SHAPARAK Project

Informatics Services Corporation
SHAPARAK Project
Iranian Electronic Card Payment System
2012-2014
Recommendation Form
Recommended Project:
SHAPARAK, Iranian Electronics Card Payment System
Category:
☐ Trade Facilitation
☐ Electronic Business in Public Sector
☐ Electronic Business in Private Sector
☐ Bridging Digital Divide
(Select only one category for a project)
Recommended by: (in print by the HoD)
Rationale:
Signature of the HoD:
Date:
Application Form
Country/Economy:
Iran
Project Title:
SHAPARAK
Organization:
Informatics Services Corporation (ISC)
Category:
☐ Trade Facilitation
☐ Electronic Business in Public Sector
☐ Electronic Business in Private Sector
☐ Bridging Digital Divide
(Select only one category for a project)
Project Leader:
Ali Seifi
Phone Number:
+98 21 25864657
Email Address:
[email protected]
Contact Person:
Reza Jourabpourian
Mailing Address:
No. 125, Dastgerdi St., Tehran, Iran
Phone Number:
+98 21 25864654
Email address:
[email protected]
URL (if applicable):
www.isc.co.ir
This form is completed and submitted by (in print):
Date:
2015/08/15
Job title:
Project Manager
Fax:
+98 21 22227129
Ali Seifi
Director
Card Systems Department
Informatics Services Corporation (ISC)
Signature:
Project Title: SHAPARAK
Project Leader Name: Central Bank of Iran (CBI)
Organization/Company: Informatics Services Corporation (ISC)
Nominated by: Central Bank of Iran (CBI)
Table of Contents
Abstract
Executive Summary
Project Content
Project Scope
Goals and Objectives
Challenges
Strategies and Methodology
Standards
Economic benefits, achievements, and Impacts
Next step onward
Resources
Abstract
In August 2002, in line with the Central Bank of Iran's (CBI) main objective of migrating Iran's
traditional banking and business style to modern banking, Iran's national card switch, known as
'Shetab', was introduced and launched. Shetab is a financial card switch that connects all issuer
and acquirer institutions in Iran. During the first decade of Shetab's operation, the use of
electronic payments grew massively and made Iran's card payment network the biggest one in the
Middle East. Meanwhile, banks and financial organizations invested in several Payment Service
Provider (PSP) companies in order to provide Point of Sale (POS) terminal, Internet Payment Gateway
(IPG), and Mobile Payment Gateway (MPG) infrastructure for Iranian businesses all over the
country.
The growth of card payments in society and the increasing role of PSPs in Iran's card payment
network increased the need for Central Bank supervision of PSPs' activities. In 2011, more than
twenty PSPs were working independently with twenty-nine acquirers without unified standards,
and there were no exact figures with which to track the factors that negatively affected
public satisfaction and increased security risks. In addition, the lack of Central Bank supervision
left the PSPs' revenue business plans unstructured, which resulted in an uneven distribution of
terminals across the country.
The SHAPARAK project started in January 2012 to meet CBI's goals and concerns and lasted about
2 years. The initial version of the SHAPARAK system was launched in August 2012, and as the
first step all the PSPs moved their POS terminals to the SHAPARAK platform. In December 2014,
CBI ordered all PSPs to join their IPG and MPG infrastructures to the SHAPARAK platform,
which was the final part of the SHAPARAK project.
To date, SHAPARAK has handled over 14 billion payment requests with a turnover of about 21000
billion IRR. Today it processes over 30 million customer payments per day.
Executive Summary
Before this project, the relation between PSPs and banks was as illustrated in Figure 1. In this
architecture each PSP had to have its own contract with a commercial bank, which let it connect
through the bank's medium to the Shetab network.
Figure 1: Payment network before 2011
Under this architecture, CBI had no supervision over the technical quality of PSPs and could
not monitor financial transactions between PSPs and banks. Factors such as the security of
sensitive cardholder data, availability, and responsibility in the case of disputes could not
be observed in this model, which decreased the quality of service and the satisfaction of both
cardholders and merchants.
In addition, the lack of proper supervision tools reduced CBI's power to regulate the
whole payment network.
Since its launch in the Iranian payment industry, SHAPARAK has played the role of a mega PSP for
Shetab and handles all regulation, payment standards, supervision, merchant management, etc.
over all PSPs on behalf of the banks. Figure 2 shows the position of SHAPARAK in the electronic
payment network.
Figure 2: Payment network after the launch of SHAPARAK in 2012
In the new architecture, the main purposes of SHAPARAK are defined as follows:
• Achieving security enhancement in the electronic payment infrastructure.
• Effective supervision of the financial activities of PSPs.
• Standardizing the operations and services of all payment gateways in the country.
• Organizing the distribution of payment devices all over the country and eliminating
duplicate POS devices in merchant stores.
• Improving businesses and increasing customer satisfaction.
With the SHAPARAK system operating as a mega PSP in Shetab, banking transactions such as
transfer, statement, withdrawal, deposit, etc. are sent directly from banks to Shetab, while
transactions such as purchase, bill payment and charging are sent to Shetab only from SHAPARAK.
The flow of a typical card payment transaction through SHAPARAK is as follows:
1- The cardholder begins a transaction via one of the merchant terminals. The point of sale
terminal must comply with SHAPARAK security regulations in hardware, software and network
for connecting to the PSP central switch. All terminals of SHAPARAK's PSPs have to accept
all cards of Shetab members.
2- The respective PSP receives the transaction and transfers it to SHAPARAK. The standard for
sending financial transactions to SHAPARAK has been published by SHAPARAK Co., which
was established by CBI to manage SHAPARAK issues.
This standard is based on ISO8583 version 1987. The document sets out all the technical
requirements for enforcing security, regulations and unification.
3- SHAPARAK receives the transaction, checks it against the transaction and security rules, then
forwards it to Shetab for routing to the issuing bank.
4- The issuing bank performs the requested transaction and sends back the reply.
5- SHAPARAK receives the reply via Shetab and forwards it to the respective acquirer.
6- After a successful transaction from the cardholder's point of view, the acquirer informs
SHAPARAK to settle with the merchant.
7- SHAPARAK performs batch settlement offline for merchants and PSPs in periodic cycles
within a day.
Figure 3 shows the position of SHAPARAK and its connectivity with other financial payment
systems.
Figure 3: SHAPARAK position in payment network of Iran
Recently, in June 2015, another important facility of SHAPARAK was launched, which provides
flexible and comprehensive controls over all electronic payment participants. This subsystem
is known as 'Payment Management'. It enables the Central Bank and SHAPARAK Co. to enforce
regulations and financial policies over the electronic payment network in more detail, for
example policies that set the overall amount or transaction count for a specific merchant, or
for merchants in a specific geographical area.
The system offers a huge range of parameters for defining controlling rules: merchant category
code, specific PSP, specific merchant, specific customer, specific terminal, specific
geographical locations such as cities and provinces, or a combination of them. Since all
transactions must pass through the SHAPARAK channel, adding illegal members to the Payment
Management blacklist reliably results in an effective payment restriction.
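The rule model described above can be sketched as follows. This is an added example, not SHAPARAK's code: the field names, rule names, limits and sample transactions are constructed, and the counters are assumed to cover a single period.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Selector fields mirror the parameters the text lists; the field names are assumptions.
SELECTOR_FIELDS = {"mcc", "psp", "merchant", "customer", "terminal", "city", "province"}


@dataclass
class Rule:
    name: str
    selector: dict                    # every (field, value) pair must match the transaction
    max_amount: Optional[int] = None  # cap on the summed amount (IRR) per period
    max_count: Optional[int] = None   # cap on the number of transactions per period
    blacklist: bool = False           # True: decline everything the selector matches

    def matches(self, txn: dict) -> bool:
        return all(txn.get(k) == v for k, v in self.selector.items())


class PaymentManagement:
    """Evaluates every rule at the single entry point; counters cover one period."""

    def __init__(self, rules):
        for rule in rules:
            unknown = set(rule.selector) - SELECTOR_FIELDS
            if unknown or not rule.selector:
                raise ValueError(f"{rule.name}: bad selector {sorted(unknown)}")
        self.rules = list(rules)
        self.amount = defaultdict(int)
        self.count = defaultdict(int)

    def decide(self, txn: dict):
        hits = [r for r in self.rules if r.matches(txn)]
        # Check every matching rule before touching a counter, so a declined
        # transaction does not consume quota under some other rule.
        for r in hits:
            if r.blacklist:
                return False, f"{r.name}: blacklisted"
            if r.max_count is not None and self.count[r.name] + 1 > r.max_count:
                return False, f"{r.name}: count limit"
            if r.max_amount is not None and self.amount[r.name] + txn["amount"] > r.max_amount:
                return False, f"{r.name}: amount limit"
        for r in hits:
            self.count[r.name] += 1
            self.amount[r.name] += txn["amount"]
        return True, "ok"


def demo():
    # Constructed rules and transactions, not real SHAPARAK data.
    engine = PaymentManagement([
        Rule("blacklisted-merchant", {"merchant": "M666"}, blacklist=True),
        Rule("jewellery-tehran-cap", {"mcc": "5944", "city": "Tehran"}, max_amount=1_000_000_000),
        Rule("terminal-T1-count", {"terminal": "T1"}, max_count=2),
    ])
    txns = [
        {"merchant": "M1", "terminal": "T1", "mcc": "5944", "city": "Tehran", "amount": 600_000_000},
        {"merchant": "M2", "terminal": "T2", "mcc": "5944", "city": "Tehran", "amount": 500_000_000},
        {"merchant": "M1", "terminal": "T1", "mcc": "5411", "city": "Tehran", "amount": 10_000},
        {"merchant": "M1", "terminal": "T1", "mcc": "5411", "city": "Tehran", "amount": 10_000},
        {"merchant": "M666", "terminal": "T9", "mcc": "5411", "city": "Shiraz", "amount": 10_000},
        {"merchant": "M2", "terminal": "T2", "mcc": "5944", "city": "Tehran", "amount": 400_000_000},
    ]
    return [engine.decide(t) for t in txns]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DECLINE", reason)
```

The last transaction is allowed because the earlier declined one left the city-wide total untouched.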
E-commerce payment systems have become increasingly popular due to the widespread use of
internet-based shopping. However, one of the challenges of online payment was making electronic
payment secure. SHAPARAK verifies all internet gateways, and they must be in a subdomain of
SHAPARAK.ir; in this way it provides reliable internet payment gateways.
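A merchant plug-in or monitoring job can enforce the subdomain rule before redirecting a customer to a gateway. The check below is an added example, not part of the original document: requiring https and refusing userinfo are assumptions, and all sample host names are hypothetical.

```python
import re
from urllib.parse import urlsplit

PARENT_LABELS = ["shaparak", "ir"]      # the parent domain named in the text
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def is_shaparak_gateway(url: str) -> bool:
    """True only for an https URL whose host is a strict subdomain of shaparak.ir."""
    # Backslashes, whitespace and control characters are parsed differently by
    # different URL parsers, so refuse them instead of guessing.
    if "\\" in url or any(c.isspace() or ord(c) < 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname           # lower-cased, port removed
        parts.port                      # raises ValueError on a malformed port
    except ValueError:
        return False
    # Requiring https and refusing userinfo ("user@host") are assumptions of this example.
    if parts.scheme != "https" or not host or "@" in parts.netloc:
        return False
    if host.endswith("."):              # accept the fully qualified form "a.shaparak.ir."
        host = host[:-1]
    labels = host.split(".")
    # ASCII-only labels: a non-ASCII look-alike host fails here.
    if not all(LABEL_RE.fullmatch(label) for label in labels):
        return False
    # Compare whole labels, never substrings or string suffixes.
    return len(labels) > len(PARENT_LABELS) and labels[-2:] == PARENT_LABELS


# Constructed sample URLs; the host names are hypothetical.
SAMPLES = [
    "https://pay.shaparak.ir/checkout?id=1",
    "https://PAY.Shaparak.IR:443/",
    "https://shaparak.ir/",                  # apex, not a subdomain
    "http://pay.shaparak.ir/",               # not https
    "https://pay.shaparak.ir.example.net/",  # parent domain is example.net
    "https://pay-shaparak.ir/",              # different registered name
    "https://shaparak.ir@gateway.example/",  # userinfo, host is gateway.example
]


def audit(urls):
    """Return the URLs that must not be presented as SHAPARAK gateways."""
    return [u for u in urls if not is_shaparak_gateway(u)]


if __name__ == "__main__":
    for rejected in audit(SAMPLES):
        print("REJECT", rejected)
```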
In general, the role of SHAPARAK in Iran's card payment network is that of an intermediate
payment processor which collects, analyzes and routes information gathered by the different
active PSPs in order to manage risks, promote electronic payment security, combat money
laundering and financial crimes, and enhance competition among PSPs so that they provide
better services.
Project Content
Project Scope
The scope of the SHAPARAK project includes all PSPs that are going to have any financial activity
in Iran. Since all merchants and their terminals are under the supervision of PSPs, the scope
extends to all active merchants and terminals, which number more than five million all
over the country.
The characteristics of the SHAPARAK project are as follows:
• It has covered all thirty-one provinces of Iran.
• It has included 12 payment service providers.
• It has involved over 4,600,000 merchants.
• It has included over 4,700,000 POS terminals.
• It has included over 42,000 payment web terminals.
• According to Shetab rules, it provides services to more than 200 million cards of
Shetab members.
Goals and Objectives
As a payment processor switch, SHAPARAK pursues several goals and objectives. The following are
the main objectives of the SHAPARAK system.
• Transaction aggregation: SHAPARAK acts as a unified gateway switch that gathers all
the transactions from all the licensed PSPs of Iran. This single entry point bridges the PSPs
to another banking network, which transfers the transactions to issuer banks.
• Reporting and data mining: The SHAPARAK data center is a unified and centralized database
of all the PSPs' transactions, so it is suitable for generating regulatory reports; in addition,
data mining techniques reveal statistical data about customer behavior patterns that is useful
in formulating marketing, sales, and customer support strategies.
• Dispute Recovery Center: The management role of SHAPARAK provides the authority required
to decide on disputes, which are an inevitable part of card payment switches.
• Fees calculation: Assigning the fees of the different parties involved in a transaction life
cycle is one of SHAPARAK's tasks. Without it, there would be no reference center to
decide on fee calculation, and each acquirer would have to deal with its own model.
• Secure data transfer between terminals and banks: Enforcement of security standards
such as PCI compliance by SHAPARAK provides a secure channel for transmitting data
between terminals and banks.
• Regulatory tasks: A blacklist exists as a way of defining different constraints in order to
prevent illegal or invalid transactions in the banking system.
• Management of Payment Service Providers: In the past each PSP had to have a contract
with one or more acquirers. Different acquirers could have different regulations, and the lack
of central management led to several disputes.
• Organizing merchant category financial activities: Business administration and merchant
classification are SHAPARAK's tasks. CBI may use this categorization for economic
analysis and for codifying merchants by category.
• Applying business rules: Several financial business rules may exist in each local market.
For example, dividing a transaction amount among a number of vendors was a business
requirement that was implemented in SHAPARAK.
• Support for different types of transactions: One of SHAPARAK's goals was to support
the different transactions required by the market while keeping those transactions compliant
with the financial transaction card originated messages standards. Balance, purchase,
card PIN verification, special payment and bill payment are some of these transactions.
• Online monitoring: SHAPARAK has its own monitoring application, which simplifies
controlling and administrative tasks.
• Fraud screening: SHAPARAK supports a number of fraud detection approaches.
Aggregating transactions at the SHAPARAK center makes fraud screening more
effective, because every transaction must pass through SHAPARAK as the single entry
point toward the issuer bank.
• Standardization: SHAPARAK designates comprehensive standards and supporting
materials to enhance payment card security, for example ISO 8583 for interchange
message specifications, PCI Data Security Standard (PCI DSS), PIN Transaction Security
(PTS) and Payment Application Data Security Standard (PA-DSS).
• Certification and labeling: After successfully passing all the tests and procedures, PSPs
receive a label to apply to their terminals. In this way a payment terminal that carries the
SHAPARAK label is trustworthy from the point of view of the cardholder (customer).
• Auditable card payment: Several auditing tasks are performed periodically, and
violating service providers are identified. Based on the auditing results, a penalty or
incentive plan may be executed, and as a result a competitive market is provided for service
providers.
• Enhancing public trust in the card payment system: All of the above objectives lead to
better services for customers. The more customers trust card payment systems,
the more they use them, and in this way trading becomes much easier.
Challenges
The main challenge of this project was migrating the PSPs' terminals from the traditional model
to the new SHAPARAK model. At that time POS terminals and IPGs had been operating in the payment
industry for about 9 years, and we had to plan the migration in such a way that no cardholders
or merchant owners would notice the changes.
At that time some of the PSPs offered merchants online clearing without any delay in order to
satisfy them. This may be a great service for merchant owners, but increasing the speed of
money transfer also increases money laundering risks. One of CBI's goals in developing
SHAPARAK was to introduce some delay into this process in order to allow more
control and authorization over merchant accounts and turnover. Persuading merchants to give up
the old method and accept the new one was therefore another challenge of launching
this project in its first step.
Increasing the use of electronic infrastructure to replace cash and banknotes with
electronic money is one of the main concerns of the Central Bank of Iran, but the main challenge
in electronic money transfer is effective supervision and comprehensive, intelligent control of
financial transactions.
Before the SHAPARAK project, a PSP offered online services for accepting electronic payments by
connecting to one or more acquiring banks. The problem was that competition among the different
PSPs and the lack of central management led to an uneven distribution of POS devices across the
country. For example, a small store in a metropolitan area could have more than three POS
devices while some other parts of the country had none. Moreover, there was disinvestment and a
lack of standards and security infrastructure in this area.
The innovative idea for overcoming these problems was an electronic payment card network named
"SHAPARAK", in which all PSP switch applications are connected to a central switch application
with central management. This switch application transfers financial transactions to banks and
performs merchant settlements.
Electronic payments are controlled and managed across the whole country by the Central Bank. In
addition, all PSPs have to obtain SHAPARAK certification to be connected to the electronic
payment network, so there is a unified standard for interchanging transactions. Cardholders
therefore have acceptable security, because SHAPARAK ensures the money is returned in the case
of disputed transactions, and all valid cards work at every payment point.
In addition, the SHAPARAK switch application identifies the needs of cardholders and merchants
in the industry and across the country in order to improve the use of electronic money, and
requires payment service providers to implement the related transactions and functionalities.
These functionalities extend security, performance, reliability and user satisfaction in the
electronic payment network.
Strategies and Methodology
Several strategies were considered while developing the SHAPARAK project. The most important
factors are listed below.
• High Availability: The SHAPARAK network is a complex network with a "distributed
architecture" throughout the country. The chances of the entire network shutting down are very
low, as the network does not have any single point of failure. If a single point experiences
short-term technical difficulties, it is not possible for the entire network to fail.
• Fraud Detection: Data mining and big data analysis are used for fraud detection to combat
money laundering and abuse by merchants or PSPs in the network.
• Self-evaluation: Most complex solutions fall into the trap of doing the same thing over and
over. This can be problematic, so in this project there are weekly sessions for evaluating the
ongoing process, and continuous improvements are examined in a very advanced
laboratory.
• Best Practices: The development process is based on the agile and scrum methodologies, and
DevOps principles are used for communication, collaboration, integration and automation
between the software department and other parts of the company.
• Development architecture: The main core of SHAPARAK is based on a microkernel
architecture pattern for system software, which gives the best performance and speed in
such systems. We also use a multi-layered application for monitoring and for external
interfaces and tools.
Standards
The SHAPARAK system, like any other project, is deeply involved with international standards.
International standards are strategic tools and guidelines that help companies tackle some of
the most demanding challenges of modern business. The following is a list of the international
standards used in this system:
• ISO 8583
ISO 8583 covers financial transaction card originated messages and interchange message
specifications. It defines an international protocol for card switch systems to pass electronic
transactions made by cardholders.
• PCI-DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies
and procedures intended to optimize the security of credit, debit and cash card transactions and
protect cardholders against misuse of their personal information.
• ISO 13616
ISO 13616-1:2007 specifies the elements of an International Bank Account Number (IBAN) used
to facilitate the processing of data internationally in data interchange, in financial environments as
well as within and between other industries. The IBAN is designed for automated processing, but
can also be used conveniently in other media interchange when appropriate.
• ISO 27001
The ISO 27000 family of standards helps organizations keep information assets secure. ISO 27001
is a specification for an information security management system (ISMS).
Economic benefits, achievements, and Impacts
SHAPARAK has undoubtedly provided an organized framework for Iran's card payment infrastructure.
Nowadays people are more likely to carry one or more cards in their pocket instead of cash notes.
The volume of card transactions has increased considerably in recent years, with over 99%
successful transactions. Figure 4 shows the number of transactions over the last two years. The
trend is clearly upward, and the total number of transactions approximately doubled
during this period.
[Chart: monthly number of transactions, month 1 to month 12, vertical axis from 0 to 600,000,000, for Jalali Year 1392 (2013/2014) and Jalali Year 1393 (2014/2015)]
Figure 4: Transaction Volume of SHAPARAK between 2013 - 2015
In the SHAPARAK card payment network, consumers can use any valid card at any valid merchant,
regardless of the card issuer or acquirer. As more consumers join the card network,
more merchants join to serve them, and trading accelerates as a result. Electronic
processing of card payments simplifies trading in many ways. For example, the accounting process
is more effective compared to cash transactions; transparency is enhanced because it is
easier to keep track of the transaction amount, date and time; the sale process is accelerated;
and security increases because there is no need to transport cash or risk accepting forged notes
and coins.
These improvements lead to more public interest in using electronic payment instead
of cash payment. According to Iran Central Bank reports, the per capita cash decreased from 113
to 74 in the two years since the launch of the SHAPARAK project. Therefore one of the main
objectives of Iran's central bank has been achieved.
Next step onward
For future work we are going to consider online signature verification or other biometric
approaches for verifying card-present transactions. Since the cost of applying such approaches is
high, we would also use the transaction amount as a key value for deciding whether these
techniques should be used or not.
One of the next steps in the SHAPARAK network is developing and regulating offline transactions
and supporting EMV transactions. The main goals of using the EMV and semi-EMV approach in the
SHAPARAK network are:
1. Eliminating the passing of online PIN verification data and using terminals to verify PINs
offline.
2. Using a well-defined standard to support offline transactions.
3. Moving to contactless transactions.
The other step for SHAPARAK is obtaining PCI DSS certification. In line with the
goals of SHAPARAK, PCI DSS rules are already applied in SHAPARAK infrastructure, but due
to international sanctions, obtaining certification from a well-known institution has been
postponed.
Finally, we are going to develop the SHAPARAK system based on ISO8583 version 2003 and
ISO20022 in order to achieve better solutions for the needs of new electronic businesses.
Resources:
Software: Combination of enterprise applications and modules based on C, C++ and Java EE
technology, IBM Informix DB, Linux.
Hardware: HP Series servers.
Network: Iranian National Inter-Banking Network (NiBN).