Lately, I’ve been looking into figuring out the ins and outs of credit card payment processing for two projects. One is our Yosemite vacation rental and the other is an ecommerce website for a friend who sells ultralight hiking gear. It can be dizzying with all the options and many pitfalls along the way. A lot has changed since I built a website for the Sierra Club Bookstore back in the day and I’m still wrapping my head around all the new options and requirements, but I’m collecting some good links along the way.

In order to accept credit cards, you need a payment gateway and merchant account and some method of collecting credit card info (card machine, website, virtual terminal). All have fees and the entire chain needs to be PCI compliant, that is to say meet the security requirements of the Payment Card Industry.

A payment gateway is a service that connects your point of sale with your merchant account. A merchant account is a bank account that can accept credit card payments, as processed by your payment gateway. Sometimes these are combined in one service, most famously by Paypal in their various offerings.

The Simplest Way: Paypal and similar

The simplest way to get a merchant account and payment gateway is to sign up for a Paypal merchant account. Paypal actually offers two options:

  • Website Payments Pro which is basically a combined merchant account and gateway.
  • Paypal Payflow Pro which is really just a gateway. Though it is still possible to choose Paypal as your merchant account, high-volume merchants can likely get better rates by connecting this to another merchant account.

Paypal’s offerings are actually quite a bit broader than that and it can get confusing and Paypal’s own site doesn’t help unless you have a lot of time and patience. Fortunately, Massimo has laid out the options and done an interview with a Paypal honcho to help merchants decide which offering makes the most sense. See his article on Website Payment Pro versus Payflow — a brief guide to Paypal services.

You can also get similar services from Google Checkout, but Google requires users to have a Google Account to use the service, so to me that’s only useful as an additional, not a primary option.

Other Gateway and Merchant Account options

There are a lot of other options. The 500-pound gorilla is Authorize.net. Often you can get Authorize.net access included in your merchant account fees. Other big players include Intuit Payment Solutions and Chase Paymentech. You can also get gateway access through merchant accounts from Costco or Sam’s Club (but see Braintree’s page about Costco Credit Card Processing Fees). Commonly, the gateway will be bundled with a merchant account. In fact, Authorize.net doesn’t even sell access directly. You have to go through a reseller.
Interestingly, it turns out that every reseller, according to their sales copy, offers incredibly low prices and great service compared to their competitors. In general, review sites are useless because, as with web hosting and other services, their “top choice” almost always means “top paying choice”, that is, the provider that offers the reviewer the highest commission payout. There is one guy, Merchant Maverick, who offers no-holds-barred honest merchant account reviews. He doesn’t shy away from giving a provider a 1/5 rating and panning them. He also has a lot of great articles about fees and so forth.

As an alternative, TransFS has a merchant account auction system that in theory saves you money through competitive bidding. They also have a blog that’s worth reading. One final really useful feature of their site is a Paypal versus Merchant Account Fee Calculator. Note that the link isn’t that obvious (grey on grey): look for the Options link, which allows comparison of the Paypal Pro options against a traditional merchant account. It lets you adjust the balance between debit cards, standard and business credit cards and a few more options. Very useful! From this calculator, it looks like I’m spending an extra $30 per month. Not huge, but that’s $360 per year.

Finally, Startup Nation has a pretty good collection of articles on payment processing. This website is new to me; it tends to be pitched to a non-expert audience with clear, simple explanations, though not perhaps the detail that you get in the Merchant Maverick articles. Typical would be their article on 7 Things to Look for in a Credit Card Processor. Though I mention it last, that’s probably a good place to start.

There’s a lot to balance. I like Braintree’s transparent fee structure, but at the same time, Braintree has a monthly minimum of $75 per month in transaction fees (not counting monthly service fees). Since our business is seasonal, we might not reach that threshold some months, so we would need to compare it over a year of business.

PCI Compliance

Every merchant is required to meet basic security requirements, known as PCI Compliance, if they plan to accept credit cards. If you will transmit this information over the internet, whether because your swipecard machine connects via DSL or because you sell through a website, the requirements increase. If you plan to store customer data, the requirements increase substantially. At a very minimum, you’ll need a third-party security scan every three months. Large merchants can pay as much as $500,000 to come into PCI compliance, but even small merchants are looking at some significant costs, including, but not necessarily limited to:

  • Scanning. Small merchants don’t typically require an on-site assessment, but can do a self-assessment questionnaire (SAQ) and have a third-party scan. Control Scan offers compliance scanning and breach protection for $150 per year, plus $100 per additional IP. Paypal has set something up with Control Scan to offer free scanning for the first year. Several other payment gateway and merchant account providers.
  • Hosting. If you want to store customer card numbers, you’ll typically want two dedicated servers, one for your public-facing website and one for your database, put behind a firewall and protected from intrusion. Glowhost offers special PCI hosting packages that cost $129/mo per server plus $49/mo for PCI compliance management. So as a minimum, you’re in for $307/month just for hosting.
  • SSL or TLS Certificate for https (encrypted web transmission). Not a significant cost, but still count on $100 to $200.

This doesn’t include administrative time, the costs of getting sued if you have a breach, the cost of losing your merchant account and not being able to do business as the result of an unremediated fail in a PCI security scan, and so forth. For more on PCI compliance, see http://www.pcicomplianceguide.org/pcifaqs.php.

How to avoid these costs and risks?

First and foremost, don’t store credit cards on your server (or anywhere else) if you can possibly avoid it. Generally speaking, you can in fact avoid it through a variety of methods.

  • Redirect your users to Paypal and have them sent back to your site after payment. This is the simplest and easiest way.
  • Clone Pages. CRE Secure allows you to create a clone page on their server that looks like your web page, but is in fact on their server. They have an option, fairly pricey, that lets you have this page on your domain, but it is still served entirely off their server. They are responsible for maintaining security in general and PCI compliance in particular on their servers and you have the much simpler job of achieving the simplest type of PCI Compliance. There are also hosted shopping carts like BigCommerce or Pinnacle Cart (hosted) that make PCI compliance easy with services similar to CRE Loaded, but easier to integrate because your shop is already on their server. I’m not a fan of hosted services except in the cases of the most trusted companies, but it’s definitely an option to consider.
  • Tokenization. This is the slickest solution. You hire a third party to manage your sensitive customer data. They are responsible for the difficult aspects of PCI Compliance and you only need to handle basic security. If you need to access the customer data, you use a customer ID and a “token” that represents their credit card, but which is not the credit card number itself. You only store the token, so even if your server is hacked, no card numbers are exposed. You only have to make sure that you maintain a secure connection while the customer form gets sent to the third-party server. The two obvious solutions are Braintree and Authorize.net Customer Information Manager.
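To make the tokenization idea concrete, here is an added example (my own illustration, not code from the original post and not Braintree’s or Authorize.net’s real API). The `ThirdPartyVault` class is a hypothetical stand-in for the provider that holds the card numbers; `MerchantStore` is what your own database would hold: a customer ID, the token, and the last four digits for display. The final `pan_leak_check` scans your own storage for anything that looks like a card number, which is the kind of self-check worth running before filling in the self-assessment questionnaire. The card number used is the standard Visa test number, not a real card.

```python
import re
import secrets
import string


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by card networks to catch mistyped numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class ThirdPartyVault:
    """Hypothetical tokenization provider (constructed for this example).
    The card number (PAN) lives only here, behind the provider's own PCI
    controls; the merchant gets back an opaque token."""

    def __init__(self):
        self._cards = {}  # token -> PAN; in reality an encrypted, audited store

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"\D", "", pan)
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        # Letters only, so the token can never be mistaken for a card number
        token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(20))
        self._cards[token] = pan
        return token

    def charge(self, token: str, cents: int) -> dict:
        if token not in self._cards:
            raise KeyError("unknown token")
        # Settlement against the real PAN happens on the provider's side;
        # the merchant only learns the outcome.
        return {"ok": cents > 0, "token": token, "amount": cents}


class MerchantStore:
    """What the merchant's own database holds: customer ID, token and
    display-only data (last four digits). No PAN, no CVV, ever."""

    def __init__(self, vault: ThirdPartyVault):
        self.vault = vault
        self.customers = {}  # customer_id -> record

    def save_card(self, customer_id: str, pan: str) -> dict:
        # The PAN is handed straight to the vault (over TLS in a real
        # deployment) and only the token is written to our database.
        token = self.vault.tokenize(pan)
        digits = re.sub(r"\D", "", pan)
        record = {"token": token, "last4": digits[-4:]}
        self.customers[customer_id] = record
        return record

    def charge_customer(self, customer_id: str, cents: int) -> dict:
        return self.vault.charge(self.customers[customer_id]["token"], cents)

    def pan_leak_check(self) -> list:
        """Scan every stored value for Luhn-valid 13-19 digit runs, i.e.
        anything that would drag our database into PCI storage scope."""
        hits = []
        for cid, rec in self.customers.items():
            for field, value in rec.items():
                for run in re.findall(r"\d{13,19}", str(value)):
                    if luhn_valid(run):
                        hits.append((cid, field))
        return hits


if __name__ == "__main__":
    vault = ThirdPartyVault()
    store = MerchantStore(vault)
    print(store.save_card("cust_1", "4111 1111 1111 1111"))   # test number, not a real card
    print(store.charge_customer("cust_1", 2500))
    print("PAN leaks found:", store.pan_leak_check())
```

The point of the layout is that `store.customers` is the only thing an attacker who compromises your server can read, and it holds nothing a card network would consider cardholder data; the token is useless without the provider's account credentials, which is why the secure connection to the provider is the part you still have to get right.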

PCI Compliant Shopping Carts

Some advertise PCI Compliance and some don’t. Ubercart, for example, has worked hard on Ubercart’s PCI Compliance, but they don’t really advertise it. Others, like CRE Loaded and CS-Cart advertise their PCI compliance, but the shopping cart is just one piece of the puzzle. Most reputable carts these days will meet their part of the PCI-DSS standard, but that’s just the tip of the iceberg for making your site PCI compliant and no matter what cart you use, you’ll have a significant challenge if you want to store credit cards on your server.

Action Plan

That’s still pretty dizzying, so here’s an action plan:

  1. Decide between Paypal and other solutions. Start with the TransFS calculator for a ballpark idea. If you go for Paypal, you’re basically done.
  2. Get bids from TransFS or just comparison shop based on the Merchant Maverick recommendations. Always include Paypal, Intuit and some of the big ones in your search just to see how they stack up.
  3. Figure out which ones integrate easily with your shopping cart. For example, though I like Braintree, I don’t know of any shopping cart that ships with Braintree integration.

I’m still working through a lot of options myself. If you have something to add, please add something to the comments. I’d love to hear what your experiences are.

Filed under: Web Development
