Here you will see a self implemented idea about payment processing and fraud analisys, this is just a little POC ilustrating a solution on acquirer market. This project use, docker, docker-compose, python, machine learning, ruby on rails, nodejs and testing with jest.
- 1 - Project
- 1.1 - About
- 1.2 - Guide
- 1.3 - Prerequisites
- 1.4 - Installing
- 1.5 - Running
- 1.6 - Usage
- 1.7 - Tests
- 2 - Acquirer Market
- 2.1 Money Flow and Information Flow
- 2.2 Chargeback and Refound
- 2.3 Hypothetical Transactional Data
- Links
On this project i implement a multisystem solution, one system will process the first request and using some protections will reject or not the request initially. If it is ok, this system make two request to other two systems at the same time, if one of these denied the transaction an error occur stopping the process and responding with reject message. One of these systems is implemented using machine learning, which return a percentage of fraud and other system is have static rules like a blacklist of users. The image bellow explain it better.
-
Gateway: Building on NodeJS this choice occur first because i'm more acquainted using it, and seccond is because NodeJS(Javascript) is very good with promises and requests. I used Redis to reject fast multiple transactions of the same user, and postgres to store credentials.Here you can see:
-
ML-Service: Building using tensorflow, keras and flask, this choice is because machine larning can show the best option when static rules don't block suspect transactions. And this stack is the more fast to learn and implement in on few days using some templates and tutorials.
-
Rules-Service: Builded using Ruby on Rails is a choice by the maintenance, performance, what is very good to process static rules like storing blacklist and verifing this. The idea was use more complex static rules but it will encrease mutch the time of building, so now only have have one simple route, schema and function.
-
Dockerized: All this project run just running 'docker-compose up', eacth system have a specify container.
-
1.2.1 - Terminal commands
When you see something like this:
$ echo 'hello'Is for copy all the command after the '$' symbol and run on your linux like terminal.
Before the '$' symbol maybe the current path what are needed to run the command is described. Like:
...home$ echo 'hello'On this case to run it echo 'hello' inside the ./home directory.
-
1.2.2 - API Description
HTTP METHOD - /route - Little description of it behaviour.
Received or sended object schema. Ex: { "text":"Lorem ipsum..." }Final thoughts about API behaviour
Exemple:
GET - /health - API return status 200 with object below.
{ "message":"I'm Alive!" }Simple way to verify if API is up. Maybe is not implemented on this project
Usage - In this case you will make a GET request on http://localhost:5000/health. And will receive the JSON object "message: I'm Alive!" on the console, terminal or display, depending on the case.
Now you can understand better the steps below.
-
1.3.1 - API Client
You will need one tool to make requests and interact with your API. Some famous API Clients are Insomnia, Thunder CLient to VSCode users, Postman and many others, like browsers plugins. If you dont use to complex jobs any of these will help you.
-
1.3.2 - Git
You need install GIT if you don't already have, to clone project,.
Click here or Acess:
https://git-scm.com/downloads -
1.3.3 - Docker
You need install Docker on your machine if you don't already have.
Click here or Acess:
https://docs.docker.com/get-docker/And use the step-by-step doc to download and install on your specific system.
-
1.4.1 - Clone on your local system
$ git clone https://github.com/raferdev/payment_processor -
1.4.2 - Go to project path
$ cd payment_processor -
1.4.3 - Create env file
WARN : To emprove more simplicity and customised options i have opted for divide 3 paths: production, development and test. For each path of this you can set a ".env" file which docker will use to run in this specific environment and set the instructions for production, development or test.
Separated in Recommended(1) or Advanced(2) method, choose one.
.1 - Recommended: You can rename the ".env.exemple" file to ".env", just removing ".exemple" and save, the exemple file have the basic configuration to execute on controlled environment, but not to run on real production (99% chance are of you don't need change it ).
Ok, where is the .env.exemple file?
.1.1 First go to the docker path
...paypro$ cd ./gateway/dockerYou can run:
...docker$ lsExpected output:
development production test.1.2 And now you can choose who path open, like:
...docker$ cd developmentAnd change the '.env.exemple' file name to '.env'
...development$ mv .env.exemple .envAdvise: Maybe you will need use 'sudo' command to run with admin privileges like it: 'sudo mv...'.
$ sudo mv .env.exemple .envIf you want to change all the env files to run in production, development and test use cd .. command to return to latest path.
$ cd ..
.2 - Advanced: Open a text editor or other editor do you prefeer, create this variables like below and save file with name '.env'. It need to be in ./paypro/gateway/docker/(production/development/test) path.
# NodeJS PORTGAT= SALT_ROUNDS= JWT_SECRET= INTERN_TOKEN= ADMIN= PASSWORD= MODE= # Postgres DATABASE_URL= POSTGRESPORT= POSTGRES_DB= POSTGRES_USER= POSTGRES_PASSWORD= # Redis REDIS_URL= REDISPORT= REDIS_USER= REDIS_PASSWORD= REDIS_DB=$REDIS_DB # Rails RULESPORT= RULES_SERVER= RAILS_HOST= RAILS_LOG_TO_STDOUT= RAILS_SERVE_STATIC_FILES= # TensorFLow MLPORT= MLHOST= MLDEBUG= ML_SERVER=
-
1.5.1 - Go to the npm path to run the scripts.
Use on terminal:
If you are on the main path.
...paypro$ cd gatewayIf you are inside another path use cd .. to return.
$ cd .. -
1.5.2 - Execute the script.
Now just specify what you want run: production, development or test.
Production:
...gateway$ npm run prodDevelopment:
...gateway$ npm run devTest: The tests are more described 1.7 - Tests
...gateway$ npm run testNow the magic of Docker will setup all the enviroment and start the containers to run the project
Maybe if your network, ram, or cache don't colaborate are a good moment to prepare a coffee and eat some snacks.
IMPORTANT: When you run the npm scripts on the terminal a admin token will be shown, and you can use to test yourself the end points. The token it's appear like bellow and you can copy (normally using Ctrl+Shift+C on terminal).
-
1.6.1 - The Connection
The docker container will set the port of your system with the port of the gateway container and it is specified on the .env file with the variable PORTGAT, the default is 5050 and if wasnt changed the connection with the project will be on the address:
http://localhost:5050/ -
1.6.2 - Routes and Methods
POST - /:token - The token is sended on the route, so dont need header with authorization, the api verify if its the same stored on credentials.
Exemple of route with token:
http://localhost:5050/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5cBODY:
{ "user_id":21320399, (number) "transaction_id": 92895, (number) "merchant_id": 2708, (number) "card_number": "444456******4210", (string) "transaction_date": "2019-12-01T22:45:37873639", (string) "transaction_amount": 734.87, (number) "device_id": 497105 (number) }The possible responses and exemples bellow:
Approved
Denied
Transaction reject by too much requests by same user
If you want see the rate by the machine learning you can see the terminal like this message
On this project i first make the integration tests, this type of tests can check if all the units needed to a functionality, and if these are working correctly together. The tests will run automatically when you use npm run test like described on 1.5 - Running topic.
The expected output after all the container process is like the image below.
Telling us the numbers of passing and failed tests. Above this message the tests are more described, and below this the message the containers stopping is shown.
I will explain the role players involved on the traffic of the information and the money, with his basic purpose existence. The acquirer market involve a lot of steps, laws, technology, and a collaboration of many companies. Each second of the transaction influence the chance of the customers decline the purchase, of some timeout occur, and many others aspects that impact the rate of transactions approved, this impact direcly the merchant and, in turn, all the role players. On the other hand it's not a good play just focus on speed because the elevated risk of fraud or errors that can broke the creditors which have to repasse to his clients, increasing the risk of the operation, costs, fees and judicial process.
First of all we need understand the roles, because depending the transaction type, like credit or debit, some steps aren't the same way, but basically we have this players:
- You, the customer.
- Merchant.
- Gateway.
- Payment Processor.
- Acquirer Bank.
- Issuer Bank.
- Cards Brand System.
- Sub-Acquirer.
You will purcharse something, and to do that you have your bank account, your bank is named on this roadmap like issuer bank, the bank which have your founds and informations to confirm the acquisition. On the other hand the merchant have his bank account too and this bank is named acquirer bank, this is the bank which make the settlement of founds to merchant.
Now you may think it's just a linear information route, and the banks can communicate with itselves and resolve that, but is a very different type of operation. The banks don't take care of the terminal points on merchant's store, before and after the checkout some system is needed to deliver this information, and they don't have the systems that connect all each others, so to make this really possible is necessary an intermediate system which can haddle the requests and take care of this information, sharing your approvement or his rejection, and this player is the gateway. The gateway is a company which will connect all players and return if the transaction is accepted or not. So now we need understand what are needed to validate it, the first thing is send the information to acquirer bank which have the responsabilitie about the merchant methods of payments, score risk of transactions, and manage the your founds, this player are the more relevant on the process, because is the responsable to garantee the settlement of this transaction on determinated period, so possible chargebacks, refounds and invalid transferences which aren't recognized before the confirmation to customer, will generate more costs to manage this founds on this complex system and the companie and the merchant will have lost.
Next step is send to cards brand network, this companie have responsabilities accepting and connecting customer bank (bank issuer) the request information, this step garantee some rules and schemas of the specific brand card which are used. And now we can call the issuer bank, on this step the customer data are check and the founds. The information return on the same way to gateway network with the message of sucess or not, but this transference are really complete in the future.
The real money are moved after the confirmation of the process, and because of this invalid processes will result in charges to the responsable of moving and settlements merchants founds, that are que acquirer bank role, so the acquirer bank in the future, maybe seconds, hours, days, weeks, will resolve the transaction information receiving and giving the respective amount to the merchant account.
Other player can appear connecting the merchant to the acquirer bank, without the gateway the sub-acquirer are the companie which can make the processing of the payment before send to the acquirer bank, connecting with the other players but don't have all the autonomy of the acquirer bank which take your settlement part anyway.
The chargebacks occur when customer don't recognize the payment like valid, when it's by fraud, abuse... And the acconting already happened, so the payment must be inspected and the opposite part have to prove validity, causing feels and cost to process. On the other hand the cancel of payment occur before the acconting, a day or hours and the transaction only "desapear" dont ocasionating more cost's. The chargebacks hurts merchant's chargeback-to-transaction ratio and thats will impact his credibility, besides have to pay feels.This chargebacks only occur when are know fraud, so it's much better detect this fraud before occur, and with caution to don't reject valid operations.
The first thing that is visible is the lack on device_id in some rows, but after analyzing better this does not look to make a difference. Trying to understand a pattern the multiple transactions over a short period looks like relevant but nothing i see is deterministic.
A GPS location of the transaction to determinate nearly impossible payment on different locations. History of payments of a user, merchant, device to understand some pattern maybe, providing a rate of risk. And maybe a obvious thing is a list of valid devices_id, merchants_id...
1# About Project
-
Get Started: 3 Ways to Load CSV files into Colab page.
-
Keras Documentation page.
-
Structured data classification from scratch page.
-
TensorFlow Doc page.
-
Building a simple Keras + deep learning REST API page.
-
Basic classification: Classify images of clothing page.
-
Add a Authentication Header to Your Python Flask App page.
-
A Simple Keras + deep learning REST API. page.
-
The Rails Command Line. page.
2# About Acquirer Market
-
Payment Authorization vs. Settlement: Whatโs the Difference? page.
-
Payments Explained page.
-
Differences Between Refund, Cancel, and Chargeback? page.
-
Whatโs the difference between a merchant acquirer and payment processor? page.
-
What is the role of financial agents in the payment flow of an application in Brazil? page.
-
How Payment Disputes Impact Both Merchants and Consumers page.