Payment Gateway Solutions
Asseco SEE in Turkey Payment Gateway Solutions
- 12 years of experience in Card Not Present (CNP) Payment Processing
- Payment Gateway Solutions in Turkey, Poland, Romania, Cyprus and Russia
- One and only independent e-payment Gateway in Turkish Market
- More than 15.000 e-merchants
- 6 million card transactions per month
- 39% market share in Turkey
- 3D Secure solutions (90% market share)
- Multi-national customer base
- PCI DSS certified
- Joined Asseco SEE in July 2010
Service & Product Portfolio
1. Hosted Payment Gateway Services
2. Professional Services
3. Packaged Solutions
4. Customer Support Services
Customer Base
- Hosted Payment Gateway
- Software Solutions
Trends in e-commerce & Online Payments
Samile Mümin, Business Development Director
samile.mumin@est.com.tr
Source: Internetworldstats
Global e-commerce Trends
- Global e-commerce market expected to grow at a 19,4 CAGR from 2010 to 2013
Source: J.P. Morgan
e-commerce Trends in USA
Source: The Department of Commerce, Internet World Stats, J.P.
Source: Forrester Research
e-commerce Trends in Europe
Source: The emarketer View
Source: The Centre for Retail Research
Source: Innopay
e-commerce Volume in Turkey ($000,000)
- 2005: 925
- 2006: 1.609
- 2007: 3.691
- 2008: 6.059
- 2009: 6.849
- 2010: 10.153
Source: BKM (Interbank Card Center of Turkey)
and Poland
- Russia, Poland and the Czech Republic are the leading B2C E-Commerce countries in Eastern European region. (Source: ystats.com)
- In Poland, online share of retail trade expected to go up to 3,5% in 2011. (Source: The Centre for Retail Research)
- In whole Europe, Poland will witness the highest increase in online sales in 2011 (up 36%; European average expected to be 18.7%). (Source: Kelkoo)
- The Polish e-commerce has registered an 18% growth in earnings in 2010, with the sector expected to earn around USD 1.65 million. If online auctions are added, the expected amount is set to reach USD 4.94 million. (Source: Warsaw Business Journal)
- The number of Polish e-stores has seen a 28% growth in 2010. (Source: Euromonitor International)
Types of e-commerce
- B2C (Business-to-Consumer): Direct sales to final customer (typically retail trade over the Internet). Standard list prices, no negotiation, relatively smaller ticket size. E.g. Amazon.com, Home Depot, Toys R Us, thy.com
- B2B (Business-to-Business): e-commerce transactions between businesses, such as between a manufacturer and a wholesaler, or between a wholesaler and a retailer. Unlike B2C, price may vary based on order amount and can be subject to negotiation. E.g. Alibaba.com
- C2C (Consumer-to-Consumer): An Internet-facilitated medium that involves transactions between consumers utilizing a third party. The most common example of C2C is the online auction (e.g. ebay, Allegro)
- P2P (Peer-to-Peer): The peer-to-peer (P2P) e-commerce concept refers to putting individuals in direct contact with each other and enabling them to share/trade over the Internet. No intermediary, unlike C2C (e.g. Napster, gnutella)
- G2C (Government to Citizen / Government to Customer): General description of individual transactions made with Government over the Internet (e.g. tax payments, online fee / licence payments, fines settlements etc.)
- C2B (Consumer-to-Business): Individuals offer products and services to companies and the companies pay them (e.g. elance.com)
Most Common Beginner Mistakes
1- No Concrete Business Model / Insufficient Analysis of Revenue Model
2- Key Strengths / Competitive Advantages (cheaper, faster, unique, better?)
3- Website Design Mistakes: Make it user friendly, clear, precise, and easy to find. Keep your links up to date. Design your content so that an elementary school kid can understand your site
4- Unclear, inconsistent product & service categories. Poor product definitions and catalogues.
5- Logistics: Delivery problems, delays, problems with inventory items
7- Waiting for the customers to come to your store.
8- Only focusing on Success Stories
Mostly Sold Items?
- Electronics & Computer (and parts): 50,8%
- Outfit & Accessories: 29,5%
- Books, CD, DVD, Games: 21,3%
- Health & Cosmetic Products: 18,0%
- Flights & Travel: 16,4%
- Food Order: 8,2%
- Accommodation: 6,6%
- Car Rental: 4,9%
- Others: 27,9%
Source: The Interbank Card Center (BKM)
Latest Developments in e-commerce
- Group Buying
- Generic is Dead, Long Live Niche!..
- s-commerce, m-commerce, t-commerce
- Watch Cosmetics, Clothing and Food!
- e-commerce Customer Services
- Professional Executives Get Involved with e-commerce
- Foreign Investment Inflow
- e-auctioneers Get More Pro!..
- Exit Strategies for e-commerce Investors
Show Me The Money!
NestPay - Virtual POS Solution
Diagram labels: Acquirer Bank or Processor; Issuer Bank; Shared VPOS Platform; Bank & Merchant Integration; Payment Authorization Request; 7 x 24 Support; Payment Confirmation; Fraud & Security (3D Secure); Reporting
Hosted Payment Gateway - Value Proposition
- New Revenue Source
- Fast Entrance to the market
- Low Cost of Ownership
- High ROI
- No system development cost
- We adapt to the bank
- We maintain competitive advantage for the bank
- No additional personnel
- We integrate the merchants
- We train the merchants
- We support the merchants
Merchant Safe: Credit Card Data Matching & Secure Storage
- ASEE moves cardholder data from Merchant's environment to EST's PCI DSS compliant storage facility
- EST processes ecommerce payments via unique identifiers created by Merchant Safe for each card.
- Significantly reduces the scope of PCI-DSS compliance
- Eliminates manual tasks related to card data storage and transaction
- Liability shift related to card data theft (from merchant to EST)
- Easier monitoring of recurring payments
- Card data can be matched with any parameter (Insurance Number, Mobile etc.)
MassPay: High Volume Payments
- Solutions for institutions that accept high volume of scheduled payments, e.g. insurance companies, associations & clubs collecting periodical fees and all sorts of companies that sell on scheduled installments
- The solution allows merchants to instruct the system on how and when to process the payment: once the instructions are transferred to MassPay, the payments are processed by the system, avoiding resource inefficiency and manual processes.
- Increase efficiency, eliminate manual processes.
- Handle various payment scenarios like uncollected funds, multiple cards etc.
e-government Collections: e-collection of Taxes
- Motor vehicle tax payments by using Credit Cards via internet
- EST Integrated PGW on Web Channel
- 514 Tax Office + 7 Banks + 3000 VPOS
- 3D Secure Infrastructure
- Online Fine Payment
- Custom Reconciliation Reports
Number of Tax e-payments
- 2009: 574,827
- 2010: 1,313,798
- 2011Q1: 769,673
- 2011P: 3,540,000
* As on March 12th 2009
** 3 month average
e-government Collections: Tax Restructuring
- About 860,000 Turks have applied for a tax restructuring program that reduces some debts and allows others to be paid in installments
- EST will integrate PGW on Web Channel for participating banks
- +6000 tax office integration
- 3D Secure Infrastructure
- Custom Reconciliation Reports
B2B Payments: NestCollect, Specific Solution for Dealer & Agent Payments
1. Dealer searches its due amount of monthly payment to HQ.
2. Dealer/Agent enters its ID.
- NestCollect lists all pre-registered cards that can be used for the payment
- Dealer can create optimum payment mix by choosing different acquirers based on loyalty campaigns, card limit, campaigns etc.
- Dealer can create payment simulation
- Can be integrated to company B2B platform
Sector Specific Solutions - 1: Airlines, Mitigating Fraud and Easing Operations
- EST led the project for the airline company to mitigate fraud and ease their operations.
- 3D Secure: Verified by Visa and MasterCard SecureCode
- EST integrated 3D Secure infrastructure, allowing easy process for cardholders and blocking fraudsters.
- EST integrated flight information with payment and fraud systems to better combat fraud
- The airline company is much better equipped with consolidated views to fight fraud
Example: Customer;
- from Egypt IP address,
- using a credit card issued in South Africa
- getting a ticket from Istanbul to Pakistan
- flight departs in next 2 days,
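The consolidated view on the airline slide can be expressed as a rule-based score over payment and flight data. This is an added example, not EST's or the airline's code; the field names, ISO country codes, weights and review threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class TicketPurchase:
    ip_country: str       # geolocated from the buyer's IP address
    card_country: str     # issuing country of the card
    origin_country: str   # country of the departure airport
    dest_country: str     # country of the arrival airport
    purchased_at: datetime
    departure: datetime

# Hypothetical weights and threshold; a real deployment tunes them on its own chargeback data.
WEIGHTS = {"ip_card_mismatch": 30, "card_off_route": 25,
           "ip_off_route": 20, "imminent_departure": 25}
REVIEW_THRESHOLD = 60
IMMINENT = timedelta(days=2)

def score(p: TicketPurchase):
    """Return (total, signals) combining payment data with flight data."""
    route = {p.origin_country, p.dest_country}
    signals = []
    if p.ip_country != p.card_country:
        signals.append("ip_card_mismatch")
    if p.card_country not in route:
        signals.append("card_off_route")     # card issued outside both ends of the trip
    if p.ip_country not in route:
        signals.append("ip_off_route")       # buyer is in neither country of the trip
    if timedelta(0) <= p.departure - p.purchased_at <= IMMINENT:
        signals.append("imminent_departure") # little time to catch a chargeback
    return sum(WEIGHTS[s] for s in signals), signals

def decide(p: TicketPurchase):
    total, signals = score(p)
    return ("review" if total >= REVIEW_THRESHOLD else "accept"), total, signals

# Constructed sample mirroring the slide: Egypt IP, South African card,
# Istanbul to Pakistan, departing within two days.
SLIDE_EXAMPLE = TicketPurchase("EG", "ZA", "TR", "PK",
                               datetime(2011, 5, 1, 10, 0), datetime(2011, 5, 3, 8, 0))
# Constructed benign sample: Turkish buyer and card, trip in a month.
ORDINARY = TicketPurchase("TR", "TR", "TR", "DE",
                          datetime(2011, 5, 1, 10, 0), datetime(2011, 6, 1, 8, 0))

if __name__ == "__main__":
    print(decide(SLIDE_EXAMPLE))
    print(decide(ORDINARY))
```

No single signal reaches the threshold on its own; the purchase is held for review only when several of them coincide, which is what the consolidated view makes visible.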
Sector Specific Solutions - 2: Pay & Pass Petrol Stations
Loyalty Card = Credit Card
- Buyer matches his credit card with his Loyalty Card at the station using VPOS infrastructure
- Following payments are done via Loyalty Card at the pump. No need to leave the car!
- Scope
  - First Pay & Pass Project
  - 1068 Stations
  - 9912 card matchings in 2011Q1
- RFID Technology
- EST stores card data (Merchant Safe)
- Customer earns both Loyalty Card points and Credit Card points
- Same Loyalty Card can be matched with more than one Credit Card
Sector Specific Solutions - 3: Mobile Number & Credit Card Matching
Mobile No = Credit Card Data
- Scope: Turkey's No:1 Mobile Network Operator
  - 33 Million Potential Customers
- Customer can get his mobile number matched to his credit card
- EST stores card data (Merchant Safe)
- Infrastructure for Mobile Payments via CC
- No transaction amount limitation, unlike Direct Billing or SMS payments
- Enable MNO to create its own merchant network
Sector Specific Solutions - 4: Municipalities - City Cards, Automated Collections
- Scope: Customer: 12 City Municipalities
- Card owners can top up their city cards with their credit cards
  - 14.000 top-ups in 2011Q1
- EST stores card data (Merchant Safe)
- No development or customization on bank side
- No need for ticket, coins or change
- Quick collection in public transport
- Transparency on public transportation revenues
Coming Soon: Physical Shopping With Virtual POS Infrastructure
- Enabling physical shops to use Virtual POS infrastructure to manage their Card Present transactions
- Suitable for merchants with many distributors/agents in different locations
- VPOS Merchant Advantages: central control and monitoring, a single card payment infrastructure (as opposed to various POS machines), standard reporting, ease of secondary transactions (cancellations, credit etc.)
- Merchants want to get the same central management functionality for physical transactions too, so they can get rid of a big portion of the manual work of dealing with each and every single POS machine and instead have central control over one POS network.
Coming Soon: CNP Payments via Mobile Phones
- No downloads stored on phone
- No pre-registration or wallet required
- Payments charged direct to credit/debit card
- No purchase value constraints (no micro-payment limit or premium sms level)
- PCI DSS Level 1 compliance
To be continued
- VAT Refunds
- Social Insurance Payments
- Legal fee and stamp duty payments
- Integration With Other Payment Methods (etransfers, dtransfers)
- s-payments
- Post Delivery e-payments
Emre Özpınar emre.ozpinar@est.com.tr e-payments
ecommerce Payment
1. Credit and Debit Cards with VPOS
2. Bank transfers
3. Standardized bank transfers: iDEAL, Giropay...
4. Electronic money
5. Mobile Operator Invoice
What is a VPOS
- The counterpart of a physical POS in the online world; it helps merchants to acquire money by using payment scheme networks.
- It has an online reporting interface which helps merchants to query their past sales.
- It also has security and fraud features.
- Supports everything a physical POS can do, supports loyalty mechanisms (bonus points), supports instalment payments
MOTO Domain
Diagram labels: Merchant; Consumer; Telephone, call center agents; VPOS; Retail Banking; Acquiring Institution; Visa, MasterCard, Diners, Discover, American Express; Issuing Institution
VPOS Domain
Diagram labels: Merchant; Consumer; Shopping Cart and ecommerce Software; VPOS; Retail Banking; Acquiring Institution; Visa, MasterCard, Diners, Discover, American Express; Issuing Institution
VPOS Domain with 3D Secure
Diagram labels: Merchant; Consumer; Shopping Cart and ecommerce Software; MPI; VPOS; Directory; Retail Banking; Acquiring Institution; Visa, MasterCard, Diners, Discover, American Express; ACS; Issuing Institution
Issues in VPOS?
- Charge-back: Credit and debit card sales are not final; cardholders may reject the sale, marking it as fraud. Each card brand has its own procedures and protections for end users. In the end merchants lose money for the goods that they'd already sold.
- Merchant Credit problems: Most financial institutions are not willing to let small or newly founded merchants use a VPOS. They consider it risky, and they don't have the tools and knowledge to manage them.
- Merchant Customer Data Theft: Merchants have limited knowledge and resources on IT security; customer data, including card data, can be stolen from their systems.
VPOS Suggestions
- For starter merchants, volume limited VPOS
- Using security strategies (3D Secure, Tokenization)
- Passing VPOS knowledge to the branches of acquirer
- Be aware of VPOS sharing without the knowledge of the acquiring institution
- e-government Projects
- Leveraging VPOS for B2B payments
Bank Transfers
Diagram labels: Merchant; Consumer; Shopping Cart and ecommerce Software; Merchant Banking; Retail Banking; Bank A; Bank B
Standardized transfers: iDEAL, Giropay
Diagram labels: Merchant; Consumer; Shopping Cart and ecommerce Software; Regulating Body (iDEAL, Giropay); Bank A; Bank B
Electronic Money (Paypal, WebMoney, cashu)
Diagram labels: Merchant; Consumer; Shopping Cart and ecommerce Software; Bank Transfers, Prepaid, Cards; e-money Provider
Mobile Operator Invoice
Diagram labels: Merchant; Consumer; Shopping Cart, ecommerce Software and Games; Direct or via 3rd party integrators; Mobile Invoice; Mobile Operator
Security in ecommerce
hack
1. to cut, notch, slice, chop, or sever (something) with or as with heavy, irregular blows (often followed by up or down): to hack meat; to hack down trees.
2. Computers. to devise or modify (a computer program), usually skillfully.
Maginot Line
It took nine years for the French to build, but only five days for the Germans to defeat it
Phishing Attacks
- Mostly found in emails
- Nigeria, Congo
- Lottery or prize
- Lawyer of a wealthy
- Too good to be true
Hacking / Cracking Attacks
- Attacks on systems processing card data
- Internet-facing web servers and applications are at risk
- Sony PlayStation Network (April 2011, 77 million users)
Risk Reduction Strategies
- Identity focus, verify
- 3D Secure
- Tokenisation and Data Elimination
- PCI-DSS
Extended Validation Certificate (EV)
- IE (only if you share your browsing history with Microsoft)
- Firefox
3D Secure Ecosystem
- Issuer Bank
  - Sets up Access Control Server (ACS)
  - Registers with card brand directory
  - Educates cardholders
- Acquirer Bank
  - Provides Merchant Plug In (MPI) to merchants
  - Registers merchants to card brand directory
- Cardholders
  - Protect themselves against online fraud by using an extra measure
- Merchants
  - Reduce fraud risk and shift liability to cardholders
3D Secure Domains
3D Secure Authentication
Tokenization
- Replace card data with controlled tokens
- Prevents theft of card data from merchants
- Merchants lower their risk, and still process transactions
- Merchants transfer the responsibility to a 3rd party, making PCI compliance easy
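A minimal token vault illustrating both the Tokenization slide and the Merchant Safe slide (card data matched to a merchant parameter such as a mobile number). This is an added example, not EST's implementation; the class, method names and in-memory storage are assumptions, and a real vault would encrypt the stored card data inside the PCI DSS environment.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Standard Luhn check: double every second digit from the right."""
    digits = [int(c) for c in pan][::-1]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

class TokenVault:
    """Runs on the gateway side; the merchant only ever holds tokens."""
    def __init__(self):
        self._cards = {}    # token -> card data (encrypted at rest in a real vault)
        self._by_ref = {}   # merchant parameter (mobile no, loyalty card, ...) -> tokens

    def register(self, pan, expiry, merchant_ref, cvv2=None):
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("invalid card number")
        # cvv2 may be used for a first authorisation but is deliberately never stored.
        token = secrets.token_urlsafe(16)   # random, so it cannot be reversed into the PAN
        self._cards[token] = {"pan": pan, "expiry": expiry}
        self._by_ref.setdefault(merchant_ref, []).append(token)
        return {"token": token, "last4": pan[-4:]}   # all the merchant gets back

    def tokens_for(self, merchant_ref):
        """One reference can be matched with more than one card."""
        return list(self._by_ref.get(merchant_ref, []))

    def charge(self, token, amount_minor, currency):
        card = self._cards.get(token)
        if card is None:
            return {"approved": False, "reason": "unknown token"}
        # The gateway would send card["pan"] to the acquirer here (not modelled);
        # the response to the merchant carries no card data.
        return {"approved": True, "token": token,
                "amount": amount_minor, "currency": currency}

    def revoke(self, token):
        self._cards.pop(token, None)
        for tokens in self._by_ref.values():
            if token in tokens:
                tokens.remove(token)

if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample: a well-known test card number and a made-up mobile number.
    ref = vault.register("4111111111111111", "12/13", "+905550000000", cvv2="123")
    print(ref["last4"], vault.charge(ref["token"], 2500, "TRY")["approved"])
```

A stolen merchant database then yields only tokens and the last four digits, which are useless outside the vault and can be revoked individually.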
PCI-DSS for Systems
- Build and Maintain a Secure Network
- Protect cardholder data
- Maintain vulnerability management programs
- Implement strong access control measures
- Regularly Monitor and test networks
- Maintain an information security policy
PA-DSS for Applications
- Standards for software vendors
- Targets the security of card data, aligned with PCI-DSS
- Prevents storing highly sensitive data (such as CVV2 or PIN)
- Most of the companies who had their card data stolen did not know that they had this data.
- PA-DSS does apply to payment applications that are typically sold and installed off the shelf without much customization by software vendors.
- PA-DSS does NOT apply to payment applications offered by application or service providers only as a service
PCI Security Standards Validation Requirements
Level 1
- Merchant criteria: Merchants processing more than six million Visa transactions annually via all channels, or global merchants identified as level one by any Visa region.
- Validation requirements: Annual Report on Compliance (ROC) to follow an onsite audit by either a Qualified Security Assessor or qualified internal security resource; quarterly network scan by Approved Scan Vendor (ASV)
Level 2
- Merchant criteria: Merchants processing one million to six million Visa transactions annually via all channels.
- Validation requirements: Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by ASV
Level 3
- Merchant criteria: Merchants processing 20,000 to one million Visa e-commerce transactions annually.
- Validation requirements: Use a service provider that has certified their PCI DSS compliance OR have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ)
Level 4, e-commerce merchants only
- Merchant criteria: Merchants processing fewer than 20,000 Visa e-commerce transactions annually.
- Validation requirements: Use a service provider that has certified their PCI DSS compliance OR have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ)
Level 4, non e-commerce merchants
- Merchant criteria: Merchants processing up to one million Visa transactions annually.
- Validation requirements: Annual SAQ; quarterly network scan by an ASV
PCI Merchant Self Assessment Questionnaire (SAQ)
- SAQ A (11 questions): Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
- SAQ B (21 questions): Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage
- SAQ C-VT (21 questions): Merchants using only web-based virtual terminals, no electronic cardholder data storage
- SAQ C (38 questions): Merchants with payment application systems connected to the Internet, no electronic cardholder data storage
- SAQ D (226 questions): All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.