⛳️ What you’ll learn after reading this article:
- Four stages of card payments
- Unique aspects of Korean card payments, such as two-track and capture
- Detailed walkthrough of the card payment flow
Card payments in Korea consist of the four stages defined below.
| Stage | Description |
|---|---|
| Authentication | Card company authenticates the identity of the card owner, and then informs the merchant whether the card is valid and has sufficient funds. |
| Authorization | Card company approves the authenticated payment request. The card's limit is debited, but money is not yet transferred out of the customer's account. |
| Capture | Authorized payment data is submitted to card companies, asking them to pay cash for what the customer bought on credit. Payments can be captured up to a month after they have been made. |
| Settlement | Toss Payments transfers the cash received from card companies to the merchants after deducting PG service fees. |
Understand three essential concepts of Korean card payments.
In Korea, authentication and authorization are two separate steps, or two track. This process differs from most global payment systems, where authentication and authorization are completed in a single step, or single track.
Although the single track seems more convenient, it actually requires additional steps to ensure data consistency. First, it requires webhook integration because it's impossible to know when the customer will complete the payment otherwise.
However, webhooks can be problematic if your server is overloaded or in certain scenarios when webhooks are not sent. For instance, if the customer closes the payment window, Toss Payments does not send a webhook. The data in your server may have the payment as pending, while it is actually canceled.
Two track guarantees data consistency and reduces your workload. By separating authentication and authorization, data inconsistency due to external factors is minimized. Furthermore, since the authentication result contains the data needed for authorization, there is little extra work for you to do in two-track.
Capture is submitting approved payment data to the card company. You're asking the card company to pay you for the goods or services that the customer paid for with credit. The payment data includes the card number, payment amount, authorization number, and installment period.
By default, Toss Payments automatically captures authorized payments every day at midnight. You may also choose to sign up for manual capture. If the capture is not processed, the payment status stays approved, which means the card has been debited but the money has not been transferred.
The "Card Company App" method is paying directly from an app, where you register an AppCard (an online version of your card). An AppCard can be used in place of a physical card for online and offline transactions.
To use an AppCard, you must install the credit/debit card app and register your card. If you're already using the card company's app, you can skip registering your card, but you must still verify your identity and set up a password.
At checkout, select your credit card and choose app payment. The app will open, and you can pay with your AppCard.
To help your understanding, watch this YouTube video of the Lotte Card app.
The Toss Payment process consists of three steps: Request, Authentication, and Authorization (Approval). This document does not cover what happens after the payment (capture, settlement).
First, the customer selects a card and inputs their payment information to request a payment. If the payment information is authenticated by the card company, you must authorize the payment to complete the purchase.
From the PG's point of view, the payment request is when the customer submits card information. A payment request is made when the customer selects a card and opens a credit card window.
After the request, the card company authenticates the payment information. If the authentication is successful, authorize the payment. Let's take a closer look at each step.
When the customer wants to check out, collect the customer's order information (product, amount, etc.) and use it as parameters to open the payment window. When the customer selects a payment method and clicks 'Next', the payment has been requested.
Now, the customer inputs their card information and the card company authenticates the requested payment. The card company verifies the customer's card information to validate the transaction against fraud and abuse. Authentication requires the card number, expiration date, CVC, and a one-time password (OTP) issued by the card company. With an AppCard, there's no need to manually input the card information.
The customer can choose how to input their card information in a window like below.
After successful authentication, Toss Payments redirects the client to the success URL that was set when the payment was requested. The query parameters of the success URL are used to authorize the payment in the final step.
From the customer's perspective, the payment looks finished. However, the payment has only been requested and authenticated. To complete the payment, make sure you authorize it.
Authorize the authenticated payment. Only after authorization will the card company charge the customer. Make sure you authorize the payment and then provide the customer with the goods or services they purchased.
Authorize the payment by making a Payment Authorization API request. Use the data given in the query parameters of the success URL as the API request body. If the authorization is successful, the payment is complete. Check the successful response for details on the payment.
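Because the success URL arrives through the customer's browser, its query parameters should be checked against the order your server recorded at request time before they are sent for authorization. The sketch below is an added example, not Toss Payments code: the parameter names `paymentKey`, `orderId` and `amount`, the order store, and the `authorize` callable standing in for the Payment Authorization API request are assumptions not stated on this page.

```python
from urllib.parse import urlparse, parse_qs

class RejectedRedirect(Exception):
    """The success-URL data does not match the order the server recorded."""

def build_authorization_body(success_url, orders):
    """Validate success-URL query parameters and return the authorization body."""
    query = parse_qs(urlparse(success_url).query)
    try:
        # Exactly one value per parameter; missing or repeated ones are rejected.
        (payment_key,) = query["paymentKey"]   # assumed parameter name
        (order_id,) = query["orderId"]         # assumed parameter name
        (amount_raw,) = query["amount"]        # assumed parameter name
    except (KeyError, ValueError):
        raise RejectedRedirect("missing or duplicated parameter")
    order = orders.get(order_id)
    if order is None:
        raise RejectedRedirect("unknown order")
    if order["status"] != "REQUESTED":
        # A replayed success URL must not trigger a second authorization.
        raise RejectedRedirect("order already processed")
    if not amount_raw.isdecimal() or int(amount_raw) != order["amount"]:
        raise RejectedRedirect("amount differs from recorded order")
    # Send the server-side amount, never the value taken from the browser.
    return {"paymentKey": payment_key, "orderId": order_id,
            "amount": order["amount"]}

def complete_payment(success_url, orders, authorize):
    """Authorize first; goods are released only when status is AUTHORIZED."""
    body = build_authorization_body(success_url, orders)
    ok = authorize(body)  # hypothetical stand-in for the authorization API call
    orders[body["orderId"]]["status"] = "AUTHORIZED" if ok else "FAILED"
    return ok

if __name__ == "__main__":
    # Constructed sample data: one recorded order and two redirects.
    orders = {"order-1001": {"amount": 15000, "status": "REQUESTED"}}
    base = "https://shop.example/success?paymentKey=pk_constructed&orderId=order-1001"
    try:
        complete_payment(base + "&amount=150", orders, lambda body: True)
    except RejectedRedirect as err:
        print("rejected:", err)
    print("authorized:", complete_payment(base + "&amount=15000", orders,
                                          lambda body: True))
```

An order left in `REQUESTED` after a rejected redirect has been authenticated but not authorized, so nothing should be shipped for it.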