institutions. [3]
PSPs can also offer risk management services for card and bank based payments, transaction payment matching, reporting, fund remittance and fraud protection. Some PSPs provide services to process other next generation methods (payment systems) including cash payments, wallets, prepaid cards or vouchers, and even paper or e-check processing.
PSP fees are typically charged in one of two ways: as a percentage of each transaction, or as a fixed cost per transaction.
US-based online payment service providers are supervised by the Financial Crimes Enforcement Network (or FinCEN), a bureau of the United States Department of the Treasury that collects and analyzes information about financial transactions in order to combat money laundering, terrorist financiers, and other financial crimes.
European payment service providers are supervised based on the European Payment Services Directive. [4]
Each merchant remains responsible for its own actions and must accordingly ensure that the selected provider observes the guidelines, e.g. with regard to data protection. Compliance with PCI DSS guidelines is important. There are four levels of PCI compliance that must be respected by the PSP. Depending on the volume of transactions, as well as other details about the level of risk assessed by payment brands, the payment service provider has to follow higher standards.
The levels are as follows:
As of 2022, there were more than 900 payment providers in the world. More than 300 offer services just for Europe [6] and North America. The global payment service provider market is expected to reach US$88 billion by 2027 from US$40 billion in 2019. [7]
In 2010, the People's Bank of China issued administrative measures regarding online non-financial payment services. [8] : 33 These measures retroactively recognized the legal status of online third-party payment platforms like Alipay. [8] : 33 Prior to the 2010 measures, these services existed in a legal grey area. [8] : 32
Tokenization, when applied to data security, is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no intrinsic or exploitable meaning or value. The token is a reference that maps back to the sensitive data through a tokenization system. The mapping from original data to a token uses methods that render tokens infeasible to reverse in the absence of the tokenization system, for example using tokens created from random numbers. A one-way cryptographic function is used to convert the original data into tokens, making it difficult to recreate the original data without obtaining entry to the tokenization system's resources. To deliver such services, the system maintains a vault database of tokens that are connected to the corresponding sensitive data. Protecting the system vault is vital to the system, and improved processes must be put in place to offer database integrity and physical security.
Mobile payment, also referred to as mobile money, mobile money transfer and mobile wallet, is any of various payment processing services operated under financial regulations and performed from or via a mobile device. Instead of paying with cash, cheque, or credit card, a consumer can use a payment app on a mobile device to pay for a wide range of services and digital or hard goods. Although the concept of using non-coin-based currency systems has a long history, it is only in the 21st century that the technology to support such systems has become widely available.
An e-commerce payment system facilitates the acceptance of electronic payment for offline transfer. Also known as a subcomponent of electronic data interchange (EDI), e-commerce payment systems have become increasingly popular due to the widespread use of internet-based shopping and banking.
A payment gateway is a merchant service provided by an e-commerce application service provider that authorizes credit card or direct payment processing for e-businesses, online retailers, bricks and clicks, or traditional brick and mortar. The payment gateway may be provided by a bank to its customers, but can be provided by a specialised financial service provider as a separate service, such as a payment service provider.
A merchant account is a type of bank account that allows businesses to accept payments in multiple ways, typically debit or credit cards. A merchant account is established under an agreement between an acceptor and a merchant acquiring bank for the settlement of payment card transactions. In some cases a payment processor, independent sales organization (ISO), or member service provider (MSP) is also a party to the merchant agreement. Whether a merchant enters into a merchant agreement directly with an acquiring bank or through an aggregator, the agreement contractually binds the merchant to obey the operating regulations established by the card associations. A high-risk merchant account is a business account or merchant account that allows the business to accept online payments even though it is considered to be of a high-risk nature by the banks and credit card processors. The industries that hold this kind of account are the adult industry, travel, Forex trading businesses and multilevel marketing businesses. "High-risk" is the term used by acquiring banks to signify industries or merchants that are involved with higher financial risk.
An acquiring bank is a bank or financial institution that processes credit or debit card payments on behalf of a merchant. The acquirer allows merchants to accept credit card payments from the card-issuing banks within a card association, such as Visa, MasterCard, Discover, China UnionPay, American Express.
Shopping cart software is a piece of e-commerce software on a web server that allows visitors to an Internet site to select items for eventual purchase.
Heartland Payment Systems, Inc. is a U.S.-based payment processing and technology provider. Founded in 1997, Heartland Payment Systems' last headquarters were in Princeton, New Jersey. An acquisition by Global Payments, expected to be worth $3.8 billion or $4.3 billion, was finalized on April 25, 2016.
The Payment Card Industry Data Security Standard is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by the card brands. It was created to better control cardholder data and reduce credit card fraud. Validation of compliance is performed annually or quarterly with a method suited to the volume of transactions:
The payment card industry (PCI) denotes the debit, credit, prepaid, e-purse, ATM, and POS cards and associated businesses.
The Payment Card Industry Security Standards Council was formed by American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc. on September 7, 2006, with the goal of managing the ongoing evolution of the Payment Card Industry Data Security Standard.
Credit card fraud is an inclusive term for fraud committed using a payment card, such as a credit card or debit card. The purpose may be to obtain goods or services or to make payment to another account, which is controlled by a criminal. The Payment Card Industry Data Security Standard is the data security standard created to help financial institutions process card payments securely and reduce card fraud.
A credit card is a payment card, usually issued by a bank, allowing its users to purchase goods or services or withdraw cash on credit. Using the card thus accrues debt that has to be repaid later. Credit cards are one of the most widely used forms of payment across the world.
A payment processor is a system that enables financial transactions, commonly employed by a merchant, to handle transactions with customers from various channels such as credit cards and debit cards or bank accounts. They are usually broken down into two types: front-end and back-end.
A card security code is a series of numbers that, in addition to the bank card number, is printed on a credit or debit card. The CSC is used as a security feature for card not present transactions, where a personal identification number (PIN) cannot be manually entered by the cardholder. It was instituted to reduce the incidence of credit card fraud. Unlike the card number, the CSC is deliberately not embossed, so that it is not read when using a mechanical credit card imprinter which will only pick up embossed numbers.
Worldpay, Inc. is an American payment processing company and technology provider. In February 2024, it was separated from Fidelity National Information Services (FIS) to become an independent company once again. It is majority owned by private equity firm GTCR. It is headquartered in the greater Cincinnati, Ohio area. Worldpay, Inc., is the largest U.S. merchant acquirer ranked by general-purpose transaction volume.
Ukrainian Processing Center is a Ukrainian company founded in 1997 which provides processing services and software for banks. UPC was the first Ukrainian company within the sphere of processing that received MSP and TPP status in Visa and Mastercard. In April 1997 UPC processed the first ATM EC/MC card transaction. Since 2005 UPC has been part of the Raiffeisen Bank International. The head office of UPC is based in Kyiv. Ukrainian Processing Center provides services to banks in Central and East Europe in the sphere of processing payment cards, merchant acquiring and ATM channel management. UPC also offers integrated IT systems for electronic commerce, card transaction monitoring systems for fraud prevention, a card issuing system and an SMS banking service. Moreover, UPC was the initiator of the establishment of the united ATM network "ATMoSphere", which consists of payment card issuing banks. Annually UPC processes more than 400 million payment card transactions.
Point-to-point encryption (P2PE) is a standard established by the PCI Security Standards Council. Payment solutions that offer similar encryption but do not meet the P2PE standard are referred to as end-to-end encryption (E2EE) solutions. The objective of P2PE and E2EE is to provide a payment security solution that instantaneously converts confidential payment card data and information into indecipherable code at the time the card is swiped, in order to prevent hacking and fraud. It is designed to maximize the security of payment card transactions in an increasingly complex regulatory environment.
Unified Payments Interface, commonly referred to as UPI, is an Indian instant payment system as well as protocol developed by the National Payments Corporation of India (NPCI) in 2016. The interface facilitates inter-bank peer-to-peer (P2P) and person-to-merchant (P2M) transactions. It is used on mobile devices to instantly transfer funds between two bank accounts. The mobile number of the device is required to be registered with the bank. The UPI ID of the recipient can be used to transfer money. It runs as an open source application programming interface (API) on top of the Immediate Payment Service (IMPS), and is regulated by the Reserve Bank of India (RBI). Indian Banks started making their UPI-enabled apps available on Google Play on 25 August 2016.
The Central Electronic System of Payments (CESOP) regime is an automatic exchange of information regime being introduced in the European Union from 1 January 2024. The rules were introduced by Council Directive 2020/284, amending the EU's Value-added tax Directive.