“How can I sell and collect money using my website?” This is the most common question we are asked when a new business comes to us.
Many website owners who sell products and services over the net want to set up a payment gateway, in other words they want to let their customers pay easily and securely.
For an IT person who works in this area every day it is all simple. For a business person, however, terms like PCI compliant, DSS, Amazon S3, Google Checkout, offline vs online CC processing may just be annoying.
Wheeler Software has implemented in its core an “engine” that allows the owner of a Wheeler Software website to turn on or off, with a few clicks of the mouse, a “switch” that lets internet users pay with their credit card. This is an example of offline CC processing.
There are plugins that can be installed on a Wheeler Software, WordPress or any other website that allow the owner to collect money via PayPal or another online payment gateway. This is an example of online CC processing.
Let’s make a few terms clear, in “plain English”:
You can collect money from credit cards in three ways:
- Offline. It is called offline because the money is not transferred from the customer to you at the moment the customer sends his credit card details through your website (fills in a form and presses the Send/Submit button).
It means you receive the credit card number and expiry date and manually enter these details into your “terminal”.
- What you need: a terminal ID. This terminal can be a physical machine (you may already have one as a merchant) or your bank's web interface. If you do not know what this is about, just contact your bank and tell them you wish to process your customers' credit cards offline. You will receive your merchant ID (and a terminal device if applicable). The process takes a few weeks.
- Costs: your bank's monthly fees for your merchant ID (and terminal) and a fee per transaction based on what type of CC was processed (Visa, MasterCard etc. and what kind of card it is, for example low interest rate). Check with your bank for details.
- Time frame for the money to get into your account: usually 24 hours (except holidays; ask your bank for details).
- Anti fraud. This is the one method that gives you a chance to avoid collecting money from a stolen credit card. For example, if you receive a “not common order” (big value, from another country/overseas) you can check whether the request is valid: ask the user to send you a copy of his ID, or contact him by phone asking for details. If that CC was stolen you will not receive any details and you will not charge that credit card. This way you avoid refunding the money and paying the extra fee (usually $50) the bank will charge you.
- Important. Please consider HOW YOU GET the CC details. You can use an offline payment gateway, for example e-path: subscription per year, no transaction fee. Or you can set up your website in a PCI compliant hosting space, which is very expensive. Ask your hosting provider for details.
- Online. It is called online because the money is transferred from the customer to you (actually to your payment gateway provider and then to your account) the moment the customer presses “Pay Now” (the final approval of his action/buying process).
- What you need:
– a terminal ID (no physical device). If you do not know what this is about, just contact your bank and tell them you wish to process your customers' credit cards online. You will receive a merchant ID. The process takes a few weeks.
– an account with a payment gateway system (eWay for example). They will ask for your merchant ID, and the process takes another few weeks.
– your bank's monthly fees for your merchant ID (and terminal) and a fee per transaction based on what type of CC was processed (Visa, MasterCard etc. and what kind of card it is, for example low interest rate).
– your payment gateway provider's fees: a monthly fee based on your subscription + a fixed amount per transaction (usually 10c to 50c) + a percentage per transaction (usually 0.2% to 2%, depending on your subscription).
- Time frame for the money to get into your account: usually from 48 hours, that is 24 hours from the customer's bank to your payment gateway provider + 24 hours from there to your account.
- Anti fraud. Your payment gateway provider usually has an automated anti fraud system based on many parameters. It does its job okay; however, if a CC is stolen and used quickly it will not be detected as stolen. The transaction will be processed, and later you will refund the money and pay the “fraud fee” to your bank.
- Important. Using an online payment gateway system you do not have to worry about a “PCI compliant hosting space”, which you would pay heavily for every single month and every transaction.
- PayPal or similar (Google Checkout, Amazon S3): I will talk about PayPal only. For other systems please consult the provider. Money from your customer goes to your account on PayPal (you must have one).
- What you need: a Business PayPal account (it is free) linked to your bank account. The process takes up to 5 days. When you set up your PayPal account you provide at least one email address. That address is all you need to have a PayPal payment gateway installed on any website.
- Costs: basically there are no fees as long as you keep the money on PayPal. That is not a realistic scenario, because you will transfer it to your bank account or buy something and pay from your PayPal account. At that point you will be charged, and honestly the charges are pretty heavy. Check the PayPal website for full and current details. Subscriptions are available that will reduce your transaction fees.
- Anti fraud. It is the same as in online CC processing. However, even though PayPal has a good “feedback/support” system, be sure that you will be charged and will refund the money if a fraud occurs.
- Important. Using PayPal you do not have to worry about a “PCI compliant hosting space”.
PCI stands for Payment Card Industry.
DSS stands for Data Security Standard.
You, as the owner of a website, can collect CC numbers using your Wheeler Software website, for example; I mean your internet user types all the CC details into a form, and you get them and process them using your terminal, for example.
To do this, your website must be hosted on a hosting space (server) that is PCI DSS compliant. Ask your hosting provider if you do not know. If you do collect CC details using your website, the website is not hosted in a PCI DSS compliant environment and you have “bad luck”, you can get a fine starting at $50k. It is just not worth it. Read the above and decide which system to have. Contact us if you need professional consultancy.
A bit about cloud systems. According to Dr David Ross's speech at AusCERT 2012 on the Gold Coast on 17 May 2012 (credit: Michael Lee/ZDNet Australia; source ZDNet.com.au):
- the Payment Card Industry's (PCI) Data Security Standard (DSS) has 12 overarching requirements for how credit and debit card information must be secured.
- Dropbox and Amazon Cloud Drive are not suitable, even though the data itself is stored on Amazon S3, which is suitable for PCI compliance purposes.
- no Google products are suitable either, including Drive, which he said is often a source of leaked information, due to the poor practice of storing card numbers in spreadsheets and then having these automatically synced to Drive. The only exception is Google Checkout Merchant, which, Ross said, if implemented correctly, would not harm an organisation's PCI compliance.
- Microsoft also has certain issues: the company states that its Azure cloud platform undergoes annual PCI DSS audits but never explicitly states that its systems are actually compliant. Ross recommends watching and waiting to see whether the company achieves compliance.