Guest Checkout Solution - Alt ID

  


On July 28, 2022, the RBI issued a notification under Payment and Settlement Systems regarding restrictions on the storage of actual card data:

No entity in the card transaction/payment chain, other than the card issuers and/or card networks, shall store CoF (Card on File) data, and any such data stored previously shall be purged.

Let us try to understand the basic flow of this awesome security feature in the simplest form ever. 

When making a payment using your credit card on a merchant website, you may have noticed an option to save your card information. By selecting this option, you are giving the merchant consent to tokenize your actual card number and store it. This allows you to avoid entering your full card number again for future transactions.

But what if you do not want your card information stored, even if it is tokenized? In that case, you will need to enter your card details each time you make a purchase. This is known as acting as a "guest," hence the term "Guest Checkout."

"𝘛𝘰𝘬𝘦𝘯 𝘪𝘴 𝘢𝘯 𝘪𝘥𝘦𝘯𝘵𝘪𝘧𝘪𝘦𝘳 𝘵𝘩𝘢𝘵 𝘳𝘦𝘱𝘭𝘢𝘤𝘦𝘴 𝘢 𝘳𝘦𝘢𝘭 𝘤𝘳𝘦𝘥𝘪𝘵 𝘤𝘢𝘳𝘥 𝘯𝘶𝘮𝘣𝘦𝘳 𝘸𝘪𝘵𝘩 𝘢 𝘶𝘯𝘪𝘲𝘶𝘦 𝘯𝘶𝘮𝘣𝘦𝘳 𝘵𝘰 𝘱𝘳𝘰𝘵𝘦𝘤𝘵 𝘴𝘦𝘯𝘴𝘪𝘵𝘪𝘷𝘦 𝘤𝘢𝘳𝘥 𝘥𝘢𝘵𝘢 𝘥𝘶𝘳𝘪𝘯𝘨 𝘵𝘳𝘢𝘯𝘴𝘢𝘤𝘵𝘪𝘰𝘯𝘴. 𝘛𝘩𝘦 𝘱𝘳𝘰𝘤𝘦𝘴𝘴 𝘵𝘰 𝘱𝘳𝘰𝘷𝘪𝘥𝘦 𝘛𝘰𝘬𝘦𝘯 𝘪𝘴 𝘬𝘯𝘰𝘸𝘯 𝘢𝘴 𝘛𝘰𝘬𝘦𝘯𝘪𝘻𝘢𝘵𝘪𝘰𝘯."

But RBI the Big Boss says, even in the case of Guest Checkout, card numbers cannot be stored, and tokenization is required to complete the transaction. Now this is some trick question came point blank to all the entities involved into the Payment chain.

Why did they want to store card numbers in the first place, and why was tokenization necessary? Why is the RBI introducing this change and trying to disturb an already established ecosystem that is just running smoothly.

Let me give the answer on behalf of RBI 😉 Entities in the payment chain wanted to store card numbers for backend processes such as refunds and chargebacks. However, there have been many incidents in the past where merchant databases were compromised, leading to the leakage of original card numbers (PAN). The RBI decided to address this issue by mandating a solution.

And the solution was Tokenization of Card number, meaning providing a different set of number which will look like the Card number but it is not a card number. In all the messages (via API) instead of PAN the Token will travel (of course until Card Network).

To answer the "Guest Checkout" challenge, the solution is an Alt ID (Alternative ID).

(These functions similarly to tokenization but is differentiated by the term "Alt ID" for ease of differentiating between regular tokenization and Guest Checkout.)

1/ Who creates the Alt ID – Card Network

2/ Who can view the clear Card Number (PAN) – Card Network and Issuer

3/ Who cannot store the clear PAN – Merchant, Payment Gateway, Payment Aggregator, Acquirer

Alt ID Provisioning


1/ Cardholder enters clear Card number on merchant website lets say amazon.in
2/ Merchant will send this info to the Payment Gateway.
3/ Payment Gateway will ask Card Network to create an Alt ID (Token) and provide it to the Payment Gateway (PG).
4/ Card Network will ask Issuer to verify the Card Details. Issuer confirms the card details positively.
5/ Card Network creates an Alt ID (Token) and sends back to the Payment Gateway (PG).
6/ Payment Gateway shares this info with Merchant.


                                   Transaction Flow using Alt ID


Read after the Provisioning

1/ Merchant will send the Alt ID which they received during the Provisioning to Payment Gateway.
2/ Payment Gateway will send this Alt ID to Acquirer.
3/ Acquirer will send this Alt ID to the Card Network.
4/ Card Network will decrypt the Alt ID (via Token Vault) and sends clear Card Number (PAN) to Issuer for Authorization.
5/ Issuer Authorizes the Transaction and sends clear Card Number (PAN) to the Card Network.
6/ Card Network encrypts the clear Card Number (PAN) and sends the Alt ID to the Acquirer. 
7/ Acquirer sends the Alt ID to Payment Gateway subsequently to the Merchant.
8/ Based on the Authorization result, Cardholder gets the Approval or Decline message on the Merchant website. 

Disclaimer:

  • The process flow diagrams included in this blog are original creations by the author, Neeraj Singh. Any reproduction or use of these diagrams requires prior permission from the author.
  • Mentions and images of Amazon, Visa and Discover logo are the property of their respective organizations and have been sourced from Google search. All rights to these trademarks and logos belong to their respective organizations.
Location: Mumbai, Maharashtra, India

Comments

Post a Comment

Popular posts from this blog

3D Secure (Online / Card Not Present / eComm) Transaction Flow

Image
  While making an online payment, have you ever seen any of the following on the OTP page, depending on the card network you use? Visa - Verified by Visa Mastercard - Mastercard SecureCode American Express (Amex) - Safekey Discover and Diners Club International (DCI) - ProtectBuy Have you ever wondered what these mean? All of them are the proprietary names given by their own networks. Basically they are the 3D Secure protocol.😀 Let us decode them today in this article in the simplest form possible (only functional). I will explain the step-by-step transaction flow of eCommerce / Card Not Present (CNP) / Online transactions. When you see any of the above logo on the web page where you are making a payment, it means that your transaction is protected by the 3D Secure protocol. This security protocol adds an additional layer of authentication for online transactions to reduce fraud. If a transaction has happened on 3D Secure protocol, then in case of Chargeback, liability is shifted to
Read more

Card Payments - Part 1 (Auth)

Image
  Image Courtesy:https://paytechlaw.com/ Card Payments is a very vast domain and covering it through a blog becomes more challenging. This blog aims to give a high-level understanding of Card Payments in the most structured and organized way. Today world is moving at a great pace and hence stress would be laid in bestowing benefits to almost all groups influenced by Card Payments under professional and domestic growth. The topic will focus gradually on exploring the functionality and the mechanism behind this one of the most used methods of the payment system.   Participants Acquirer An Acquirer is a financial institution that processes transactions on behalf of a merchant. It holds the merchant's bank account and facilitates the acceptance of payment cards. Merchant A merchant refers to a business, either physical (Card Present) or online (Card Not Present), where a customer makes a purchase using a card issued by a financial institution (Issuer). The Point of Sale (POS) terminal
Read more

Decoding Basic Structure of ISO8583 (MTI, Bitmap and Data Elements)

Image
The way we speak in a certain language to make our life easier by communicating with each other, payments also have various languages. For Card Payment it is ISO8583. This language keeps the Card Payment world connected with each other. Let us try to understand the basic structure of this beautiful language in the simplest form ever.  Imagine an ISO8583 message as a structured sentence where different parts tell a story about a transaction. Each message is made up of 1/  MTI (Message Type Indicator) - Like a title it tells you what type of message it is (e.g. a payment request) 2/  Bitmap - A map that shows which parts of the message are included 3/  Data Elements - The actual details of the transaction like the card number, amount and date etc Detailed Explanation 1/ Reading the MTI (Message Type Indicator) The MTI is a 4 digit code that specifies the type of message. For example, 0200 indicates a financial transaction request (authorization) 1.1/ Breakdown of 0200: 0 - Tells you whi
Read more