Developing payment solutions in a risky environment

Figure 1: Gabriel Falk, Product Manager at Juno in Brazil

Juno is a rising star in Brazil’s payment processing industry that, in only a few years, has grown from 10 to more than 200 people. The company began by handling boleto bancário payments, which are simple barcoded payment slips that can be used to pay bills online or in person at ATMs, banks, post offices, lottery agencies and Internet banks. Later, the company became part of the EBANX Ltda economic group, one of the largest fintechs in the country.

Following the company’s success processing boletos, it was a natural progression to develop a service to process credit cards, which is where things got complicated. As Gabriel Falk, Product Manager, explained in a recent interview, “There was no clear manual on the Internet showing how to create a safe credit card solution! The details – to ensure full-service needs and to be secure – can be incredibly complex.”

Juno staff faced several challenges

The issues that Juno faced stemmed from several key challenges: operating in a market rife with credit card fraud, enabling instant card-based installment loans, and setting up one-click purchases.

Credit Card Fraud

Of the country’s 212 million people, 70 percent [1] have an Internet connection, averaging 26 hours per week online, and the country places fourth worldwide for mobile phone penetration. In 2016 it ranked second worldwide for credit card fraud (with the US ranking third) [2], which would explain why 40 percent of Brazilians are so fearful of fraud that they refuse to share credit card information online [3].

Graph: The US has the third-highest card fraud rate in the world
Figure 2: Chart courtesy BI Intelligence

Card-based instant loans

“At the time of sale, credit card users can charge the entire sales price on the spot or they can opt for installments.” For example, someone might purchase a $1,000 television (USD) but only put $100 on the card at the time of purchase, then pay the balance in installments over one to twelve months. As a result, only $100 is deducted from available credit instead of $1,000, which frees up credit for many people in a credit-starved nation. It also adds the risk of storing customer payment information for up to one year.

One Click Purchases

“Another feature that was needed was ‘one-click buy’ which is one thing that Amazon does beautifully. As we began developing the feature, we realized that this feature would require storing customer data indefinitely.”

Connecting to AuricVault® Tokenization services

The company reached out to their partners at EBANX who had already solved their needs by working with Auric Systems and their tokenization services. “After the introduction to Auric, Ray Côté and his team showed us how tokenization works then helped us connect our new credit card services to the AuricVault® Tokenization services. From the lite-touch installation process to the ongoing services in which everything is in the background, the process was smooth and far easier than we expected.”

As a result, all of Juno’s customers’ payment data is automatically stored securely in the vault, while only a set of cryptic tokens resides in Juno’s own systems. Therefore, no payment data is held by Juno, dramatically reducing the company’s – and customers’ – exposure to risk.

The Results

“Integrating with Auric was important not only because of the security that it provided, it also enabled us to provide major features that we did not have when we launched our credit card services.” For example, the company now supports one of the largest Internet companies in the country by enabling customers to enter their card information in a website. Then, anytime they make online purchases, they only need to enter their CVV.

Tokenization Explained


As Forbes.com described, “Tokenization is the process of replacing sensitive data, such as credit card numbers, with unique identification data while retaining all the essential information about the data. Because tokenization is a non-destructive form of obfuscation, data is recoverable via a unique security key.

“To help explain this more, think of tokenization as a secret code that uses a key to retrieve the coded message. The tokenized version of the credit card number has maintained its last four digits; however, the remaining numbers in the credit card number are random. The token is now safe to store in your database. Anyone who has access to this token alone cannot use it to compromise a credit card account.”
 

In another example, with the Covid-19 pandemic and the corresponding inability to host concerts, many bands have turned to hosting live stream concerts that can be viewed for free. Looking for a way to generate revenue, bands often raffle something large like a vacation trip or a car. To participate, viewers scan a QR code on the screen of the live concert and then make a payment through boleto bancário or credit card. This device succeeds in generating revenues but it also poses a serious challenge: when the QR code is displayed on the screen, the demands on Juno’s payment processing services instantly skyrocket as many of the millions of people watching online suddenly buy a ticket. However, without needing to alert Auric Systems, the payment data has been tokenized through even such dramatic spikes in payments.

At the end of the day...

“Today, after four years using AuricVault® tokenization, we support over 30,000 businesses throughout the country processing millions of transactions worth $60 million US dollars every month without lying awake at night because we know that thieves cannot steal what is not there . . . and we could not do this without Auric.”

Story written by Dirk A. D. Smith, the founder of Landfall Research which specializes in the research, analysis, writing and presentation/publication of complex technical knowledge.
