Payment processing

This topic provides an overview of payment processing and what Rebilly provides. Payment processing is the management of money transfers from customers to merchants. A payment transaction is the transfer of money from a customer to a merchant so that the customer can receive goods or services. To process a payment, you require a payment gateway account and a merchant bank account.

To view all payment interactions that are available in Rebilly, see Payment management.

Payment gateways

A payment gateway is a service which enables a business to receive payments from customers to their merchant bank account. A merchant account is a bank account that enables businesses to receive payments.

A payment method is a means of making a payment, for example a credit card payment. A payment instrument is a term which describes any means of making a digital payment, such as: credit cards, debit cards, direct debits, payment service providers, and digital wallets.

Rebilly supports over 199 payment gateways and more than 167 payment methods. By using Rebilly, you avoid the complex and time-consuming process of individually integrating payment gateways and methods — you get all this out-of-the-box. Additionally, you will never need to handle these integrations yourself. If you would like to integrate a new payment gateway, Rebilly will do it for you at no additional cost. For more information, see Request a new payment gateway integration.

Rebilly provides an array of payment gateway automations to help you manage your payment gateways. One of the most common gateway automations is gateway routing, which dynamically routes transactions between payment gateways, based on real-time data and selected parameters. For more information, see Gateway automations.

To use a payment gateway in Rebilly, you must have an account with a payment gateway provider, and must configure payment gateway settings in Rebilly. For a complete list of supported gateway providers, see Payment gateways.

To set up and configure payment gateway accounts in Rebilly, see Set up a payment gateway.

Components of a payment transaction

A payment transaction is associated with the following components. The interactions between these components are described in Payment transaction lifecycle:

Payment transaction lifecycle

The following diagram describes the interactions and components in a payment transaction.

[Sequence diagram. Participants: Customer, Merchant's website, Payment gateway, Payment processor, Issuer processor, Issuing bank, Acquiring bank. Steps 1 to 12 are described below.]
  1. A customer initiates a transaction in the merchant's website or app, for example by entering payment details such as credit card details. Rebilly is integrated into the merchant's website or app.
  2. Rebilly captures, encrypts, and securely transmits payment data to a payment gateway that is selected using gateway routing. Rebilly tokenizes the payment data, ensures PCI compliance, and provides fraud protection.
  3. The payment gateway forwards the encrypted payment data to the payment processor for further processing.
  4. The payment processor sends the transaction request to the issuer processor, such as the Visa or Mastercard network.
  5. The issuer processor sends the transaction request to the issuing bank, which is the bank that issued the customer's card.
  6. The issuing bank verifies the transaction details, checks the customer's account status and available funds, performs fraud checks, and makes a decision to approve or decline the transaction based on these results.
  7. The issuer processor sends the authorization response back to the payment processor.
  8. The payment processor sends the authorization response to the payment gateway.
  9. The payment gateway notifies Rebilly of the transaction status, whether it is approved or declined.
  10. Rebilly notifies the customer of the transaction status, whether it is approved or declined.
  11. The issuing bank initiates the settlement process by transferring funds to the acquiring bank, which is the bank that processes payments for the merchant.
  12. The acquiring bank receives funds from the issuing bank and credits them to the merchant's account. The transaction is complete.

PCI compliance and security

All businesses that accept card payments must comply with the Payment Card Industry Data Security Standards (PCI DSS). Obtaining and maintaining PCI compliance is a complex and expensive process. By using Rebilly, you reduce security-related expenses by offloading most of your PCI DSS compliance burden.

Rebilly is a level 1 PCI DSS service provider, and data security is one of our highest priorities. Rebilly goes beyond industry standards to meet a high level of data security at every layer, from server hardening techniques and network segmentation to extensive data integrity logging, secure coding practices, and rigorous testing.

Rebilly is also SOC 2 compliant. This means that sensitive data is managed securely within the context of SaaS and other cloud-based services. For more information about Rebilly and PCI compliance, including a link to download the Rebilly attestation of compliance, see PCI compliance.

Additionally, to make your system more secure, Rebilly provides the ability to tokenize and vault cards and process them, along with secure SDKs in iframes to reveal and capture card data in the merchant website or app. Rebilly enables you to isolate your system from managing or processing card data.

Tokenization and vaulting

Rebilly helps to keep your payment data secure and reduces processing costs by providing tokenized payments. Tokenized payments can produce higher approval rates and ensure less fraud. Rebilly also supports storing and re-using third-party tokens.

Tokenization is the process of replacing Payment Card Numbers (PANs) with unique and non-sensitive strings of numbers called payment tokens. A payment token is a short-lived unique string of numbers that represents a PAN.
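The definition above, shown as an added illustration (this is not Rebilly's code or API): a minimal in-memory vault that swaps a card number for a random numeric token with an expiry. The names `TokenVault`, `luhn_valid`, `mask` and the 300-second lifetime are assumptions, and the card number is a constructed test value.

```python
import secrets
import time

TOKEN_TTL_SECONDS = 300  # assumed lifetime; the page only says tokens are short-lived


def luhn_valid(pan: str) -> bool:
    """Card-number checksum, so obvious typos are rejected before vaulting."""
    if not pan.isdigit():
        return False
    digits = [int(c) for c in reversed(pan)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0


def mask(pan: str) -> str:
    """Form that is safe to log or display: last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Hypothetical in-memory vault; a real one is an isolated, encrypted service."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.monotonic):
        self._ttl, self._clock = ttl, clock
        self._store = {}  # token -> (pan, expiry); the only place the PAN lives

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        # Random digits: the token cannot be reversed into the PAN without the vault.
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        self._store[token] = (pan, self._clock() + self._ttl)
        return token

    def detokenize(self, token: str) -> str:
        entry = self._store.get(token)
        if entry is None or self._clock() >= entry[1]:
            self._store.pop(token, None)  # purge expired entries on access
            raise KeyError("unknown or expired token")
        return entry[0]


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"  # constructed test number, not a real card
    token = vault.tokenize(test_pan)
    print("merchant stores:", token, "| display:", mask(test_pan))
    print("vault resolves token:", vault.detokenize(token) == test_pan)
```

Because the token is random rather than derived from the card number, systems that hold only tokens and masked values never contain data that can be turned back into a PAN without access to the vault.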

Rebilly vaults cardholder data and supports the portability standard. Rebilly is committed to making sure clients have full access to their data when they need it. The safe, secure, free-flow of data makes it a better online experience for everyone.

Fraud protection

Rebilly helps protect you from fraud by providing the following fraud protection:

  • Transaction risk scoring: Use risk scoring to automatically manage the level of risk that is associated with each transaction, and to automate specific actions based on that level of risk. A common use case for risk scoring is to add a customer to a blocklist and to stop the transaction.
  • Enhanced Due Diligence (EDD): Use EDD to confirm customer-provided information against public sources for multiple risk factors such as arrest, fraud, bankruptcy, and occupation information. This feature provides search logs of every automatic check.
  • 3 Domain Secure (3DS): 3DS is an authentication method used by merchants to validate cardholders. The cardholder authenticates their card against the issuing bank's website. The merchant chooses whether to use 3D secure. This enables the merchant to shift liability from themselves to the issuing bank. 3DS requires cardholder interaction.
  • Device fingerprinting: A device fingerprint is a unique identifier for a device. It is generated from specific device characteristics, such as: operating system, browser, and IP address. Device fingerprints are used to identify devices and prevent fraud.
  • Blocklists: Use blocklists to prevent fraud and criminal activity. Blocklists are lists of customer attribute values that are blocked from buying from you. For example, if a customer attempts to make a purchase from you with a credit card or fingerprint that is in a blocklist, the transaction is blocked and will not be processed.
  • Dispute and fraud management: Use Rebilly to automate the dispute process, manage evidence, save time, and reduce human error.

Rebilly also provides a Know Your Customer (KYC) and Anti-Money Laundering (AML) add-on to help you comply with regulations and prevent fraud.

Hosted payment forms

Hosted payment forms are a secure way to capture payment information from your customers without having to handle sensitive payment data yourself. Rebilly hosts your payment forms and ensures that your payment process is secure and PCI-compliant.

You can also embed payment forms into your website and host them yourself. This is a more advanced integration that requires development resources. For more information, see Integrate payment forms.

Billing portals

Billing portals are a secure way to provide your customers with a self-service portal to manage their subscriptions, invoices, and payment methods. Billing portals are customizable and use fully responsive design, built-in error messaging, and validation. For more information, see Billing portals.

Deposit forms

Deposit forms provide a secure and compliant way to allow your customers to deposit funds. Deposit forms use fully responsive design, built-in error messaging, and validation. You can also manually specify the deposit amounts that are presented to the customer, or use deposit strategies to determine the amounts presented to the customer.

For more information, see Deposit forms.