Saturday, 21 May 2016

Why do most payment gateways use synchronous integration?

Question posted on stackexchange:


This question comes to my mind having just lost some money while ordering pizza. Most internet merchants (at least in India) use synchronous page redirection for integration with banks and payment gateways.
It works like this: when you visit a merchant site and checkout something it redirects you to the payment gateway passing along request as arguments in a POST or GET request, which redirects you to the bank, which redirects you to verified by Visa and then redirections all the way back. 
The problem is that often the redirection would fail or break due to a network error, slow connection, domain blocked by company firewall etc and the payment would get lost.
Off the top of my head, such integrations would be much better handled using an asynchronous MOM provider. Example: the merchant places a payment request message signed with his private key on Bank's MOM queue and asks the user to authorize the payment with his bank. The user opens Bank's mobile app or website and sees the request in list of pending payment requests. Once authorized the Bank places a message back on Merchant's MOM queue and all is done. 
From my primitive google-fu it seems not many payment gateways are providing asynchronous integration. 
Am I missing a web design principle here, or is it just mass incompetence? Why don't more gateways use an asynchronous approach?
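The asynchronous exchange the question sketches, worked through as an added example (this is not code from the Stack Exchange post or from this blog): the merchant signs a payment request with its private key, the bank checks the signature against the key that merchant registered, parks the request for the customer to approve in the banking app, and places a signed result on the merchant's queue. The use of Ed25519 over a JSON payload, the in-memory maps standing in for the two MOM queues, the merchant name "pizza-shop", the customer "alice" and the request ids are all assumptions of this example. It goes a little beyond the question's sketch in two places a practitioner would want covered: a one-time request id so a message delivered twice (or replayed) is rejected, and a check that only the customer named in the request can authorise it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// PaymentRequest is what the merchant places on the bank's queue. RequestID is a
// one-time id so the bank can drop a message that is delivered or replayed twice.
type PaymentRequest struct{ RequestID, Merchant, Customer string; AmountINR int }

// PaymentResult is the bank's reply on the merchant's queue: "approved" or "declined".
type PaymentResult struct{ RequestID, Status string }

// SignedMessage is the wire format: a JSON payload plus an Ed25519 signature over it.
type SignedMessage struct{ Payload, Signature []byte }

func sign(priv ed25519.PrivateKey, v interface{}) (SignedMessage, error) {
	payload, err := json.Marshal(v)
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{payload, ed25519.Sign(priv, payload)}, nil
}

// Merchant keeps its own signing key; Pub is what it registers with the bank.
type Merchant struct{ Name string; Pub ed25519.PublicKey; priv ed25519.PrivateKey }

// Bank keeps registered merchant keys, requests awaiting the customer (what the
// banking app would list) and every request id already accepted (the replay guard).
type Bank struct {
	Pub       ed25519.PublicKey
	priv      ed25519.PrivateKey
	merchants map[string]ed25519.PublicKey
	Pending   map[string]PaymentRequest
	seen      map[string]bool
}

func NewMerchant(name string) *Merchant {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Merchant{name, pub, priv}
}

func NewBank() *Bank {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Bank{pub, priv, map[string]ed25519.PublicKey{}, map[string]PaymentRequest{}, map[string]bool{}}
}

// Register records a merchant's public key; in practice this happens once, out of band.
func (b *Bank) Register(m *Merchant) { b.merchants[m.Name] = m.Pub }

// Step 1: the merchant signs the request and puts it on the bank's queue.
func (m *Merchant) CreateRequest(id, customer string, amountINR int) (SignedMessage, error) {
	return sign(m.priv, PaymentRequest{id, m.Name, customer, amountINR})
}

// Step 2: the bank consumes its queue. The merchant name is read from the still-untrusted
// payload only to pick a key; nothing is queued for the customer until the signature verifies.
func (b *Bank) Receive(msg SignedMessage) error {
	var req PaymentRequest
	if err := json.Unmarshal(msg.Payload, &req); err != nil {
		return err
	}
	pub, ok := b.merchants[req.Merchant]
	if !ok || !ed25519.Verify(pub, msg.Payload, msg.Signature) {
		return fmt.Errorf("rejected request claiming merchant %q: unknown key or bad signature", req.Merchant)
	}
	if b.seen[req.RequestID] {
		return fmt.Errorf("duplicate request %s", req.RequestID)
	}
	b.seen[req.RequestID] = true
	b.Pending[req.RequestID] = req
	return nil
}

// Step 3: the named customer approves or declines in the banking app; the bank signs
// the outcome and places it on the merchant's queue.
func (b *Bank) Decide(customer, requestID string, approve bool) (SignedMessage, error) {
	req, ok := b.Pending[requestID]
	if !ok || req.Customer != customer {
		return SignedMessage{}, fmt.Errorf("no pending request %s for customer %q", requestID, customer)
	}
	delete(b.Pending, requestID)
	status := "declined"
	if approve {
		status = "approved"
	}
	return sign(b.priv, PaymentResult{requestID, status})
}

// Step 4: the merchant consumes its queue, trusting only results signed by the bank.
func (m *Merchant) Settle(bankPub ed25519.PublicKey, msg SignedMessage) (PaymentResult, error) {
	var res PaymentResult
	if !ed25519.Verify(bankPub, msg.Payload, msg.Signature) {
		return res, fmt.Errorf("result not signed by the bank")
	}
	err := json.Unmarshal(msg.Payload, &res)
	return res, err
}
```

A typical run is `bank.Register(shop)`, then `shop.CreateRequest("req-0001", "alice", 450)` handed to `bank.Receive`, `bank.Decide("alice", "req-0001", true)` once the customer acts, and `shop.Settle(bank.Pub, reply)` on the merchant side. Two choices matter for the failure the question describes. Because every message is signed over its exact bytes, either side can safely re-deliver a message it is not sure arrived, and the request id lets the bank discard the duplicate rather than charge twice; that is what makes the flow tolerant of the dropped connections that break a redirect chain. And `Receive` reads the merchant name from the payload only to select a key, so a message naming an unknown merchant or carrying a signature under a different key is rejected before anything is queued for the customer.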


The short answer is 'history'.
If you go back even just 10 years, banks only did payments at physical devices, terminals, where you would have one terminal id per payment device. All transactions needed to supply this terminal id. Obviously, you couldn't leave the shop with your goods until you had successfully paid. Hence the synchronous nature of payments. The key thing here is a merchant can only use one terminal id at a time.
Then the internet came along and merchants said "why can we not just do payments online?". So the banks said, OK, send along everything you normally would, just flagged slightly differently (so we can charge you more). This bank message includes the terminal id. Therefore internet transactions inherited the synchronous nature of card-present transactions.
Then add on top fraud protection devices such as 3DS and CV2AVS, and changing becomes really difficult for the poor old banks. 
You will find newer banks will implement asynchronous payment methods which 'may' be a better model. But then you'll be fighting with two forces. 
  • Merchants saying, why do I have to change my payment model when moving from 'old bank' to 'cool bank'.
  • Customers saying "I've bought a pizza, but I'm scared because it did something I wasn't expecting and I don't know if I paid".
You cannot underestimate either of these effects. We're therefore left with the majority of synchronous payment models throughout the internet.
Don't jump straight on the 'incompetent' camp, since it is much easier to design how a perfect world would work when we don't have a real world to deal with.
Hope this helps.
