Case Study: PCI & Gateway Integration for Nepali Merchants
IT 204: E-Commerce
Learning Objectives
By the end of this case study, you will be able to analyze a real-world payment integration strategy.
- ✅ Explain how Hosted Payment Pages (HPP) reduce PCI DSS scope for merchants.
- ✅ Describe the role of tokenization in enabling "saved card" features securely.
- ✅ Evaluate the function of 3-D Secure in mitigating fraud and payment disputes.
- ✅ Connect these technical choices to business outcomes like conversion rates and operational efficiency.
The Challenge: Moving Beyond Local Payments
A Nepali online retailer needed to expand its payment options beyond the standard methods.
Current State
- Cash on Delivery (COD)
- Local Wallets (e.g., eSewa, Khalti)
- Limitation: Low balance caps on wallets hindered high-ticket sales.
The Goal 🎯
- Accept international/domestic credit & debit cards.
- Increase conversion for expensive items.
- CRITICAL: Avoid the complexity and risk of handling card data directly.
The Security Hurdle: PCI DSS
Payment Card Industry Data Security Standard (PCI DSS): A set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.
Directly handling card data is complex, expensive, and high-risk.
💡 The primary goal for any small-to-medium merchant is to reduce their PCI scope as much as possible.
Solution Part 1: The Hosted Payment Page (HPP)
The merchant chose an integration method that keeps card data completely off their servers.
User Checkout Flow 🛒
- User clicks "Pay with Card" on the merchant's site.
- Browser is redirected to a secure page hosted by the Payment Gateway.
- User enters card details directly onto the gateway's page.
- Gateway processes the payment and redirects the user back to the merchant's site with a success/failure status.
Result: The merchant's system never sees or touches the raw card number. ⚡
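The step where the gateway redirects the user back with a status is the point where a merchant can still make a mistake: the browser-supplied status must not be trusted on its own. The following added example (not code from the case study or from any real gateway) shows a merchant-side handler for a hypothetical HPP redirect whose parameters are signed with an HMAC-SHA256 shared secret; it verifies the signature, checks the amount and currency against the pending order, and keeps only the returned token, which ties into the tokenization step below. The field names, the signing scheme and the secret are all assumptions.

```python
import hmac
import hashlib

# Hypothetical shared secret issued by the gateway to the merchant (constructed).
GATEWAY_SECRET = b"example-merchant-secret"

# Fields the hypothetical gateway includes in the signed redirect, in this order.
SIGNED_FIELDS = ("order_id", "status", "amount", "currency", "token")


def sign_params(params: dict, secret: bytes = GATEWAY_SECRET) -> str:
    """Canonical 'field=value' pairs joined by '&', then HMAC-SHA256 hex digest.
    Mirrors what the hypothetical gateway computes before redirecting."""
    canonical = "&".join(f"{k}={params.get(k, '')}" for k in SIGNED_FIELDS)
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def verify_return(params: dict, pending_orders: dict, secret: bytes = GATEWAY_SECRET) -> dict:
    """Validate a redirect back from the HPP before marking an order as paid.
    pending_orders maps order_id -> {"amount": str, "currency": str} as sent to the gateway."""
    expected = sign_params(params, secret)
    # Constant-time comparison: a forged or edited query string fails here.
    if not hmac.compare_digest(expected, params.get("sig", "")):
        return {"ok": False, "reason": "bad_signature"}
    order = pending_orders.get(params.get("order_id"))
    if order is None:
        return {"ok": False, "reason": "unknown_order"}
    # The charged amount/currency must equal what the merchant asked for.
    if order["amount"] != params.get("amount") or order["currency"] != params.get("currency"):
        return {"ok": False, "reason": "amount_mismatch"}
    if params.get("status") != "SUCCESS":
        return {"ok": False, "reason": "declined"}
    # Tokenization: the merchant persists only the gateway token, never a card number.
    return {"ok": True, "order_id": params["order_id"], "saved_token": params.get("token") or None}
```

Treat the verified redirect as a signal to update the order and then confirm the payment with the gateway server-to-server (via its API or a signed notification), so that a user who closes the browser mid-redirect does not leave a paid order marked as pending.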
Reducing PCI Scope: SAQ A vs. SAQ D
This HPP approach drastically simplifies PCI compliance.
SAQ A (The Goal)
For merchants that completely outsource all cardholder data functions.
- Simplest questionnaire
- Fewest controls to validate
- Achieved via HPP / Redirect
SAQ D (The Nightmare)
For merchants who store, process, or transmit cardholder data.
- Most complex, lengthy questionnaire
- Hundreds of security controls
- Requires significant IT/security overhead
Choosing an HPP allows a merchant to qualify for SAQ A, the lightest level of PCI validation.
Solution Part 2: Tokenization for Repeat Customers
How can the site offer a "save card" feature without storing card data?
Tokenization: A process where sensitive card numbers are replaced with a unique, non-sensitive equivalent known as a "token." The token is useless to an attacker who steals it, because it cannot be reversed to recover the card number.
🔍 How it Works:
- On first payment, the gateway saves the card details in its secure, PCI-compliant vault.
- The gateway returns a safe token (e.g., `tok_1Jabc...`) to the merchant.
- The merchant stores this token against the user's profile.
- For future payments, the merchant sends the token instead of the card details.
Solution Part 3: 3-D Secure (3DS)
To prevent fraudulent transactions and chargebacks, 3-D Secure was integrated.
Frictionless Flow ✅
The customer's bank recognizes the transaction as low-risk and approves it instantly without any extra steps. This is the ideal user experience.
Challenge Flow 🔐
The bank requires an extra verification step (Strong Customer Authentication, SCA). The user is prompted to provide one of the following:
- An OTP sent to their phone
- A password
- A biometric confirmation via their banking app
Benefit: Liability for fraudulent chargebacks often shifts from the merchant to the card-issuing bank.
Operational Impact: Automated Reconciliation 📊
Accepting a new payment type adds operational complexity. Automation is key.
Reconciliation: The process of matching transactions processed by the payment gateway to the funds deposited into the merchant's bank account.
- The payment gateway provides a daily settlement file (CSV, XML, or via API).
- This file lists all successful transactions and fees for that day.
- An automated script was developed to ingest this file and match it against orders in the internal accounting system.
- This eliminates hours of manual work and reduces human error.
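As an added example of the reconciliation script described above (not the retailer's actual code), the following Python matches a constructed daily settlement CSV against a constructed snapshot of the internal order system. It reports matched orders, amount mismatches, settlements with no matching order, orders that were not settled, and the net payout after gateway fees. The column names and the sample values are assumptions.

```python
import csv
import io
from decimal import Decimal

# Constructed sample settlement file: one row per successful transaction plus fee.
SETTLEMENT_CSV = """txn_id,order_id,gross_amount,fee,currency,settled_on
TX-9001,ORD-1001,45000.00,1125.00,NPR,2024-03-01
TX-9002,ORD-1002,12500.00,312.50,NPR,2024-03-01
TX-9003,ORD-1009,8000.00,200.00,NPR,2024-03-01
"""

# Constructed snapshot of the internal accounting system: card orders awaiting settlement.
INTERNAL_ORDERS = {
    "ORD-1001": Decimal("45000.00"),
    "ORD-1002": Decimal("12000.00"),   # differs from the settlement file on purpose
    "ORD-1003": Decimal("3000.00"),    # absent from the file: still unsettled
}


def reconcile(csv_text: str, orders: dict) -> dict:
    """Match settlement rows to internal orders.
    Decimal (not float) is used so amounts and fees add exactly."""
    matched, mismatched, unknown = [], [], []
    gross = fees = Decimal("0")
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        amount, fee = Decimal(row["gross_amount"]), Decimal(row["fee"])
        gross += amount
        fees += fee
        oid = row["order_id"]
        seen.add(oid)
        if oid not in orders:
            unknown.append(oid)          # gateway settled something we have no order for
        elif orders[oid] != amount:
            mismatched.append((oid, orders[oid], amount))
        else:
            matched.append(oid)
    unsettled = sorted(set(orders) - seen)  # awaiting settlement or needs follow-up
    return {"matched": matched, "mismatched": mismatched, "unknown": unknown,
            "unsettled": unsettled, "gross": gross, "fees": fees,
            "net_payout": gross - fees}


if __name__ == "__main__":
    for key, value in reconcile(SETTLEMENT_CSV, INTERNAL_ORDERS).items():
        print(f"{key}: {value}")
```

Anything in the mismatched, unknown or unsettled lists is the exception queue that a person reviews; everything else closes automatically.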
Practical Application: The Nepali Context
This HPP and Tokenization model is a standard for enabling card payments in Nepal.
Local Gateways
Companies like NCHL (N-PAY) and local banks provide the infrastructure for card processing.
International Gateways
Merchants targeting tourists or international customers often use Stripe or Cybersource via a local partner bank.
Why it Works Here
It allows Nepali SMEs to access global payment standards without massive upfront investment in security infrastructure.
Case Outcomes & Business Impact
✅ Security & Compliance
- Card acceptance achieved with minimal PCI scope (SAQ A).
- Reduced fraudulent disputes and chargebacks due to 3-D Secure.
📈 Sales & Conversion
- Improved conversion rate for high-ticket items.
- Removed the "wallet balance" as a checkout blocker.
- Enhanced user experience with a secure, trusted checkout flow.
A smart technical strategy directly led to improved security posture and increased revenue.
Key Takeaways
What are the core lessons from this implementation?
- 🎯 Prioritize PCI Scope Reduction: Always choose the integration method with the lightest possible compliance footprint. An HPP is often the best choice for non-enterprise merchants.
- 🔐 Never Handle Raw Card Data: Let the payment gateway's secure vault and tokenization system manage sensitive data.
- UX is Security: A clear, well-designed 3-D Secure flow and robust error handling are crucial for minimizing checkout abandonment.
- ⚙️ Think Beyond the Button: Plan for back-office operations like reconciliation from day one to ensure scalability.
Thank You
This case study demonstrates how strategic technology choices in payment systems can unlock growth while minimizing risk.
Next Up: Unit 4.6 - Digital Wallets and Mobile Payment Systems