

Ask HN: How to set up a payment gateway - coglethorpe

Here's what I want to do: I'd like to act as a third-party to facilitate payments between two parties. From my initial look, I can't use a service like PayPal or Authorize.net to manage the transactions between two other people's accounts. Besides that, I'm adding on another layer of charges which would make the cost prohibitive for our customers.

So if I want to act as a third party, I need to set up my own system. Here's what I think I need:

1. My own servers in a secure location, to store all those account numbers. I don't think I can trust a third party to handle that. Is there anyone who does?
2. The firewalls, encryption, etc. to maintain PCI compliance.
3. Deals worked out with Visa/MC/etc. to accept credit cards.
4. Deals worked out to handle ACH payments. I have no idea how to go about doing that.
5. Software to manage the process of payers and payees entry and verification of data.

If I do it right, I can bring down the cost per transaction, and I'd need to run the numbers to see how many transactions are needed to pay off the system. ACH transactions are cheap and would bring down costs, obviously.

My gut tells me it's like 1.5 million USD to set that all up right, in a way that would scale and eventually pay off.

Anyone have experience pricing that sort of thing? I assume I'd need that to go after funding, if that's the direction we decide to go in.
======
gm
Coming from a financial services guy: Look at the legal aspects first before
you sit down and write code. It sounds like you are jumping right into the
transfer money aspect of it, bypassing the laws you need to comply with.

If you are in the middle of a money transactions you are subject to many
federal and state laws, and if you deal with international, you are subject to
more federal and state laws, as well as those of the country you are
transferring to.

You will be imprisoned if you do not. Since Sept 11 everyone involved takes
these things extremely seriously, they will jail you first, and investigate
later. (not to mention close your company and impound all your equipment).

EDIT: And you will need much more than your gut estimate of $1.5 mill because
there are huge bonds to be put in _per_state_ you want to do business in.
Money transmission is not a business for the small guy any more.

EDIT2: Have a sip of the legal requirements <http://www.fincen.gov/> (this is
just for the federal government, each state has its own office that places
additional restrictions on you as well)

~~~
coglethorpe
Do these rules apply for a gateway like Authorize.net, or just the banks they
communicate with? If so, starting up something like that must be a massive
undertaking.

~~~
gm
Financial rules apply to any company that does transactions that could reach a
high volume (one of the magic numbers is USD $10,000). So, for example, a car
dealership that does single transactions of over $10,000 must comply with
several regulations already, including checking the OFAC list (google it) for
possible matches of people forbidden to do business with US companies (Believe
me, you do NOT want to get caught as the inadvertent money laundering agent for
a terrorist organization; your ass is going straight to federal prison even if
you did not mean to be their money laundering instrument).

You must also check for structured transactions (transfer $20,000 USD in small
transactions so they do not go on the radar), etc...

The laws are very strict on this nowadays, and people who make themselves be
the middleman in a financial transaction are at great risk of getting into
trouble if they do not do what they are required to (by the various government
regulators, both federal and state). I am talking about criminal charges, not
just civil penalties.

The banks must do their own compliance work, but that does not absolve - in
any way - the company that is doing the transactions from doing so as well. It
is mostly a cover your ass thing, rather than an "as long as someone in the
chain reports it" thing.

So yeah, the legal compliance in this business is - vastly - the more complex
part of the business. The technology is the easy part.
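
Added example, not part of the thread and not any poster's code: a minimal Python check for the structured-transaction pattern described in the comment above, using the $10,000 figure from that comment. The three-day look-back window, the account names and the sample ledger are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD_USD = 10_000       # the "magic number" quoted in the comment above
WINDOW = timedelta(days=3)   # assumption: look-back window, not from the thread

# Constructed sample ledger: (ISO timestamp, sender account, amount in USD)
SAMPLE_TXNS = [
    ("2024-03-01T09:00", "acct-A", 4_900),
    ("2024-03-01T15:30", "acct-A", 4_800),
    ("2024-03-02T10:15", "acct-A", 5_200),
    ("2024-03-02T11:00", "acct-B", 12_000),  # over the line on its own
    ("2024-03-03T08:45", "acct-A", 5_100),
    ("2024-03-01T12:00", "acct-C", 3_000),
    ("2024-03-09T12:00", "acct-C", 8_000),   # outside the window of the first
]

def find_structuring(txns, threshold=THRESHOLD_USD, window=WINDOW):
    """Return {sender: (first_time, last_time, total)} for the first window in
    which transfers that are each below the threshold sum to it or more."""
    recent = defaultdict(deque)  # sender -> (time, amount) pairs inside the window
    flagged = {}
    for ts, sender, amount in sorted(txns):
        when = datetime.fromisoformat(ts)
        if amount >= threshold:
            continue             # a single large transfer is not a structuring pattern
        q = recent[sender]
        q.append((when, amount))
        while when - q[0][0] > window:
            q.popleft()          # drop transfers older than the look-back window
        total = sum(a for _, a in q)
        if total >= threshold and sender not in flagged:
            flagged[sender] = (q[0][0], when, total)
    return flagged

if __name__ == "__main__":
    for sender, (start, end, total) in find_structuring(SAMPLE_TXNS).items():
        print(f"{sender}: ${total:,} in sub-threshold transfers, {start} to {end}")
```
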

------
drusenko
A payment gateway doesn't handle the transferring of money, they only
communicate with the interchange. Then, you go to a processor to settle the
transaction given a specific transaction ID for which you have received an
authorization.

There's a very important distinction: A gateway doesn't involve transferring
money, while a processor does. There's a huge set of risks on the processor
side, and being a "start-up" processor seems to be a non-starter (big banks
usually perform this task).

You also need to figure out what you have to lose to fraud. Gateways, it would
seem, don't have that much to lose to fraud (they just handle the transaction,
they don't settle it or transfer any kind of money).

There's definitely a huge market for a better gateway (Authorize.net's APIs
suck). Being a new PayPal, in my opinion, is going to be incredibly difficult,
for many of the reasons mentioned in this thread.

I'd start your journey by educating yourself on exactly how the credit card
system works. This is a good place to start:
<http://authorize.net/resources/howitworksdiagram/>

~~~
coglethorpe
Thanks for that information! Maybe what I'm trying to do is set up my own
gateway, so I can handle transactions for two third parties. It also seems
much cheaper.

------
olefoo
Would Amazon FPS do what you need?

<http://www.amazon.com/Flexible-Payments-Service-AWS/b?ie=UTF8&node=342430011>

If not, then you will need funding if only to pay the lawyers who will be
helping you charter your new financial institution.

~~~
johns
Unfortunately, FPS requires users to use an Amazon account, which makes it
unattractive for a lot of uses.

~~~
olefoo
A pool of people who have a demonstrated willingness to spend money online is
unattractive?

Letting Amazon brand the transaction and own the relationship is less than
beautiful it's true; but that also means they own the headaches associated
with those accounts.

~~~
run4yourlives
I think he's saying that his non-pooled customers that are willing to pay him
may not be willing to sign up with Amazon.

~~~
johns
And that asking someone for a separate set of credentials when making a
payment is a disjointed and possibly confusing process.

~~~
olefoo
I'm not entirely disagreeing with you, and for a straight ecommerce site, I
think it looks a lot more pro to have your own merchant account, ssl
certificate, domain etc.

But for more specialised needs FPS could be the right answer, particularly if
you are acting as a broker or escrow agent (which sounds sort of like what
coglethorpe was describing) and it would let you build something that would at
the very least show the potential of the business model enough to justify a
real investment (10-50 Million USD for a new bank that is intended to operate
nationally; more if you want to start global).

------
blender
Anything is possible but the due diligence on your idea is enormous. Good luck
getting investment. 1.5M probably won't even cover the upfront legal costs.

~~~
gm
It can cover the legal costs, provided you get the right lawyer. If you get
the wrong lawyer, 1.5M will not be enough. The requirements are fairly
straightforward, they need to be implemented correctly, though. Huge companies
that transfer money have a single scary-smart lawyer/compliance officer on
staff, with lots of clerks that are not particularly expensive.

------
swombat
There's already quite a few players in this market. What will you do
differently to make it worth using you instead?

~~~
coglethorpe
That's true. What I was hoping to do was offer payments for a specific niche.
But if I have to build a full payment service, I may as well offer payments
for all sorts of things. There are many players who offer generic payments,
PayPal and Authorize.net to name two.

I wasn't going to offer merchant solutions or shopping cart integration like
others do, but it looks as if I'm going to act as a third party, I may as well
set up the whole thing. 1.5 million in legal costs alone might be far too steep
a barrier to entry for just one niche.

~~~
swombat
Why not re-use one of the numerous existing payment gateways? Most of them
take only a very small cut if you have large enough volumes, and it'll save
you a lot of hassle. Even integrating with an existing gateway is a lot of
hassle - writing your own is considerably more painful.

~~~
coglethorpe
It's my understanding that they don't allow a person to act as a third party
between two other people's accounts. That's essentially what a gateway does,
so I can see why they don't want n-tier gateways.

~~~
swombat
I don't think the banks will allow you to do that either. Transfers are always
to a merchant account. You'll have to build your own Paypal-style account
system to allow transfers between users.

------
pageman
contact me at paulpajo [at] gmail maybe asiapay [dot] com can help. you can
browse through this: <http://www.slideshare.net/ebiziseasy/pesopay-presentation/>
slide 17 might be of interest to you (payalert)

