There are a lot of misconceptions around how credit cards are processed on the web. Many assumptions are made with regard to the fees one might expect, the steps involved with getting up and running, etc. I commonly hear both extremes, "It's very difficult and very expensive" or "It's very easy and very cheap", with the bulk of assumptions in the latter. The reality is that it is fairly complicated to set up the first time if you have no guidance, and it's probably more costly than you'd like.
In this short guide I hope to provide the basic knowledge necessary to get someone on the path to accepting credit cards electronically.
There are 4 main components required:
A merchant account
A payment gateway
A payment processor
E-commerce (i.e. shopping cart)
A merchant account is a type of bank account that allows you to accept payments via debit or credit cards. In web-based scenarios, you're most likely not going to be creating your own merchant bank account*; rather, you will be entering into a merchant agreement with the payment processor who operates a merchant bank account. When you enter into an agreement with a payment processor, they will assign you a merchant ID to identify you as a merchant, but you'll be one step removed from the actual merchant account.
For all intents and purposes, your assigned merchant ID will serve as your merchant account.
*You'll still need a business checking account for your funds to be deposited to.
The payment gateway is the service your website will use to initiate a transaction and to retrieve feedback such as approval or decline. It is the virtual equivalent of a credit card terminal or point of sale. In fact, they usually provide a virtual terminal to run ad hoc credit card transactions just as you would with a card swiper. The payment gateway is responsible for providing the settlement reports as well as initiating refunds and voiding transactions. The gateway handles all of the sensitive information in a secure way. It also commonly performs several anti-fraud measures such as address verification or geolocation checks. You never communicate with the payment processor directly, only indirectly through the gateway. When the processor determines whether a transaction is approved or declined, it passes that authorization back to the gateway, which provides your e-commerce system with a response.
This is where some confusion can occur. The payment processor and payment gateway are two separate entities. The gateway is the service your e-commerce system uses to interface with the payment processor. The payment processor is the service which actually communicates with the credit card companies and card issuing banks.
When a transaction is forwarded to the payment processor from the gateway, the processor then forwards that request to the card issuing bank (or directly to the credit card company in the cases of AMEX and Discover). The card issuing bank then performs fraud, credit, and debit checks on the transaction before responding to the processor with an approved or declined status. The payment processor then forwards that response to the gateway for relay back to your e-commerce system.
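The authorization path described above, modeled as an added Python example (not code from the original post or from any real gateway or processor). The component functions, the `declined_avs` status, the ZIP-match rule and the issuer records keyed by test card numbers are all constructed for illustration.

```python
from dataclasses import dataclass, field

DIRECT_NETWORKS = {"amex", "discover"}  # processor talks to the card company itself

# Constructed issuer-side records, keyed by test card number (not real accounts).
ISSUER_RECORDS = {
    "4111111111111111": {"available_cents": 50_000, "zip": "60601"},
    "378282246310005": {"available_cents": 10_000, "zip": "10001"},
}

@dataclass
class Transaction:
    card_number: str
    network: str
    amount_cents: int
    billing_zip: str
    hops: list = field(default_factory=list)  # who handled the request, in order

def issuer_check(txn):
    """Issuing bank or card company: credit check plus address match."""
    txn.hops.append("card_company" if txn.network in DIRECT_NETWORKS else "issuing_bank")
    record = ISSUER_RECORDS.get(txn.card_number)
    if record is None:
        return "declined", False
    approved = txn.amount_cents <= record["available_cents"]
    return ("approved" if approved else "declined"), txn.billing_zip == record["zip"]

def processor_authorize(txn):
    """Payment processor: forwards to the issuer side and relays the answer."""
    txn.hops.append("processor")
    return issuer_check(txn)

def gateway_submit(txn, require_avs_match=True):
    """Payment gateway: the only component the shop talks to."""
    txn.hops.append("gateway")
    status, avs_match = processor_authorize(txn)
    if status == "approved" and require_avs_match and not avs_match:
        status = "declined_avs"  # gateway anti-fraud rule overrides the approval
    # The shop gets a result and the last four digits, never the full number.
    return {"status": status, "last4": txn.card_number[-4:], "path": list(txn.hops)}

def checkout(card_number, network, amount_cents, billing_zip):
    """E-commerce system: hands the card data to the gateway and acts on the reply."""
    return gateway_submit(Transaction(card_number, network, amount_cents, billing_zip))
```

The `path` field in each result records which components touched the request, so the difference between the issuing-bank route and the direct AMEX/Discover route is visible in the return value.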
The payment processor is who you will be entering into an agreement with and they are the ones doing all of the heavy lifting. They are also the component taking on much of the risk and consequently they will scrutinize you and your business before approving an agreement with you. Most processors will send your application through a 3rd party underwriter for a risk evaluation.
Finally, you need a way to sell your stuff in order to initiate a credit card transaction. This can be an e-commerce system or custom software you or your developers have written to interact with the payment gateway. If you're using an e-commerce system already or have one in mind, you'll want to see what payment gateways it's compatible with before making a decision on which gateway to choose.
Becoming an Internet Merchant
Here's the good news: the payment processor application will basically take care of every component in one shot, aside from the e-commerce system. The way we generally proceed is to work backward to the payment processor. We choose the e-commerce system first, then choose a gateway it's compatible with, then see which processors work with the gateway, then choose a processor.
One of the most popular payment gateways is Authorize.Net. It's compatible with most major e-commerce systems either natively or via a plugin. We've been using them for nearly a decade in all of our in-house projects as well as the vast majority of our client projects.
Authorize.Net supports hundreds of local payment processors, but it's much more convenient to select one of their web-based processors from their preferred list of 25 or so resellers.
For years we've relied on e-onlinedata.com to be our payment processor, but lately it seems that their setup and transaction fees have increased, making it difficult to recommend them. That said, we've had a positive experience with them for the vast majority of our dealings. Merchant Account Providers seems to have the most aggressive pricing, but be sure to do your homework before settling on a payment processor.
Once you've chosen a processor you can begin the application with them. Be prepared to fork over all of your intimate details including your SSN, driver's license, bank account information, voided check images, personal/business addresses and more. They will use this information to run a credit check on you to assist in the underwriting process. Additionally, you'll be required to provide details on the nature of your business, estimated transaction amounts, estimated monthly revenue and more. It's important that you're realistic with these numbers, as wild approximations will result in your application being denied due to adverse risk factors.
The processor will likely perform an audit of your website at this time as well. They will be looking for PCI compliance items such as an SSL certificate, a business address and phone number, and a refund / warranty policy.
After you submit this application you'll likely be assigned an account representative who will contact you via phone and/or e-mail to guide you through the remaining steps to complete the setup. Once you are approved you'll be assigned a merchant ID and be provided with a username and password for your payment gateway.
Now that you have access to the payment gateway you can log in to set up your account and retrieve the necessary keys to connect your e-commerce system to the gateway.
It's not easy, but with a little work you can be accepting credit cards on your site. There are alternatives, of course, such as PayPal and Google Wallet, or you could use an e-commerce service that handles the credit card processing for you. An important thing to note, however, is that the closer you are to the bare process, the lower your fees. If a service makes it extremely easy for you to accept credit cards, they are no doubt taking a cut along the way.
Things nobody tells you
In a follow-up post I will discuss the things nobody tells you regarding online credit card processing so that you can be on the lookout for them.