5.14 Payment Systems

The more cautious companies take themselves online in stages.

1. A start is a simple online catalog, from which customers can order by telephone or email. The personal contact fosters confidence, and customers can check product details with a knowledgeable salesperson.

2. Then may come a website with page information automatically supplied from a linked database, ensuring that stocks, prices and specifications remain up to date.

3. Only with online payment does ecommerce proper arrive, and even then there are sub-stages which companies may pass through.

a. Rather than process credit cards in realtime, emerchants will commonly take payment by one or more of these approaches:
1. Online checks.
2. Wallet systems.
3. Credit card details taken by encrypted email.

b. At the next stage enters the payment service provider, where the mix of options and misleading terminology almost guarantees confusion. At their simplest, the options are:
1. An all-in ecommerce system supplied by the webhosting company.
2. An Internet payment service bureau that handles all aspects of payment, sending customer details back to the emerchant for order fulfillment.
3. A secure order form on the emerchant's site, which transfers customer details via a payment gateway to a credit-card processing company.
4. An application programming interface on the emerchant's server that allows more direct access to the merchant account, though still through a payment gateway.

The devil is in the details. These are the common complications: The all-in ecommerce hosting system may:

1. Allow or not allow a range of shopping carts to be used.
2. Allow or not allow emerchants to find or use their own merchant accounts.
3. Some shopping cart programs are only sold through registered partners or hosting companies, which effectively makes their use an all-in ecommerce-hosting system.

Internet payment service bureaus differ widely in:
1. Rates and terms applying
2. Products they handle (content/physical goods, adult sites, etc.)
3. Turnovers expected (usually unstated on their sites).

Secure order forms and application programming interfaces :
1. Are often not properly distinguished in the service details, though they are very different in operation, obligations and costs.
2. May or may not require your own server or dedicated server.
3. Require a payment gateway which works only with specified shopping carts and merchant accounts.
4. May or may not be supplied by the merchant account provider
5. May or may not be added to your shopping cart without programming expertise.

A merchant account may be unobtainable, throwing the emerchant back on Internet payment service bureaus or other stratagems.

Simple Merchant Accounts

You must have a merchant account to process credit cards, and these may be either a retail merchant account or an ecommerce merchant account.

As far as the retail version is concerned, bricks-and-mortar shopkeepers will be familiar with the authorization process — swiping the card or phoning to authenticate — and this may be all an online business requires. If you operate on low volumes (e.g. letting a farmhouse for the summer), or face little competition (subscription to a specialist ezine), you can simply take the customer's credit card details with encrypted email, authenticate as convenient, and then email acceptance.

Online Merchant Accounts

Very different is the ecommerce merchant account serving the needs of the high volume emerchants who process credit cards online in realtime. Website customers expect sale acceptance within a minute, and to be furnished with tax and shipment details. More sophisticated software is needed to handle the transactions, and the perceived risks are greater — which means higher charges all round.

Nonetheless, taking credit cards online is essential for many ebusinesses, and the greater costs are more than outweighed by the advantages:

1. Decisive edge on the competition.
2. Enhanced sales.
3. Greater protection from fraud.
4. More flexibility in processing orders and invoicing the customer.
5. Lower costs once sales exceed $1,000/month or so.

How Merchant Accounts and Payment Gateways Work

The merchant account acts as an intermediary or clearing house between your bank and your customer's credit card account. The transaction operates through software called a gateway payment system. Procedures differ somewhat depending on the providers and countries concerned, and third parties may intervene with fraud detection systems, but in essence the steps are:

1. Customer fills out the order and credit card information on the website order form, and clicks the submit button.
2. The information is transferred via the gateway to the bank's processor and the account is looked up.
3. If the result is favorable, an authorization number is sent via the gateway to the merchant's website, and the acceptance is viewed by the customer.
4. The merchant notifies the gateway that the item has been shipped and the transaction settled.
5. The gateway then informs the bank that the transaction has been settled.
6. The merchant emails the customer with confirmation of the sale and shipping details. The bank credits the merchant's account and debits the customer's credit card account.

Leaving aside wallet systems and payment service bureaus, payment gateways come in two types:

1. A secure order form hosted on the payment gateway provider's site. This is the cheaper option and provides better shipping and tax calculation facilities than is usually the case with payment service bureaus. Because information is collected off the merchant's website, however, it can be difficult to source customer information on purchases, even sufficient to identify individual charge-backs. Data integration, marketing and planning therefore suffer.

2. An API (application programming interface: software) running on the server hosting the merchant's website. This is the more expensive option but overcomes the previous limitations. Such software is usually specific to the type of server concerned, however, and requires considerable programing expertise to install (plus permission from the hosting company: normally only allowed on a dedicated server).

MAPs and Credit Card Processors

Merchant accounts are provided by Merchant Account Providers (MAPs). These may be acquiring banks, Independent Sales Organizations, or the ISP company hosting your website. To add to the confusion, Credit Card Processors may also be called MAPs, though their role is actually limited to processing the credit cards associated with merchant accounts. Like ISOs, CCPs supply software (payment gateways) and sometimes the hardware to physically process the cards. An ISO account will normally come with its own Credit Card Processor, but you may have some choice if your business bank provides the merchant account.

Mechanics of Merchant Accounts

Suppose you've found a MAP to give you a merchant account. What needs to be done before signing the contract? You should:

1. Make sure you understand what's entailed: technical, financial, legal.
2. Shop around to know what constitutes a good deal for your business.
3. Check that the merchant account will work perfectly with your chosen shopping cart and payment gateway.

Software Integration

Ideally you would first choose your storefront program, then establish the payment gateway system, and only then research the appropriate merchant account. But since that approach may lead to dead-ends, it's often necessary to juggle the options until you find a reasonable fit. Certainly the most important decision is the choice of shopping cart — you can change the others more easily later — and here you can shorten the odds by choosing one that employs a popular gateway system. Remember also to check what hosting platform is required — generally Windows or Unix. Integration is a good deal easier if both storefront and payment gateway use the same platform.

Software Integration: How It Works

Shopping cart, gateway and merchant account need to work together because anything the acquiring bank requires must be collected from the website customer, and the stated shipping costs, tax and payment details also find their way through the system to the customer's credit card account. But payment gateways demand a good deal more than that. Their security measures employ protocols, message formats, certificate authorities, sums, secret keys, secure socket layers, timeouts, and retransmissions. That in turn means compatible procedures, and sometimes common operating platforms. The details only concern programmers, but banks will know what their systems can and cannot support. This information should also be available to ISOs, and some are indeed very helpful to the prospective merchant. Unfortunately, many still chase the commission, and it is usually wise to contact all parties to double check that everything will indeed work as promised.

Who Does What?

Suppose you find your ideal merchant account: what happens next? The provider arranges for a third party (credit card processing company) to accept the credit cards, verify the transactions and deposit funds into the acquiring bank. The third party provides you with software — the payment gateway — to link up with the third party or to process cards on your sites. Then what?

1. If your gateway takes the form of a secure order form hosted on the credit card processing company, you may simply be able to cut and paste the supplied HTML coding. Much depends on the instruction manual and your own level of expertise.

2. If your system is supplied as a complete package by the company hosting your website, then that hosting company will probably do the installation. A standard arrangement will be included in the price, usually very competitive. If, however, you insist on your own choice of payment gateway, then additional coding will be needed, and you may end up paying a sizable bill, either to the hosting company or a third party programmer.

3. If your gateway is an API (application programming interface) running on your server, then you will most certainly need a expert programmer familiar with both the server and the coding language (Perl, PHP, ASP, C++, VB or Coldfusion). The bill will be high, but using an accredited professional will be cheaper in the long run.

Finally, you have to get the funds deposited into the acquiring bank into your own bank account. The two may be the same — if your business bank is supplying the merchant account — and transfers between banks located in the USA are not expensive. On the other hand, overseas merchants will obviously need to investigate with both banks the costs of transfers and currency conversion.

Costs

How much will the payment gateway cost? If your merchant account is arranged through an ISO, then the fees and charges will probably include the hire of payment gateway software, though you should inquire. If you've obtained your merchant account directly from a bank, however, then the payment gateway costs usually come as an extra. You may have to pay something like $400 for setup, plus possibly various monthly and transaction fees. Check, and do your sums carefully.

Security

Customers are providing you with credit card details. What measures are needed to handle the information securely? Again it depends on the payment gateway system.

1. For a system hosted on the credit card processor, the security issues are theirs. Customers will need to be assured that their details are safe, but it is the card processor and not you that has access to the information. Nonetheless, the hosting company will probably offer you SSL at a reasonable price, and you would be wise to take it.

2. For a complete package the security measures are the concern of the hosting company, but it's also your responsibility to ensure that the measures are adequate. You may have to employ an outside consultant to overlook the system.

3. For an API, security is wholly your concern — which is another reason for employing someone who really knows what they're doing.

Merchant Accounts

Competition among MAPs is fierce, particularly for the better customer. And as merchant accounts can be various and complicated, it pays to understand what is being offered and why. Your merchant account should a) offer good terms, b) provide legal safeguards to all parties, c) allow you to upgrade the service or move to another provider without heavy penalties and d) have the machinery and experience to resolve any difficulties promptly.

Bank or ISO?

Both banks and ISOs watch the bottom line, but banks are more concerned with security and reputation, while ISOs naturally want a fatter profit margin to cover the increased risks. Banks are therefore cheaper but choosier. ISOs are more tolerant, providing fuller services to Internet businesses, but at a cost.

Transaction Charges

The transaction charge is commonly made up of two components: a fee charged at a flat rate on each transaction and a fee charged as a percentage of the value of the transaction (discount rate). Both vary widely, and your choice will be guided by the nature of your business. Generally, you'll aim as follows:

1. Low sales volume — try to minimize monthly charges.
2. Low cost items —go for low flat fees and higher percentage transaction charges.
3. High cost items — go for higher flat fees and low percentage transaction charges.

Evaluating a Merchant Account

A merchant account is a business transaction, and you'll start by evaluating the Merchant Account Provider itself. Banks are reputable, but too many ISOs don't deliver. Watch out for these warning signs:

1. High application fees, to be paid immediately.
2. No acquiring bank is mentioned.
3. Unreasonably low transaction charges.
4. No proper business address.
5. Incomplete or loosely-worded contracts.
6. Vague answers to specific business and/or technical inquiries.
7. No response to phone inquiries.

Ask what credit cards the merchant account handle. And do they accept these cards worldwide or only within a selected area: USA, Canada, Europe, Australia? Research geographical preferences for global businesses: they vary widely.

The cost of a merchant account includes a setup fee, a monthly charge, and a cost per transaction (generally a flat fee per transaction plus a percentage of the value of the transaction.) Banks will certainly retain some percentage of funds to protect themselves from charge-backs — i.e. for those purchases not honored by the customer, either deliberately or through forgetfulness. What are the percentages retained, and for how long? Is a fee imposed for charge-backs, and/or beyond a certain level of charge-backs? The more cautious banks, particularly outside the USA, may also require a security deposit, which can be punitive for smaller businesses. Additional fees, small in themselves but aggregating to an appreciable total, may include those for credit card use outside the USA, processing transaction batches, verifying customer addresses, supplying a monthly statement, using the payment gateway, fraud screening software, providing voice authorization, and cover for charge-backs when your account holds insufficient funds. Scrutinize the agreement, and query what isn't spelled out.

The banks will have reviewed their security before issuing a merchant account, but how how safe are you? You'll certainly need SSL (secure socket layer: normally provided by the hosting company) technology if you're using an API, but security may need to be further checked by an outside consultant if you don't have your own IT department.

Your business will be online 24 hours a day, and you expect the payment gateways to be equally responsive. Most are, but horror stories happen. Then there are transactions that go off the rails, or run into the unexpected. How helpful are the merchant account providers here? Again you need to read the literature.

A merchant account is a binding legal agreement between bank and merchant, and you don't want nasty surprises down the line. The terms should be fully spelled out on the agreement, and fully appraised by your legal team. Probe if matters are unclear — or, better still, find another account. If the MAP doesn't understand the business sufficiently to frame a proper agreement, it may not be able to help when things go wrong. Remember also that you can't afford to default on the legal aspects. Quite apart from the costs arising, you may be placed on the list of companies failing in their account obligations, and so find it very difficult to open another merchant account.

Four areas need your special scrutiny:

1. Reserve account: funds reserved to cover charge-backs can amount to an appreciable percentage of the total, and be retained for up to 270 days of account closure.
2. Recoupment or set off: banks usually have the right to withdraw or withhold funds if charge-backs become excessive or your standing with the bank deteriorates.
3. Security: the lien placed upon your funds under the Uniform Commercial Code.
4. Advertising restrictions: how are credit cards and promotional material to be displayed? MAPs can be very particular, even withdrawing accounts for infringements.

Merchant Account Providers

Institutions that provide merchant accounts are known as merchant account providers (MAPs). Providers falls into three categories, each with their strengths and shortcomings.

Independent Sales Organizations (ISOs)

Hundreds of these exist, many very reputable, some not so. Generally they work on a commission basis for the acquiring banks, and therefore levy higher fees and transaction charges. The usual requirements are:

1. Professional-looking website.
2. Proper business or trading name.
3. Returns policy clearly stated on the website.
4. US checking account.
5. US postal address for checking account.
6. Not to be in active bankruptcy.
7. No conviction for credit card (or other) fraud.
8. No record of having failed in merchant account processing responsibilities.
9. Business records for 2 years or more.
10. Tax returns.
11. Proof of partnership or business incorporation.
12. Excellent credit record.
13. Trade references.

Businesses outside the USA will probably also need:

1. Proof of US business incorporation.
2. Personal guarantor with US social security number.
3. Proof of warehousing in and shipping from the USA.
4. Proof of tax payment in the country of business location.

Banks

Strictly speaking, banks that supply merchant accounts are called acquiring banks. The mainstreet bank holding you business account may be one of them, but acquiring banks are usually separate entities specializing in merchant accounts. Banks are cheaper and more reliable than ISOs. But they are also more selective, and can charge steep fees for charge-backs, or withdraw the merchant account altogether. In addition to the requirements above, you may also need to:

1. Maintain a larger reserve against charge-backs.
2. Supply more detailed documentation.
3. Provide personal guarantees and/or security deposit.

Complete Solutions Provided by Hosting Companies

Hosting charges are often very reasonable, and the package will take the hassle out of integrating shopping cart, payment gateway and merchant account. But choices are restricted, and merchant account rates may not be the best going. At least cost the alternatives before taking this route.

Merchant Accounts Outside the USA

Most MAPs are chary of foreign businesses, being all too aware of the increased risks of charge-backs and disputed bills. Disputes are less easily settled when the merchant lies outside US jurisdiction, and business may be conducted by different codes of practice. Since MAPs cannot cover all eventualities, they usually play safe by refusing an account.

Even more damning are:

1. Countries under US trade restrictions or embargoes.
2. Countries with economic or social instability.
3. Goods of antisocial nature: weapons, adult material.

Additional Requirements

The small percentage of MAPs that will entertain overseas businesses cover the extra risks by increasing both the requirements that have to be met, and the charges they impose. Expect a much stiffer treatment on:

1. Nature of your business
2. Credit worthiness
3. Business records and tax returns
4. Reserves: 10-20% of receipts are commonly held back for 6 months; sometimes 100% of receipts are held back for 90 days.

Increased Charges

Overseas businesses also face higher charges.

Minimizing Difficulties and Charges

Faced with these charges, many foreign businesses use alternative methods of taking credit cards. But those that do persevere in obtaining a merchant account will commonly:

1. Open a US bank account in the country of business, or
2. Employ a MAP to open a US bank account, set up a US trading address and obtain US incorporation.
3. Find an incorporation company to set up a US company. The corporation so established will have to pay state and federal taxes, plus an annual fee for a registered agent if it doesn't otherwise have residence in the state.

Doing Without A Merchant Account

The larger, US-based companies will find merchant accounts the best way to go. Nonetheless, many ebusinesses do very well without them, even enjoying certain advantages.

Types of Alternative Payment:

1. Payment by credit cards service bureaus
2. Payment without credit cards wallet systems
3. 1-900 billing
4. Online checks
5. Encrypted email transactions.
6. Third party merchant services.

Pros and Cons

Alternative payment methods are adopted by companies that cannot get a merchant account, or those that find the costs of doing so unjustified by their current level of business. Online checks and transactions conducted by encrypted email are slow, but are perfectly satisfactory for companies with extended settlement periods. Wallet systems are very safe, although they are also troublesome, particularly for users outside the USA, and perhaps will appeal only to certain customers. Phone or 1-900 billing is largely restricted to the States, but avoids security problems. Employing an Internet payment service bureau or third party merchant service runs up more in transaction charges, but the systems are readily set up and initial charges are low. Alternative payment systems are not always the poor relation to merchant accounts, moreover, but can in fact be safer and more reliable. Using a payment service bureau means that your merchant account can't be suddenly withdrawn for reasons beyond your control (e.g. excessive chargebacks) and you won't have the nightmare of extracting receipts from a fraudulent or incompetent ISO.

Foreign companies, or those in the high-risk category, may also find the transaction rates compare very favorably with what they could obtain through using their own merchant account in adverse circumstances. A good number of service bureaus or alternative systems can be tried out before settling on the best. And at the very least, alternative methods of payment allow the market to be tested without great expense. Consider these seriously if your sales do not exceed $500 - $1000/month.

Finally, it should be remembered that many customers do not possess a credit card, and countries like Germany, Russia and much of the third world do not use them anyway. To sell here, you'll have to provide other means of payment.

With Credit Cards: Outsourcing to Payment Service Bureaus

Payment Service bureaus handle the whole process of taking real-time credit cards online. After selecting their purchases, customers simply click on a button at the merchant's website, and are transferred to the service bureau for credit card processing. Shipping details and product queries are the emerchant's responsibility, but customer support is otherwise handled by the service bureau. Transaction charges are 2-12% higher than with a normal merchant account, but there are often no penalties for charge-backs, no monthly minimum sales, and very low setup fees. Many such systems exist, each with their own rules.

A small selection (more are listed in the Resources section):

PSP

Setup fee

Monthly fees

US $

Transaction fees

(US cents, from)

2Checkout

49

-

45

5.5

Amazon Payment Services

0

0

1

1.5

Card Accept

0

33

25

2.24

CCNow

9.95

0-9.95

50

4.99

ClickandBuy

19.95

19.95

35

2.9

ClickBank

50

0

100

7.5

Google Checkout

0

0

30

1.9

Multicards

25

49/yr

45

4.95

NorthStar Solutions

0

0

45

6.5

PayPal

0

0

30

2.4

Verotel

0-1000

30

-

13.0

Yahoo! Small Business

0

$40/m

0

1.5

Ditto: recurring Payments and Subscriptions

PSP

Setup fee

Monthly fees

US $

Transaction fees

(from)

website

US $

US $

US cents

%

123Ticket

0

0

€0.11

-

ClickBank

50

0

100

7.5

CCBill

0

0

-

11.5

Multicards

25

49/yr

45

4.95

WorldPay

£200

£30

£0.56

4.5


Software and eBooks are commonly sold through a registration service, which software developers evaluate by these factors in making their choice:

1. Reputation in the software development community.
2. Level of fees and commissions charged.
3. Service offered (from supply of unlock code through Internet monitoring of software use to aftersales support).
4. Types of payment accepted (currencies, credit cards, debit cards, checks, money orders, wire transfers, PayPal, etc.).
5. Cost of charge-backs and fees for cards declined.
6. Promptness and reliability of payment.

A small selection:

Registration

service

Setup /

software

Monthly fees

US $

Transaction fees

(from)

US $

US $

US cents

%

Digital Candle

0

0

0

10%

eSellerate

0

0

0

15%

FastSpring

39.95

0

0

0

Get Software

0

0

300

15%

Kagi

0

0

250

10%

RegNow

-

0

100

6.9%

Regsoft

0

0

300

0

SWREG

0

20

100

6%

Without Credit Cards: Wallet Systems

The customer pays funds into a secure account ('wallet') which is then accessed by emerchant, thereby avoiding the need to send confidential information directly to the merchant. Many systems have been floated, but only few successfully, most being killed by primitive security or the demand that customers install special software on their PC. Current systems are better, and PayPal, for example, allows direct payment by credit cards for US customers.

Without Credit Cards: 1-900 Billing

Rather than disclose confidential information, the customer has simply to add payment to their monthly telephone bill. Suitable for smaller payments, the arrangement is largely restricted to the USA, though extensions to Europe are periodically announced. A small selection:

PSP

Setup fee

Monthly fees

US $

Transaction fees

(from)

website

US $

US $

US cents

%

123Ticket

0

0

€0.11

-

Allopass

inquire

inquire

inquire

-

BillJunction

Rs 225-1149

0

inquire

-

DaoPay

0

0

-

10

Charge.com

0

26.95

25

2.25

NetBanx

-

-

£0.10

-

Ogone

inquire

inquire

-

inquire

PayByWeb

0

30

38

2.29

Verotel

0

0-30

-

20.0

Without Credit Cards: Online Check

Customers may be happier having a check drawn on their bank account than giving out their credit card details. Name, address, number, routing/sort code and account number are keyed in by the customer, and a cashable check is printed out at the merchant's terminal. Some systems also convert the to a fully electronic payment, for an additional fee. Banks can charge extra for processing these checks, it should be noted, though online checks currently account for 10% of online payments in the States. A small selection:

System

supplier

Setup / software

Monthly fees

US $

Transaction fees

(from)

US $

US $

US cents

%

BidPay

0

0

195

-

ChecksbyFax

99

0

0

0

CheckMAN

39.95

0

0

0

NoChex

0

0

20p

2.60

Obian

0

0

inquire

inquire

Pay By Check

100

40

112

-

PayPal

0

0

30

2.9

Versa

60

0

0

0

Without Credit Cards: Encrypted Email Transactions

Small businesses can always accept credit card details by encrypted email if both parties employ similar security measures.

PayPal

PayPal is one of the Internet's success stories, but some merchants complain of:

1. An unreliable security system, alternately lax and over-protective.
2. Criminal activities that try to exploit the service.
3. Suspended or frozen accounts for insufficiently-explained reasons.
4. Poor or non-existent help in sorting out problems.

PayPal is not a bank, and is not apparently bound by US banking regulations, which may explain the rash of PayPal complaint sites that have appeared.

Questions

1. How does an online merchant account differ from a normal retail one?
2. How would your company obtain an online merchant account?
3. Explain how payment gateways work.
4. In what circumstances may an online merchant account be difficult to obtain. What are the alternatives?
5. Give some examples of Internet payment service bureaus and how they work. What are their advantages and disadvantages?

Sources and Further Reading

1. CardWeb. Payment card information network. Articles, news and statistics on many aspects of credit card industry.
2. Internet Fraud Watch. Provides free articles, advice and bulletins on anti-fraud measures useful to emerchants.
3. 4CreditCardProcessing. Lists MAPs, shopping carts and card processors.
4. Wilsonweb. Useful articles, advice and feedback from subscribers using various payment gateways and merchant accounts.
5. Internet Works. Online edition of UK magazine for net professionals: use search box to find past reviews.
6. Business.Com. Some 100 payment gateways listed in this useful business database.
7. Top Merchant Accounts. Selected listings of MAPs plus brief articles.

8. Understanding Credit Card Fees, Part 4: The Merchant Statement – Per Item Fees by Phil Hinke. Practical Ecommerce. August 2011. All four are worth reading.
9. 19 Tools for Online Bookkeeping and Invoicing by Sig Ueland. Practical Ecommerce. May 2011. Several are free.
10. The Changing Online-Payments Landscape by Gagan Mehra. Practical Ecommerce. December 2011.