Skip to main content

What's wrong with payment gateways?

· 2 min read
Alejandro Revilla

/by apr on why-oh-why/

What's wrong with Payment gateways?

I've seen this problem coming a long time ago; in my country there's a local credit card association called POS2000. After a long long time they've settled on a single ISO-8583 v1987 based protocol that is a mix of several POS and host based protocols where every acquirer managed to bastardize the standard a little bit in order to make the POS implementor's life a little bit worse.

They did a pretty good job (at bastardizing us) and made jPOS quite better (we have now support for esoteric stuff such as the dynamic packagers that change the way we deal with a message for different message types, etc.).

But that's nothing compared to web based payment gateways.

The first craptastic work I've got to see was presented by a local credit card acquirer/issuer.

You know, the regular redirect-to-the-acquirer-site thing with OK and DECLINE URLs which were available in hidden fields, as if a malicious user couldn't read the page source code and hand-craft the OK-url to continue shopping. Come on! More acquirers followed the trend and provided similar pathetic implementations that very few merchants and less users actually use; but things get worst, thanks to the mouse and some visual tools, there's a whole new group of people writing SOAP based services. OMG!!

We are dealing with quite a few now, to support credit card transactions, prepaid top up applications, etc.

Decades of hard work by large financial institutions working on good standards go down the toilet, it's easier to "invent" an API than read an ISO spec and do the right thing. We are working now with a pre-paid phone company and you get to see things like no reversals, and one-second time-window for voids (come on!), and the results code are usually SQL syntax errors displayed to the client.

A similar thing happens with language-specific APIs, vendors think that developers are stupid and not capable enough to deal with a well specified protocol, so they create an API that is usually a bad and closed source implementation of a bad proprietary wire protocol.

Serenity now!