What do you need to know about taking online payments?
Well, the last few weeks have been an eye opener for me as I have been trying to work out what is most cost effective way to take credit card payments online. I learnt a lot. The short answer is that I will use Stripe but some explanation is needed.
I searched for Credit Card Payments on Google and found a number of companies. One of them, Charity Clear, seemed reasonably priced and they donate their profit to charity which is fantastic. I would be a fool not to use them for my charity website. I was almost about to sign up and then something in the documentation hit me:
"You require a Merchant ID in order to use this system, which can be obtained from a Merchant bank account" - or words to that effect.
Hmm. We have a business bank account so let's contact the bank. Nope. Business Bank Account is NOT equal to Merchant Bank Account. Merchant Bank Accounts cost money, not just to open but you pay a transaction charge on them too. Eventually, when I priced this into the equation, the cost was really quite high compared to someone like Stripe so I wondered why we needed the Merchant account and how Stripe (and Paypal although slightly less so) could charge less money for their services.
Clearly, money transfers entail risk and require trust. A credit card company is not going to give you money just because you give them a bank account number. A merchant account is basically a bank account with some additional checks that occur and which prove to the credit card companies that they can trust you are a real business entity and not just a hacker. Of course, they do nothing of the sort since credit card fraud occurs all the time but that is the justification and why they charge you money. The payments gateway is simply the mechanism that captures credit card information, does some checks and then requests the Merchant account to actually transfer the money from the credit card company to the destination bank account (although delayed - of course!).
The reality is that in the modern age of micro-payments and small business, Merchant accounts are really just another way to earn the banks money but because you don't have a choice except to have one, you can't really do anything about it. Or can you? This is where the aggregated Merchant account comes in with companies like Stripe and Paypal.
The logic of the aggregated Merchant account is simple. Instead of creating one account per company, which is time consuming and expensive, why not create one massive one and anyone who uses Stripe or Paypal has the funds transferred into the big pot and then transferred out later. A bit later than a normal account (usually 7 days) but the larger pot enables Stripe to manage the risk of charge-backs and other fraud and gives them slightly longer to withhold funds if a problem occurs. Because there is only one account, the cost of managing it is much smaller and that cost is owned directly by the payment gateway. They can therefore charge you one fee (usually a small amount + a percentage), which in our case was around 50% of the cost of a dedicated Merchant account.
So are dedicated accounts useless? Well, they do allow you to get your money sooner and if you are a large customer, you could negotiate your rates to be lower. You might also write your own payment gateway and not have to pay for that so there are potential savings - although for us small people, a dedicated service like Stripe or Paypal is often cheaper and more convenient.
There is one last thing to consider and that is PCI. Any site that handles payment card data MUST conform to PCI standards. They are not law but they are a requirement for Visa, Mastercard, Amex etc. PCI is about security and has things like firewall requirements, coding requirements, encryption requirements etc. In most cases, it is not a place you want to go to unless you specifically deal with financial software and have the expertise. The audits and compliance can be very expensive and this is another area where a good payment gateway (including Stripe and Paypal) can help you out.
The easiest way to be compliant is not to touch the data. Some gateways allow you to simply redirect to their site to take payment and you never see the card details. This is OK but doesn't give you any customisation options. Some will allow you to host your own payment page but then you require PCI checks because you theoretically have access to the card data.
Stripe give you two options and they get the benefits of both extremes - Stripe-hosted but still customisable! The easiest but least customisable is called Checkout. It is simply a button that is drawn by a script you load from Stripe. You can customise some basic stuff like the title and logo image but otherwise it generates you a pre-designed card entry form, hosted by Stripe and where the data is sent directly to their servers. You are given a token and it is that token that you then use to take payments or setup a recurring charge or whatever. The second is called Stripe.js and uses a similar trick to allow you to create and style your own form but in a certain way which allows Stripe to pick out the values, sends it directly to them and gives you back the same token. The only requirement is that your site uses https, which is a small price to pay for this functionality.
So if you are a small merchant, I would recommend a complete payment solution like Stripe or Paypal (there are others too) and make sure that when you look into what is available, you work out whether they are integrated or whether you would also need a Merchant account. Check out the pricing too and try and estimate some income so that you can work out whether a higher transaction and lower percentage is more cost effective than a lower transaction and higher percentage charge.
I searched for Credit Card Payments on Google and found a number of companies. One of them, Charity Clear, seemed reasonably priced and they donate their profit to charity which is fantastic. I would be a fool not to use them for my charity website. I was almost about to sign up and then something in the documentation hit me:
"You require a Merchant ID in order to use this system, which can be obtained from a Merchant bank account" - or words to that effect.
Hmm. We have a business bank account so let's contact the bank. Nope. Business Bank Account is NOT equal to Merchant Bank Account. Merchant Bank Accounts cost money, not just to open but you pay a transaction charge on them too. Eventually, when I priced this into the equation, the cost was really quite high compared to someone like Stripe so I wondered why we needed the Merchant account and how Stripe (and Paypal although slightly less so) could charge less money for their services.
Clearly, money transfers entail risk and require trust. A credit card company is not going to give you money just because you give them a bank account number. A merchant account is basically a bank account with some additional checks that occur and which prove to the credit card companies that they can trust you are a real business entity and not just a hacker. Of course, they do nothing of the sort since credit card fraud occurs all the time but that is the justification and why they charge you money. The payments gateway is simply the mechanism that captures credit card information, does some checks and then requests the Merchant account to actually transfer the money from the credit card company to the destination bank account (although delayed - of course!).
The reality is that in the modern age of micro-payments and small business, Merchant accounts are really just another way to earn the banks money but because you don't have a choice except to have one, you can't really do anything about it. Or can you? This is where the aggregated Merchant account comes in with companies like Stripe and Paypal.
The logic of the aggregated Merchant account is simple. Instead of creating one account per company, which is time consuming and expensive, why not create one massive one and anyone who uses Stripe or Paypal has the funds transferred into the big pot and then transferred out later. A bit later than a normal account (usually 7 days) but the larger pot enables Stripe to manage the risk of charge-backs and other fraud and gives them slightly longer to withhold funds if a problem occurs. Because there is only one account, the cost of managing it is much smaller and that cost is owned directly by the payment gateway. They can therefore charge you one fee (usually a small amount + a percentage), which in our case was around 50% of the cost of a dedicated Merchant account.
So are dedicated accounts useless? Well, they do allow you to get your money sooner and if you are a large customer, you could negotiate your rates to be lower. You might also write your own payment gateway and not have to pay for that so there are potential savings - although for us small people, a dedicated service like Stripe or Paypal is often cheaper and more convenient.
There is one last thing to consider and that is PCI. Any site that handles payment card data MUST conform to PCI standards. They are not law but they are a requirement for Visa, Mastercard, Amex etc. PCI is about security and has things like firewall requirements, coding requirements, encryption requirements etc. In most cases, it is not a place you want to go to unless you specifically deal with financial software and have the expertise. The audits and compliance can be very expensive and this is another area where a good payment gateway (including Stripe and Paypal) can help you out.
The easiest way to be compliant is not to touch the data. Some gateways allow you to simply redirect to their site to take payment and you never see the card details. This is OK but doesn't give you any customisation options. Some will allow you to host your own payment page but then you require PCI checks because you theoretically have access to the card data.
Stripe give you two options and they get the benefits of both extremes - Stripe-hosted but still customisable! The easiest but least customisable is called Checkout. It is simply a button that is drawn by a script you load from Stripe. You can customise some basic stuff like the title and logo image but otherwise it generates you a pre-designed card entry form, hosted by Stripe and where the data is sent directly to their servers. You are given a token and it is that token that you then use to take payments or setup a recurring charge or whatever. The second is called Stripe.js and uses a similar trick to allow you to create and style your own form but in a certain way which allows Stripe to pick out the values, sends it directly to them and gives you back the same token. The only requirement is that your site uses https, which is a small price to pay for this functionality.
So if you are a small merchant, I would recommend a complete payment solution like Stripe or Paypal (there are others too) and make sure that when you look into what is available, you work out whether they are integrated or whether you would also need a Merchant account. Check out the pricing too and try and estimate some income so that you can work out whether a higher transaction and lower percentage is more cost effective than a lower transaction and higher percentage charge.