
PayMill. Is it really a clone of Stripe? - Rulero
http://notes.prashant.es/post/paymill.-is-it-really-a-clone-of-stripe
======
jtdowney
One thing the article mentions that is not correct is that "there's no need to
be PCI Compliant as Stripe handles this whole process for you." While it is
true that Stripe bundles the merchant account, you do still need to be PCI
compliant. They even say as much in their Terms of Service (section 8): "You
agree that at all times you shall be compliant with the Payment Card Industry
Data Security Standards (PCI-DSS) and the Payment Application Data Security
Standards (PA-DSS), as applicable."

It is very dangerous to think that just because you use a service you are not
responsible for PCI compliance. Any business that accepts credit card payments
needs to be sure and research what their exact relationship is with PCI.

(Disclosure, I work for Braintree)

~~~
dave_sullivan
Can you give an example of what specific considerations need to be taken into
account re: pci compliance and stripe? My understanding is that there are more
stringent requirements if storing CC numbers, and using stripe helps to shift
that burden. Are there any other major non-obvious (eg, using ssl)
considerations re: pci compliance if using stripe to handle recurring billing?

~~~
sdepablos
Taking a look at
[https://support.stripe.com/questions/what-exactly-do-i-need-...](https://support.stripe.com/questions/what-exactly-do-i-need-to-do-on-my-end-for-pci-compliance-through-stripe)
it looks like you only need to use stripe.js and SSL and you're ok.

~~~
thehammer
Regulations are set by the card brands, not the gateways. Here are Visa's
requirements for merchants that want to accept their cards:

[http://usa.visa.com/merchants/risk_management/cisp_merchants...](http://usa.visa.com/merchants/risk_management/cisp_merchants.html)

Requirements scale with processing volume, and are generally minimal for
merchants processing under 20k Visa transactions annually.

Many gateways use tokenization to dramatically reduce PCI scope for their
merchants. It's fairly standard, actually. Even with tokenization, merchants
have compliance obligations. The required network scans, for example, protect
consumers from merchant websites being compromised ahead of the tokenization
step.

~~~
sdepablos
Interesting. I thought you only needed PCI compliance if your server touched
the card, not the front-end, but it makes sense. Nevertheless here in Spain
we'll need to wait to have tokenization. There's only one gateway - unless you
choose Ogone or Adyen - and hell will freeze before it innovates.

------
skrebbel
I'm very interested in more stories here. Do people on HN share the OP's
experiences with Paymill? Anyone working at Paymill reading this?

I know Paymill is one of Rocket Internet's many "ripoffs" of successful US
companies, but as a European I really don't care about that. They executed on
Zalando real well, I've no reason at all to assume that they'd not execute
well on Paymill. Or, well, I _had_ no reason to assume so until this article.

~~~
Kliment
I did the required paperwork stuff before writing any code. They called me
when I signed up, told me about the service and what documents they needed. It
took me an hour to fill out the forms, and once I sent it it took them two
days to activate the account. Later on, they had me fill in another form from
some industry compliance organization, with super-cryptic and confusing stuff
on it. They sent me a sample form with the correct data filled in and told me
how much they hated that their customers had to do that. They've been paying
me every week without issues. Haven't had to do any other paperwork since. On
the first day I accepted payments, their acquiring bank emailed me to verify
the addresses of several customers because they had cards issued by high-fraud
banks. They all checked out, and I haven't heard from them either since. From
my POV Paymill's execution is excellent, and they ANSWER THEIR PHONE
immediately if I need them, and solve stuff right away (I haven't needed to do
that in a long time)

------
jokull
Just adding a datapoint. I went through the verification and it was annoying
to print, fill out, scan and send but not that horrible. The staff was helpful
and followed through with the whole process. They even rang me up at one point
because there weren’t any transactions coming through to see if I needed any
help with the software end of things (that wasn’t the case, but nice to know
they care).

~~~
CarlHoerberg
exactly my experience too

------
d0mme
As I'm a member of the dev team and have read this article and the following
discussions, we will write a blog post tomorrow regarding the concerning issues
the OP mentioned. There are really some fair points of criticism, which we
should consider thoroughly and change for the future. A more detailed answer
tomorrow.

Best, Dominic

~~~
tpsc
Still waiting...

~~~
d0mme
sorry for the waiting, here it is:

[https://blog.paymill.com/2013/02/25/customer-feedback-on-our...](https://blog.paymill.com/2013/02/25/customer-feedback-on-our-service/)

------
samwillis
I looked into Pay Mill a few months ago when I was setting up my website.
Being in the UK we couldn't use stripe and so it initially looked like a good
option but then when you dig into it you find it's no different than a merchant
account. Ultimately I went with paypal as I could set it up quickly and then
move to another option later on when the idea is validated.

We are now ramen profitable and so when stripe launches over here I will
probably move to it but if it doesn't we are now in a position with trading
history to get a merchant account.

~~~
ig1
Stripe is apparently in private beta in the UK now, I'm guessing they're going
to make their formal announcement at the talk they're giving at the London Web
Summit in a few weeks.

------
jamesmoss
I've been looking at using Paymill for an upcoming side project but now I
think I might just use Braintree instead after reading this article. The
purported lack of paperwork was a big selling point for me but if this
article is true (as well as other comments on here) then it's a big turn off.

~~~
CarlHoerberg
the paymill paperwork is minimal. braintree wants a lot more papers
(<https://www.braintreepayments.com/tour/international>) and has some hefty
upfront costs.

~~~
Silhouette
Yes, Braintree's initial paperwork is a PITA, at least as bad as any other
payment gateway/merchant account set-up we've seen. And actually their fees
can work out very high as well in the early days, because they have a minimum
level each month whether you take any payments or not.

We're still looking into them because their terms don't seem to have any of
the abusive conditions that we would never sign and their reputation for good
customer service is attractive, but they are very far from ideal.

------
tobiasbischoff
It's the same with Samwers' clone of Square, Payleven. They send you a
card reader immediately but before you can use it you have to sign 5 different
paperworks and wait for approvals. Just sad and the reason iZettle is still
the only Square-a-like in Europe.

~~~
weitzj
Or sumup

------
mikeseeh
Read the general terms and you know why your client was rejected. You wrote
it's a 'dating website' and according to the terms 'Partner negotiations of
any kind' are not allowed.

~~~
Rulero
Interesting. Although I don't see how a dating site is partner negotiation,
you're simply paying a subscription for a service which allows you to browse
members. You're not paying for the relationship or negotiating on it.

Something which might have been relevant which I didn't add was my client
wasn't provided a reason for rejection. They simply stated "Our acquiring bank
will not consider your application". He attempted to follow up, but still no
reason was supplied.

------
dewey
The site in the OP is not accessible right now, but by reading the other
comments I assume it's about the paperwork you have to go through after you
signed up for PayMill.

My experience is that it takes an hour to sign up, then they'll send you some
papers to sign and you are good to go and ready to accept payments.

Then a month later you'll get an email telling you to go through a
certification done by a third-party. You'll have to download a .rtf with about
20 pages, formatted in a horrible way and go through the answers with no real
guidance. You don't have to fill in a lot of information if you are using
PayMill because you are not actually storing any sensitive information on your
servers. That's not really PayMill's fault because it's required by law but
it's _very_ annoying and I had to resubmit it twice because I missed some
fields (Which isn't really that surprising if you look at the way the document
is designed).

A few weeks later I had to go through another verification required by EU's
money laundering laws. But it was basically just signing a document at the
post office so they can verify it with your passport.

Edit: I have to add that PayMill's Support Staff is brilliant and they really
care about their customers. They probably hate the required paperwork as much
as we do.

~~~
Kliment
About the annoying document, they sent me a sample one with all the required
fields filled in so I just had to change company name and dates.

------
bencevans
Site's taking ages to load, so here's the google cache
[http://webcache.googleusercontent.com/search?q=cache:tBHXw_P...](http://webcache.googleusercontent.com/search?q=cache:tBHXw_PrE_cJ:notes.prashant.es/post/paymill.-is-it-really-a-clone-of-stripe+&cd=1&hl=en&ct=clnk&gl=uk)

~~~
dewey
Thanks!

Now that I have read the article I think it's not really fair to compare
payment providers working under EU jurisdiction and US jurisdiction. If it'd
be easy to just skip the paperwork in the EU I'm pretty sure Stripe would've
just rolled out their services in Europe in the first place.

~~~
Rulero
Why not? PayMill is supposed to be a clone of Stripe, therefore, I expect
instant activation.

If you can't offer instant activation (Due to regulations and jurisdictions),
don't be misleading with your marketing communications. Let the consumers know
the real deal. Simple.

~~~
dewey
"What’s more, we normally validate all of the necessary customer documents
within just 48 hours. However, in order for you to start working right away,
you will receive an individual test key from us directly after you register.
This will allow you to integrate Paymill even while the contracts are still
being processed."

They never said they are a Stripe clone, and if you are expecting that they
are one with the exact same features ("instant activation") just because they
are selling the same product that's not really their fault isn't it?

They are basically saying that normally you are up and running within 48 hours
and that's the case if you are not rejected. So what's misleading about that?

~~~
Rulero
Actually, that statement doesn't say anything about being rejected. In fact,
it is phrased in such a way that induces you to believe that after 48 hours,
your account will be "processed" or "functional".

~~~
dewey
Well it's kind of obvious that you are not up and running in 48h if your
verification failed don't you think?

~~~
Rulero
Which is my point about it being misleading :)

~~~
pestaa
Well if it was obvious to you how did it also mislead you?

------
rmoriz
PayMill data could be used by the Samwers to _cough_ identify _cough_ trends
and interesting business ideas

------
onemorepassword
I don't really see the point of a European Stripe clone, since in Europe we're
dealing with a completely different set of problems when it comes to online
payment.

In many countries it's relatively painless if not trivial to set up a merchant
account and start accepting payments through one of the many payment service
providers, so for the internal market a Stripe-like service doesn't offer much
of an advantage over tried and trusted local services.

If you want to accept payments across Europe, especially the many local direct
payment solutions which are often much more popular than credit cards (and
Paymill doesn't support any of them), you'll run into a whole different class
of problems which any service will have a hard time solving.

But if you want to disrupt the European online payment market, then that's the
problem to solve.

~~~
Kliment
This is not true.

Before Paymill came along, I had no reasonable (not involved with going
through huge amounts of paperwork and diligence just to get a price quote) way
of taking payments in Germany. Merchant accounts are a pain. They are most
definitely neither painless nor trivial. I hear it's better in the UK, but for
me the only reasonable alternative was PayPal, who have strongly negative
trust in my book. Paymill made it possible for me to take credit cards at all.

As of recently they also support the most popular local direct payment method
in Germany. Given how quickly they spread from DE only to most of Europe, I
expect they'll support other local payment methods eventually, but I honestly
don't care much. Being able to take credit card payments is already a huge,
huge step.

~~~
sdepablos
And at least here in Spain you should not forget the TERRIBLE way of
integrating payments in your site if you're not PCI compliant. When you try to
pay you end up in an ugly POS terminal that with some browsers shows misleading
JS alerts when you click on the pay button.

------
crazygringo
Ugh. With tiny 12px text, the blog has zooming _disabled_ for Webkit browsers,
even desktop ones, by specifying:

    
    
        -webkit-text-size-adjust: none;
    

That's a horrible bug and makes it practically unreadable.

EDIT: never mind, apparently it was fixed in the meantime.

------
smagch
As for Japanese Stripe clone, webpay is literally a clone. They offer using
stripe gem for accessing their API.

<https://github.com/keikubo/webpay-ruby>

~~~
revelation
The fact that they offer the same API does not make them a clone and a recent
ruling between Oracle and Google would even suggest it's not a copyright
issue. There's also an exception in the DMCA that allows reverse engineering
for purposes of interoperability (IANAL).

------
sdepablos
I think Paymill would be a good alternative for us Europeans if not for the
pricing. 2.95% + 0.28€ for transaction is really bad if you work with low
margins and far far worse than what we get working directly with our bank (and
don't forget you only see your money once a week).

------
d0mme
Thanks to everyone for feedback, we really appreciate your input! We have
compiled a blog post to answer your questions:

[https://blog.paymill.com/2013/02/25/customer-feedback-on-our...](https://blog.paymill.com/2013/02/25/customer-feedback-on-our-service/)

Best, Dominic

------
calpaterson
This is similar to the issue I had with Paymill. Their bank seems to turn down
applications because of a lack of trading history or because you can't meet
some strange German legal requirement.

------
cocoflunchy
OP should really consider writing larger and _allow zoom!_.

Luckily there's still Readability...

Edit: well I'm not sure what just happened, but the whole layout has
changed... everything is good now.

~~~
lobster_johnson
Zooming that site is still not working for me in Chrome.

------
zakshay
PayMill doesn't have a credit card vault. So it can never be or provide the
same features as Stripe.

