Payment Service Providers 101

Published in

Feedzai Techblog

9 min readApr 7, 2022

Global eCommerce showed a 14% YoY increase in 2021, as the worldwide economy slowly started recovering from COVID-19 pandemic, exceeding US$5.3 trillion in transaction value. According to WorldPay, point of sale (POS) acquiring recovered strongly from COVID’s recessionary impact in 2021, as 13% YoY market growth surpassed 2019’s market size much sooner than expected.

But regardless of whether they transact on eCommerce or with POS environments, today’s consumers are becoming more demanding. At the same time, payment methods are becoming more complex. More entities are stepping up to accommodate new payment types, technologies, and systems. Payment Service Providers can enable merchants to deliver the experiences and payment methods that their customers have come to expect while removing friction from the payment chain.

The payment chain typically includes four main players.

What is a Merchant?

Merchants are either physical or eCommerce stores, and provide consumers with products or services in exchange for payment. To accept payments, merchants must become a client of the acquirer and open a merchant account — a merchant ID (MID).

What is a Card Network?

Also known as card brand or card flag, a card network provides the rails to connect acquirers with issuer banks to process a card payment. To access it, the acquirer must pay the card network a fee, i.e. an interchange fee. Card networks offer a standard communication mechanism (often based on ISO 8583 protocol) for acquirers and issuers to transmit payment information, as well as to settle the funds between the two entities. Networks also define processes and rules to manage payment disputes, such as chargebacks. Generally speaking, we can also refer to this entity as a payment network when talking about non-card or alternative payment methods.

What is an Issuer Bank?

The issuer bank, or issuer, is a financial institution that issues cards to consumers, providing them with credit or debit accounts. Essentially an issuer sponsors a consumer into the payments ecosystem. The issuer is ultimately responsible for approving or rejecting a payment based on the customer’s available credit or funds, among other risk checks and data validations. After a merchant has requested a payment, the issuer sends the authorization response back to the acquirer through the card network, including a code for approval or the decline reason.

What is an Acquirer?

An acquirer is a bank or financial institution that processes credit or debit card payments on behalf of a merchant, passing the merchant’s transactions through the card network to the applicable issuing bank to receive payments.

The acquirer sponsors a merchant into the payment ecosystem and offers it a MID which allows them to collect payments on the merchant’s behalf. After collecting payments, acquirers pay the merchant for its activity’s net balance — that is, gross sales minus interchange fees, and acquirer fees.

We now have a good understanding of the four main players in the payment chain and have explored how merchants can process payments by entering into a contract with acquirers. However, there are several intermediary companies that provide additional value to the payment chain, and merchants typically will look for more extensive solutions to cover their needs, such as a Payment Service Provider (PSP).

What is a Payment Service Provider?

A Payment Service Provider (PSP) is a broader term for a third-party company that assists businesses in facilitating payments safely and securely. A PSP usually offers value-added services for their merchants such as risk management, reconciliation tools, disputes management and sometimes even a back office for orders management. PSPs can also be acquirers, but not necessarily.

However, there are other terms that make the payment chain more complex:

Payment Processor

As a general term, a Payment Processor provides technology that allows payments to flow in and out of the relevant payment schemes and networks.

Payment Gateway

Traditionally, a payment gateway provided technology for merchants to send Card Not Present (CNP) transactions to their Acquirer. Now, the term is widely used to describe an organization that provides access to payment networks.

Both Payment Processors and Payment Gateway companies work under different models:

ISO

An independent sales organization (or ISO) is a company that sells credit card processing services independently from a financial firm or a bank. In other words, an ISO is a third-party company that can sign up your business with acquirers to accept credit cards but does not own a payment institution or an acquiring license.

PayFac

A Payment Facilitator Model (PayFac) provides merchants with their own MID under a master account, onboarding merchants on a sub-merchant platform.

Aggregator

A Payment Aggregator Model is a financial services provider that signs up merchants directly under its own MID.

If you’re a bit confused, don’t worry! It gets even more confusing! There are several situations where the terminology deviates.

Issuing banks sometimes manage cards on behalf of the networks. For example, Discover and American Express, who are both issuers, acquirers, and card networks at the same time.

Also, some financial institutions are both acquirers and issuers. These banks operate on behalf of both the consumer and the merchant; E.g. Bank of America, Citi Bank, Barclays, Chase, and Wells Fargo. All issue cards to consumers as well as offer merchants the ability to process payments.

Hopefully, to solve the confusion, FinTechs such as Adyen and Stripe have evolved the industry, simplifying the number of relationships merchants require with regard to receiving payments, providing a “one-stop-shop” for all payments processing needs. These FinTechs will provide the gateway services, fraud & risk services, and acquiring services by connecting to multiple processors in different regions and for multiple payment types.

These models have blurred the lines between the previous categories that fall under the term PSP. Payment Gateways become Acquirers, Acquirers become Payment Gateways, Payment Aggregators become PayFacs, PayFacs become Acquirers, etc. As a result, companies like Braintree, Stripe, and Adyen position themselves as eCommerce platforms rather than gateways, offering a full suite for merchants.

Cybersource, traditionally a gateway, is getting omnichannel capabilities through partnerships with firms such as Verifone. Meanwhile, Ingenico, a POS hardware provider, has transitioned itself into an acquirer and processor in both eCommerce and physical stores through the merger and acquisition of multiple companies.

So what do all these companies have in common?

The answer is simple, they all underwrite merchants, and need a way to mitigate the risk of their merchant portfolio.

Underwriting is the process in which a PSP accepts liability and guarantees payment in the event of fraud. Imagine a merchant sells €1 million a month in concert tickets. Suddenly, because of a catastrophe, all concerts get cancelled. As a result, the merchant cannot deliver value to its customers and declares bankruptcy. The consumers will complain to their bank and easily get their money back from the card issuer.

However, someone has to pay the €1 million. If the merchant is bankrupt, the PSP has the liability to pay. This is the risk that payment providers accept. Merchants have different products of both physical and virtual goods, diverse delivery cycles, operate in different industries, and all have different risk levels. This means PSPs must have a method to detect a merchant’s risk.

But, bankruptcy is not the only risk for them. PSPs must protect their merchants from fraud and protect themselves from fraudulent merchants, across all the stages in the lifecycle of the relationship.

1. Merchant Onboarding

Onboarding is the first stage in the relationship with new clients. The PSPs must understand the risk of the merchants they are onboarding, steering clear of fraudulent ones. The process of merchant onboarding typically includes understanding several aspects of the merchant, such as:

Industry: understanding the goods or services that are sold and to whom;
Billing method: how often do consumers pay and how;
Expected volumes: as we saw in the example above, the higher volume, the higher risk;
Historical business information: the longer in business, the lower risk;
Historical chargeback information: what is the chargeback rate for this merchant?;
Ultimate business owner: what is the business owner(s) credit score?

2. Transaction Fraud

As I previously explained, after the merchant starts processing payments with the PSP, the latter becomes liable for fraud and losses. It, therefore, becomes crucial for the PSP to know which payment transactions to accept and which ones to decline. Traditionally, the PSPs looked into implementing rules to minimize risky traffic, such as limiting volumes on a daily, weekly, or monthly basis. Other methods include velocity thresholds to avoid BOT attacks or carding scenarios, and blocking traffic from specific risky countries. This forces PSPs to choose between competing goals.

In order to prioritise merchant risk management, PSPs traditionally were forced to add friction to the payments journey, requesting out-of-band authentications such as 3-D Secure (3DS), or drastically declining transactions after specific amounts or monthly volumes. These measures have a massive negative impact on conversion rates and merchant growth, as well as consumer experiences.

Nowadays, with the inclusion of 3DS 2.0 and sophisticated risk management solutions such as Feedzai that are powered by machine learning, PSPs are able to create more accurate profiles of their consumers and use hundreds of data points as an advantage to minimize false positives. The usage of geo-location, behavioral biometrics and device information as a way to secure digital trust, instead of traditional limiting rules, has given a significant advantage to PSPs to find the optimal balance between risk management and revenue growth.

3. Merchant Monitoring

As I mentioned before, PSPs must protect their merchants from fraud, but equally important is to protect themselves from merchants that behave fraudulently or present a financial risk. For this reason, it is crucial to have the ability to quickly and accurately recognize and monitor changes in merchant behavior.

By implementing a behavioral analysis over their complete merchants’ portfolio, PSPs can spot abnormal merchant behavior and act before more fraud and damages occur. As a result, PSPs are able to prevent losses in money chargebacks and in the case of merchant bankruptcy, and reduce the risk of reputation damage. To do this, PSPs typically perform the following activities:

Proactively look for patterns of fraudulent activities and take preemptive action to reduce losses;
Track merchants’ performance and create alerts to decide which merchants are worth keeping and which jeopardize the PSP’s reputation;
Ensure that merchants are compliant with regulations and policies regarding risk exposure, such as network rules or PSD2;
Regularly consult merchants’ information and alerts in a case management tool.

These activities, help PSPs detect merchant risk into the following four categories:

Merchant Bankruptcy: When a merchant cannot repay its debts. This fraud scenario can be detected through indicators such as days with no transactions, reported chargebacks/fraud, fluctuations in the daily/weekly amounts, transactions placed using the merchant’s own card, or fluctuations in the non-delivery exposure index (NDX).
Excessive Chargeback risk: When a merchant has a high risk of chargebacks. This scenario can be detected through indicators such as reported chargebacks, 3D Secure disabled or riddled with errors, fluctuations in the NDX, and increased fraud rate when compared to the merchant’s typical behavior and to the behavior of similar merchants in the same industry.
Collusive/Fraudulent merchant: When a merchant commits fraud using its customers’ (cardholder) accounts and/or personal information. This fraud scenario can be detected through indicators such as auto-decline rate, heavy fluctuations in transaction volume, and increased fraud rate when compared to the merchant’s typical behavior and to the behavior of similar merchants with the same Merchant Category Code (MCC).
Money laundering: When a merchant processes unknown transactions on behalf of another business. This scenario can be detected through indicators such as the number of transactions linked to blacklists (terrorists, politically exposed persons (PEPs), or sanction lists), transactions placed using the merchant’s own card, transactions with related entities, or merchants with a very large percentage of purchases of the same few products.

However, these three stages in the lifecycle of a Merchant-PSP relationship shouldn’t work independently. The best strategy is to create a holistic view of the merchant risk across all different touchpoints with the PSP, leveraging data across different stages and channels.

The payments landscape is rapidly evolving. All of these different companies and products must work together in favor of consumers, by delivering the best experience to buyers, lowering friction, and maximizing sales — all while keeping the bad actors out of the ecosystem.