
Unit 4.case

Case Study: PCI & Gateway Integration for Nepali Merchants

IT 204: E-Commerce

Learning Objectives

By the end of this case study, you will be able to analyze a real-world payment integration strategy.

  • ✅ Explain how Hosted Payment Pages (HPP) reduce PCI DSS scope for merchants.
  • ✅ Describe the role of tokenization in enabling "saved card" features securely.
  • ✅ Evaluate the function of 3-D Secure in mitigating fraud and payment disputes.
  • ✅ Connect these technical choices to business outcomes like conversion rates and operational efficiency.

The Challenge: Moving Beyond Local Payments

A Nepali online retailer needed to expand its payment options beyond the standard methods.

Current State

  • Cash on Delivery (COD)
  • Local Wallets (e.g., eSewa, Khalti)
  • Limitation: Low balance caps on wallets hindered high-ticket sales.

The Goal 🎯

  • Accept international/domestic credit & debit cards.
  • Increase conversion for expensive items.
  • CRITICAL: Avoid the complexity and risk of handling card data directly.

The Security Hurdle: PCI DSS

Payment Card Industry Data Security Standard (PCI DSS): A set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.

Directly handling card data is complex, expensive, and high-risk.

💡 The primary goal for any small-to-medium merchant is to reduce their PCI scope as much as possible.

Solution Part 1: The Hosted Payment Page (HPP)

The merchant chose an integration method that keeps card data completely off their servers.

User Checkout Flow 🛒

  1. User clicks "Pay with Card" on the merchant's site.
  2. Browser is redirected to a secure page hosted by the Payment Gateway.
  3. User enters card details directly onto the gateway's page.
  4. Gateway processes the payment and redirects the user back to the merchant's site with a success/failure status.

Result: The merchant's system never sees or touches the raw card number. ⚡
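Step 4 is where a merchant integration most often goes wrong: the success or failure status arrives through the customer's browser, so the merchant's return handler must verify it rather than trust it. The following is an added example, not code from the case study or from any particular gateway; it assumes a hypothetical gateway that signs its return parameters with a shared HMAC secret, and shows the checks a return handler should make before marking an order paid.

```python
import hmac
import hashlib
from decimal import Decimal

# Hypothetical shared secret the gateway issued to this merchant (constructed value).
GATEWAY_SECRET = b"constructed-demo-secret"

# Orders created before the redirect to the HPP (constructed sample data, amounts in NPR).
PENDING_ORDERS = {
    "ORD-1001": {"amount": Decimal("45000.00"), "currency": "NPR", "paid": False},
    "ORD-1002": {"amount": Decimal("1500.00"), "currency": "NPR", "paid": False},
}


def sign_return(params: dict) -> str:
    """HMAC-SHA256 over sorted key=value pairs; a stand-in for the real gateway's signing scheme."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sig")
    return hmac.new(GATEWAY_SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def handle_return(params: dict) -> str:
    """Decide what the merchant's return URL does with the redirected-back parameters.

    The browser delivered them, so nothing below trusts the bare 'status' field:
    the decision rests on the signature, the order record and the expected amount.
    """
    order = PENDING_ORDERS.get(params.get("order_id"))
    if order is None:
        return "reject: unknown order"
    # 1. The signature must cover status, order id and amount; otherwise a customer
    #    could edit the URL and turn a declined payment into a "success".
    if not hmac.compare_digest(sign_return(params).encode(), params.get("sig", "").encode()):
        return "reject: bad signature"
    # 2. The charged amount and currency must equal what the order expects.
    if Decimal(params["amount"]) != order["amount"] or params["currency"] != order["currency"]:
        return "reject: amount mismatch"
    # 3. A signed success for an order already marked paid is a replayed URL, not a new sale.
    if order["paid"]:
        return "ignore: already paid"
    if params["status"] != "SUCCESS":
        return "failed: leave order unpaid"
    order["paid"] = True
    return "paid"
```

Most real gateways also offer a server-to-server notification or a status query API; using that as the source of truth, with the redirect only driving what the customer sees, removes the browser from the decision entirely.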

Interactive: HPP Checkout Flow Simulator

Step through the Hosted Payment Page flow to see exactly where the customer's browser and card data are at each stage.

Reducing PCI Scope: SAQ A vs. SAQ D

This HPP approach drastically simplifies PCI compliance.

SAQ A (The Goal)

For merchants that completely outsource all cardholder data functions.

  • Simplest questionnaire
  • Fewest controls to validate
  • Achieved via HPP / Redirect

SAQ D (The Nightmare)

For merchants who store, process, or transmit cardholder data.

  • Most complex, lengthy questionnaire
  • Hundreds of security controls
  • Requires significant IT/security overhead

Choosing an HPP allows a merchant to qualify for SAQ A, the lightest level of PCI validation.

Interactive: Which SAQ Level Are You?

Answer these 3 questions to determine your merchant's PCI DSS Self-Assessment Questionnaire tier.

Q1: Does your website directly collect card numbers (e.g., via a self-hosted input form or iFrame)?

Q2: Does your server store, process, or transmit any full cardholder data (PAN, CVV, expiry)?

Q3: Do you accept card payments through physical POS hardware at a brick-and-mortar store?

Solution Part 2: Tokenization for Repeat Customers

How can the site offer a "save card" feature without storing card data?

Tokenization: A process where sensitive card numbers are replaced with a unique, non-sensitive equivalent known as a "token." Because only the gateway can map the token back to the card, a stolen token is of no use to an attacker.

🔍 How it Works:

  • On first payment, the gateway saves the card details in its secure, PCI-compliant vault.
  • The gateway returns a safe token (e.g., `tok_1Jabc...`) to the merchant.
  • The merchant stores this token against the user's profile.
  • For future payments, the merchant sends the token instead of the card details.

Interactive: Tokenization in Action

Enter a fake card number and see how the gateway replaces it with a safe, meaningless token that the merchant stores instead.

Solution Part 3: 3-D Secure (3DS)

To prevent fraudulent transactions and chargebacks, 3-D Secure was integrated.

Frictionless Flow ✅

The customer's bank recognizes the transaction as low-risk and approves it instantly without any extra steps. This is the ideal user experience.

Challenge Flow 🔐

The bank requires an extra step for verification (Strong Customer Authentication - SCA). The user is prompted to enter:

  • An OTP sent to their phone
  • A password
  • A biometric confirmation via their banking app

Benefit: Liability for fraudulent chargebacks often shifts from the merchant to the card-issuing bank.

Interactive: 3-D Secure Risk Assessment

Adjust the transaction risk factors to see whether the bank's algorithm would trigger a Frictionless or Challenge flow.

Risk factors in the simulator: transaction amount (Rs. 500 to Rs. 50k+, default Rs. 1,500), customer history (unknown to fully trusted, default well-known), and behaviour pattern (normal to suspicious, default normal).

Operational Impact: Automated Reconciliation 📊

Accepting a new payment type adds operational complexity. Automation is key.

Reconciliation: The process of matching transactions processed by the payment gateway to the funds deposited into the merchant's bank account.

  • The payment gateway provides a daily settlement file (CSV, XML, or via API).
  • This file lists all successful transactions and fees for that day.
  • An automated script was developed to ingest this file and match it against orders in the internal accounting system.
  • This eliminates hours of manual work and reduces human error.
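A minimal version of the reconciliation script described above, added here as an illustration rather than the retailer's actual script; the settlement file layout and the order data are constructed for the example and do not reflect any specific gateway's format.

```python
import csv
import io
from decimal import Decimal

# Constructed daily settlement file: one row per successful transaction, with the
# gateway's fee. The column names are an assumption, not a real gateway's schema.
SETTLEMENT_CSV = """txn_id,order_id,amount,fee,currency,status
TXN-A1,ORD-1001,45000.00,1125.00,NPR,SETTLED
TXN-A2,ORD-1002,1500.00,37.50,NPR,SETTLED
TXN-A3,ORD-1003,2000.00,50.00,NPR,SETTLED
TXN-A4,ORD-1009,800.00,20.00,NPR,SETTLED
"""

# Constructed snapshot of the internal accounting system: orders believed to be paid by card.
INTERNAL_ORDERS = {
    "ORD-1001": Decimal("45000.00"),
    "ORD-1002": Decimal("1500.00"),
    "ORD-1003": Decimal("2500.00"),   # amount differs from the settlement row
    "ORD-1004": Decimal("900.00"),    # paid internally but absent from the settlement file
}


def reconcile(settlement_csv: str, internal_orders: dict) -> dict:
    """Match settlement rows to internal orders and classify every discrepancy.

    Returns totals plus the exception lists a finance user must review: amount
    mismatches, settled transactions with no internal order, and internal orders
    that never settled (money the merchant expects but has not received).
    """
    report = {"matched": [], "amount_mismatch": [], "unknown_order": [],
              "gross": Decimal("0"), "fees": Decimal("0")}
    seen = set()
    for row in csv.DictReader(io.StringIO(settlement_csv)):
        if row["status"] != "SETTLED":
            continue
        order_id, amount, fee = row["order_id"], Decimal(row["amount"]), Decimal(row["fee"])
        seen.add(order_id)
        expected = internal_orders.get(order_id)
        if expected is None:
            report["unknown_order"].append(row["txn_id"])
        elif expected != amount:
            report["amount_mismatch"].append((order_id, expected, amount))
        else:
            report["matched"].append(order_id)
        # Gross and fees are totalled for every settled row so the net can be
        # checked against the bank deposit regardless of match status.
        report["gross"] += amount
        report["fees"] += fee
    report["not_settled"] = sorted(set(internal_orders) - seen)
    report["expected_deposit"] = report["gross"] - report["fees"]
    return report
```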

Practical Application: The Nepali Context

This HPP and Tokenization model is a standard for enabling card payments in Nepal.

Local Gateways

Companies like NCHL (N-PAY) and local banks provide the infrastructure for card processing.

International Gateways

Merchants targeting tourists or international customers often use Stripe or Cybersource via a local partner bank.

Why it Works Here

It allows Nepali SMEs to access global payment standards without massive upfront investment in security infrastructure.

Case Outcomes & Business Impact

✅ Security & Compliance

  • Card acceptance achieved with minimal PCI scope (SAQ A).
  • Reduced fraudulent disputes and chargebacks due to 3-D Secure.

📈 Sales & Conversion

  • Improved conversion rate for high-ticket items.
  • Removed the "wallet balance" as a checkout blocker.
  • Enhanced user experience with a secure, trusted checkout flow.

A smart technical strategy directly led to improved security posture and increased revenue.

Interactive: Business Impact Calculator

Estimate the monthly financial benefits of implementing HPP + Tokenization + 3-D Secure for a Nepali online store.

Calculator assumptions: 3DS shifts roughly 75% of chargeback liability to the issuing bank, and tokenization enables one-click repeat purchases. Inputs are monthly card revenue; outputs are chargeback liability saved (3DS), extra revenue from the tokenization lift, and the estimated monthly net benefit of HPP + 3DS + tokenization.

Key Takeaways

What are the core lessons from this implementation?

  • 🎯 Prioritize PCI Scope Reduction: Always choose the integration method with the lightest possible compliance footprint. An HPP is often the best choice for non-enterprise merchants.
  • 🔐 Never Handle Raw Card Data: Let the payment gateway's secure vault and tokenization system manage sensitive data.
  • UX is Security: A clear, well-designed 3-D Secure flow and robust error handling are crucial for minimizing checkout abandonment.
  • ⚙️ Think Beyond the Button: Plan for back-office operations like reconciliation from day one to ensure scalability.

Thank You

This case study demonstrates how strategic technology choices in payment systems can unlock growth while minimizing risk.

Next Up: Unit 4.6 - Digital Wallets and Mobile Payment Systems
