Technical aspects of payment gateways

Mutt

Payment gateways are critical systems that enable online transaction processing by connecting online stores, issuing banks, payment systems (Visa, MasterCard) and customers. They perform data transfer, authentication, authorization and transaction security functions. In the context of fraud prevention, including carding using Non-VBV, Auto-VBV or Non-MCSC bins, payment gateways play a key role by integrating anti-fraud systems and supporting standards such as PSD2. Below, I will describe in detail the technical aspects of payment gateways, their architecture, processes and security methods, while maintaining an educational context.

1. What is a payment gateway?

A payment gateway is a hardware and software complex that:
  • Accepts card data from the buyer (number, expiration date, CVV, cardholder name).
  • Transmits requests between the store, the issuing bank (the bank that issued the card), and the acquiring bank (the bank that services the store).
  • Ensures transaction security through encryption, tokenization and authentication.
  • Confirms or rejects transactions based on bank checks and anti-fraud systems.

Examples of popular payment gateways: Stripe, Adyen, PayPal, Braintree, Authorize.net, Worldpay.

2. Technical architecture of the payment gateway

Payment gateways act as intermediaries in the online payment ecosystem. Their architecture includes the following components:

a) Interface for the store

  • API: Payment gateways provide API (REST, SOAP or GraphQL) for integration with the store's website or app. The API allows you to send transaction data (amount, currency, card details) and receive a response (approved/rejected).
  • Hosted Payment Pages: Some gateways offer ready-made payment pages where the user is redirected to enter card details (e.g. PayPal Checkout).
  • SDKs and Libraries: To simplify integration, gateways provide libraries for JavaScript, Python, PHP, and other languages.

b) Encryption and data transmission

  • Security Protocols: Card data is transmitted over secure connections (HTTPS with TLS 1.2/1.3). Gateways use AES-256 encryption to protect data during transmission.
  • PCI DSS: Payment gateways are required to comply with the PCI DSS (Payment Card Industry Data Security Standard), which regulates the processing and storage of card data. This includes:
    • Encryption of card data at all stages.
    • Restricting access to data (for example, only tokens are stored in the store database).
    • Regular security audits.

c) Transaction Routing

  • The gateway sends an authorization request through the payment system (Visa, MasterCard) to the issuing bank.
  • Protocols such as ISO 8583 are used to exchange data between the gateway, the acquiring bank and the issuing bank.
  • The gateway supports routing for optimization: for example, choosing the acquiring bank with the lowest commission or the highest probability of approval.

d) Anti-fraud modules

  • Built-in anti-fraud systems analyze transactions in real time using machine learning, rules and behavioral analysis.
  • Examples: Stripe Radar, Adyen RevenueProtect, Kount, Sift.

e) Tokenization

  • Once the card details are entered, the gateway replaces them with a unique token that is used for subsequent transactions. This reduces the risk of data leakage.
  • Example: Stripe generates a token for the card, which the store stores instead of the actual data.

3. Transaction processing flow

Processing a transaction through a payment gateway involves the following steps:
  1. Data entry:
    • The user enters card details (number, expiration date, CVV, name) on the store website or on the gateway page.
    • Data is transmitted via a secure connection (HTTPS/TLS).
  2. Encryption and tokenization:
    • The gateway encrypts the card data and, if necessary, replaces it with a token.
    • The token is sent to the store for storage, and the actual card data is not stored.
  3. Authentication (3D-Secure):
    • If required (e.g. in Europe under PSD2), the gateway initiates 3D-Secure (Verified by Visa, MasterCard SecureCode).
    • The user is redirected to the bank's page to enter the OTP (SMS code, push notification) or biometric verification.
    • 3DS 2.0 uses Risk-Based Authentication (RBA), analyzing up to 100+ parameters (IP, device, amount) to determine whether full authentication is needed.
  4. Authorization:
    • The gateway sends an authorization request through the payment system (VisaNet, MasterCard) to the issuing bank.
    • The bank checks:
      • Sufficiency of funds.
      • Matching CVV and address (AVS — Address Verification System).
      • Anti-fraud parameters (geolocation, transaction history).
    • The bank returns a response: approved, rejected, or additional verification required.
  5. Anti-fraud analysis:
    • The gateway applies its own anti-fraud rules:
      • IP and geolocation check (for example, via GeoIP or MaxMind databases).
      • Device Fingerprinting (device analysis: OS, browser, screen resolution).
      • Behavioral analysis (input speed, patterns on the site).
    • If a transaction is marked as suspicious, it is rejected or sent for manual review.
  6. Confirmation to the store:
    • The gateway returns the result (approved/rejected) to the store via API.
    • The store notifies the user and completes the order.
  7. Settlement:
    • After authorization, the gateway initiates the transfer of funds from the issuing bank to the acquiring bank (usually takes 1-3 days).
    • The gateway charges a fee (e.g. 2.9% + $0.30 for Stripe).
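As an added illustration of steps 2 and 4 above (this is example code, not code from the post or from any gateway named here): a minimal Python vault that issues merchant-scoped HMAC tokens, and an authorization routine that resolves the token and applies the issuer's CVV/AVS and funds checks. The HMAC key, the issuer records and the card number are constructed test values.

```python
import hashlib
import hmac
import os
import secrets

# Constructed example of steps 2 and 4 above (tokenize, then authorize); not any gateway's code.
VAULT_KEY = os.urandom(32)      # assumed: HMAC key held only inside the gateway's vault
_VAULT: dict[str, dict] = {}    # token -> card record; the store only ever holds the token
# Constructed issuer records standing in for the issuing bank: PAN -> balance, CVV, ZIP
ISSUER_CARDS = {"4111111111111111": {"balance": 5000, "cvv": "123", "zip": "10001"}}

def luhn_ok(pan: str) -> bool:
    """Cheap sanity check on the PAN before anything is stored or sent onward."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def tokenize(merchant_id: str, pan: str) -> str:
    """Replace the PAN with a merchant-scoped token: an HMAC over merchant id, PAN and a
    random nonce, so the token reveals nothing about the PAN and two stores never share one."""
    if not pan.isdigit() or not luhn_ok(pan):
        raise ValueError("invalid card number")
    msg = f"{merchant_id}|{pan}|{secrets.token_hex(8)}".encode()
    token = "tok_" + hmac.new(VAULT_KEY, msg, hashlib.sha256).hexdigest()[:24]
    _VAULT[token] = {"merchant": merchant_id, "pan": pan, "last4": pan[-4:]}
    return token

def authorize(merchant_id: str, token: str, amount: int, cvv: str, zip_code: str) -> dict:
    """Resolve the token inside the vault, then run the issuer's checks: the token is rejected
    for any other merchant, and a CVV or AVS mismatch declines even when funds suffice."""
    rec = _VAULT.get(token)
    if rec is None or rec["merchant"] != merchant_id:
        return {"approved": False, "reason": "token_not_valid_for_merchant"}
    card = ISSUER_CARDS.get(rec["pan"])
    if card is None:
        return {"approved": False, "reason": "no_such_card"}
    cvv_match, avs_match = card["cvv"] == cvv, card["zip"] == zip_code
    if not (cvv_match and avs_match):
        return {"approved": False, "reason": "cvv_or_avs_mismatch",
                "cvv_match": cvv_match, "avs_match": avs_match}
    if card["balance"] < amount:
        return {"approved": False, "reason": "insufficient_funds"}
    card["balance"] -= amount               # hold placed; settlement to the acquirer follows later
    return {"approved": True, "reason": "approved", "last4": rec["last4"]}
```

The store keeps only the returned token and the last four digits, which is what lets it stay outside most of the PCI DSS scope described in section 2b.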

4. Technical aspects of security

Payment gateways use multi-layered mechanisms to prevent fraud, including carding with Non-VBV, Auto-VBV or Non-MCSC bins:

a) 3D-Secure 2.0

  • Mechanism: 3DS 2.0 support is mandatory in Europe (under PSD2) and is increasingly being used globally. Gateways integrate 3DS via API, redirecting the user to the bank's authentication page.
  • Impact on carding: Non-VBV bins become ineffective because 3DS requires OTP or biometrics, which are not available to carders. Auto-VBV bins can only work for low-risk transactions, but anti-fraud systems often block them.
  • Technical details:
    • The gateway sends transaction data (amount, IP, device) to the 3DS system.
    • The issuing bank returns the status: "Frictionless" (no verification for low risk) or "Challenge" (OTP/biometrics required).
    • Example: Stripe Checkout automatically initiates 3DS if the store is located in the EEA.

b) Anti-fraud systems

  • Machine learning:
    • Gateways like Stripe Radar or Adyen RevenueProtect use AI to analyze transactions:
      • Training on historical data (legitimate and fraudulent transactions).
      • Detect patterns (e.g. multiple attempts from one card, suspicious IPs).
    • Example: If a Non-VBV bin is used with an IP from a region that does not match the card's issuing country, the system assigns a high risk and rejects the transaction.
  • Rules and filters:
    • Gateways allow stores to set up rules such as:
      • Blocking transactions from certain IPs (VPN, Tor).
      • Limit transactions by amount, region or BIN.
      • Requiring CVV or AVS for all transactions.
    • Example: Stripe allows blocking transactions if the CVV does not match, even for Non-VBV bins.
  • Behavioral analysis:
    • Analysis of user actions: time on site, data entry speed, page sequence.
    • Example: If a user goes straight to payment without viewing products, this may be a sign of automation (bot).

c) Tokenization

  • Mechanism: The gateway replaces the card details with a token that is unique to the specific store and transaction.
  • Impact on carding: Even if a carder intercepts the token, it is useless outside of a specific store.
  • Technical details:
    • Tokens are generated using cryptographic algorithms (e.g. HMAC).
    • Example: Stripe returns a token tok_123 instead of a card number, which the store uses for repeat payments.

d) Device Fingerprinting

  • Mechanism: The gateway collects unique device characteristics (browser, OS, fonts, screen resolution) to create a "fingerprint".
  • Impact on carding: Carders using VPNs or disposable devices are easily identified as their fingerprint does not match the typical cardholder profile.
  • Example: Adyen uses device fingerprints to match transactions with user history.

e) Geolocation and IP analysis

  • Mechanism: Gateways integrate with databases (MaxMind, GeoIP) to check whether the IP address matches the card's issuing region.
  • Impact on carding: Non-VBV bins are often rejected if the IP does not match the region (e.g. a US card with a Russian IP).
  • Technical details:
    • The gateway checks the ASN (autonomous system) of the IP to detect VPNs or anonymizers.
    • Example: Stripe Radar may block a transaction if the IP is associated with a known fraudulent pool.

5. Integration with PSD2 and impact on Non-VBV bins

In Europe, PSD2 (Payment Services Directive 2) requires mandatory two-factor authentication (SCA) via 3D-Secure for most online transactions. Payment gateways play a key role in implementing this standard:
  • SCA and 3DS 2.0:
    • Gateways automatically initiate 3DS for transactions within the EEA, making Non-VBV bins virtually useless as OTP or biometrics are required.
    • Example: Adyen redirects the user to the 3DS page if the transaction falls under PSD2, even for Non-VBV bins.
  • Exceptions to SCA:
    • Gateways support PSD2 exceptions (e.g. transactions up to €30 or repeat payments) but use anti-fraud analysis to assess risks.
    • Example: Stripe may let a €20 purchase through without 3DS, but only if the user's IP, device, and behavior match the cardholder's profile.
  • Anti-fraud measures:
    • Even if a Non-VBV bin is used under an SCA exception, the gateway applies additional checks (CVV, AVS, geolocation), which reduces the probability of successful carding.
    • Example: Braintree will reject a transaction with a Non-VBV bin if the IP points to a region with high fraud rates.
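Added example for the rule-based checks of section 4 and the SCA decision of section 5 (example code, not the code of any product named above): a small Python risk engine that scores a transaction with BIN/IP-country, ASN, CVV, device and velocity rules, applies the PSD2 low-value exemption, and returns the frictionless/challenge/decline outcome. The BIN table, ASN list and EEA set are constructed, and the "in scope when issuer and merchant are both in the EEA" rule is a simplification of the directive's scope.

```python
from dataclasses import dataclass

# Constructed rule engine illustrating sections 4 and 5; not any real gateway's code.
BIN_COUNTRY = {"411111": "US", "535110": "DE"}          # constructed BIN -> issuing country
ANONYMIZER_ASNS = {64512, 64513}                        # constructed ASNs treated as VPN/Tor
EEA = {"DE", "FR", "NL", "ES", "IT", "IE", "AT", "BE"}  # subset, for the example only

@dataclass
class Tx:
    bin6: str
    amount_eur: float
    ip_country: str
    asn: int
    cvv_match: bool
    known_device: bool              # device fingerprint seen before for this cardholder
    merchant_country: str
    attempts_last_hour: int = 0     # authorizations tried on this card in the last hour
    spent_since_sca: float = 0.0    # cumulative low-value spend since the last SCA
    count_since_sca: int = 0        # low-value transactions since the last SCA

def risk_score(tx: Tx) -> tuple[int, list[str]]:
    """Additive rule score; the names of triggered rules go to the review queue / logs."""
    rules = [
        (BIN_COUNTRY.get(tx.bin6, tx.ip_country) != tx.ip_country, 40, "bin_ip_country_mismatch"),
        (tx.asn in ANONYMIZER_ASNS, 30, "anonymizer_asn"),
        (not tx.cvv_match, 50, "cvv_mismatch"),
        (not tx.known_device, 15, "new_device"),
        (tx.attempts_last_hour >= 3, 25, "velocity"),
    ]
    hits = [name for fired, _, name in rules if fired]
    return sum(w for fired, w, _ in rules if fired), hits

def low_value_exempt(tx: Tx) -> bool:
    """PSD2 RTS Art. 16 low-value exemption: at most EUR 30, and no more than
    EUR 100 or 5 transactions since the last SCA."""
    return (tx.amount_eur <= 30 and tx.spent_since_sca + tx.amount_eur <= 100
            and tx.count_since_sca < 5)

def decide(tx: Tx) -> dict:
    """Outcome of the 3DS 2.0 flow: frictionless, challenge (OTP/biometrics) or decline.
    Simplification (assumed): SCA applies when both issuer and merchant are in the EEA."""
    score, hits = risk_score(tx)
    if score >= 70:
        return {"action": "decline", "score": score, "rules": hits}
    in_scope = BIN_COUNTRY.get(tx.bin6) in EEA and tx.merchant_country in EEA
    if (in_scope and not low_value_exempt(tx)) or score >= 30:
        return {"action": "challenge", "score": score, "rules": hits}
    return {"action": "frictionless", "score": score, "rules": hits}
```

Note that the exemption only removes the challenge step; the risk rules still run, which is the point made above about anti-fraud checks under SCA exceptions.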

6. Practical impact on carding

Payment gateways make it much more difficult to use Non-VBV, Auto-VBV and Non-MCSC bins in fraudulent schemes:
  • 3DS 2.0: Mandatory authentication in Europe (and increasingly in other regions) makes Non-VBV bins ineffective as they require access to the owner's phone or biometric data.
  • Anti-fraud systems: Machine learning, Device Fingerprinting and geolocation identify suspicious transactions even when 3DS is not required.
  • Tokenization: Carders cannot reuse stolen card data as tokens are tied to a specific store.
  • Chargeback Monitoring: Gateways monitor chargebacks, blocking cards and IPs associated with fraud.

Example: A carder attempts to use a Non-VBV bin (e.g. 479126, ESL FCU, USA) in a European store via Stripe. The gateway initiates a 3DS (under PSD2), and if the transaction falls under an exception, Stripe Radar checks the IP, device, and behavior, rejecting the transaction if there are any discrepancies.

7. Modern trends and improvements

Payment gateways are constantly evolving to counter new threats:
  • AI and Machine Learning: Improving algorithms to detect complex fraud schemes such as automated attacks or the use of "clean" devices.
  • Biometrics: Integration of behavioral biometrics (mouse movement analysis, input speed) for additional verification.
  • Global Standardization: 3DS 2.0 expansion beyond the EEA, making Non-VBV bins less effective even in the US and Asia.
  • API for anti-fraud services: Gateways integrate with external platforms (Sift, Kount), enhancing protection.
  • Dynamic Routing: Selecting the acquiring bank with the best anti-fraud protection for a specific transaction.

8. Ethical and legal aspects

  • Privacy: Gateways collect a lot of data (IP, device, behavior), which raises privacy concerns. They are required to comply with GDPR (in Europe) and other data protection laws.
  • Erroneous Blocks: Anti-fraud systems sometimes reject legitimate transactions, requiring a balance between security and convenience.
  • Legal implications for carders: Gateways actively cooperate with banks and law enforcement agencies by transmitting data on fraudulent transactions, which increases the risks for carders.

Conclusion

Payment gateways are complex systems that provide security, authentication and transaction processing using APIs, encryption, tokenization and anti-fraud mechanisms. Their integration with 3D-Secure 2.0, PSD2 support and the use of AI make them a powerful barrier to carding, especially with Non-VBV, Auto-VBV and Non-MCSC bins. Technical aspects such as Device Fingerprinting, geolocation and behavioral analysis minimize the fraudsters’ opportunities, while tokenization and 3DS practically rule out the successful use of stolen data in Europe. Global trends point to further strengthening of security, which makes carding more complex and risky.

If you want to dive deeper into a specific aspect (for example, how Stripe Radar works or 3DS integration via API), let me know!