from Starting + Sustaining.
by Garrett Dimon
be a scary thought. My goal here isn’t to recommend a specific vendor but rather to help you understand the payment processing ecosystem and the associated complexities so that you can efficiently make a decision without overlooking any features or limitations that may be important to you.
Understanding the Ecosystem
There are three primary components to accepting money for a hosted web application. They don’t necessarily correspond to vendors, but understanding how these components interact can help frame the conversation.
While not all providers fit nicely into buckets, we can loosely sort them into three groups. The first is what I’ll call “Logic Providers.” Logic providers can handle varying degrees of your billing logic, credit card forms, notifications, and even your virtual vault in some cases. They also serve as the API to your payment gateway. The second group is “Payment Gateways,” which provide an interface to your merchant account. (If you’re not familiar with payment
a bit.) The third group combines your logic and the gateway, and we’ll call them “hybrids” or “all-in-ones.” Hybrid vendors’ close coupling of your logic and the gateway can make them easier to work with, but you lose some flexibility in choosing your payment gateway or merchant account.
The combination of providers you choose depends on quite a few variables. Some of these variables, like geography, are likely out of your control. Others, like data portability or features, are aspects for which you can decide their importance to your business. Figure �.�� helps illustrate how the different components fit together. Keep in mind that this is intended as an overview rather than a precise representation of a payment system.
PCI Compliance
No matter how you accept payments, you’ll probably be required to meet some level of PCI compliance. (The payment card industry, PCI, has established a set of security standards for any business that deals with credit cards.) Ideally, you’ll only need to meet the most basic level of PCI compliance, which involves a simple questionnaire and yearly third-party security scan. The responsibility and effort required will vary based on how you implement your payment handling. Your best approach is to make sure that your customers’ credit data never touches your servers—fortunately, most payment processors make it easy to do this, minimizing your PCI compliance obligations. However you go about it, it’s something you’ll have to address.
[Figure: how the components of a payment system fit together. Labels: Your Application; Gateway “API”; Payment Processing; Merchant Account; User Experience; Developer Experience; Your Costs and Fees; Credit Card Forms; Email Notifications; Virtual Vault; Billing Logic; Logic Provider / Gateway Interface; Payment Gateways / Alternative Payments; Hybrid or Bundled Providers.]
Billing Logic and User Experience
Your billing logic includes pricing, coupons, discounts, payment methods, invoices and receipts, past due notices, billing frequency, upgrades and downgrades, renewals, your credit card form, and your billing-related email notifications. The more complex your billing requirements, the fewer choices you’ll have.
Many vendors can handle basic billing logic for subscriptions, but if you need to handle more complex situations like metered billing, special discounts, add-ons, or setup fees, you’ll want to extensively research each provider’s capabilities. From a development standpoint, the more of this that you can leave to your providers, the easier your life will be. But when it comes to user experience you may want to exercise more control over some of these aspects; naturally, the more control you want, the more work you’ll do.
Payment Gateway and Vault
You’ll need a payment gateway, which is how you’ll actually bill credit cards, and a virtual vault, which is where you’ll securely store credit card information. No matter how you choose to handle your billing logic and your user experience, this is the point where you’ll have no choice but to turn over some control to your vendors; that’s an unavoidable trade-off of simplifying your PCI compliance requirements. (And believe me, you don’t want them to be any more complicated than they have to be.)
You need to ensure that your servers never touch or see credit card information; instead, you’ll send the credit card information directly to your vendor of choice who will securely store it for you. There’re a few common ways to handle this from a technical standpoint, and different providers have varying levels of flexibility in how they need you to send the credit card information to them. We’ll cover these options later.
Merchant Account
You can think of a merchant account as a special bank account into which customers’ funds are deposited. With some payment processors, you might not have to worry about your merchant account at all; if your business requirements are simple, you can be up and running a lot faster if you can choose a payment gateway with a bundled merchant account.
There are, however, situations where you may want to choose your own merchant account—for instance, if you have significant volume, you may care about how much you’ll be paying in fees, or you may have a unique business that requires a close relationship with your merchant bank. If you choose your own merchant account, you’ll need to be aware that you’ll have fewer options for payment gateways and logic providers—and that can increase your development costs or otherwise complicate your business.
Choosing Your Providers
Now that you have some context, let’s dig into choosing your providers. The good news is that you have countless options and configurations that can help you design a payment processing solution that’s perfect for your business. The bad news is that you have countless options and configurations—and that can be a lot to wrap your head around.
Geography
With the myriad of challenges around credit card processing, bank accounts, currency conversion rates, taxes, and government restrictions, not all providers are available in all countries. So before you get too deeply into researching your options, you should make sure that all the vendors you’re considering are available in your country. This will probably be the easiest way to narrow down your choices. I had really wanted to include detailed geographic information here, but everyone that I spoke to said that the availability of these services is changing too rapidly and that the information would quickly be out of date.
À La Carte vs. Hybrid
After you consider geography, you’ll probably want to think about whether you want to go à la carte—separately choosing your logic provider, payment gateway, and possibly your merchant account—or whether you want to use a single provider to handle everything. If you were to choose a single hybrid provider, you’d simplify your implementation and your costs by removing the complexity of having to coordinate multiple vendors. But you’d also lose some flexibility as you wouldn’t be able to easily switch payment gateways or merchant accounts down the road; you may also have significantly less control over the details of your billing logic. On the other hand, your fees would be simpler, albeit slightly higher, and you’d only have to communicate with a single vendor.
If you were to take an à la carte approach, however, you’d not only gain the flexibility to choose your initial merchant account or gateway (or both), but you’d also make it easier on yourself if you were ever to need to change gateways or merchant accounts down the road. In addition to giving you flexibility, a logic provider also insulates you from the gateway. You’ll probably end up paying additional fees by using separate services, but you’ll gain flexibility and features. Depending on your business model, that may be a small price to pay relative to the benefits.
Costs and Fees
It can be easy to overlook credit card processing fees. An easy rule of thumb is to assume that about � percent of every transaction will go toward credit card processing fees; it’s usually less than that, but for planning and budgeting purposes, � percent is a good starting point. If you add a logic provider to your processing flow, you may have to pay another �–� percent or a monthly fee or both. All this adds up, but your logic provider’s fees will generally outweigh the costs of having to build your own billing system—and that can save you a ton of time.
[Figure: comparison of which providers cover User Experience, Recurring Billing Logic, Payment Gateway Interface, Virtual Vault, Payment Gateway, and Merchant Account. Providers shown: PayPal, Stripe, Braintree, PayMill, Pin Payments, ChargeBee, FuseBill, Recurly, Chargify, Spreedly, and Spreedly Core. Cell labels also include “Custom”, “Bundled”, “Choose Your Own”, and “(Your Gateway)”. Gateways listed: Braintree, Stripe, PayMill, Pin, PayPal, TrustCommerce, BeanStream, Authorize.net, QuickPay, PaymentExpress, Ogone, GoCardless, Dwolla.]
Custom Development
If you’re looking for increased control over the user experience and business logic, these components can often be custom built using the vendors’ APIs. But with some vendors, custom development may be your only option for some of their functionality.
Payment Gateways and Payment Types
Not all payment gateways are available through all logic providers. But for the sake of simplicity (and because the lists can change), I haven’t gone over which logic providers and gateways work together. You’ll need to verify that on your own when you select your providers.
Chargify and Data Portability
Since Chargify relies on your payment gateway to securely store credit card information, your data portability ultimately depends on your gateway’s data-portability policies.
Payment Gateway Flexibility
Vendors like Spreedly, Recurly and, to some extent, Chargify offer data portability along with the flexibility to change your payment gateway without having to update your application. Unfortunately, while Chargify works with multiple payment gateways, they rely on your gateway to store credit card information, so your data is only as portable as the gateway that you choose. For instance, you’d be all right if you were to use Chargify with Braintree, but if you were to use Chargify with Authorize.net, you wouldn’t be able to take your data with you.
One of the most flexible solutions is Spreedly, which insulates you not only from your payment gateway but also from any credit card storage requirements—the idea is that this lets you switch from one payment gateway to another with less effort. And there are advantages to being able to switch payment gateways as your business grows. For one thing, you’d have an easier time obtaining lower credit card processing rates. And you’ll have more options if you ever need to leave your current provider.
Merchant Account Flexibility
It may be tempting to view your merchant account as a commodity, but that can be a risky oversimplification for larger or more complex businesses. Ultimately, your merchant account provider bears the risk of your business. So some merchant account providers may be quick to freeze your funds or otherwise pull the plug on your business if everything doesn’t seem to be on the up and up. You may have heard stories of PayPal criticism in the last few years where they’ve hastily shut off their customers’ accounts and locked down their funds. Given the catastrophic impact that could have on your business, you want to do your best to find a merchant account provider that understands your business.
The more obvious reason to choose your own merchant account is to reduce the rates that you’re paying to process credit cards. Bundled providers like Stripe, PayPal, and Braintree will generally charge one rate across the board—usually in the neighborhood of �.� percent plus �� cents per transaction—while some merchant accounts may charge rates lower than that. Unless shaving half a percentage point off your rate were to translate into thousands of dollars in savings, you’d probably be better off if you were to
that there may quickly come a point where those savings could be worth it.
If you were to get a bundled payment gateway and merchant account, you wouldn’t be able to easily change merchant accounts in the future. Even if you were to design your application so that you could easily change payment gateways, you’d still have a significant amount of development work to do. If you choose a logic provider and rely on their API and user experience, you can effectively insulate yourself from your payment gateway and merchant account. That can make it easier in the long term if you ever need to change payment gateways.
Data Portability
Switching payment providers is probably second only to migrating between hosting companies in terms of complexity and inconvenience. It’s better than it used to be, and most good providers will do their best to help you, but you may want to consider whether your provider is on board with data portability before you sign up. Changing merchant accounts or payment providers is one thing, but if you can’t bring your current customer data with you, you could be in a tough spot.
Payment Type Flexibility
While credit and debit cards are common forms of payment, they aren’t the only game in town, especially in other areas in the world. So you may want to consider accepting other forms of payment. In particular, companies like Balanced, Dwolla, and GoCardless are beginning to show up, and they’re offering companies straightforward paths to accept additional types of payment as well as—in some cases—significantly lower rates and fees for processing payments. Whether you just want to save money on fees or offer additional payment options for your customers, you might want to consider using Spreedly. Your development effort will be more significant, but you’ll be setting yourself up for incredible flexibility.
User Experience
Your choice of payment processors can have a dramatic impact on your customers’ experience. Some providers allow more than enough control while other processors control not only the interface but also the email notifications that go to your customers. It can be disappointing to sign up for a payment processor only to later find out that you have very little control over what your customers see. On the other hand, you can save yourself significant amounts of time if you let your processor handle some of this.
You’ll have to decide for yourself, but if fine-grained control of your user experience is important to you, you’ll want to make sure that you understand how much control you’ll have over the interface and the notification emails. If I were just getting started today, I’d try to choose products that allowed for maximum control while offering sensible defaults. That would help us ship quickly while allowing us to circle back later to pull more of the control into our own application.
There are three ways in which payment providers accept credit card information and minimize your PCI compliance obligations:
1. Hosted Forms. With hosted forms, the provider hosts the credit card forms on their own web site. In some cases, you can control the appearance of these forms by making adjustments to their colors, fonts, or CSS. In all cases, however, your customers will see your payment provider’s web address in the address bar of their browser. This approach usually leaves you with the least control over your customers’ experience, but it also requires the least effort to set up.
2. Transparent Redirect. With transparent redirects, you host the
provider then processes it and sends the relevant data back to you. Naturally, since you host the form, you have complete control over its design and user experience. Technically, your customer is briefly sent to your provider’s server, but the redirect process is designed to be virtually transparent.
3. JavaScript. Some providers have JavaScript libraries that let you set up your forms similarly to the way transparent redirects work but using JavaScript so that the experience is completely seamless for your customers.
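The requirement that card data never touches your servers can also be enforced on the server side of the transparent-redirect and JavaScript approaches. The following Node.js check is an added example, not code from the book or from any provider's library: it accepts only an opaque token and rejects any request body that contains something resembling a card number. The field names (`payment_token`, `card_number` and so on) and the token format are assumptions.

```javascript
// Added example, not from the book. Field names and token format are assumptions.
const FORBIDDEN_FIELDS = /^(card[_-]?number|cc[_-]?num(ber)?|pan|cvv2?|cvc)$/i;
const TOKEN_FORMAT = /^[A-Za-z0-9_-]{8,128}$/;

// Luhn checksum, the check digit scheme used by payment card numbers.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// True when the value contains a 13-19 digit run (single spaces or dashes
// allowed between digits) that passes Luhn, i.e. it looks like a card number.
function looksLikeCardNumber(value) {
  const text = typeof value === "string" ? value : String(JSON.stringify(value));
  const runs = text.match(/\d(?:[ -]?\d){12,18}/g) || [];
  return runs.some((run) => luhnValid(run.replace(/[ -]/g, "")));
}

// Check a flat, already-parsed request body from the billing form.
// The result carries offending field NAMES only, never values, so it is safe to log.
function checkBillingRequest(body) {
  const fields = Object.entries(body)
    .filter(([name, value]) => FORBIDDEN_FIELDS.test(name) || looksLikeCardNumber(value))
    .map(([name]) => name);
  if (fields.length > 0) {
    return { ok: false, reason: "card data reached the server", fields };
  }
  if (typeof body.payment_token !== "string" || !TOKEN_FORMAT.test(body.payment_token)) {
    return { ok: false, reason: "missing or malformed token", fields: [] };
  }
  return { ok: true, token: body.payment_token };
}

// Constructed sample bodies (4111 1111 1111 1111 is a widely used test number).
const SAMPLE_TOKEN_ONLY = { payment_token: "tok_constructed_1a2b3c4d", plan: "monthly" };
const SAMPLE_RAW_CARD = { card_number: "4111 1111 1111 1111", cvv: "123", plan: "monthly" };
const SAMPLE_HIDDEN_PAN = { payment_token: "tok_constructed_1a2b3c4d", note: "card 4111-1111-1111-1111" };

for (const sample of [SAMPLE_TOKEN_ONLY, SAMPLE_RAW_CARD, SAMPLE_HIDDEN_PAN]) {
  console.log(checkBillingRequest(sample));
}
```

A rejected request is a sign that a form is posting card fields to your own server instead of to the provider, so log the field names and fix the form rather than passing the request on.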
Developer API
In addition to your customers’ experience, you’ll also want to consider your developers’ experience. Each provider offers an API, and some will be easier to use than others. Some providers officially support client libraries that make integration incredibly easy, but not all providers offer such a library or officially support them. If most of your interactions with a provider will be through their API, you’ll want to make sure that it’ll be easy for you to jump right in. I suggest taking their API for a test drive to make sure that you’re getting everything you hope for.
Billing Logic and Feature Complexity
Many apps can get by with incredibly simple billing logic—and in most cases, the simpler, the better. But not all applications have simple billing requirements. If you need metered billing, one-off or add-on charges, an affiliate program, extensive tax rules, coupons, discounts, or reporting, you may want to read up on the capabilities of your vendors. Dedicated logic providers like Recurly or Chargify often have extensive feature sets to handle some of this advanced functionality, but remember that you’ll be paying additional fees on top of your payment gateway’s fees to get these added features.
Payout Schedule
Depending on your payment processor and the cards you accept, you’ll generally be paid on a rolling basis—that is, you’ll get paid anywhere from one to fourteen days after your customer pays. Stripe, for instance, pays you seven days after receiving the money. If you were to bill your customers in daily batches—rather than a single batch each month—this type of delay wouldn’t have much of an impact since you’d be receiving regular deposits. If, however, you were to receive a lump sum once or twice a month, you’d need to have a solid grasp of the lead time between when your customers
your bank account.
Underwriting
Another consideration, depending on your timeline, is underwriting. While some providers offer instant or near-instant underwriting, others may take several days—or even longer in some situations. If you’re trying to set up your own merchant account, or if you have a business model that involves large or unusual transactions, you may find that the underwriting process can run on long enough to affect your schedule. It’s not necessarily a huge problem, but it’s something you should account for in any project planning. Just ask up front how long the underwriting can take—and remember, with underwriting, there’s no guarantee that your chosen provider will approve your account. Always have a backup plan, and be prepared for the process to take a little longer than you thought.
Daily or Monthly Billing
Should you run billing once a day or once a month? I’ve come across some people who prefer one and some people who prefer the other, but in my experience, daily is the way to go. You can help
your customers each day rather than trying to collect payments from all of your customers once a month. And if something ever were to go wrong with your billing, it’d also impact fewer of your customers.
Keep in mind that sending out invoices will invariably lead to some questions and support requests. And if you were to bill all of your customers on the same day, you’d be increasing your chances of a monthly spike in your support load. You’ll be better off if you can spread out those requests so that you can have a more predictable and manageable support workload.
Related Reading
I couldn’t possibly cover all the details here, so you’ll have to do a fair bit of legwork. Here’re some additional resources to help you dive into more details and help kickstart your search.
Understanding Online Payments—A great resource to help you learn about the nuances of choosing a payment provider.
JumpStartCC—Amy Hoy and Thomas Fuchs of Freckle provide a great overview of credit card processing and some of the lower-level technical details of accepting payments. It’s a couple of years old, but most of the data is still relevant.