
Ask HN: Help me understand online payment gateways - pcidss-clueless
I'm a long-time developer that's recently moved into web development. I'm also based in the UK, so that seems to limit my options somewhat significantly.

As I understand it, my options are either speak to my bank about an internet merchant account, or use a third-party payment processor. It seems however, that if my company is newly formed and thus doesn't really have a trading history, the likelihood of my bank allowing me to have an internet merchant account is slim. Using a third-party payment processor usually - from what I can see - results in customers being redirected to a third-party branded checkout page, which I want to avoid. Is this correct, or am I missing something?

If I have a merchant account and people are submitting payment data to my server that I am then passing on to be processed, I am responsible for PCI DSS compliance, correct? (Am I correct in my understanding that Braintree gets around this by having your checkout form POST to their servers?)

Lastly, can anyone recommend a means for me to accept credit and debit card payments [in pounds Sterling, for a UK site] for a newly formed business that doesn't use a third-party [Paypal, Google Checkout etc]?
======
chaosmachine
I recently launched a niche startup selling addon content for Photoshop. It's
a purely digital-goods business: people pay money and in return they get an
email with a download link.

I looked at a bunch of solutions (shopify, 2checkout, paypal, authorize.net,
e-junkie, and others). Ultimately, I went with a company called FastSpring.
It's a third party shopping cart solution, but they let you use your own
xhtml/css template. They do include some text in the footer to let you know
who's providing the service, but it's not really intrusive.

If you want to see how it looks, here's a page from my site. Click the add-to-
cart button: <http://photoshoplayerstyles.com/sale>

Overall, I really like their service. They pay out twice a month, directly
into my bank account. I'm in Canada, and most places just won't do this, so it
was a nice surprise when it just worked.

Edit: I should mention, they handle international sales smoothly, too. I've
had sales from all over the EU. They detect the country, do currency
conversion, charge the correct VAT, etc.

~~~
decadentcactus
Offtopic, I remember seeing this when you announced it. How's the site going?

~~~
chaosmachine
Not bad. It paid my rent this month.

Conversion rates are good, but getting links and traffic has been difficult.
If I could move the site up from #7 to #1 for my domain keywords on Google,
I'd be very happy.

~~~
ashitvora
Good Luck :)

------
watchdogtimer
We have had several different merchant accounts and bank accounts over the
years, and have found that your bank is probably the last place from which you
want to obtain a merchant account.

These days most businesses (online businesses, at least) obtain a merchant
account through an Independent Sales Organization (ISO). The ISO is basically
an independent sales rep for a Merchant Services Provider (MSP) associated
with a bank. When your account is set up, the funds from your customer pass
seamlessly through the MSP's bank and are deposited into your local bank
account.

The ISO makes his/her money through fees on your account. The more sales you
have, the more they earn.

Competition between ISOs is intense, so it pays to shop around. Every local
bank I've dealt with "outsources" their merchant accounts to an ISO. I assume
the bank receives referral income from the ISO, as the fees we've been quoted
for a merchant account through a local bank have always been higher than we've
found elsewhere.

A few months ago, we quit having our own merchant account and moved to PayPal,
as basic interchange fees have increased to the point where we found that is
the least expensive option for our level of sales (>$10,000/month).

We use a basic PayPal Website Payments Standard Account using their name-value
pair (NVP) interface. Our customers enter their shipping address data on our
web site and their credit card information on PayPal's web site so we don't
have to worry about PCI compliance. We use custom headers on our order page
("Checkout: Step 1") and our PayPal page ("Checkout: Step 2") to make it look
pretty seamless. You can upgrade to a Website Payments Pro account for
$20/month if you want to do it all on your own server, however.

~~~
rbritton
Just one small nit: Website Payments Pro was raised to $30/mo a little bit
back. We used this for some time and it worked reasonably well, but there are
other options that don't cost as much.

We use a combination of our own merchant account through a reseller and
Authorize.net, which has about half the monthly fees of the PayPal option and
lower rates.

------
sargeantd
It took us months to get a payment system for my start up in Australia. It's a
nightmare. You are correct in thinking there are only two options - a merchant
account or a service like paypal or authorize.net. However, if you have a
merchant bank account and use a 3rd party gateway, you are submitting and
storing the credit card information on the gateway and not on your own server,
therefore PCI DSS compliance is not required. Many credit card gateways have
APIs so that you can create a seamless experience if you wish. I would
certainly try approaching the banks for a merchant account. Our company was
fairly new when we got our merchant facility and there was never any concern
about how old the business was. They were more interested in the type of
product and thus the risk of getting charge backs. The bank may also be happy
to provide the facility for a security deposit. Also, before you make a final
decision, compare all the charges and how much the facility is going to cost
your business. The charges seem to vary dramatically between banks and
providers.

------
zaidf
(1) At least in the US, banks are only _one_ way of getting a merchant
account. There are a decent number of companies that offer merchant accounts. It
is a pretty competitive business and there are plenty of companies and
affiliates vying to get you under their belt because they get a fraction of a
% of sales you do for life. Google around. Banks may not be the best option.
In the U.S. you can definitely get a merchant account for new businesses with
little history. I was able to get one at 15 under my brother's name--who was
barely 18 and had no prior biz record.

(2) Yes, merchant account can help you avoid 3rd party pages and gives you
complete control of the flow of the order process.

(3) Yes it is a bad, bad idea and mostly not officially acceptable to store cc
info on your server.

~~~
tow21
Actually, in the UK, banks are pretty much the only way of getting a merchant
account, see:

[http://www.businesslink.gov.uk/bdotg/action/detail?type=RESO...](http://www.businesslink.gov.uk/bdotg/action/detail?type=RESOURCES&itemId=1073791016&r.s=e&r.l1=1073858790&r.lc=en&r.l3=1073920405&r.l2=1073858942&r.i=1073791013&r.t=RESOURCES)

(sorry for shitty URL)

The only non-bank merchant accounts you can get are Amex & Diner's Card, both
of which only work for their own cards.

~~~
omarchowdhury
He's referring to Independent Sales Organizations (ISOs), which are groups
sponsored by acquiring banks to underwrite, provision and maintain merchant
accounts for clients.

------
trizk
You are responsible for the security of any information on your system. Thus
you should want to be PCI DSS compliant even if it is not a requirement.

Take a look at PayPal Website Payments Pro.

[https://www.paypal-business.co.uk/process-online-payments-wi...](https://www.paypal-business.co.uk/process-online-payments-with-paypal/index.htm)

Why don't you want to use PayPal? It's a pretty safe path to start accepting
payments online and you can use their transparent API so they are not visible.
Get an account, read their API docs and security best practices for the
language of your choice (and in general). Implement an example from the docs
on your server and grow it from there. Don't store credit card data on your
server and don't cut corners when checking integrity of communication between
you and PayPal.

~~~
notyourwork
Paypal is expensive and I have had too many problems with them to ever
consider using them for my business.

~~~
vog
Also note that in general, keeping away dubious companies helps both your own
reputation and the society as a whole.

And PayPal has gained a lot of bad reputation for several reasons. The
Wikipedia provides a good summary of the issues:
[http://en.wikipedia.org/wiki/PayPal#Criticism_and_limitation...](http://en.wikipedia.org/wiki/PayPal#Criticism_and_limitations)

------
sullichin
The easiest way for you to achieve PCI compliance is definitely by using a 3rd
party gateway. Customers will have to leave your site but you can usually skin
the gateway page to look like the original store. If credit card data is
entered in a PCI compliant server, even in an iframe on your site, then you
aren't responsible for making your server PCI compliant to accept credit
cards.

------
bakbak
I did lots of research and finally settled with Payloadz ... visit
<https://www.payloadz.com/default.asp>

Edit: they support PayPal, Google Checkout, 2Checkout, Amazon Payments and
TrialPay - also you can use their system to create your own affiliate
system/network.

------
retroryan
Can anyone make recommendations for merchant accounts in the US? Are there any
that you would avoid? beanstream, authorize.net and Braintree all look pretty
similar, are there any real differences? Thank you!

------
olalonde
Self promotion here, but I suggest you check out <http://payfacade.com>. We're
trying to make life of web developers easier regarding online payments.

------
jwecker
I highly recommend talking to Isaac and the team over at recurly.com (you can
guess his email address (: )

Even if you don't end up using them you'll get some very valuable intel.

~~~
neiled
Off topic: I always wondered how to put a 'smiley' inside of brackets, I never
considered making it face the other way around. Genius!

------
ig1
See also this previous thread on the topic:
<http://news.ycombinator.com/item?id=1074860>

------
somabc
Have you looked at 2 Checkout?

<http://www.2checkout.com/community/>

------
zackattack
What kind of bullshit banks in the UK won't give a business a merchant account?

Anyway, chargify can recommend you some gateway/merchant account providers.

~~~
mattmanser
From the text of his question it doesn't sound like he's actually asked yet.

I also read recently that chargify only works with Barclays in the UK, but I'd
check that out yourself.

In other words, OP, you probably have more options than you realise, go talk
to your bank's business advisor. Or a few banks. I mentioned to mine that I
will want to do what you want to do in a few months and she didn't bat an
eyelid, although I haven't yet pursued it.

Also, why post with a throwaway account? It's a perfectly good question, the
whole area's fairly confusing at first!

------
ahoyhere
You might find my free ecommerce cheat sheet helpful if you go the custom
solution route (merch acct, cc processor, etc): <http://jumpstartcc.com>

~~~
kristaps
Looks interesting, thanks. BTW the page says "2009", might want to bring it up
to date.

