Today, digital payments account for $11.5T in commerce. And for some businesses, they are responsible for 100% of their revenue. But facilitating digital payments is difficult—that is, if you want strong coverage, good security, and low merchant fees.
For small organizations, the woes of digital payments are a forgivable line-item. They tend to stick with a single payment gateway (e.g. Stripe or Square) and strictly accept global credit cards like VISA or Mastercard. But larger organizations have global clientele, and those merchant fees account for millions (and occasionally billions) of lost revenue.
The solution has been multi-payment processor systems (sometimes known as multi-payment gateways). Multi-payment processor systems integrate multiple payment providers to handle transactions. These systems boost coverage to local populations and minimize net transaction fees. The issue? They are considerably harder to implement.
Today, we’ll explore the benefits and costs associated with multi-payment processor systems. We’ll also visit our own design choices behind Evervault (we’re an encryption provider that specializes in payments); we’re acutely familiar with what security techniques are necessary to streamline implementing multi-payment processor systems.
A straightforward payments infrastructure would use a single payment service provider (or PSP) to handle customer transactions. A multi-payment processor system is a system that scaffolds around multiple PSPs. For example, a stack that routes payments both over Stripe and WorldPay would be considered a multi-payment processor system.
There are three distinct benefit categories for multi-payment processor systems: (i) coverage, (ii) costs, and (iii) resilience. Let’s discuss all three of these in-depth.
By offering multiple payment gateways, companies can service more global audiences. While some payment networks are fairly worldwide (e.g. VISA or Mastercard), many users prefer other payment options, like local bank deposits, mobile payments, or cryptocurrencies. For some users, it may be a make-or-break issue before making a purchase; for others, it’s a preference and vote of confidence. Either way, by supporting more payment options, companies encourage conversion and build trust amongst users.
The flip-side is also true. Some payment gateways are more likely to reject transactions that aren’t familiar. For instance, a debit card issued in Uruguay may not clear a network used to American credit cards. But with a multi-payment processor system, companies can route charges to maximize approval rates.
Multiple payment gateways enable businesses to do least-cost routing, where transaction fees are minimized on a per-transaction basis. This could shave between 0.1% and 0.5% off payment fees for some transactions.
Transaction fees are particularly important for businesses with high volume and/or tight margins. For instance, if your business is doing lots of $1-20 transactions, then merchant fees are significant because of the fixed per-transaction component (most merchant fees use an X% + Y¢ format).
Additionally, for take-rate businesses like Uber and Lyft, their margins are tight, and merchant fees bite into them.
Payment networks can fail. ACH transfers via TCH had an outage in 2023, VISA failed in 2018, and Optus stumbled last year. And when networks fail, revenue is lost.
However, with multi-payment processor systems, companies have a lower chance of suffering a full financial outage, instead being able to rely on the remaining systems.
While multi-processor payment set-ups do offer incredible benefits, they can be difficult to set up and maintain. In a nutshell, multi-payment processor systems are complex. They require a whole additional layer of management that’s not relevant to single processor setups. These issues could be organized into four categories.
Because each payment provider has its own nuances and charge flows, implementing them in parallel with other payment options can be tricky. It’s not just about building alternative payment paths, but also accounting for users floating between them.
For instance, users may expect to modify payment methods for subscription products, where payments may shift rails in-between months. Users may also expect to change payment methods for older purchases, requiring complex refund and re-charge logic.
In general, supporting more providers means more API connections to write and more edge cases to consider. This can add significant engineering overhead.
With more processors involved, there are more attack vectors for a potential data breach. Different processors support different features. Consequently, API design may sharply differ across providers.
This makes security tricky. Each payment gateway needs to be secured, but security may need to be customized for the blindspots of each payment gateway.
Additional payment providers also make compliance trickier, particularly PCI compliance. Each individual set of payment rails must meet compliance standards. This includes ensuring no payment data is ever vulnerable in plaintext and that access to each system is locked down. Compliance is already tricky with just one system; it dramatically compounds with multi-payment processor systems.
Finally, multi-payment processor systems scatter data. With financial information spread across various payment platforms, it becomes harder for teams to get a unified view of transactions. This poses a problem when companies need to track and analyze payment data. And in the case of a bug, it becomes harder to trace and understand where behavior went askew.
Without tooting our horn too much, we want to visit Evervault’s design that was directly inspired by these sub-problems. Evervault is not an opinionated multi-payment processor system. Instead, it’s a set of encryption tools that makes implementing multi-payment processor systems significantly easier.
From securing sensitive payment data to simplifying PCI compliance, Evervault makes it easier to protect transactions while maintaining flexibility and efficiency.
Evervault provides easy-to-integrate, pre-built UI components to easily get started with a multi-payment processor approach. This eliminates the need for custom-built security solutions. Once collected, data can be decrypted and shared across various payment processors seamlessly using Evervault’s Relay system. Evervault’s SDKs, offered in all widely used programming languages and application frameworks, make it possible to integrate with Evervault with just a few lines of code.
Evervault ensures that sensitive payment data is encrypted at the field level as soon as it’s collected, keeping cardholder information protected at rest, in transit, and in use. This is necessary when creating a CDE (Cardholder Data Environment).
Evervault encryption happens before the data even touches the company’s infrastructure, minimizing the risk of data breaches across all payment processors. The encryption is managed through Evervault’s Relay system, which decrypts the data only when it reaches the designated payment processor, maintaining both security and flexibility in payment routing. Evervault also provides support for strong authentication mechanisms like 3D-Secure, helping businesses comply with regulations and reduce fraud.
Evervault simplifies PCI DSS compliance by encrypting cardholder data from the point of collection, reducing the need for businesses to handle plaintext payment data at any point in their payment workflow. By using Evervault’s platform, companies can minimize their PCI compliance scope to just the simplest level (SAQ A), eliminating the majority of security controls they’d otherwise need to manage. Evervault’s encryption covers all stages of data flow, ensuring businesses remain compliant with PCI DSS while Evervault handles encryption and decryption in secure environments like AWS Nitro Enclaves.
Evervault’s Inspect API gives businesses richer card data by performing a Bank Identification Number (BIN) lookup on card details. This lookup provides key information such as the card’s issuer, brand, currency, and country of origin. With these insights, businesses can make smarter decisions on which payment gateway to use for each transaction, optimizing processing for factors like cost, acceptance rate, or regional preference.
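As an added illustration (not Evervault code and not part of the original post), the sketch below applies the least-cost routing and failover ideas described earlier to BIN-lookup style metadata. The processor names, fee schedules and the `fee_cents` and `route` helpers are hypothetical; the router rejects any field beyond issuer, brand, currency and country, so a plaintext card number can never enter the routing layer.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

# Only BIN-lookup style metadata may reach the router; card numbers stay encrypted.
ALLOWED_META = {"brand", "country", "currency", "issuer"}

@dataclass(frozen=True)
class Processor:
    name: str
    percent: Decimal               # X in "X% + Y cents"
    fixed_cents: int               # Y in "X% + Y cents"
    cross_border_percent: Decimal  # surcharge for cards issued outside `home`
    home: frozenset
    brands: frozenset
    healthy: bool = True           # fed by health checks in a real deployment

def fee_cents(p, amount_cents, country):
    """Fee in whole cents, using Decimal so money is never handled as float."""
    rate = p.percent + (Decimal(0) if country in p.home else p.cross_border_percent)
    variable = (Decimal(amount_cents) * rate / 100).quantize(
        Decimal("1"), rounding=ROUND_HALF_UP)
    return int(variable) + p.fixed_cents

def route(processors, amount_cents, card_meta):
    """Return processor names as a failover chain, cheapest first."""
    extra = set(card_meta) - ALLOWED_META
    if extra:
        raise ValueError(f"unexpected card fields in routing layer: {sorted(extra)}")
    usable = [p for p in processors
              if p.healthy and card_meta["brand"] in p.brands]
    usable.sort(key=lambda p: (fee_cents(p, amount_cents, card_meta["country"]), p.name))
    return [p.name for p in usable]

# Constructed fee schedules; real rates come from each provider's contract.
PSPS = [
    Processor("psp_a", Decimal("2.9"), 30, Decimal("1.5"),
              frozenset({"US"}), frozenset({"visa", "mastercard"})),
    Processor("psp_b", Decimal("2.5"), 45, Decimal("0.5"),
              frozenset({"US", "UY"}), frozenset({"visa"})),
]

if __name__ == "__main__":
    us_visa = {"brand": "visa", "country": "US"}
    print(route(PSPS, 1_000, us_visa))    # $10 ticket: fixed fee dominates
    print(route(PSPS, 20_000, us_visa))   # $200 ticket: percentage dominates
    print(route(PSPS, 1_000, {"brand": "visa", "country": "UY"}))
```

The returned list doubles as the retry order: if the first processor declines or is down, the caller moves to the next entry instead of failing the payment.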
Multi-payment processor systems offer amazing advantages. They expand the number of potential customers, they minimize costs, and they boost resilience to network failures. However, they’re tough to set up, lock down, and maintain.
Thankfully, solutions like Evervault make security and PCI compliance significantly easier when standing up multiple payment provider systems. By simplifying encryption and compliance, Evervault helps businesses focus on their core operations without worrying about the technical and regulatory burdens of handling sensitive payment data across different platforms.