Introduction To Online Payments - TL;DR: It's A Total Bitch

UPDATE: Hey Fireballers!  You should follow @meatinthesky on Twitter to get updates to this blog as well as other interesting startup/small business links.
 
Online payments are a bitch.  Just over a decade ago, you had to hook up your online commerce system to an actual terminal that would send bleeps and bloops to the gateways, but even today, it's not much better.  There are still a plethora of players who have to touch your information to process a simple credit card transaction, and each and every one of them gets to take a little bit of your money and introduce their own technical hassles.  While there are never any easy answers - every option has pretty severe tradeoffs - I'm going to try to shed some light on how the process works and look at some of the major players/options you have for accepting payments on your website.
 
The traditional way to process online payments is to have an internet merchant account, and talk to that account via a payments gateway.  Nowadays, many internet merchant accounts come bundled with a gateway as part of the cost (notably, Authorize.net), but they are separate and you can always choose to use the gateway of your choice (as long as they work with a processor platform that's supported by the merchant account).
 
"Wait, what?" you say.  "You said you were going to shed some light, but you're just confusing me with all this talk about accounts, gateways, and processors."  Well, I told you that online payments were a bitch.
 
OK, let's start at the top.  An internet merchant account is what you need to accept credit cards on your site.  Despite its name as an "account", it's really not an account at all.  An internet merchant account merely gives you permission to accept credit cards.  At the end of every day, the internet merchant account will deposit all of your funds into your real checking account that you maintain with your bank.  So think of an internet merchant account as a holding pen of sorts.
 
The vast majority of business banks (Bank of America, Silicon Valley Bank, etc.) can provide you with an internet merchant account, but you will rarely want to go that route.  While the costs are often higher, the real reason is that you're more likely than not to be denied: these banks (SVB, Square 1, etc. excepted) are more used to traditional brick-and-mortar merchants, and you can often spend weeks or months applying for an internet merchant account just to be turned down for being "too risky".  If you just Google "internet merchant accounts", you'll see a bunch of companies who are dying for your business.
 
Personally, I highly recommend TransFS to find an internet merchant account.  All of the merchant accounts on TransFS are "interchange plus" accounts.  Interchange is the fee that Visa and MasterCard charge to process their cards; these fees vary depending on the type of card - consumer versus business, plain vanilla versus rewards, and so on.  (The complexity and fees are actually a big enough deal that there are advocates to reform interchange in Congress.)  Interchange-plus passes along these charges plus an incremental amount; in almost all cases, interchange plus is both cheaper and more transparent than "qualified/non-qualified" bundled rates.  While the bundled rates may be simpler, they're often mischaracterized in a way to benefit the merchant account provider at the expense of the merchant. (If you want to learn more, read this post on TransFS' very comprehensive blog.)  These merchant accounts will generally charge you a "statement fee", aka "the fee you pay us monthly for the privilege of being a customer" plus a small percentage (usually between 0.15% and 0.30%) and a flat per-transaction fee (usually 10-15 cents).  I have worked with a merchant account provider called CoCard that I found via TransFS and have generally been very happy with their customer service and fees. 
 
It will take you about three to four weeks to jump through all the hoops to acquire the internet merchant account, so you need to plan ahead to have a merchant account ready to go before any launch.
 
Once you have an internet merchant account (or while you're going through the process), you need to find a gateway.  Again, you write your code to talk to the gateway; the gateway takes the credit card information that users input on your site and talks to the processors (First Data, Paymentech, Global Payments, etc.) to get the funds released to the merchant account (which then sweeps into your regular bank account).  Most internet merchant accounts will resell or bundle a gateway - most often, it's Authorize.net.  Auth.net (for short) is a perfectly serviceable gateway for most use cases, but if you need a more elegant gateway API, you may want to pay extra for Braintree's payment gateway.  Braintree has focused on e-commerce since their founding and they (while not perfect, especially with their documentation) are generally considered the easiest gateway to work with.  However, if you decide that you want to use Braintree's gateway with your internet merchant account, you need to make sure that your merchant account supports the First Data Nashville processor.  (There's actually a First Data Omaha processing network which does not work with Braintree.  Why?  I have no idea.)  Braintree's gateway will add significant costs to every transaction, but you're paying for a more elegant API and premium customer support.  If you're doing large dollar ticket sizes, these additional fees may be worth it; if you're doing lots of small dollar amounts, they may not be.  (And forget about it for microtransactions.  Use PayPal or Amazon Payments' specialized solutions for microtransactions.  I'd recommend PayPal as it's easier to grow into their other offerings as necessary.)
 
Well, that's a lot of work.  Why not just use PayPal?

Actually, that's a very good question.  While many people may have poor experiences with PayPal, they are invariably easier to get set up and understand than the combination of hoops and charges for an internet merchant account and gateway.  In addition, PayPal can often be cheaper.  Here's a pretty little chart that PayPal has on their site:

 
 
Let's be clear; this isn't to scale, but it does accurately display the differences in complexity.  (One note - if you use interchange-plus pricing, you're not subject to the downgrade fees that kick in for qualified versus non-qualified transactions.)  What's confusing about PayPal is that they have three products that you can use: Website Payments Standard, Website Payments Pro, and PayFlow Pro.  PayFlow Pro is a standard gateway that works with any internet merchant account (PayPal actually acquired this line of business from VeriSign back in late 2005).  Website Payments Standard and Pro are combined merchant accounts and gateways.  The main difference between the two is that with Standard, the transaction happens on PayPal's servers.  With Pro, it happens on your servers.  In addition, with Standard, you have to accept PayPal as a payment mechanism; with Pro, you can accept credit cards only.  (Why you would want to comes down to how PayPal funds their accounts; e-checks don't clear for three to five days and introduce risk to merchants that credit cards, with their instant money transfers, do not.)
 
In some cases, PayPal can be cheaper than the combination of merchant account and gateway.  In particular, if you have very high tickets (average order sizes) and a mix that is skewed towards business cards (which have higher interchange fees), PayPal can often be more economical.  PayPal's simplified rate structure is a marketing tactic that, on balance, does make PayPal more expensive than the more complex option.  EDIT: You can compare PayPal versus a standard merchant account with the PayPal Upgrade Calculator built by TransFS.  (Disclosure: I worked with TransFS to build this calculator, a relationship that happened after this article blew up.)
 
However, there is one additional downside to PayPal: they will oftentimes hold back up to 25% of your proceeds for three months as a fraud prevention/risk management effort. This means if you charge a customer $100, you will only get $75 immediately and will have to wait three months to see the $25 balance.  If cash is tight, or you are running inventory, this can kill your business.  
 
There is one additional issue to consider when deciding on your merchant account, gateway, PayPal, and your options: vendor lock-in.  In most cases, you are locked into a particular vendor.  This is because they store the credit card information on your behalf (unless you use a standard merchant account and decide to try to be PCI compliant - which is a whole 'nother ball of wax that requires audits and precludes using cloud hosting for your e-commerce).  In particular, if you have a subscription recurring billing model, this vendor lock-in can be a killer because you can't switch providers without forcing your customers to return and re-enter their credit card information in a very limited timeframe between your switch and the next billing cycle.  To avoid this, there are a small number of vendors who provide "vaults" that store credit card information in a portable manner.  
 
The two most well-known vaults are Authorize.net's CIM and Braintree's vault.  A newer company focused on their elegant subscription payment API, Recurly, also provides a vault (but they are not a gateway provider themselves).  These companies offer credit card portability if you ever choose to store credit card data yourself.  (You may be able to move from one vault to another, but I'm not sure if this is actually possible.)  These vaults are the only way I know of to offload PCI compliance while still maintaining some flexibility in changing merchant account or gateway vendors.
 
OK, so here's the million dollar question: so what should you do?
 
As far as I'm concerned, there are three real options:
  • PayPal Website Payments Pro
  • Braintree Gateway + Account
  • Authorize.net + Merchant Account (add Auth.net's CIM, Braintree's vault, or Recurly if you need vendor flexibility)
PayPal will be the easiest to get set up, by far, but the 25% holdback can be a killer.  Braintree's single-source solution will take longer to set up, and will be the most expensive option for most cases, but they provide the most flexibility and best customer support.  Getting your own merchant account and using the bundled gateway will presumably be the cheapest option, but will invariably cause you the most headaches.  You can avoid some headaches by writing to Braintree or Recurly; you will lose much of your cost savings that way, but you'll retain the flexibility to host the card numbers yourself or possibly switch vault providers.  
 
Of course, if you don't mind having the checkout transaction happen on someone else's servers, PayPal, Amazon Payments, and Google Checkout are all (non-exclusive) options.  Here's a good rundown of all three.
 
I recognize this is both a very long and completely uncomprehensive review of online payment processing.  As I've repeatedly said, online payments are a bitch.  I intend to revisit and edit this post as comments and additional information become available. 

Posted
by Sachin Agarwal 

27 comments

May 03, 2010
Marc Gayle said...
Thanks for this post. It has proved to be quite timely and very helpful.
May 03, 2010
Bryan Johnson said...
Sachin - the online payments industry is very complex. I'm impressed that you both took the time to write this up and did such a nice job. I would add a few things.

1) There is much more than meets the eye when choosing a merchant account provider, and not all are created equal (it's very true that very few understand online payments). We will be first to say that providing merchant account services to online merchants is very challenging for a host of reasons. Because it's so complex and because there are so many moving parts, no one is immune to mistakes, misunderstandings, complex situations and difficult situations. With that said, the importance of choosing the right provider cannot be overstated. Merchants need to find a company they can trust because when stuff happens (i.e. account closure, reserves) you need someone in your corner that can help navigate. In our experience, merchants are most likely to make mistakes when solely focused on price.

2) I'm very pleased to see you call out data portability. We were the first in the industry to start raising the alarm bells about providers holding stored credit card data hostage. It's a huge issue with very serious implications. To address this problem, we created the Credit Card Data Portability Standard and invited all providers to participate (http://bit.ly/a0i86v).

Regarding First Data, I believe they have ~5 processing platforms, each of which requires a separate integration. We connect to Nashville because they've been focusing the most attention there and because it's online payment friendly.

We've been blogging about this complex industry for years now trying to help educate merchants. Here is one resource to contribute to yours: New to Payments - http://bit.ly/cIY58t

Bryan Johnson
Braintree

May 03, 2010
Olivier Lalonde said...
Great article! Online payments are overly complex and our goal at PayFacade is to take away the pain of integrating (multiple) payment gateways and helping merchants choose the best one. Check us out at http://www.payfacade.com !
May 03, 2010
Deyan Vitanov said...
Thanks for this great write-up, very helpful! Quick question: if using PayPal Website Payments Pro, do you have to be PCI compliant as well?
May 03, 2010
Cullen King said...
Thanks for putting out some clarification in a complex field! I chose Braintree because they seem to be the most 'open', as well as the most involved online (as you can see from their comment here). They must lurk on HN like crazy :P Anyway, seems like they care about their reputation a whole lot, which usually means good customer service.

Didn't realize about the congressional prodding that is going on. Though if it's anything like the 'investigations' into text message fees with wireless carriers, it won't last too long :(

Finally, I saw an article on HN yesterday claiming that anyone even integrating with something like braintree/authorize.net would need to get some sort of PCI compliance this year. Do you have any knowledge/opinions of that?

May 03, 2010
Tim Case said...
According to this article: http://sinard.com/blog/uncategorized/have-an-online-store-what-you-need-to-do..., the PCI rules are changing: being PCI compliant is no longer limited to merchants who store credit card numbers but applies to any merchant that transmits those numbers to a payment gateway such as authorize.net or braintree. Again, to clarify, the article states that the change means you must be PCI compliant if you transmit numbers, which nullifies the old idea that you only had to be compliant if you were storing the numbers.

Considering that processing payments directly from a merchant site through a gateway is so common, if this article is correct, then that probably means 70% of small merchants will not be in compliance after July 1st. Additionally, using a shared host or cloud service is not possible for compliance as compliance means being on a dedicated PCI compliant, audited server, which is expensive for small guys.

Of course enforcement of these rules across the board is not practical and that doesn't seem to be the motivation of the rule change. What is probably the case is that if you are a small merchant taking credit card orders through a site and the site is hacked, the credit card companies have the right to rain down a shit storm on you for non-compliance.

May 03, 2010
Kai Backman said...
Do you have any advice on selecting a merchant account if your business is located in Europe?
May 03, 2010
Aaron Greenspan said...
We're trying to fix payments one step at a time starting with point of sale in the United States. Take a look at http://www.facecash.com if you're interested in being a beta tester.
May 03, 2010
Logan Leger said...
You need to look into http://chargify.com. It made online payments such a breeze for me.
May 04, 2010
Camille Wanty said...
Very helpful post, as well as some comments, thanks guys.
May 04, 2010
Sean said...
To address the PCI compliance issues - yes, you need to be PCI compliant no matter what. However, what "PCI compliant" means is different depending on your situation. If you are a small company simply passing through credit card numbers, the hoops you need to jump through to achieve PCI compliance are a lot fewer than if you are a huge company storing numbers on site.

Like everything in the payments industry, the rules are way more complicated than one would reasonably expect.

re: First Data Nashville vs. First Data Omaha -- First Data has been built through many acquisitions and has a really hard time sunsetting platforms because of really gnarly reverse compatibility issues (imagine having to maintain reverse compatibility for millions of currently installed semi-smart payment terminals -- ick). Each of their platforms has slightly different features. A major rationale for the KKR buyout of FD was to consolidate platforms to generate cost savings.

May 04, 2010
Richard B. said...
I think there's a large market for a company that can make online transactions programming painless. I mean a perfect API, very simple, great documentation, handle all of the PCI compliance nonsense. I'd nominate PayPal for something like that but their corporate culture won't let them create an easy to use product. All I have to say is THANK GOD I didn't have to do any transaction processing for http://www.dirtyphonebook.com because it would have added a long time to the development process and we're enjoying making everything free. Just out of curiosity though, can anybody recommend a payment processor for a personal project I'd like to pursue?
May 04, 2010
Marc Gayle said...
Sachin,
In a 'by the way' type of comment you mentioned SVB, Square 1 as banks that are 'better' for online merchants.

Do you have other examples of such banks?

I have reached out to Square 1 and they seem really pleasant and awesome, but unfortunately they don't offer services in Jamaica. SVB is to get back to me, but I would like to find out about other banks like that, that I can possibly take advantage of.

Thanks.

May 05, 2010
Brian said...
Sachin:
As said above - good clarification on a complex subject. Thx
May 06, 2010
Ben Jamieson said...
It's so much easier here in The Bahamas!!

No global provider (Paypal, Auth.net, Worldpay, etc) will touch businesses located in this country, so our choice is limited to... *one* bank here that offers e-commerce solutions.

[sigh]

May 06, 2010
TelPay said...
Great explanation on merchant accounts, their costs, and how they work.
May 06, 2010
ElatedDotCom said...
Nice post Sachin. You're right - online payment processes are hideously complicated right now (not to mention inefficient!). PayPal is "cleaner" but has its own issues. Another fairly well-known alternative to merchant accounts and PayPal is 2Checkout (http://www.2checkout.com/).

Here's an article I wrote a while back that covers the various payment options, and the fees involved:

http://www.elated.com/articles/ecommerce-take-payments-online/

Cheers,
Matt

May 06, 2010
Wim Leers said...
This blog post appears to apply to North American companies only.

At least PayPal Website Payments Pro is only available in the US, Canada and UK. So it effectively can't be used in most places around the world. Hence it's no viable option for international e-commerce.

May 06, 2010
romanroan said...
This article only applies to the US market. For the rest of the world it's PayPal only. Sad.
May 07, 2010
alastair said...
I don't recognise the PayPal withholding money problem from my dealings with them. They may withhold funds if a charge is disputed, but they certainly aren't holding back 25% of what we charge *our* customers.

Also, PayPal's transaction fees go a little lower than you mention on your graph; for Express Checkout payments, they drop to 1.4% + £0.20 for U.K.-based merchants, while for other payments they go down to 1.9% + £0.20. Certainly in the U.K., these fees are pretty competitive.

I don't know what the deal is in the United States (different to here, clearly), but having looked at more traditional merchant account-based services and having previously used a payment gateway service, we're pretty happy with PayPal.

May 07, 2010
AMPCToday said...
Good explanation, thank you

We offer an exchange plus account with a free software terminal that can turn non-qualified transactions into qualified transactions, plus determine if signature debit or PIN debit should be used in face-to-face transactions.

See http://shipp.in/g/1aa

May 07, 2010
Alex said...
What amazes me with Web 2.0 craze is that people simply don't know how many options are out there. I linked to the page that lists a bunch of payment processors with fees (note, that it wasn't updated for 2 years, so information on fees might be outdated, but the list of processors is what's important). It's not just PayPal vs Authorize.net, not at all.
May 11, 2010
Ben Greene said...
Great post Sachin. One question for you - what amount of PCI compliance work must be done when using a service, like PayPal Website Payments Pro, with which one implements the transaction on one's own site but stores the credit card information remotely?
May 17, 2010
Kyle said...
great post -- very helpful and insightful. thanks!
May 17, 2010
jam said...
This is one of the reasons why I think startups like Square and Venmo are poised to disrupt the market and change the way we think about payments.

I wrote a little about it here: http://jamthoughts.tumblr.com/post/598760745/the-future-of-payment

Would love to hear your thoughts on the mobile payment industry.

Jun 15, 2010
Justin Greene said...
Online payments make the process of money transferring easier between clients and their customers and business partners. Many companies benefit from online payment because they get paid for their services outside the traditional brick and mortar structure. Since payments can be done online, payroll can now also be processed through the internet.

Since many businesses today don't want any delays for any transaction especially for salary distribution, they avail of a small business payroll service who can process their payroll needs. With that they save time in processing salary as well as get real time information when paying online.

Aug 02, 2010
igordr1 said...
I want to create my account
