Ask the Expert: Interview with Andrew Immerman, SVP Technology

Sphere recently sat down with its own Andrew Immerman, Senior Vice President of Technology, to answer questions asked regularly by software vendors when choosing a payments platform with which to integrate. Mr. Immerman leverages over 20 years of experience in the development, deployment, coordination and operation of quality-driven, mission-critical technologies.

Sphere: Why use a gateway when you can connect directly to an acquirer/processor? 

Immerman: Premium gateways are optimized to dramatically reduce the costs and risks of electronic payment acceptance. In general, processors are optimized to extend as much functionality as possible to the widest possible user base. To facilitate these objectives, premium gateways offer user-friendly human interfaces and easy to integrate application programming interfaces (APIs).  Processors, on the other hand, extend complex, yet highly functional, user interfaces and APIs.  As a result, processor interfaces are generally far more costly and time consuming to implement.

Premium gateways offer a wide variety of value adds and flexibility processors generally cannot.  For example, gateways can offer fraud prevention and analysis solutions generally beyond those of the processors themselves.  Additionally, gateways can offer management and automation for scheduled payments, such as those of a recurring, installment, or deferred nature.  Apart from such functional value adds, gateways almost always natively support seamless transitions from one processor and acquirer to another.

In general, only merchants processing an extreme and sustained volume of transactions, such as 100+ transactions per second (TPS), are advised to directly integrate with a processor.  Such merchants essentially build and use their own gateways, though often without the benefit of proven and ever-maturing technologies.

Sphere: Should gateway uptime/availability be a concern when selecting a gateway, or has cloud computing made this a non-issue?

Immerman: Dependability, performance, security, and many other quality attributes should be considered whenever evaluating any technology for use.  As part of any dependability evaluation, availability, reliability, resiliency, and controllability should all be considered.  Availability describes a system’s functional readiness; reliability describes a system’s functional correctness and consistency; resiliency describes a system’s ability to endure exceptions; and, controllability describes the efficacy and efficiency of system controls for management, maintenance, and administration.  These quality attributes are implemented using careful and proven design, development, and deployment lifecycles.

“Cloud”-based technologies generally enjoy greater dependability and performance through service-driven relationships that abstract single points of failure.  The configuration of cloud-based technologies and, more so, the services, applications, and other software that run thereon, dictate the potential and realized dependability and performance of such technologies.  Put another way, cloud-based technologies reduce some risks; however, poor designs, such as those having single points of failure, are often just as failure-prone as are non-cloud-based technologies.  As an analogous example, consider that multi-engine aircraft are often considered safer than singles.  In actuality, multi-engine aircraft are generally more challenging to operate and are still susceptible to fuel depletion and contamination, both essentially being single points of failure.

When considering the introduction of any new technology, such as those of a payment gateway, it is generally advisable to obtain historical dependability, performance, and security data, as well as to understand and assess its continuity, resiliency, and resumption considerations.

Sphere: Does using a gateway add time to a transaction, especially if it’s EMV?  Can bandwidth/capacity affect transaction times, especially during peak periods?

Immerman: Whereas all payment processing steps do increase round-trip transaction times, premium gateways do so with increases of no more than 10 to 50 milliseconds, including EMV overhead.  In many cases, a premium gateway may be able to offer reductions in transaction times through highly tuned, high-throughput integrations with upstream entities.  As an example, Sphere round-trip transaction times include overheads generally well under 50 milliseconds and, in total, average less than one second, including all round-trip times with the processor, associations, and issuers.

Sphere: Every gateway is PCI validated, what makes Sphere more secure?

Immerman: Payment gateways, like all entities that handle sensitive cardholder information, are expected to maintain ongoing compliance with the PCI Data Security Standard (DSS).  That said, not all do.  In some cases, organizations predominantly focus on annual PCI DSS revalidation efforts, as opposed to ongoing compliance.  Often, the terms “secure,” “compliant,” “validated,” and “certified” are used interchangeably when, in fact, each is distinct from the others.  For example, being secure and/or being compliant are ongoing states, while being validated and/or being certified are based on assessments of security and compliance at specific points in time.  Moreover, most security and/or compliance assessments are sample based, as opposed to being comprehensive.  Additionally, no single security standard is truly comprehensive or all encompassing.  All this is to say that being PCI “validated” may only be a superficial indication of an organization’s security and/or compliance maturity.

In numerous ways, Sphere distinguishes itself in the community of payment gateways and other service providers.  As just a few examples of Sphere’s commitment to exceptional security and compliance:

  1. Sphere maintains several independent compliance and security organizations that operate in tandem with one another, as well as with mutual accountability;
  2. Sphere prioritizes and invests in security and compliance as separate activities to ensure that both are achieved;
  3. Sphere leverages several security frameworks to ensure better coverage (e.g., Sphere maintains compliance with the PCI DSS, as well as the PCI Point-to-Point Encryption (P2PE) Standard and the HITRUST Common Security Framework (CSF));
  4. Sphere establishes compliance and security requirements that, in many cases, exceed those of the PCI DSS, PCI P2PE, and/or HITRUST CSF;
  5. Sphere invests separately in the architecture, the implementation, the administration, and the assessment of security and other sensitive solutions;
  6. Sphere implements security considerations through the lifecycle of all plans, processes, products, and technologies;
  7. Sphere offers and encourages ongoing training for all employees; and,
  8. Sphere maintains a culture where security, privacy, compliance, and risk mitigation in general are championed.

Sphere: What can go wrong with payments and what risk does that introduce to me and my customers?

Immerman: Payment processing involves numerous entities and many complex workflows.  Any degradation with any interconnectivity, any degradation with any processing entity, and/or any workflow exception can lead to connectivity failures, processing failures, duplicated or otherwise erroneous financial authorizations, incorrect settlement or funding, etc., not to mention numerous risks relating to security, privacy, and compliance.

Premium payment gateways implement numerous checks, balances, and other controls to minimize the vulnerabilities and risks of processing exceptions.  Such controls may include redundant connectivities, client- and server-side availability switching (fail-over and load-balancing), verification cross-checks, integrated and continuous system health and integrity monitoring, and autonomous exception containment, mitigation, recovery, and reporting.

Sphere: Is integrating to Sphere more complicated than using other gateways?

Immerman: Sphere technologies were designed to be inherently easy to integrate.  As an example, the TC Link API, a highly dependable and highly flexible application programming interface (API), can easily be integrated with less than a dozen lines of programming code.  Additionally, Sphere products are designed and assured to be compatible with all major operating systems and operating environments.  For more information, please refer to the TC Link API Developer Guide, which details and demonstrates its integrational simplicity, as well as its vast functionality.

The Sphere Technology team and I are very proud of the products and services we offer.  We look forward to addressing any questions or comments our partners may have, and to assisting with all integration efforts.

To learn more about the developer resources that Andrew mentioned, visit our integration page or contact us.