Many people new to websites and/or ecommerce are confused at the in and outs of ecommerce. Even many people who are fairly adept at scripting can set up a store using some popular package such as OSCommerce and then are left stumped by the idea of making it work with a payment gateway to actually collect money and put it into their account. In this article, I will give a brief overview of how the system is set up to collect your money. I will then discuss briefly what to look for in evaluating payment gateways. As usual, I will keep this basic and understandable just as I do with all of my articles.
The Basics – How Funds are Collected
Ecommerce simply refers to the practice of shopping online. From the site owner’s perspective, it entails collecting funds from sales transactions on their website and depositing that money into the bank. In order to collect funds, you need to have a merchant account and a payment gateway (discussed below). Basically, when a person enters their credit card number on a website, the card number and buyer information is sent to a payment gateway. This is done securely. The payment gateway will interface with a payment processor to check availability of funds as well as any other criteria set for accepting transactions. If the funds are available, the payment processor will then deduct the funds. The payment gateway will then report back a successful transaction to the merchant, at which point the merchant’s shopping cart system will respond by displaying a “Thank You” type message to the buyer. Funds will sit until the transaction is settled, which means the funds are collected and deposited to your bank account. Until a transaction is settled, the transaction will not post to your bank account and the corresponding debit will not post to the buyer’s credit card account.
A Merchant Account is a special type of account specifically for online retailers. They are designed to allow non-POS (point of sale) transactions using credit cards, or transactions where you don’t have the person’s credit card in hand. In other words, you don’t have a card swiper. A merchant account is not the same as a bank account. It acts as a go-between between your payment gateway and your bank account, accepting funds from credit cards which are then deposited into your bank.
A merchant account is a relationship based on trust between you and the issuing bank. The bank takes funds from the buyer’s account and deposits into your account. A payment processor takes care of checking for availability of funds and debiting from the credit card account. The bank issuing the merchant account is trusting that you will fulfill your end of the transaction by providing the product or service that the buyer purchased. In case where this does not occur, the buyer can dispute the transaction. This puts the issuing bank on the line because they are then obligated to return the funds to the buyer’s card (a chargeback). Therefore, merchant providers are taking a risk in allowing a merchant to take credit cards under their name.
The organization providing your merchant account will do underwriting on the account when you apply to check your credit. If you have a history of too many chargebacks, you may be denied. In fact, too many chargebacks can result in you, as a merchant, being put on the Terminated Merchant File (also called The Match File). This is a blacklist which will effectively prevent you from ever receiving a merchant account again.
A payment gateway serves as the front end to your merchant account, allowing you to manage funds, transactions, and the like. It also serves as a connection between your website and your merchant account. It takes data submitted via your secure order forms and presents it to your processing bank. The processing bank then approves or declines the transaction and sends its response back to the payment gateway. The payment gateway then turns around and provides this data back to the merchant for appropriate handling of the transaction. A payment gateway, then, does not offer services such as merchant accounts or shopping carts, although some of the larger-known gateways do provide such options as value-added services.
Some of the better known payment gateway services are Authorize.Net, Verisign, 2CheckOut.com, Linkpoint, Paysystems.com, Worldpay.com, and MerchantCommerce. Some of the things to look for in a payment gateway are compliance with CISP, SDP and DISC (security initiatives put out by the major credit card companies), virtual terminal (to be able to accept transactions over the phone by typing in their data rather than only relying on your website), fraud prevention, recurring billing, methods of integration, cost and whether they can accept e-checks or not.
Fraud prevention is a big one because, as stated above, too many fraudulent transactions will result in chargebacks which could end up putting you on the Match List and your merchant account closed. Some of the common fraud detection mechanisms are Address Verification (AVS) which compares the customer’s address with that on file with the issuing bank, CVV2 which makes use of the 3-digit security code on the credit card (4-digit on American Express cards).
Most gateways will provide instructions on how to interface with their servers from your web store. Most gateways offer two methods of integration.
One method is to have your site POST a form to the gateway’s server which is pre-populated with your customer’s information. At that point, the customer will provide the customer with the payment form which allows them to type in their credit card number in a secure environment. After processing occurs, the customer is then routed back to your website along with the results of the transaction. Your site again takes over the process. This method is usually easier to set up for site owners and it also means the site owner does not need to purchase their own SSL certificate (allowing secure transactions on the site itself). The tradeoff is that you do need to send your customers off of your website for payment collection. Many gateways offer ways to make the payment form look like your website using customized headers and footers, but the fact remains that the visitors are leaving your website.
The second method is totally invisible to the customer. If the site owner has an SSL certificate, they can set up security on their own site. This means they can host the payment form themselves, totally customizing it to their website. When the customer submits payment, your site will securely and invisibly submit the information to the payment gateway. The payment gateway will do the usual processing and then invisibly send the response back to the merchant’s website, allowing it to respond properly. From the customer’s perspective, they never left your website. And they never did. This type of setup requires an SSL certificate as well as access to the CURL library.
Many gateway providers can get you set up with a merchant account at the same time as the gateway. So, in most cases, you do not need to sign up for them separately.
Hopefully this has given you a brief introduction to how credit card payments are processed on the internet.