

Credit Card Processing as a Commodity Business - zt
http://blog.zactownsend.com/credit-card-processing-as-a-commodity-business

======
ameoba
Payment processing is a commodity when things are easy. If you're shipping
T-shirts with cheesy movie quotes to college students, you don't have a
problem. If you're selling credits for nude webcam chat, things get more
complicated.

You get people waking up with hangovers regretting the $500 they spent. You
get married men denying that they ever used the site. You get Ukrainian
hackers running up charges on stolen cards. You start to wonder if people are
laundering money through the site. You get mountains of chargebacks & fraud -
preventing most processors from even wanting to do business with you, let
alone compete for your business. The ones that will do business with you are
going to charge an arm and a leg to deal with the risk.

I had the misfortune of working on a site that ran one of these businesses.
They had to run a pool of processors - selecting which one to go through based
on how trusted the customer was, how suspicious a transaction looked & even
what part of the world they (and their card) were from. Being able to funnel
transactions through a single commodity gateway rather than having to add &
remove new processors every month as they dropped our account would have been
a dream.

~~~
erikig
I got firsthand experience of this as well. We built a system that leveraged
Bayesian filtering for risk measurement and transaction approval (above and
beyond CVC and AVS) in high risk markets.

When things were going well, they were great but when they weren't it was
really bad. In short, card issuers tend to side with clients (card holders_
and even with the best risk management, it is not an easy business to get
right.

------
jusben1369
Tip Hat to the author for updating this. FYI Braintree's gateway was under
similar margin and competitive pressure as a regular "Full stack" provider.
There is a point where one can build their on PG. Or there are generic no name
alternatives that run in the 1 - 3 cent range. These are bare bone services
but once folks hit scale they replace (by building up deep understanding of
payments) much of the value add of Braintree (acting as a super friendly
partner bringing you into the online world) would bring.

------
NetWarNinja
Ahh Credit Card processing. Let me tell you a story about being a credit card
processor. PCI and if you are not PCI compliant don't even bother trying to be
a processeor. Not only that if you are processing CC's you need to have a bank
to sponsor you. Here is the key to being the best CC processor in the world.

1\. Fraud detection 2\. Speed of processing 3\. Security 4\. Security 5\.
Security 6\. Security 7\. Did I mention security ? If you can master those you
will be king.

Real time processing is a panecea but be careful what you wish for.

It's a game of pennies. Not dollars.

Also your system needs to be able to take in any input. Oh and the companies
who send you these files to process are not exactly state of the art. 20+ year
old mainframe systems. I can tell you the hours our processors spent trying to
unscrew non comma delimited files.

If you are processing your credit card information in India I won't tell you
how unsecure companies operate over there. VMWare is not the way to scale up!
But hey it's your money.

I was a Systems administrator/ Security officer for one of these companies. I
am so glad I am not doing that now. They could not pay me enough.

~~~
ballard
Curious. Was it the paperwork, snort setups or something else?

~~~
NetWarNinja
Paperwork was part of it. It's Crossing your T's and dotting your I's. Go
price out a company who can do a PCI Audit for you. It starts at 40K and
climbs rapidly.

Also who is minding the store? Are you a 24x7 operation? If you are you should
have someone who is constantly monitoring your network. If you get breached
and fail to disclose it you can be looking at jail time. Also if you do
disclose you were breached you may be out of business.

Being a processor is not just creating an app that can process CC numbers. The
security behind the scenes better be fort knox and you need to be constantly
training your people about security. The first thing out of any persons mouth
should be.

So tell me what is the secure method you will be using to transfer these CC
numbers over to us?

Our developers are creating a new app and we need to make sure you are
following security best practices.

Not to many developers think about security when developing apps. If you do
get one who is security concious you better treat them like gold.

Don't even talk about the next upgrade to the Sales weasels otherwise they are
selling it to the first customer who gets thier attention. Remember thier job
is to sell and they will sell thier mother to close the deal. As soon as it's
closed they get paid.

------
pherk
Very informative. We are a payments company
([http://www.juspay.in](http://www.juspay.in)) based out of India. We came to
similar conclusion just after the inception of the company. Instead of
building a payment gateway, we built a solution that acts as a wrapper on top
of payment processors and positioned our product as a specialization in cards
processing. And today, some of the biggest companies in India are using our
product (1-click checkout).

Our positioning gives us better margins than processors and the icing on the
cake is that we are also not exposed to fraud related risks. Settlement
process in India is cumbersome and mostly manual. Being a completely
engineering team, we are happy that we aren't dragged into settlements and
related issues as well.

One of the big downsides for us is that we don't get to have a big float like
the processors.

~~~
ballard
Wow. Interesting.

As having having used several at different scales in both tech and business
capacities, general feedback on payment gateways is:

    
    
      - developer support (libraries, examples to get apps going quickly and sandbox APIs)
      - clear communication of due-diligence process for new accounts
      - advance notification for production changes
      - discussion of security and audit standards (makes customer due-diligence, internal selling easier)
     
    

Stripe and others shake things up a little whereas traditional
US/multinational basically didn't care about anyone, especially customer
service unless you happen to be a Fortune 100 that can yell at their mgmt at a
high level.

------
berlinbrown
We work with credit card vendors and to me, it seems like an easy business.
You have many companies that want to be PCI compliant and they want to save
money and they want reliable service. With credit card processing, it is
really quite easy . Charge a credit card, validate, reject, etc. Can you
handle all of my transactions? Is your API clean?

The one issue I see:

* Some vendors are slow. E.g. 3-5 second transactions

* Too expensive

* No good PCI compliant user interface. E.g. if I want to embed an iframe into my application. These are kludgy.

Other than that, what a great market to be in. And not just credit card
transactions but banking/ach transactions, wire transfers, the whole 9 yards.

~~~
LeBlanc
Unfortunately, it is not that easy because you are just one part of a larger
financial system and have to deal with horribly outdated banks, etc.

I used to work at WePay and a lot of the complex technical work we did was to
make sure that the craziness and unreliability of the entities lower in the
chain never reached our customers. In a credit card transaction there are
multiple parties including the issuing bank, the acquiring bank, the
processor, the gateway, the card network, etc. Issuing banks in particular
often return bogus error codes, time out, or have provide inconsistent
results. I remember Delta SkyMiles rewards cards being particularly
problematic.

And with payments there is very little margin for error because you are
dealing with people's money. Customers get very upset when you cannot charge
their card, and it is not helpful to try to explain that the problem is
downstream (for example the issuing bank is returning bogus error codes). The
worst is the dreaded "general decline"; which is when an issuing bank declines
a CC transaction but doesn't tell you why.

The ACH network is even worse. There is no synchronous way to determine if an
ACH transaction was actually successful. NSF errors (not sufficient funds) can
come in 3 days after the initial transaction. I hope that Dwolla's planned ACH
replacement actually takes off because it would be a huge improvement.

------
pbreit
Basic processing may be a commodity but the service is so essential and the
data so valuable that there are numerous opportunities to add value (and
charge for it) be it fraud detection, analytics, cash management, loyalty,
etc.

------
jkuria
I am curious, why are most payment gateways about $25 to $50 /month? Seems
like such a commodiy. Why isn't someone offering a $5 -- $10 gateway?

~~~
jeffblake
Some of the newer gateways (Braintree, Stripe) don't have monthly fees - but
there is a tradeoff. Both of those guys have a high per transaction fee (25-30
cents) and also a relatively fixed discount rate (I haven't heard of anyone
negotiate it down with volume). They also don't have some of the extra
features other gateways offer: ACH/EFT transfers, Interac Online (canada),
card-present transactions (lower discount rate), etc.

For example, I use Beanstream (canada), my monthly fee is about $70, but I pay
a much lower discount rate (as I can plug in my own merchant account), and my
per transaction fee is only 10 cents. When I do 4,500 transactions in one
month for a big event, that saves me $900 alone. I can also do automated ACH
transfers to my clients (I provide event ticketing software), Interac Online
support, and more. My business model is also TPPA (third party payment
aggregation) so the risk is much higher. They also have great customer
support.

But the $70 does hurt. I think more and more gateways will start to have to
offer no monthly fees much like Stripe/Braintree.

~~~
jkuria
I'd switch to Stripe in a heart beat if they worked with 1ShoppinCart.

~~~
kyledilger
Why? 2.9% is almost a full 1% higher than what you can get otherwise. On top
of 1sc's 1% transaction cost, you're looking at 4% just for processing!

------
contingencies
Yes, absolutely, settlement _should_ be a commodity business.

The "complexity" is down to fraud issues, a factor of the system's design and
a 'feature' for the network operators. Why? It creates a myth of expertise,
training, competition-stifling "existing investment" and an ecosystem around
the things which also provides weighty large-numbers to wield in arguments
with regulators and other bodies.

Major _network_ operators of debit and credit cards today are American
Express, Bank of America (Mastercard/Cirrus/Maestro), Visa, JCB (Japan), China
Unipay.

There's very few of them really. The prior three could be viewed as an
extremely valuable US intelligence asset; the others, being primarily
domestic, also... but only in a national context. Governments then (or even
pre-emptively in the case of China) issue further regulations, pretending to
be in the interest of the consumer, but really to prevent any effective
competition. This is similarly the case with countries like Australia refusing
to adopt the IBAN.

Improved objectiveness an a fair platform for "settlement path agility" (in
the same vein as SSL "trust agility") was explained in my rambling post with
bits missing from yesterday on the future of financial settlement @
[https://news.ycombinator.com/item?id=6455277](https://news.ycombinator.com/item?id=6455277)

