A guide for accepting online payments for Hertfordshire eMarketplace Providers
9 June 2012 Commercial in Confidence
CONTENTS
Background
Accepting online payments
Online payment terminology
Acquirers
Internet merchant accounts (IMAs)
Payment service providers (PSPs)
Shopping Cart
Payment Card Industry Data Security Standard compliance (PCI)
Selecting an Internet Merchant Account (IMA)
Beware of fraud
The costs
PSPs integrated into the Hertfordshire eMarketplace
Data Protection
PCI / DSS
Some scenarios to consider:
I have never traded online or taken a card
I can take card payments on the phone but have never traded online
I already trade online
I have a PSP not on the list
Background
As a valued provider to Hertfordshire County Council you have been selected to be on the Hertfordshire eMarketplace. This involves being given an eCommerce website that will allow you to sell your services to Hertfordshire citizens and gives you control over the content visible and trading settings that are relevant to you. This is free of charge as long as it is only used for transacting with the Hertfordshire eMarketplace.
Step by step information will be given to guide you through this process but as many of you may be unfamiliar with taking payments online, this document deals specifically with the process of accepting online payments.
Unless you are absolutely clear about merchant accounts and what you need for the Herts eMarketplace, please make sure you read this document carefully.
Accepting online payments
For many small businesses, accepting payments online offers major benefits. Customers increasingly expect this facility and it can improve your cashflow significantly.
Buyers often use the internet for a speedy service; most sales are paid for with credit and debit cards. To accept cards online, you will have to make special banking arrangements.
Online payments using cards are 'card-not-present' transactions. There are higher risks of fraud with this type of payment and banks require you to operate within a well-defined set of rules and accept a higher level of commercial risk than a conventional swiped card transaction in a shop.
It’s important to understand that there are two components for taking online card payments. The first is an internet merchant bank account (IMA) and the second is a payment service provider (PSP). An internet merchant account is not the same as your business bank account.
This guide will help you to understand these requirements and assess the options available for taking advantage of online payments.
Online payment terminology
Debit and credit card payments and their application online involve some key concepts and terminology.
Acquirers
An acquirer can be a high street bank or other financial institution that offers credit and debit card accepting/processing services. It acquires the money from the customer, processes the transaction and credits your account.
Internet merchant accounts (IMAs)
To trade online you need a business bank account and a merchant bank account (these are not the same thing).
Obtaining an IMA from an acquirer may be quicker and easier if you already have 'offline'
with internet transactions. This process is normally quick, especially if the risk to your business does not change.
To help protect merchants and cardholders from fraud, the card schemes have developed a service that allows cardholders to authenticate themselves when shopping online. MasterCard's is called MasterCard SecureCode and Visa's is Verified by Visa.
Payment service providers (PSPs)
You need a payment gateway (from a payment service provider) to securely accept card payments online.
A PSP will provide you with a 'virtual' till or terminal that collects card details over the internet and passes them to the acquiring bank. To take electronic payments over the web, you will need a PSP.
Your choice of PSP will depend on its cost and compatibility with your chosen e-commerce software solution. Usually the higher your transaction volume the lower the rate you will be charged.
Some acquiring banks offer PSP services as part of their product and there are other less expensive options available.
Shopping Cart
Part of the offering from Hertfordshire County Council is an eCommerce website with an off-the-shelf shopping cart included.
Payment Card Industry Data Security Standard compliance (PCI)
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide security standard developed to protect cardholders' personal information. It includes requirements for security management, network architecture, software design, security policies and procedures, and other protection of customer account data. The standard is applicable to any organisation that stores, transmits or processes cardholder information.
The Payment Card Industry (PCI) Security Standard Council encourages businesses to comply with PCI DSS and become certified to help reduce financial risks from data compromises.
All eCommerce websites on the @UK marketplace benefit from their PCI/DSS certification, which allows secure payment flows between the buyers’ and the suppliers’ bank accounts.
Selecting an Internet Merchant Account (IMA)
An internet merchant account (IMA) is a type of account that enables you to accept customers' credit and debit card payments directly online.
Several banks and processors offer IMAs. These are referred to as merchant acquirers or acquiring banks. Even if you already have a merchant account for face-to-face transactions, you will still need one specifically to accept online payments directly from customers' credit or debit cards.
Card users will visit your internet shop to order your goods or services and make payments, and the funds will usually be in your bank account after three or four working days.
Beware of fraud
Online card payments are classed as 'card-not-present' transactions, because you can't physically check the card or the cardholder. If a transaction proves to be fraudulent, the money will be reclaimed from your bank account - this is known as a chargeback. Even if a card-not-present transaction is authorised by the cardholder's bank, this doesn't necessarily guarantee payment.
To help guard against fraud, where a cardholder claims that they did not authorise a payment, check to see if your online payment card processor can offer the card scheme's authentication service: MasterCard SecureCode and Verified by Visa.
The costs
Acquiring banks will charge for their services. There may be a sign-up fee, and day-to-day charges may be a fixed fee in the case of debit card transactions or a percentage of each transaction for credit cards.
In addition, where you are using a payment service provider, they will charge you for their service. Online payments are processed by acquiring banks. Currently, businesses can open an internet merchant account (IMA) with the following acquiring banks to receive payments from credit and debit cards:
• Check the type and length of contract
• Requirement to be able to process pre authorisation payments (deferred)
PSPs integrated into the Hertfordshire eMarketplace
The PSPs below can be used for the Hertfordshire eMarketplace. If you already have a merchant account it is possible that you will not need a new one, but you will need to ensure it is compatible with one of the following:
• Sagepay
• Realex Global Iris
• Barclays ePDQ
Please note that different merchant account and PSP providers have different charges and lengths of contract (for example, for some the contract may be for 24 months, while others may offer a 3 month cancellation).
We have also provided you with a document which provides details on how to set up a merchant account with Sagepay, which traditionally offers a 3 month cancellation.
However, please note that you are free to choose any merchant account provider that is compatible with the PSPs listed above. The cancellation period specified is only guidance, and you should check this with whichever provider you choose, as offers can change over time.
Data Protection
@UK is registered under the Data Protection Act 1998 and is committed to upholding the principles and obligations of information handling.
PCI / DSS
Your merchant account provider and payment service provider will need to know that your website allows secure payment flows. You can let them know that all eCommerce websites on the @UK marketplace benefit from PCI/DSS certification.
Some scenarios to consider:
I have never traded online or taken a card:
You should apply directly for an Internet Merchant Account and discuss your requirements with the acquiring bank. You will need to make sure that you include a PSP in whatever solution you decide to implement.
I can take card payments on the phone but have never traded online
Your business already accepts debit and credit card payments for face-to-face transactions.
You should apply directly for an IMA and discuss your requirements, including whether their solution includes a PSP, with the acquiring bank.
I already trade online
Firstly, you need to establish whether your existing Payment Service Provider (PSP) can be set up in pre-authorisation mode because this is a requirement of the Hertfordshire eMarketplace.
You will then need to let your existing PSP know where payments will be coming from. You can do this by logging into your PSP online portal and adding @UK’s IP address 080.064.053.015 and subnet mask 255.255.255.000. Typically, you will find this on the Technical tab once you have logged into your PSP website.
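The address and mask above are written with zero-padded octets, which some parsers read as octal or reject outright. The following added example (not part of the original guide) reads them as decimal, derives the network the allowlist entry actually covers, and checks source addresses against it; the function names and the two sample source addresses are constructed for illustration.

```python
import ipaddress

def parse_padded_quad(text):
    """Read a dotted quad as decimal octets, tolerating zero padding such as '080'."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {text!r}")
    octets = []
    for part in parts:
        if not (part.isascii() and part.isdigit() and len(part) <= 3):
            raise ValueError(f"bad octet {part!r} in {text!r}")
        value = int(part, 10)  # always base 10, never octal
        if value > 255:
            raise ValueError(f"octet out of range: {part!r}")
        octets.append(value)
    return ipaddress.IPv4Address(bytes(octets))

def octal_reading(octet):
    """Value a parser that treats a leading zero as octal would produce (None if it rejects)."""
    if len(octet) > 1 and octet.startswith("0"):
        try:
            return int(octet, 8)
        except ValueError:
            return None
    return int(octet, 10)

def allowlist_network(address_text, mask_text):
    """Combine the address and subnet mask into the network the entry covers."""
    address = parse_padded_quad(address_text)
    mask = parse_padded_quad(mask_text)
    # strict=False: the guide gives a host address, not the network base address.
    return ipaddress.IPv4Network((address, str(mask)), strict=False)

def is_allowed(source_ip, network):
    """True if a request's source address falls inside the allowlisted network."""
    return ipaddress.IPv4Address(source_ip) in network

if __name__ == "__main__":
    net = allowlist_network("080.064.053.015", "255.255.255.000")
    print(net, "covers", net.num_addresses, "addresses")
    for src in ("80.64.53.200", "80.64.54.15"):  # constructed sample sources
        print(src, "allowed" if is_allowed(src, net) else "blocked")
    # How an octal-aware parser would see each octet as printed in the guide
    print([octal_reading(o) for o in "080.064.053.015".split(".")])
```

Because the mask is 255.255.255.0, the entry trusts every address in the /24 rather than one host, so confirm in the PSP portal that the stored value matches the decimal reading.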
I have a PSP not on the list
If your PSP is not listed, you will not be able to use this on the @UK marketplace. Please talk to your IMA provider to confirm whether you can use the PSPs on the list above.
Checklist: applying for an internet merchant account
Banks that offer internet merchant accounts (IMAs) for accepting card payments have strict requirements. When you apply for an IMA, the bank will want to know certain details about you and your business. You may need to:
• outline your business plan - including details of your cashflow and how you'll promote your online activities
• supply your website address
• explain the details of your product or service
• describe how you will deliver your product or service
• set out your terms and conditions for online trading
• work out your expected average online transaction values, your estimated turnover from online sales and your predicted number of credit and debit card transactions
• provide details of the secure server you'll use (this is @UK’s secure server)
• supply your bank details and provide authority to the bank to carry out a check with credit reference agencies
• detail your trading history