How to Choose and Integrate Payment Gateway: Online Payments, Transaction Processing, and Payment Gateways Providers
Whether you are an eCommerce platform owner or just maintaining your online presence, you want to offer your customers a safe, quick, and easy-to-use payment system. The chosen payment solution has to satisfy both the needs of your customers and your business. So, it has to be protected from fraud, support a variety of payment methods, be convenient to use, and compatible with your platform.
To accept electronic payments and be able to process credit or debit cards, a merchant uses a payment gateway. Choosing the right payment gateway determines the currencies you can accept, the transaction fee, how fast money gets in your merchant account, and the payment methods you’ll offer.
According to Invespcro.com, over 23 percent of customers abandon their shopping carts because of a complex checkout system (11 percent) or too much information required to complete it (12 percent). These statistics confirm that choosing the right payment solution provider is as important as other aspects of a good eCommerce website. But in order to choose a payment solution, we first need to understand what a payment gateway is and how it works.
What is a payment gateway?
A payment gateway is a service that authorizes and processes payments in online and brick-and-mortar stores. A gateway serves as a portal to facilitate transaction flow between customers and merchants. It uses security protocols and encryption to pass the transaction data safely. The data is transferred from websites/application/mobile devices to payment processors/banks and back.
Payment gateways can execute the following transaction types:
Authorization — a type of transaction used to check if a customer has enough funds to pay. It doesn’t include the actual money transfer. Instead, during authorization, a merchant ensures that a cardholder is capable of paying for an ordered item. An authorization transaction is used for orders that take time to ship/manufacture.
Capture — the actual processing of a previously authorized payment resulting in funds being sent to the merchant’s account.
Sale — a combination of authorization and capture transactions. A cardholder is first authorized. Then funds may or may not be captured. It’s a regular payment for immediate purchases, like a subscription purchase or e-tickets.
Refund — the result of a canceled order for which a merchant will have to apply a refund payment processing to return the money.
Void — similar to refund but can be done if funds were not yet captured.
Payment processing infrastructure
The infrastructure of online payment processing is a little bit more complicated than you might imagine. For the customer, it’s represented by a small window, or a separate website, where they have to pass through the checkout. But actually, processing involves several financial institutions, or tools, verifying the transaction data on both ends, allowing the customer to complete the purchase in a few seconds.
When a customer checks out — passing the card number, expiration date, and CVV — a payment gateway has to perform several tasks, which take about 3–4 seconds:
- Customer. A customer presses a “Purchase” button and fills in the necessary fields to pass the transaction data. The data is encrypted and sent to the merchant’s web server via an SSL connection.
- Merchant and payment gateway. After the transaction data is received, a merchant passes it to the payment gateway via another encrypted SSL channel.
- Payment processor. The information goes to payment processors. These are the companies that provide payment processing services as third-party players. Payment processors are connected both with a merchant’s account and a payment gateway, transferring data back and forth. At that stage, a payment processor is passing the transaction to a card network (Visa, Mastercard, American Express, etc.).
- Visa/Mastercard/American Express/Discover. The role of a card network is to verify the transaction data and pass it to the issuer bank (the bank that produced the cardholder’s credit/debit card).
- Issuer bank. The issuer bank also accepts or denies the authorization request. In response, a bank sends a code back to the payment processor, which contains the transaction status or error details.
- Payment gateway. Transaction status is returned to the payment gateway, then passed to the website.
- Customer and issuing bank. A customer receives a message with the transaction status (accepted or denied) via a payment system interface.
- Issuer bank. Within a couple of days (generally the next day), the funds are transferred to the merchant’s account. The transaction is performed by the issuing bank to the acquiring bank.
Now we are moving closer to payment gateways in their variety. To integrate a payment system into your website, you will have to follow multiple steps.
Deciding on a suitable integration method
Generally, there are four main methods to integrate a payment gateway:
Hosted payment gateway
A hosted payment gateway acts as a third party, as it requires your customers to leave your website to complete a purchase.
The pros of a hosted payment gateway are that all payment processing is taken by the service provider. Client card data is also stored by the vendor. So using a hosted gateway requires no PCI compliance and offers pretty easy integration.
The cons are that there is a lack of control over a hosted gateway. Customers may not trust third-party payment systems. Besides that, redirecting them away from your website lowers conversion rate and doesn’t help your branding either.
Best fit for: small or local businesses that are more comfortable using an external payment processor.
Direct Post method
Direct Post is an integration method that allows a customer to shop without leaving your website, and you don’t have to obtain PCI compliance. Direct Post assumes that the transaction’s data will be posted to the payment gateway after a customer clicks a “purchase” button. The data instantly gets to the gateway and processor without being stored on your own server.
The pros of this method are the same as those of an integrated payment gateway. You get the customization options and branding capabilities, without the PCI DSS compliance that we’ll discuss below. The user performs all the necessary actions on one page.
The con is that a Direct Post method isn’t completely secure.
How to integrate: A vendor would set up the API connection between your shopping cart and its payment gateway to post the card data.
Best fit for: businesses of all sizes.
Non-hosted (integrated) method
An integrated payment gateway allows you to keep the user at your website during the purchase. Non-hosted payment gateway providers allow for integrating via APIs.
The pros are that you have full control over the transactions at your website. You can customize your payment system as you wish, and tailor it to your business needs.
The cons generally are all about maintaining the infrastructure of your payment system and the related expenses. To use an integrated gateway, you have to be PCI compliant first of all, because you will have to store all clients’ credit card data on your own servers. Also, integrating the gateway can be tricky if you want to add custom functionality.
How to integrate: Non-hosted payment gateways are integrated via APIs to your server. Consequently, it will require an engineering team to perform the integration. Most vendors have well-documented integration guides, API references, or developer portals.
Best fit for: medium and large businesses that rely heavily on branding and user experience.
Consider obtaining PCI DSS compliance
For medium- and large-size merchants, the Payment Card Industry Data Security Standard (PCI DSS) is a necessary element for processing card payments. This security standard was created in 2004 by the four biggest card associations: Visa, MasterCard, American Express, and Discover. So, if you are going to do credit card processing or store clients’ banking data on your own server, you will have to become PCI compliant.
As we mentioned, there are integration methods that use a payment gateway without storing credit card information. In this case, all the work is done by the vendor, so it doesn’t require PCI certification.
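The integration methods that avoid storing card data only deliver that benefit if card numbers really never land on your side, for example in application or web server logs. The following added example (not from the original article; function names and the sample log lines are constructed) scans log lines for Luhn-valid card numbers and masks them to first six and last four digits, a common masking format.

```python
import re

# Candidate card numbers: 13-19 digits, optionally grouped with spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by card numbers; filters out order ids, timestamps, etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first six and last four digits, hide the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str):
    """Return (scrubbed_line, number_of_card_numbers_found)."""
    found = 0

    def replace(match):
        nonlocal found
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_valid(digits):
            return match.group()   # not a card number: leave untouched
        found += 1
        return mask(digits)

    return PAN_CANDIDATE.sub(replace, line), found


def audit(lines):
    """Scrub every line; report 1-based line numbers that contained card data."""
    clean, hits = [], []
    for n, line in enumerate(lines, 1):
        scrubbed, found = scrub_line(line)
        clean.append(scrubbed)
        if found:
            hits.append(n)
    return clean, hits


# Constructed sample log; 4111 1111 1111 1111 is a widely used test card number.
SAMPLE_LOG = [
    '2024-01-01T10:00:00Z POST /checkout order=1234567890123456 status=302',
    '2024-01-01T10:00:01Z DEBUG form={"card": "4111 1111 1111 1111", "exp": "12/30"}',
    '2024-01-01T10:00:02Z POST /gateway/callback txn=ok last4=1111',
]

if __name__ == "__main__":
    for line in audit(SAMPLE_LOG)[0]:
        print(line)
```

Any hit means card data reached your own systems, which is worth investigating before relying on the vendor to carry the compliance burden.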
To become PCI compliant, you will have to complete 5 steps:
- Define your compliance level. There are four levels of compliance that are determined by the number of safe transactions your business has finished. Transactions count if they were done via MasterCard, Visa, American Express, or Discover cards, and there was a certain number of successful transactions.
- Study the PCI Self-Assessment Questionnaire (SAQ). SAQ is a set of requirements and sub-requirements. The latest version has 12 requirements.
- Complete the Attestation of Compliance (AOC). AOC is a kind of exam you take after reading the requirements. There are 9 types of AOC for different businesses. The one required for retailers is called AOC SAQ D — Merchants.
- Conduct an External Vulnerability Scan by the Approved Scanning Vendor (ASV). The list of ASVs is published by the PCI Security Standards Council.
- Submit your documents to the acquirer bank and card associations. The documents include the ASV scan report and your filled-in SAQ and AOC.
When you are set up, there are additional factors to consider while choosing a payment gateway:
- Methods of integration
- Transaction fees
- Supported payment methods and accepted currencies
- Physical and digital products permission
Choosing a payment gateway provider
Now, you can choose a payment solution for your business considering all factors, your business specifics, and your customers. Here are some things to consider prior to deciding on a provider.
Study the pricing
Payment processing is complex, as it includes several financial institutions or organizations. Like any service, a payment gateway requires a fee for using third-party tools to process and authorize the transaction. Every party that participates in payment verification/authorization or processing charges fees. Transactions commonly are billed according to the amount, location (across a certain country or international), and type of a product (physical or digital).
Consider merchant account options
A merchant account is an agreement between a merchant and an acquiring bank, by which a merchant allows a bank to process their transactions. Additionally, a merchant agrees to follow the operational regulations of credit card processing established by credit card companies.
A merchant account can be opened through banks or payment gateway providers that offer merchant accounts as a part of a service. This includes payment processors. If you already have a merchant account, consider what that provider offers. Otherwise, it’s better to choose a provider that offers a merchant account from the start.
Make sure a vendor supports necessary payment methods and multiple currencies
According to Statista, as of March 2017, the most popular payment methods remain credit cards (42 percent of online shoppers), e-payment like PayPal (39 percent), and debit cards (28 percent). But it doesn’t mean you have to support only those methods. For example, mobile payments generate more revenue for businesses each year, globally reaching $930 billion in 2018. In eCommerce, mobile payments mean using e-wallets. Those are applications like Apple Pay, PayPal, and Google Pay that store your credit card information, or store your money on their own. That means you are able to make online purchases without a bank account.
So, make sure your payment gateway supports all the necessary payment methods that are popular in your specific industry, region, or country.
Another aspect is multi-currency support. If your business is international, you want your customers to be able to pay, no matter what currency they use. Popular gateway providers offer multi-currency support processing with or without an additional fee. If you are going to use a hosted payment system, there are also localized checkouts available.
Ensure your product type is permitted by the provider
Generally, there are two types of products considered by providers: digital and physical.
Some of the payment solution providers offer their services both for physical and digital products. But it’s not rare for a given system to support only one type of product. So, before subscribing to a provider, make sure it permits your type of product.
Popular payment gateway providers
The horde of gateway providers is overwhelming, so we’ve picked some of the biggest, most reliable options.
Stripe is an eCommerce-tailored payment solution. Stripe accepts all major payment methods, including mobile payment providers such as Apple Pay, WeChat Pay, Alipay, and Android Pay.
The service is fully loaded with its comprehensive documentation, international support, and monitoring system. It has a simplified PCI compliance procedure, with 135 supported currencies, and allows for integrating with other third-party platforms.
Pricing: Stripe charges no setup fees. The standard package charges 2.9 percent + $0.30 per transaction. Additionally, there is a fee for international card processing (1 percent). But Stripe also offers a customized solution and pricing package for large businesses. The chargeback amount is a fixed $15.
PayPal is one of the most widely accepted electronic payment methods in the world. PayPal offers scalable solutions for businesses of different sizes. Through its gateway, PayPal offers processing of all the major credit and debit cards, and PayPal payments themselves, with various other methods. It also has multiple services, which include PayPal Payments Pro, PayPal Express Checkout, and Braintree.
PayPal is often integrated as a hosted payment solution. PayPal Payments Pro is an upgrade you may obtain if you want an integrated checkout right on your website. PayPal Express Checkout is the easiest option, as it simply adds a PayPal button to your website. Braintree is a separate payment solution, but it is a PayPal division. The main advantage of using Braintree is that it bills international transactions without an additional fee.
Pricing: PayPal’s pricing model is complex, and includes different calculations for micropayments, their platform usage, and international transactions. Domestic transactions are billed at 2.9 percent + $0.30 per transaction. Outside the US transactions are 3.9 percent + a fee based on the currency used. There is no monthly fee for the standard PayPal, but Payments Pro charges $30 monthly for a subscription. The chargeback amount is $20, and for Braintree, with equal pricing for transactions, it is $15. No setup fees are included.
Amazon Payments is an eCommerce giant with its platform designed for online retailers. Amazon Pay is integrated via API, offering a semi-integrated payment solution. It’s available across devices, with a focus on mobile use. Amazon service also supports all the major payment methods and credit cards.
Pricing: Domestic transactions are billed at 2.9 percent + $0.30 per transaction. International is 3.9 percent. The refund amount is $20 + taxes, if applicable. No setup or monthly fees.
Authorize.net is designed for small- and medium-sized businesses. Their service also provides all the major payment method support, including PayPal payments and Apple Pay. Authorize.net protects users from fraudulent transactions via its Advanced Fraud Detection Suite. They also support integration with mobile applications.
Pricing: 2.9 percent + $0.30 per transaction. There is a $25 monthly fee for a gateway and $49 for merchant account setup. You may sign up for a payment gateway if you already have a merchant account.
2Checkout provides customizable options for businesses of different sizes, as well as integrated payment solutions. Its biggest advantage is its scalability with packages for different product types. 2Checkout supports all the major payment methods, 87 currencies, and 15 language localizations.
Pricing: 2Checkout includes 3 packages with different fees. There are no setup, monthly, or recurring payments. The 2Sell fee is 3.5 percent + $0.35 per transaction. 2Monetize is a package tailored to digital product sellers, and its pricing is 6.0 percent + $0.60 per transaction.
Custom payment gateway
There are a lot of payment gateway providers that offer a full shopping experience to your customers and various integration methods. But if you are a large enterprise, you might be interested in building your own payment solution to break free of vendor restrictions.
How to build a custom gateway?
Creating a custom payment gateway requires several steps:
- Payment gateway provider registration. Register as a payment gateway provider with a credit card company (or several) through your acquiring bank.
- Contracting with banks. Contract banks that will act as payment processors to handle the actual processing for you. Multiple banks can give you different transaction fees for international transfers, or different rates for currency exchange.
- API development. Develop an API for your gateway and write robust documentation as required within PCI DSS compliance.
- PCI DSS certification. Become PCI DSS compliant by implementing all the necessary security measures and integrating merchant fraud protection mechanisms on your website.
- Choose additional payment methods. If you need additional methods like PayPal, Bitcoin, or mobile wallets (e.g. Apple Pay), you’ll need to integrate them separately with their APIs.
- Management tools development. Develop a merchant administration web application, or simply an admin panel to allow your staff to control merchant operations.
You may also use open-source payment gateway software (like OmniPay, PayU, or Active Merchant), which will lower the engineering costs. But it will, again, restrict your customization options.
Developing an independent custom gateway and payment processing infrastructure requires serious expenses that are billed in a range from $150,000 to $800,000. That price includes engineering, maintenance, PCI DSS compliance certification, SSL certification, writing API documentation, and administration expenses. Besides the financial issues, it also requires the time to launch a fully working system and implement it into your product.
However, a custom payment solution can bring a number of benefits:
Lower transaction fees. Establishing your gateway, you avoid a gateway provider as a fee-forming factor, which lowers transaction fees.
Customization. A large enterprise business may be firmly restricted by what vendors offer. Even if you find a vendor with low transaction fees and a great number of payment methods, there are always restrictions. Developing a custom payment solution allows you to implement any feature you want, whether those are recurring payments or multi-currency transactions.
Offer payment gateway as a product. With your own custom payment solution, you will be able to offer it to other merchants and agents.
Being a long-term investment, developing a custom payment gateway is quite reasonable for a company with a large yearly revenue. For companies handling fewer than 20 thousand transactions per year, a custom payment solution is unnecessary. But for merchants conducting over 1–2 million transactions, the savings quickly mount up.
Optimizing your gateway and saving costs on transaction fees are reasonable factors to consider. The pitfalls you should be aware of are security issues, which are usually borne by the gateway providers. But obtaining PCI compliance and using fraud management will help you gain customer confidence.
So, whether you are choosing a payment gateway/processor provider, or planning to build your own payment portal, it is always a much more profitable solution for an online merchant, unless you are a non-profit website. Websites using an inbuilt payment system are more trusted by customers. And if you are looking for a way to improve client confidence, integrate a payment solution that will inspire trust, support multiple payment methods, and be protected from fraudulent actions.
Originally published at AltexSoft tech blog “How to Choose and Integrate Payment Gateway: Online Payments, Transaction Processing, and Payment Gateways Providers”