Software development best practices

How to choose a secure payment solution that will make your app valuable

Time for reading: 12 min

Payment processing services are the gateways to revenue for the majority of web and mobile applications. But when you’re new to online payments, the sheer amount of options seem paralyzing.

Wikipedia lists over 70 payment gateways, each having different terms, fees, and features.

Some handle a hundred transactions per month while others process the same amount each hour. Some of them have transparent pricing, some of them are full of “hidden fees”.

Let’s be real: there are a lot of pitfalls you can easily fall into if you’ve never dealt with payment gateways.

To make your life easier, I’ve made a list of 13 simple questions that will help you avoid them and make a better informed decision.

Understand how payment gateways work

The first thing you need to accept payments online is a payment gateway. It’s a digital equivalent to a point of sale terminal in a convenience store, a secure middleman between a customer’s credit card and your bank account.

The anatomy of online payment systems

The anatomy of online payment systems; source: formstack.com

A payment gateway collects and verifies the credit card details and checks if there’s enough money in the account. It then transfers the sensitive data between the user, you, and your bank. If everything is alright, the gateway completes the transaction and transfers the money to your account.

Without a payment gateway, you alone are responsible for collecting, storing, and processing extremely sensitive information.

To accept payments online, your application must comply with security standards like PCI DSS (Payment Card Industry Data Security Standard). Getting those certificates is a great hassle, especially for startups and small vendors.

Payment gateways process the sensitive data for you making PCI compliance much easier. In most cases, you can just integrate a gateway, set up HTTPS and validate your compliance with a Self-Assessment Questionnaire.

PCI DSS

Source: Data Center Post

To accept payments on the Internet, you’ll also need a merchant account. It accumulates money you receive from your app over the course of a day and then transfers the whole sum to your main account. This allows you to accept recurring payments as well as avoid making hundreds of deposits a day.

Consider 13 important things about payment systems

1. What vendor locations and currencies do they support?

  • First, ensure that the payment gateway supports both the country your business is located in and the currencies your users are comfortable paying with.
  • Next, check the types of cards supported by the payment service providers. Although the top gateways accept Visa, MasterCard, and American Express, they can turn down some of the popular local cards.
  • If you accept international payments, look for a gateway that supports this option and offers a multi-language UI. But beware of fees for multi-currency and cross-border payments as well as requirements to have a merchant account in a particular country.

2. What is their reputation and security?

Making purchases online means passing extremely sensitive information and a data breach could ruin your reputation.

Take, for example, the BlueSnap incident in which the gateway has apparently “lost” the credit card details of 324,000 clients including their CVV2 numbers (storage which violates PCI requirements).

  • Check if the system keeps the credit card data. You should know their reasons for doing so as well as how long this data stays in their system.

Note: to comply with GDPR, you must destroy the customer personal data after passing it to the payment gateway.

  • Сheck the provider’s reputation. Look through the reviews by both experts and regular users. With large companies, reviews are usually a mixed bag, but bad gateways tend to draw a lot of criticism.

You should also сheck social media. People often use Facebook and Twitter to vent their frustration and companies respond to questions and complaints.

OH NO DATA BREECHES

3. What anti-fraud tools do they offer?

The standard measures include:

  • Card Verification Value (CVV2), a security number consisting of 3 – 4 digits located on the customer’s card. Only cardholder should know this number;
  • Address Verification System (AVS) checks the cardholder’s address against the provider’s database.

Some payment systems have additional anti-fraud tools such as 3-D Secure, an extra authentication layer (typically, a password).

There can also be various filters monitoring suspicious activity, such as the abnormal number of incoming transactions from a single card/IP address. Such behavior may point to a criminal trying to max out a stolen credit card.

stripe-min

4. What are the fees?

Most payment gateways charge transaction fees (usually, 2-5% of the whole sum + a flat rate of 30 – 50 cents). The fees can also depend on the type of card (e.g debit or credit, enterprise or private).

Some gateways also collect monthly fees, often split into multiple tiers. The more features you use, the more you have to pay. Additionally, they may charge extra fees for services like scam detection, automatic billing or premium support. The amount may also depend on the size of your business and the projected number of monthly transactions.

Note: some providers charge an additional monthly fee for maintaining a merchant account.

The majority of gateways have steep chargeback fees as compensation for disputed transactions. Some will also charge a small fee for normal refunds.

Some systems have different tiers of security and customer support. If you go for the cheapest option, you may end up with pretty limited ways to contact the provider.

Remember that all gateways should have a PCI certificate as a baseline and only charge additional fees for extra security features.

Payment processing solutions may also charge fees for setup, batch processing, fund transfer, contract termination, re-billing, currency conversion, payment processing and more.

While some of these fees will be proudly listed on the provider’s website, others can be buried deep within its documentation. Email providers and ask them about any hidden fees.

5. Do you need a merchant account?

Some gateways, such as PayPal and Stripe, come with their own merchant accounts while others require you to open one yourself. Merchant accounts can be either dedicated (i.e. money stored there belongs to you and you only), or aggregate (i.e money on the account belongs to many vendors).

To open a dedicated account you’ll have to go through a drawn-out application process and a credit history check.

If your business is large, a dedicated account will give you more control over your funds. It will streamline your cash flow as you usually don’t have to wait more than two days to get money from a transaction.

If you process just a few hundred payments per month, an aggregate account will save you a lot of trouble. While you’d still have to provide some information about your company, payment systems won’t reject your request due to a bad credit history. So expect a faster setup, simpler fee structure, and a generic contract.

On the flipside, you’ll get paid less often (anywhere from five days to a whole month). With an aggregate account, your money is completely at the provider’s mercy. It can, for example, freeze your account in case of a dispute, or after a sudden spike in your revenue.

paypal screenshot

Finally, a card association might close an aggregate account if a lot of companies that use it show fraudulent behavior.

Note: some gateways will charge you additional fees if you open a merchant account in a US bank while your business is based overseas.

6. What kind of checkout do they provide?

Remember the last time you bought something in an online store only to be redirected to some shady page requiring you to enter your credit card details? This page is called a hosted gateway. A lot of small business owners prefer this type of checkout as it’s pretty easy to implement even without technical expertise.

But beware: a hosted gateway is bad from the UX point of view. You want your checkout experience to be as smooth as butter but redirects interrupt the flow and distract users. In the end, this can cost you a lot of conversions.

On the bright side, you can usually customize the appearance of the hosted gateway to match the design of your application.

A far better option is an integrated gateway. This way, your customers won’t ever need to leave your site to make a purchase. The gateway takes care of security while you get the air of credibility and professionalism.

paypal

Note: integrated gateways often require your site to comply with PCI DSS and have an SSL certificate. But with some providers like Braintree and Stripe, credit card data never hits your servers freeing you from the extra security requirements.

7. How well a payment system will work with your integrations?

Сonsider how easily you can integrate it with your shopping cart, accounting and billing solutions, CRM system, etc.

The best choice is a gateway that is already integrated with the products you use. If that isn’t an option, look for the services that provide open APIs, clear instructions, and comprehensive documentation.

8. When will you get your money?

Another thing to consider is the gateway’s payout policy. Payment systems accumulate money and transfer the whole sum to bank accounts at regular intervals. Some gateways pass money daily while others do this on a weekly or even monthly basis.

Delayed payouts may seriously disrupt your cash flow but at the same time, can make refunds easier.

9. Do they support recurring payments?

One of the advantages offered by payment gateways is the ability to automatically rebill your users.

To do this, the system has to store the credit card information of your users. In addition to encryption, some gateways add tokenization as another security level.

It turns the credit card number into a random value that is worthless outside of the system.

It’s impossible to decrypt a token and get a user’s credit card number.

But there’s a downside. As the gateway stores tokens instead of credit card information, it’s pretty hard to set up recurring bills. Hence some gateways, such as PayPal Standard and Google Checkout, don’t support re-billing.

10. Do they offer a card update feature?

Imagine you’ve lost your credit card. In a couple of days, the bank will issue a new сard and send you a notice to update all the recurring payments bound to the lost card.

The same can happen to your users, and if they ignore the reminder and don’t update the card information, you’ll lose a paying customer. Sounds bad, right?

Fortunately, a lot of payment services offer the option to automatically update the credit card information each time a user is issued a new card. This can save you a lot of money as your customers will continue making recurring payments from the lost and expired cards.

11. Can I take my data with me?

At some point, you might decide to leave your current payment gateway service for a better alternative. But will you be able to take your data with you? A lot of business owners skip this question and have to find this out the hard way.

You may, for example, discover that with PayPal you don’t own your data. You won’t get it back if you terminate the contract. In this case, you’ll have to beg your clients once more to give you their payment information.

So learn who owns the customer data before you pick a gateway. And while you’re at it, check how easy it’s to terminate the contract.

timoelliot com

12. What kind of customer support do they provide?

Cynic’s guide to life says that if something can go wrong, it will. One day you’ll need to contact the support center. It would be a pity if their hotline turns out to be an endless phone tree with some rage-inducing tune looping in the background.

Note that many payment services (such as Stripe) don’t have a phone line, so email may be your only way of contacting them.

That’s why it’s important to know the support options before you commit to a payment gateway. While you may not need a 24/7 live support, ensure you can actually contact a qualified manager in the time of need.

If you’re an international client, check whether the support is available during your business hours. Also, check if the gateway has an extensive FAQ and other self-help options.

But first, contact the support line and see for yourself how this experience will go.

13. Do they support high-risk merchants?

If you offer certain goods or services, providers may classify you as a high-risk merchant. You don’t have to sell weapons, sex-related goods, medicines, or e-cigarettes to end up in this category. This can also happen if you have an exceptionally bad credit history or your clients pose an increased risk of fraud. The exact criteria may vary from provider to provider but the result is the same.

The majority of payment gateways will outright reject high-risk merchants. And those who won’t, might exhibit/have/display outright predatory practices with higher fees, long-term contracts, early termination penalties, and nonexistent customer support.

Nevertheless, you can find some trusted and ethical payment gateways, such as Durango Merchant Services or Payline Data that specialize in high-risk clients (although you still should expect higher-than-average fees).

Make a choice

Now you’re ready to pick a reliable payment gateway for your web application. You can use these 13 questions as a guideline to discover which service suits you the best. Join me in the next part of MindK’s guide to payment systems for a comparison of the top gateway providers.

If you have trouble choosing the right payment processing service, you can always contact MindK. We’ve successfully integrated both international gateways, such as Stripe or PayPal, and local systems, such as Vipps (Norway) and PayEx (Scandinavia).

As always, we invite you to subscribe to get our articles fresh off the (Word)press.

CTA-banner-online-business

Subscribe to MindK Blog

Get our greatest hits delivered to your inbox once a month.
MindK uses the information you provide to us to contact you about our relevant content andservices. You may unsubscribe at any time. For more information, check out our privacy policy.

Read next

Outsourced IT department

Getting SaaSy: Winning SaaS Product Development Process in 10 Steps

Read more
HRIS Integration

How HR Digital Transformation Can Change the Workplace

Read more
Automation of Performance Management Process

Key Challenges Solved By Automation of Performance Management Process

Read more