Behind the scenes: Pleo’s payment and security infrastructure explained

We all love the fact that Pleo cards can be used in numerous ways: with Pleo you get a physical card, a virtual card, and you can use them on Apple Pay and Google Pay. We know that this is a matter of convenience for all our customers.

Now, the Pleo experience is not only about convenience. We are also proud to say that at least 99 percent of our customers feel secure using Pleo.

But what exactly is it that makes paying with Pleo safe? We talked to no one less than our very own Senior Product Manager, Parth Parikh, who works on the payment side of the Pleo product and dived deep into behind the scenes of a Pleo transaction.

What happens in the background when I pay with my Pleo card?

Typically, when you do a card transaction, there are two types of card transactions: One we call “card present transaction” and the other “card not present transaction”.

So let’s look at what happens if you pay for coffee with your card being present:

There is the merchant where you use your Pleo card to pay. Then you have the acquirer, for example SumUp who gives you a POS machine (point of sale machine). You tap the card on the machine. The first thing that happens now is that the information on the card passes on into the machine. Now it’s the acquirer’s responsibility to consume this information and send it to the network. In Pleo’s case, the network is Mastercard because all our cards have the Mastercard network assigned to it. Now the network identifies which issuer this card belongs to. If you are lucky enough to own a Pleo card, your card issuer is Pleo itself. The network sends the message, which is eventually received by the card issuer to decide: hey, somebody is trying to make a purchase with your card, would you approve it or not?

Now, the challenge is that Mastercard has a very cryptic way of sending this message. This is a very specific format ISO 20022 format, which most issuers are unable to read. We would have to invest into a huge amount of infrastructure to do so. So, we ask someone to simplify this for us. This is where the card processor Enfuce comes in. It processes the transaction. Enfuce consumes the message from Mastercard, simplifies it and sends it to Pleo. Pleo can then read the transaction, and we then decide whether we want to approve the transaction. This is something most card issuers choose to do, only big banks might have their own card processor. For most issuers, it’s more efficient to pay for someone else's expertise to take on this job for them.

What's the difference between different networks like Mastercard and Visa?

Usually, the issuer choses the network. Pleo has a contract with Mastercard. The acquirer can send signals to all networks, but it detects from the card which network the issuer has chosen for the card.

There is technically no difference between different networks. It’s as if you shop at shopping mall A or shopping mall B – the outcome will be the same.

But of course Mastercard is widely accepted across the world, more than 30 million merchants accept Mastercard, so in that way Pleo is a very acceptable expense solution.

High card acceptance rates are important to everyone having to choose a credit or company card. What could be the reasons for a card not to be accepted?

This could have multiple reasons. Few examples are as follows:

The first possible reason could be that the merchant’s acquirer is simply not working with certain networks. So, it’s never really the merchant who chooses not to accept a card, it’s the acquirer he/she is using.

The second reason could be that the acquirer does work with the network the presented card belongs to, but the card details are completely alien and trigger a risk based check. This could be the case if you are going to Aruba using a Korean Mastercard. Those cases are very unusual and very out of the box.

The third scenario would be: the acquirer accepts the card information, passes it on to the network, but then the issuer says that this transaction is completely out of their standard norms to accept, potentially because they breach the parameters configured for the transaction e.g. daily spend limit.

Here at Pleo we have a risk engine run by monitor transaction rules stating that a particular transaction is risky, or the merchant is risky. If they are, we go ahead and check the transaction, and additionally we could immediately freeze the card. If you go to a high-risk country to pay for something with your Mastercard, the transaction might go through to the card processor, but then Pleo won’t authorise your purchase in a high risk country due to sanctions or money laundering risk. We simply reject the transaction.

This list of rules is customizable, and it is smart, meaning that the risk engine learns from previous data. If you keep on using the card on the same merchant, the engine also learns that it is OK to approve this transaction.

At what point does the money actually leave your Pleo account?

If Pleo as an issuer approves a transaction, the first phase is completed. This is what we call “card authorisation”. The second phase would be “settlement”.

The first phase means that actually no money movement has happened yet, the issuer has only authorised the transaction. Now the merchant has the capability to come to Pleo at a later time to collect the outstanding balance. This final step of the money moving from your Pleo wallet to the merchant is called “settlement”. This typically happens two days after the transaction.

Everyone knows about having to pay a deposit when renting a car, for example. Here we can see the same principle working: the 500.00 euros deposit are getting authorised and blocked on your card, but they never actually get taken – unless you damage the car.

After a transaction is settled, the user may dispute a purchase made using their Pleo card, claiming that it was fraudulent or made without their knowledge or permission and can initiate a chargeback claim. This can take several days and is subject to review from the merchant. Between authorisation and settlement, the merchant  actually has the chance to stop money being transferred or organise a partial settlement.

Our customers need to top up their Pleo wallet to use their Pleo cards. Where exactly is this money being stored?

The money does not go directly to us. 

We work with trusted partner banks with a well-connected payment network across the globe, like J.P. Morgan, Banking circle and Danske Bank.

So, to be more specific, when you top up your wallet the funds first go to safeguarded account at J.P. Morgan (or to Danske Bank for our clients in Denmark and Sweden). This means that neither we - nor anyone else - has direct access to your money.

If a transaction is made and Mastercard looks for the funds to cover it, Pleo takes the money from J.P. Morgan (or Danske Bank) to pay.

How common is it for a business expense solution company like Pleo to be the issuer of the cards customers are using?

If you look at our competition, in some cases the competitor is also an issuer like Pleo, and in other cases our competitors aren’t the direct issuer. This means that they are only regulating the cards. They can still monitor transactions and set up transaction rules to pass on to the issuer, though.

How is a purchase with a virtual card different?

What makes your virtual card virtual is that its card information is not stored on a physical card. That’s the only difference to a physical card. You can do a card present transaction with your physical card and your virtual card. In both cases, your card is present, meaning you can tap your virtual card on a POS machine (by presenting your smartphone or your smartwatch) in the same way you tap your plastic card.

This is also the reason why, from an issuers' perspective, I care more about whether we are dealing with a card present or card not present transaction. A card not present transaction would be for example buying something online and then using details either from your physical or your virtual card to pay. 

Does this mean that virtual cards have the same risks as physical cards?

It means that a purchase is more risky when a card is not present, so not stored on a personal device being used to pay or just not present in your hand to tap or insert into a POS machine.

In terms of payment security, virtual cards and physical cards are both equally safe to use.

In the end, online or card not present transactions are riskier than offline transactions, purely because merchant and card user are not physically together in the same room.

For online payments, there is no physical acquirers' device present. How is an online transaction being processed?

Online merchants usually use a third-party acquirer e.g. PayPal where you have to enter your card details. The next steps are mostly the same as they are with offline payments: The acquirer sends a message to the network, the network sends a message to the card processor and the issuer has to authorise the payment.

But for security reasons there is an additional step on the issuers side which is what we call Strong Customer Authentication. This online authentication process is only needed for card not present transactions. The issuer is now checking if the merchant is a known and usual merchant, if not, they will send a notification to your phone asking you to approve the transaction.

At Pleo we built a smart engine in our ecosystem that determines whether the merchant is a recognized supplier. 

When we talk about Pleo, we actually need to talk about the two Pleos there are: Pleo Financial Services and Pleo Technologies. What role do they play when it comes down to transactions?

Enfuce and Pleo are part of Pleo Financial Services, which is a financial entity regulated by the FSA in Denmark. Only a financial registered company can issue a card. However, the technology that the financial service uses could be housed in a separate entity. This is because the financial service can purchase the technology to, for example, determine which merchant is safe and which is not. In Pleo’s case, Pleo Financial Services needs to buy this technology from somewhere, and it is buying it from Pleo Technologies, which is just a tech company developing software. Our app, for example, is designed by Pleo Technologies. They are two separate companies.

Using two separate companies to offer the final product is quite a common practice among expense solution companies.

Are there any other benefits of issuing our own cards within Pleo Financial Services?

The existence of Pleo Financial Services means that we can enforce our own compliance and fraud regulations and maintain a close relationship with the financial regulator.

We are not dependent on any other institution to comply with the regulations. We are not exposed to governance failings by others.

How can we reassure our customers that their money is safe with us?

All Pleo cards are secure, we have fraud protection and fraud detection in place. Purchases are monitored by fraud detection algorithms, which temporarily freeze cards in case of suspicious activity.

We are simply providing the highest standard of payment and data security. We have all certifications in place that make transaction and transaction data safe:

The PSD2 certificate means safety from a point of view of risky and non-risky transactions. As explained earlier, there is a base requirement for our risk engine, but we set up rules on top of that. Gambling is for example not prohibited by the regulator, but we took an extra cautious step to say you can’t gamble with Pleo cards. This is also where the Strong Customer Authentication kicks in to give an extra security level on all payments and user authentication.

The PCI DSS certificate is all about the privacy and security of your data. From the moment you tap your card, your data gets tokenized. Even if someone would gain access to this data, they could not make sense of it at all. Your data stays fully encrypted. All data is protected by the highest security banking standards.

The Mastercard Zero Liability Policy means Pleo customers are protected by Mastercard and every transaction uses the Mastercard protection. If your card has been used for fraudulent activities, you will get repaid. 

Within the EU Data privacy & security requirements Pleo is fully compliant with the GDPR legislation. We won’t use customer data for anything other than what is allowed by the law. We won’t share it with website marketing agencies, we won’t use it for newsletters etc. without your permission.

We truly use some of the best technologies around to prevent criminal activities with our cards.