Consumers and organizations have a variety of options for making and receiving payments. While these payment types share the ultimate goal of transferring funds from payer to payee, the path those funds travel and the approaches employed for safely and securely completing transactions vary. The Secure Payments Task Force developed the Payment Lifecycles and Security Profiles as an educational resource and to provide perspectives related to:

  • The lifecycles of the most common payment types, covering enrollment, transaction flow and reconciliation
  • Security methods, identity management controls and sensitive data occurring at each step in the payment lifecycles
  • Relevant laws and regulations, and other references, as well as challenges and improvement opportunities related to each payment type

The profiles employ a consistent format for describing the lifecycle of each payment type. The lifecycle template is not designed to represent the nuances of specific payment transaction flows, but as a broad taxonomy that can be applied across different payment types for understanding and comparing controls and risks. The profiles are not all-encompassing in describing the layered security strategies that may be employed by specific networks, providers or businesses and shouldn’t be considered an assessment of overall security of different payment types. The improvement opportunities noted in the profiles highlight areas for further industry exploration and are not intended as guidance or specific solutions to be implemented.

These valuable resources were developed through the collaborative efforts of more than 200 task force participants with diverse payments and security expertise and perspectives. It is the hope of the task force that by helping industry stakeholders better understand these payments processes, the security and risks associated with these processes, and potential improvement opportunities, they will be well positioned to take action to strengthen their payment security practices.

Note: These materials were created by the Secure Payments Task Force and are intended to be used as educational resources. The information provided in the Payment Lifecycles and Security Profiles does not necessarily reflect the views of any particular individual or organization participating in the Secure Payments Task Force. The document is not intended to provide business or legal advice and is not regulatory guidance. Readers should consult with their own business and legal advisors.

Feedback and/or questions related to the Payment Lifecycles and Security Profiles can be submitted by using the “provide feedback” form.

General Payment Flow

The general payment flow defines the steps at each point in the payment lifecycle; however, each payment type may vary at certain points in the process because of differing standards, technologies and, in some cases, the physical equipment and systems that serve as the interface between payer and payee. Some of these steps take place almost instantly, while others may take several days depending on the payment type.

Enrollment

Payer ID

Enrollment of a payer includes identity (ID) proofing, management of users (enrollment, de-enrollment, and changes) and determination of authority based on role

Payee ID

Enrollment of a payee includes identity (ID) proofing, management of users (enrollment, de-enrollment and changes) and determination of authority based on role

Transaction*

Payer Authentication

Verification of payer when originating payments

Initiation

Initiation comprises four parts:

  • Access Mode / Network: Environment in which the payment origination is requested
  • Device Used to Initiate Payment: Type of interaction or device used to enter payment account information
  • Funding Account for Payment: Entry and/or identification of the funding account (with format checks)
  • Payment Initiation Mechanism: Payment network, system and/or third-party accessed

Payer Authorization

Payer Authorization comprises two parts:

  • Payment Network Traversed: “Rails” used to route authorization requests to the holder of the funding account
  • Transaction Authorization: Determination of whether to approve or decline a transaction including authorization time-frame, obligations, and any recourse decisions

Format Exchange

Payment instructions, rules, and formatting

Receipt

Acknowledgement/Guarantee: Notification and confirmation of payment completion including terms for use

Payee Authentication

Mode of access to funds (or accounts)

Clearing and Settlement

Settlement / Exchange of Funds: Actual movement of funds to settle funding arrangements and applicable fees

Reconciliation

Reconciliation / Exception Handling

Process and responsibilities associated with reconciliation and handling any exceptions or problems with a payment

User Protection / Recourse

Applicable rules, regulations, and legal means of recourse
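The steps above are easier to reason about as an ordered lifecycle with a reconciliation pass at the end. The following is an added example written for this page, not code from the Secure Payments Task Force or any payment network. It models a payment as a record that may only advance through the transaction steps in the order listed (payer authentication, initiation, authorization, receipt, settlement) and then reconciles the payer side's ledger against a settlement file, reporting the kinds of exceptions the Reconciliation / Exception Handling step has to deal with: a settlement with no matching initiation, a duplicate settlement, an amount mismatch, a settlement for a payment that was never authorized, and an authorized payment that never settled. The step names, payment IDs, amounts and settlement-file layout are all constructed for illustration.

```python
"""Added example: a minimal model of the general payment flow with
step-ordering checks and a reconciliation pass. All names, records and
amounts are constructed; none come from the Task Force profiles."""
from dataclasses import dataclass, field
from decimal import Decimal
from enum import IntEnum
from typing import Dict, List, Optional


class Step(IntEnum):
    # Transaction steps in the order the general payment flow lists them.
    PAYER_AUTHENTICATED = 1
    INITIATED = 2
    AUTHORIZED = 3
    RECEIPT_ISSUED = 4
    SETTLED = 5


@dataclass
class Payment:
    payment_id: str
    payer: str
    payee: str
    amount: Decimal
    steps: List[Step] = field(default_factory=list)

    def next_step(self) -> Optional[Step]:
        """The only step this payment may advance to, or None once settled."""
        n = len(self.steps) + 1
        return Step(n) if n <= len(Step) else None

    def advance(self, step: Step) -> None:
        """Record a step, refusing to skip, repeat or reorder one."""
        expected = self.next_step()
        if expected is None or step != expected:
            raise ValueError(f"{self.payment_id}: cannot record {step.name}, "
                             f"expected {expected.name if expected else 'nothing'}")
        self.steps.append(step)


@dataclass(frozen=True)
class SettlementRecord:
    # One line of a settlement file received from the payment rails
    # (constructed layout: payment id and settled amount).
    payment_id: str
    amount: Decimal


def reconcile(ledger: Dict[str, Payment],
              settlements: List[SettlementRecord]) -> List[str]:
    """Compare what the payer side authorized with what the rails report
    as settled; return one exception string per discrepancy, sorted."""
    exceptions: List[str] = []
    seen: Dict[str, int] = {}
    for rec in settlements:
        seen[rec.payment_id] = seen.get(rec.payment_id, 0) + 1
        pay = ledger.get(rec.payment_id)
        if pay is None:
            exceptions.append(f"UNEXPECTED_SETTLEMENT {rec.payment_id} {rec.amount}")
            continue
        if seen[rec.payment_id] > 1:
            exceptions.append(f"DUPLICATE_SETTLEMENT {rec.payment_id}")
            continue
        if Step.AUTHORIZED not in pay.steps:
            # The rails settled a payment our authorization step never approved.
            exceptions.append(f"SETTLED_WITHOUT_AUTHORIZATION {rec.payment_id}")
        if rec.amount != pay.amount:
            exceptions.append(f"AMOUNT_MISMATCH {rec.payment_id} "
                              f"expected={pay.amount} settled={rec.amount}")
    for pid, pay in ledger.items():
        if Step.AUTHORIZED in pay.steps and pid not in seen:
            exceptions.append(f"MISSING_SETTLEMENT {pid} {pay.amount}")
    return sorted(exceptions)


def build_sample_ledger() -> Dict[str, Payment]:
    """Constructed payer-side ledger; each payment advanced a given number of steps."""
    ledger: Dict[str, Payment] = {}
    for pid, amount, upto in [("P1", "100.00", 5),   # settled on our side too
                              ("P2", "25.50", 3),    # authorized, awaiting settlement
                              ("P3", "40.00", 2),    # initiated, then declined
                              ("P4", "75.00", 3)]:   # authorized, never settled
        pay = Payment(pid, "payer-A", "payee-B", Decimal(amount))
        for step in list(Step)[:upto]:
            pay.advance(step)
        ledger[pid] = pay
    return ledger


def sample_run() -> List[str]:
    """Reconcile the sample ledger against a constructed settlement file."""
    settlements = [
        SettlementRecord("P1", Decimal("100.00")),
        SettlementRecord("P2", Decimal("25.05")),   # transposed digits
        SettlementRecord("P3", Decimal("40.00")),   # settled although declined
        SettlementRecord("P1", Decimal("100.00")),  # duplicate of the first line
        SettlementRecord("P9", Decimal("10.00")),   # never initiated by us
    ]
    return reconcile(build_sample_ledger(), settlements)


if __name__ == "__main__":
    for line in sample_run():
        print(line)
```

Each exception line names the payment and the category, which is what an exception-handling process needs in order to route the item to the right party (the payer's institution for a missing settlement, the rails or the payee's institution for an unexpected or duplicate one). The `advance` guard matters for the same reason: a payment that cannot be recorded as settled without first being recorded as authorized turns an ordering bug into an immediate error rather than a discrepancy discovered days later at reconciliation.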

Last Updated: 02/21/2018

Footnotes

* Note: Payments/Transfers Flow in Both Directions