MCH2022 Payment System

From MCH2022 wiki
Jump to navigation Jump to search

The MCH payment system: Still plastic, but less spherical

While the blogpost published on April 1st obviously was an April fools' joke, it did contain a few real moot points of the previous Dutch camps such as SHA and OHM - plastic coins are quite annoying and not super practical. So while we are aiming to make things better this year, we can already confirm the rumors that it won't be by virtue of plastic balls in fabric nets. And no, foam cubes on a string ("blockchain") are not a viable solution either.

Excurse: Why plastic coins at all and not cash?

First of all, we need to establish that handling currency is expensive. Always. Doesn't matter if it is real cash, card payments or plastic coins: You always have to pay someone. With card payments, you obviously have card networks and acquirers that would like to get a piece of the action, with cash you have the company that manufactures the coins and exchange machines and rents them to you. With cash (and coins) you also possibly need a secure money transport service that will come take the money away, count it and deposit it into your bank account.

Comparing cash to coins, it seems like using coins only has downsides. In either case you need to pay someone to handle the cash - but now you also have to pay for the coins, too?!

Well, yes - that's true. But using coins also means few people handling the actual cash - everyone else only uses intrinsically-worthless plastic coins. Not having to worry about potentially many people losing a lot of real cash or - even worse - getting robbed on their way from the bar to the finance office is worth quite a bit. Sure, someone could decide to just rob a bar and take all the coins. But since the coins are worthless outside the event, that seems rather far-fetched.

Generally speaking - while not exactly a priority for us - plastic coins also allow the festival organizer to enforce honest reporting of on-site sales by independent vendors. Festivals often outsource their catering operations and require the vendors to pay a percentage in kickback. If the vendor has to exchange coins for cash, they don't have much of a choice as to properly report their income.

So coins are only here in order to make event organizers life easier and being at best, no or only a minor inconvenience to visitors.

Converting cash to coins: a one-way street?

Unfortunately, we have to admit, in the past the coins were a bigger bother to some visitors than they should have been. Due to contradictary statements and misinterpretations on our part, leftover plastic coins were not exchanged back at the end of the event "due to rules regarding money laundering". Seeing that at previous events coins could be purchased for cash or by card, it is true that this put us in a difficult position. Card payment processors and networks do indeed strongly encourage that merchants *only* refund money to the original payment method. You might know that practice from purchases in a brick and mortar store - items you bought with cash and returned will be paid out in cash, things paid by card will be refunded only to the original card.

The main reason for this is indeed to a certain extent to prevent money laundering - but mostly those rules are in place to protect the merchant. If a card payment is disputed, a merchant has a hard time winning said dispute if they refunded the service to a different card or in cash.

Since we trust our visitors and have never had any issues with chargebacks, we have to admit that mistakes were made when it comes to refunds - and we'll try to do better than this in the future, so that you don't have to take leftover coins back home or always question the amount of money you're exchanging.

Quo vadis plastic coin?

COVID has changed a lot of things for all of us. Visitors from Germany might already have seen the most prominent example when it comes to card payments back home. The "cash preferred" or "Card payment only starting at 10 Euro" signs started disappearing and instead customers were encouraged to pay by card in order. All in the name of getting a better grip on the spread of COVID.

Dutch people will probably laugh at the idea. For them (contactless) card payments were already the norm - not only at super markets but also for festivals. Looking at card payments from a merchant's perspective, it does make sense: (debit) card payments are dirt cheap (thank you PSDII) and often are on par or even lower than the price of paying a company to remove your cash from the premises, count it, etc. Not to mention (in a professional context) that now your employees now have to handle even less yucky, dirty cash and the risk of loss is substantially reduced. COVID only added the layer of percieved hygiene, as cashiers do not need to touch dirty coins and customers that pay contactless do not need to touch the dirty card terminals.

In order to go with time, we would like to try something new and go in the same direction: MCH2022 will be a (mostly) cashless event. No more plastic coins to exchange, no more cash that needs to be handled.

All points of sale (bars, food, merchandise, etc.) will have a proper EFT-terminal present where you can pay with your usual cards. Currently, we are aiming to accept all major debit and credit cards (VISA, Mastercard, American Express) through tap, chip or even swipe. Are you a user of a fancy payment-enabled wearable? We'll accept that, too.

Security and Anonymity

"All card payments will be safe!" - that's easy to say. We as a community should know better than anyone else that there is no such thing as absolute security. Not even plastic coins are 100% safe - some random badger might break into your tent and take off with your coins! Or you might fall victim to a gang of vicious 3D-printing coin counterfeiters (which should be standard practice during events like this)!

But since we are not reinventing the wheel and using payment terminals that are being used in the millions around the world, we feel fairly confident that your payment cards are not at risk. Of course you should be concerned with proper OPSEC and perhaps invest some money into a RFID-shielding wallet - but that's independent of MCH going cashless.

One major question - and deservedly so - might be, "What about anonymity? Will everyone know now what I spent my money on?" The answer to that is, and we're being honest here: No. Not everyone.

When paying by card there are multiple parties involved. For the sake of simplicity, we're compressing all involved parties into two: the merchant and the card networks.

The card networks are your card issuer (probably your bank), the actual card network (VISA, Mastercard, Amex), the payment processor (Adyen) all banks and institutions along the way that pass you payment on. The merchant is us, the IFCAT Foundation.

First things first: raw card data (as defined by PCI DSS) such as your card number and CVV/CVC will never touch IFCAT's systems. When you touch your card to the payment terminal, the data is encrypted and only sent to the card processing network. Our cash register system, [pretixPOS](https://pretix.eu/about/en/pos), will however receive a set of information (Example below) of which we actually only care about the pspReference as it allows us to refund your payment without having to go through the list of all transactions one by one.

Using the information contained in the data that we receive from the terminal, we could in theory go through our database and try to match your payment based on the name on the card, the expiry date, the BINrange (first 6 digits) last 4 digits. However, that would involve someone manually parsing all the data in the database and then pulling the receipts for what you have consumed. Except for the admin team, no one has access to this information. And the same as with any order or payment data that the system has received previously during the purchase of your ticket on the online shop, we have rules put into place to prohibit access to the information except when explicitly requested so by the card/order owner and for legitimate use cases. It should be noted, that "legitimate use cases" is not to be confused with those "legitimate use cases" found on cookie consent banners where they'll still sell all your information. We're taking this stuff seriously and only use payment information to process refunds and the like.

The card networks on the other hand will not have access to any of the information regarding your order. They will only see your card information, the amount to be paid and the name of the merchant. They won't even see that you're buying a drink at the bar or a hoodie at the merch stand - to them it'll all be "someone bought something from the IFCAT Foundation".

We are very well aware, that for a privacy-conscious visitor, using a payment card might not be an option at all and we sympathize with that assessment.

In addition to payment by card, we will offer a select number of payment points (and possibly even an unattended machine - to be explored) which will allow visitors to exchange cash (EUR only, please) into a QR-Code of equivalent value. Think of those QR-Codes as our previous plastic event coins, only in paper form. The same as with card payments, you'll be able to redeem them at all point of sale by scanning them yourself. Those "prepaid vouchers" (for lack of a better term) are available in any denomination you prefer - so you can adjust the amount of privacy to your own liking. Just don't want your name/payment card associated with a purchase at MCH but don't care about the theoretical issue that some rogue sysadmin could look at all the orders you have made using your vouchers? Exchange 50 Euros for a single voucher and redeem to your liking. Want to have the plastic coin experience without plastic coins? Exchange your 50 Euro into 100 0,50 Euro vouchers and redeem multiple ones for a single purchase. Or share them with your likeminded friends and mix and match.

Why tho?!

Organizing a big event is expensive and with COVID inhibiting us from organizing a camp in 2021, we are looking at cutting some cost whenever possible. With card payments being prevalent everywhere these days, we're hoping to offer a convenient and known way of paying, while dialing the annoyance of plastic coins way down.

We are expecting to saving money on the cost of cash handling that outweighs the cost of card processing and implementing the system at MCH2022 and hopefully, increase visitor happiness when they are not stuck with too few plastic coins, or worse, too many coins at the end of the event. In this vein, we also pledge to offering full refunds on unused balances on QR vouchers at the end of the event.

Since this will be the first time an electronic payment system is used at MCH, we are also looking forward to making purchase data available for creative use. Why not extend our [Grafan Dashboards](http://grafana.mch2022.org/) with near-realtime information on the consumption of Tschunks per hour? Or automatically alert the logistics warehouse if the Mate at the bar is at risk of running out?

In the end, it is all about comfort and saving operational costs that can be reinvested into cooler things like flamethrowers or colorful LEDs.

I would like to talk to your manager!

We admit that this topic has enough facets to require more information or clarification. Please feel free to write to your questions to tickets@mch2022.org and we'll answer you directly and expand the FAQ page on the wiki where appropriate.

Example information received by the POS system from the payment terminal

{
   "paymentverificationdata": "BQABAQAS1b23riARwA76RttFwxyndkZJ2A9Cn0jokYsVeSruB9r3rkuaS8Oz/ln2oLAsmkg0MDu0ER5u9U+GW8O2XwaicBAq9vjY/IiP7HAt2WEcK1dJHOerkHrMLidvoxJjWaK20bTDOluq1+t1bBNK8PnwrCQPeGrMObKiZX7syeBjXYlMdFRBJvqwQ2M5H8gYVLAWC1YkdjPSsqqLLEqxkAdgxtoqIRvCNJnLfUSotQkvV0LmPaSehTUvkdfV2SONJqSEJSMVCJLPT0lg75+oIQCfhGa9Qt918RUqU0j7xMWzMZqUDvp4OoFAyUcwHV2jz+sPOKxN+VpGBLktY6uQci+gEOBmMjOGZo1bSVs8PR1KO+0AAP7xGBLlhbse5pCFC5qel05Ag9B227qN0qtxn2yeY7n5A0F/cP2OwMVcF8F7Y3qKa6KF0xjHY1CIy3vBBolmQ5Tzy/wDAXeMyHeg5sD9Txg/rvbLr0MwALw6kPTeQhPf5b3c+2nvqXSM9tXFowv0vQ5KhU1WBVCrjqkZBtS2oZqHWDoxwz7g/aPqSE9kz130igh4YeyWhgHuXVY=",
   "startMonth": "01",
   "cardScheme": "mc",
   "cardHolderVerificationMethodResults": "1F0302",
   "tenderReference": "siza001332082947009",
   "tid": "72148010",
   "txdate": "18-3-2022",
   "txtime": "16:02:27",
   "appinfo.appid": "f54536f7-f90c-4f5b-9413-ee4528ec4040",
   "paymentMethodVariant": "mc",
   "AID": "A0000000041010",
   "pspReference": "NVDC8T535V5X8N82",
   "location.longitude": "-32.91504",
   "appinfo.cashregisteragent": null,
   "posAmountAdjustedValue": "0",
   "posAuthAmountCurrency": "EUR",
   "appinfo.lib": "1.24.6",
   "startYear": "2017",
   "posAmountCashbackValue": "0",
   "displayAmount": "EUR 23.00",
   "location.latitude": "83.29697",
   "appinfo.appname": "eu.pretix.pretixpos.debug/3.0.0-debug",
   "paymentMethod": "mc",
   "appinfo.libimplementation": "Android",
   "cardIssueNumber": "33",
   "cardSummary": "9999",
   "CVMResults": "1F0302",
   "mid": "1000",
   "expiryYear": "2028",
   "terminalId": "VX820-902004522",
   "applicationPreferredName": "mc en gbr gbp",
   "cardBin": "541333",
   "posResultCode": "APPROVED",
   "terminalApiVersion": "adyen-v1_51p0",
   "appinfo.os": "10",
   "merchantReference": "61/42 - 2020",
   "timestamp": "2022-03-18T15:02:29Z",
   "cardIssuerCountryId": "826",
   "appinfo.posregisterconfiguredname": "4fc8598268273846",
   "authCode": "123456",
   "transactionReferenceNumber": "NVDC8T535V5X8N82",
   "iso8601TxDate": "2022-03-18T16:02:27.0000000+0100",
   "cardType": "mc",
   "expiryMonth": "02",
   "terminalOsVersion": "QT000560",
   "posAuthAmountValue": "2300",
   "tc": "33D6275F8CD41826",
   "transactionType": "GOODS_SERVICES",
   "posOriginalAmountValue": "2300",
   "applicationLabel": "mc en gbr gbp",
   "posAmountGratuityValue": "0",
   "posEntryMode": "CLESS_CHIP",
   "appinfo.model": "rk3399-Android10"
 },
Retrieved from "https://wiki.mch2022.org/index.php?title=MCH2022_Payment_System&oldid=15890"