Understanding Online Payments in the UAE

It’s been a long time coming, and here is the oft promised continuation of my initial post on payments options in the UAE on my personal blog. Take a look if you want a bit of background information, the comments are a great read.

Online payments and their inner workings are unfortunately a very misunderstood area both locally as well as regionally. Payment services that are available across the region are generally similar, with slight variations in the quality and extent of services depending on your location and market.

There is a tremendous amount of conflicting information both online and offline with very few people and resources that are actually able to tell you in easy to understand terms what it would take to set yourself up for processing and accepting credit cards on your website.

To try to make things a bit easier, I’m going to define our current understanding of the online payments space in the UAE.

You need three basic components to process payments online:

Bank Account
Merchant Account
Payment Processor or Payment Gateway

Every payment provider out there either offers one or more of these services in conjunction.

Bank Account
This doesn’t really need defining, but for completeness, your money will eventually end up in your bank account from where you can move it, spend it, use it, get rich etc!

Merchant Account
While one or two interesting startup such as Square and Stripe (both US only) are trying to change this, you generally need a merchant account regardless of whether your processing credit cards online or offline. Most Merchant Account providers will provide the merchant with one account for offline and another account for online, while others may provide a single account for both services.

A merchant account is provided by an acquiring bank. An acquiring bank is one that has permission to accept and process credit cards. The counter to an acquiring bank is an issuing bank. An issuing bank issues credit cards but may not necessarily be able to process them.

In the UAE only three banks have been authorised by the UAE Central Bank to process credit cards. These are Network International (a partially owned subsidiary of Emirates NBD with the remainder owned by private equity house Abraaj, as an aside an interesting investment story!), Mashreq Bank and National Bank of Abu Dhabi. Unfortunately this has created an oligopolistic situation resulting in higher than necessary fee structures due to a lack of real competition. From my research and rough calculations, Network International dominates both locally and regionally closely followed by Mashreq Bank locally with National Bank of Abu Dhabi a distant third.

Obtaining a merchant account can be a difficult process. The acquiring banks have very limited, if any information on their respective websites about any merchant services that they offer. It took a lot of digging around to find out who did what and who we needed to get in touch with. Transparency, clearly is for everyone else.

All of the acquiring banks charge setup fees. This can vary from being a one time fee to being something that is charged annually. This should be in the USD 1000 and upwards range. Acquiring banks make their money by levying a percentage per transaction fee on all transactions that a merchant processes with them. This fee gets split up between the acquirer, the network, and the majority goes to the card issuer. This explains why we’ve got so many credit card offerings out there!

Our research and experiences indicate that Network International’s fee structure starts at 3% while both Mashreq and National Bank of Abu Dhabi tend to be higher, starting in the 3.5% to 3.65% range. Your ability to negotiate and settle on a fee as a startup will initially be limited unless you have an existing banking relationship in place, are an existing offline processing customer or have really good connections i.e. wasta (that always helps out here!).

Payment Gateway
A payment gateway does the actual payment processing when a customer uses their credit card online. The service offering differs from provider to provider, but in general most payment gateways provide a variety of ways to allow a merchant to process credit cards and other payment methods.

Some typical services may include:

Hosted Payment Page. This is usually the easiest way to get up and running, but with limited customisation. The page sits on the payment gateway’s server and shows up at the last step of your standard checkout process.
API. This option will allow you to programmatically connect to the gateway and submit the customer’s credit card data for authorisation. This method usually provides the most flexibility in terms of customisation.

Unfortunately most merchants tend to ignore the potential PCI (the credit card industry’s rules and regulations) compliance burden that the various methods may bring about. Generally, a hosted payment page will have the least burden while a custom method such as connecting to an API will maximise the burden.

All the local acquiring banks bundle with a payment gateway to make things easier. This is nice since it allows you to get started pretty quickly. However the bundled offerings tend to vary in quality, generally have poor documentation (or very hard to decipher documentation) and have next to no fraud management tools. Once your business starts to take off, it’s probably a good idea to start looking for a third party payment gateway.

Third party gateways provide their services in addition to or on top of what the local acquiring banks bundle with. They may connect directly to the acquiring bank or may seamlessly connect through the acquiring bank’s bundled gateway. Third party gateways tend to charge set up fees and usually charge merchants a flat fee per transaction rather than a percentage. Their services can include everything from hosted payment pages, API access through multiple methods, payment tokenisation as well as fraud management.

Fire away in the comments if you have any questions that you’d like to ask.

Posted on December 7, 2011

Mohammed Hingora

Any recommendations on third party payment gateways?

Anonymous

Hey Mohammed – thanks for swinging by. We’re currently working with Cybersource. That may be a good place to start!

Mohammed Hingora

Cybersource is PCI compliant right? I vaguely remember speaking with them and being directed to NI by them. Also, does using the API for customization significantly affect the fraud liability towards the website? Does NI have to approve the payment gateway we choose?

Anonymous

Cybersource is PCI Level 1 Compliant. They’re probably one of the largest and oldest payment processors out there. They’re owned by Visa.

In terms of their API – they have a few different methods by which you can implement their services. It can affect your own PCI Compliance (PCI DSS is actually pretty complicated and goes beyond your site and your infrastructure into elements like your processes and so on).

In terms of fraud liability – I am not sure what you mean. Fraud can occur regardless of the method being used. In most cases you as the merchant have most of the liability in the three way relationship between the merchant, the customer and the acquiring bank.

Network International does not necessarily need to approve the gateway that you choose to use, however since an integration is required with their systems, it’s likely that your choice of gateway will be restricted to those that can already integrate with NI and therefore have their implicit consent.

Mohammed Hingora

With respect to the fraud, I was wondering what kind of fraud management tools does Cybersource have that the NI one lacks (NI i non existent as far as I can see) and has it tangibly reduced the probability of fraud with you guys?

Thanks a lot for taking the time to answer the questions. Appreciate it.
Anonymous

Hey Mohammed, apologies – I was to come back t o you on this and it kinda got left behind.

Here’s a bit more info on what Cybersource offers in terms of Fraud Management: http://jdp.do/wHJ63r. In a nutshell, their Decision Manager tool is something that they tout the most. We haven’t started using it as tool ourselves just yet.

We use a couple of other techniques both post-order and pre-delivery alongside manual order processing (checking addresses and so on) to try to keep the fraudulent activity to a minimum.
http://www.ziyaad.ca/ Ziyaad Khoja

Hey Mo…. NI don’t offer sh*t neither does Etisalat… they say they are going to…. see funny thing is…. Omar correct me if i’m wrong with experience not policy ….. since we are using Etisalat’s Hosted Payment Page, it is 3D-Secure (Verified by Visa, Master SecureCode, J-Secure) by default, NI does the same thing. So, before integrating, I was clearly against 3DS, as I believe it can be a clear factor that can lead to shopping cart abandonment (I can discuss my reasoning if you wanna hear). As Etisalat could care less to hear what the customer has to say because they have their own policies to follow, they promised me that going 3DS on their payment gateway will remove any liability whatsoever on any chargeback (fraud transaction) case….. Too good to be true.. So now I needed to balance that against the shopping cart abandonment which I couldn’t really compare because I did not have any data… so we stuck with Etisalat….. So, just the other week, I noticed a highly suspicious fraudulent transaction. I withheld access to the subscription (digital goods) until I talked to NI and questioned what would happen if this transaction becomes a chargeback. They said if the total amount of chargebacks for the month is 3.5% (i think) or below actual total amount of transactions, then I could choose whether to refund the amount back to the issuing bank. So… still waiting for the chargeback to appear, sounds like the compromised credit card holder hasn’t checked their statement thoroughly….. ;) … as for the customer that made that fraudulent transaction, I contacted them by email to provide a valid number (the number provided during checkout was incorrect) so I can confirm the transaction… never heard back from them….. True Story!

As Omar defined below, manual processes, though you can put in place simple techniques utilizing analyzing registration details and IP addresses to raise flags, even use transaction attempt patterns, such as the same IP using different account information and so on….
Anonymous

Woah. Really interesting experiences!

To the best of my understanding you’re 3DS is meant to remove any liability from the merchant – as long as 3DS card is used. We’ve currently only got one local issuer, Emirates NBD who have a 3DS card in place. Everyone else is non 3DS and your liability as merchant still stands.

I don’t even want to go into all the fraud issues we’ve had to manage to date. We’re currently prosecuting two cases at Dubai Courts.

One quick recommendation would be to check that the name appearing on a customer’s statement matches or resembles as closely as possible, the name of your business. We customised this to try to cut back on “friendly” chargebacks, where customers may not recognize who’s billed them. It’s pretty common out here with a lot of the franchise stores billing under a single parent firm name.

We’ve built processes both pre-order processing and pre-delivery in order to try to cut down on the fraud as much as we can. And as you’ve just mentioned, we use IP screening, BIN country matching and so on to figure out whether an order is fraudulent or not.

With regards to digital goods, it’s currently a tiny portion of our business and it is significantly harder to screen for fraud since you don’t have delivery confirmations and so on. I could got out there grab someones card and buy a digital product with it, and the owner of the card has up to six months to issue a chargeback.

We really love cash on delivery
http://www.ziyaad.ca/ Ziyaad Khoja

Hey Omar.. I’m so happy you mentioned ’3DS card used’…. I forgot to mention, which is really what my ‘Too good to be true’ statement is all about…. Etisalat says…. ANY CARD, 3DS or not!…..

Dubai Courts… wow.. that’s heavy… hope things will go in your favour.. must be a large transaction…. about COD…. is it really sustainable… can you share some figures where COD went wrong…. eg. Customer wasn’t present, Customer refused to make payment …. who takes the hit when the shipper returns the product?….
Anonymous

Hi Ziyaad,

I think I need to correct my prior statement. We had some new information from Network International earlier this afternoon that regardless of whether a 3D Secure card was used or not as long as the merchant is 3D Secure, the liability shifts back to the bank or merchant account provider. That is really interesting and has suddenly incentivised us to ensure that our implementation is 3D Secure right away.

Assuming that the information holds true in practice, that would mean we can do away with some of the more cumbersome fraud management practices – even though they are nice to have.

In terms of the transactions we’re prosecuting – not really that large in size, more that we wanted to understand how things work and it’s good experience to have for the future. In a word, it’s slow. Heh.

With regards to Cash on Delivery, it happens on and off. We initially implemented a bit of a cheeky method called “JP’s Wanted List” where we would name and shame anyone who decided not to accept a CoD order for non legitimate reasons (i.e. your wife doesn’t like it). This unfortunately turned out to be something that is illegal by local law. We really were after a fun measure that would reduce the chances of it taking place while giving anyone the opportunity to cancel or change an order before we actually dispatched it.

Orders do get rejected from time to time. Usually it’s people trying to be bit dodgy more than anything else. We’re a little lucky in the sense that we operate our own delivery fleet and therefore the “cost” of a cancelled order isn’t as great as it would be should you be paying a third party carrier.

Unfortunately I don’t have any numbers that can provide more insight into what sort of percentages are cancelled or rejected. Anecdotally, it’s pretty small at the moment. Most of it gets caught when we try to do a phone confirmation.

I think it’s sustainable in the medium term – at least until people become very comfortable with using plastic both online and offline.

Sanjay

excellent stuff..!!.. finally someone throws light on the online payment gateway scene here in dubai..!!
http://timurkhamitov.com Timur Khamitov

Good post. Thanks!
Pingback: Payment Gateways in the #UAE : Interactive & Social Media news in the Middle East
Anonymous

Omar, Mohammed and Ziyaad: i have landed up in this blog, searching for a Payment gateway for a Startup company in Dubai..

my client is going to start a Deals website
now, MIGS is gonna charge him 10000 USD for the setup,
Masreq & Etisalat is gonna charge him : 50000 AED

now, being a startup, he can’t afford that much..
So, there is MoneyBookers, i guess…… but they are saying that they will escrow the money for 60 Days (definitely not acceptable)

so, do yo guys have any names for me, which accepts AED, doesn’t have a Humungous Setup charge??
and processes Credit + Debit card??

or, could we do it any other way…

waiting to hear from you

http://www.ziyaad.ca/ Ziyaad Khoja

Hi Arunava,

What’s this new eCommerce site about?

You can try:

Network International
Noel Pimentel
04.303.2458

Prosum,
Joseph Ponnou
+971-2-6994764 / +971-50-7263995 / +971-55-2852077

Good Luck!

M Smithdxb

Any suggestions on 3rd party gateway providers?

omarkassim

Hello! Sorry about the slow response. I would suggest looking at Cybersource (who we currently use), Innovate Payments, CashU and Prosum

ABDULRAHMAN AL SALOUS

Dear omarkassim,

how much does cybersource cost per month? and how much percentage cost per transaction?

Who

Hi, great topic, looking at opening an online shop myself in the UAE, seeming like a minefield for the small business, to start I might just use paypal as I have an over seas account. But would like to progress to a full system. Has anyone tried Authorize,net?

omarkassim

I think Badr is right, Authorize.net is limited in it’s geographical scope. It should be US only if I remember correctly. You could always go to Cybersource, who we use at the moment – they own Authorize.net and in turn are owned by Visa Inc.

Regardless of your payment gateway, the bigger issue that you’ll probably face is setting up a merchant account!

ABDULRAHMAN AL SALOUS

Dear omarkassim,

how much does cybersource cost per month? and how much percentage cost per transaction?

omarkassim

Hello! Apologies for the slow response – been traveling!

The costing for Cybersource really depends on the services that you decide to use. From a processing perspective they charge a few cents per transaction rather than a percentage.

You’ll still end up paying the merchant account fee (as a percentage) with Cybersource’s transaction fee on top.

I would suggest getting in touch with them directly so that they can give you a proposal according to your requirements.

Chand

Hello Omar,

I’m just starting my own ecommerce business and I’m leaning towards 2checkout for now. In the future I will certainly need a merchant account and a 3rd party gateway provider. Regarding the merchant account setup, do they still require a monster deposit for chargebacks and annual fees even if credit cards are processed using the 3rd party? Which bank are you working with here in the UAE?
omarkassim

Hello!

They unfortunately do require a bit of a large deposit. If I recall correctly – we paid USD 50K! Not pleasant.

We’re currently working with Network International who are co-owned by Emirates NBD and Abraaj, the private equity firm.

badr

I think
Authorize,net for us only

Who

Damn never new that, not read up on Authorize, What system does Jado Pado use? 2checkout has AED currency, Anyone used World Pay?

omarkassim

We use Cybersource, Authorize.net’s parent firm. 2Checkout will work to start with it, but once you start doing some serious numbers, I think you’ll find that it’ll make sense to switch to your own merchant account and payment gateway combination.

We spoke with WorldPay when we were starting out. Unfortunately they weren’t up for taking on UAE based merchant at the time.

Heh. I think I’ve probably got in touch with most of the larger guys out there!

Shams

Good job Omar.
Is IRFAN still the contact to call at ENBD for payment gateway setup assistance? I I’ve dealt with him 3 years ago and dunno if he’s still in charge.

omarkassim

Hi Shams,

I don’t think Irfan is our contact over at Network International / ENBD. We work with someone called Noel.

Somewhat ironically, if I recall correclty, Irfan is our contact person over at Mashreq!

Arpit

Hi Shams,Omar

I manage Vayana in the region , a BFSI technology and Consulting firm based out of India and US. I want to get in touch with you to get some intel on Payment gateways which we need to finalize a unique solution for SMEs in the region

Arpit
+971 50418 8634

omarkassim

Hello Aprit! Thanks for swinging by. My contact details are here: http://jadopado.com/about/ or over at http://omarkassim.com

http://www.ziyaad.ca/ Ziyaad Khoja

I heard NI asking for 25k…
Fahad

What countries in East Asia offer lower charges? Wont setting up a free zone entity in countries like Singapore or Hong Kong be of any benefit to route payments there?
Komilkhuja Makhamadkhodjaev

Hi. Very interesting post. I have spoken to Mashreq bank and NBAD recently. Mashreq offered me 3,5% per transaction + $20,000 fixed depost + AED 20,000 set up fees + AED 1500 / year membership fee and if I am not mistaken 15 days settlement. And they teamed up with Etisalat so they charge AED 0.5-2 per transaction for payment processing. NBAD was cheaper in terms of percentage – 2,9% per transaction + AED 20,000 set up fee + 10% retention for 6 months (for possible chargebacks. that is extra high!) + AED 2 / transaction (this goes to CashU). I am about to start an online business and need to process payments online, but local banks have nothing to offer for start-ups. This is a real issue for future businesses since many people are turning into e-commerce these days.

P.S. Network International does not even bother answering their phone. And if you get to hold on to them, they will never send you that email with detailed pricing.