You need to be able accept money online. And that can be a scary thought. My goal here isn’t to recommend a specific vendor, but rather to help you understand the payment processing ecosystem and the associated complexities so you can efficiently make a decision without overlooking any features or limitations that may be important to you.
Thankfully, payment processing is one of the areas where technology is improving by leaps and bounds. Legal and geographic matters play into it as well. As a result, all of this information is changing rapidly. This chapter isn’t an exhaustive list of providers or options. Instead, use it as a trail guide to help you evaluate and choose a provider that’s right for your business and situation.
Understanding the Ecosystem
There are three primary components to accepting money for a hosted web application. They don’t necessarily correspond to vendors, but understanding how these components interact can help frame the conversation.
While not all providers fit nicely into buckets, we can loosely sort them into three groups. The first I call logic providers. Logic providers can handle varying degrees of your billing logic, credit card forms, notifications, and even your virtual vault in some cases. They also serve as the API to your payment gateway. The second group is payment gateways, which provide an interface to your merchant account. (If you’re not familiar with payment gateways or merchant accounts, that’s OK–we’ll go over those later.) The third group combines your logic and the gateway, and we’ll call them hybrids or all-in-ones. Hybrid vendors’ close coupling of your logic and the gateway can make them easier to work with, but you lose some flexibility in choosing your payment gateway or merchant account.
The combination of providers you choose depends on quite a few variables. Some of these, like geography, are likely out of your control. Others, like data portability or features, you can evaluate as to their importance to your business. (Figure 1)
No matter how you accept payments, you’ll probably be required to meet some level of PCI compliance. (The payment card industry (PCI) has established a set of security standards for any business that deals with credit cards.) Ideally, you’ll need to meet only the most basic level of PCI compliance, which involves a simple questionnaire and an annual third-party security scan. The responsibility and effort required will vary based on how you implement your payment handling. Your best approach is to make sure that your customers’ credit card data never touches your servers–fortunately, most payment processors make it easy to do this, minimizing your PCI compliance obligations. Regardless of your approach, it’s something you’ll have to address.
Billing Logic and User Experience
Your billing logic includes pricing, coupons, discounts, payment methods, invoices and receipts, past due notices, billing frequency, upgrades and downgrades, renewals, your credit card form, and your billing-related email notifications. The more complex your billing requirements, the fewer choices you’ll have.
Many vendors can handle basic billing logic for subscriptions, but if you need to handle more complex situations like metered billing, special discounts, add-ons, or setup fees, you’ll need to extensively research each provider’s capabilities. From a development standpoint, the more of this you can leave to your providers, the easier your life will be. But when it comes to user experience, you may want to exercise more control over some of these aspects; naturally, the more control you want, the more work you’ll do.
Payment Gateway and Vault
You’ll need a payment gateway, which is how you’ll actually bill credit cards, and a virtual vault, which is where you’ll securely store credit card information. No matter how you choose to handle your billing logic and your user experience, this is the point where you’ll have no choice but to turn over some control to your vendors; that’s an unavoidable trade-off of simplifying your PCI compliance requirements. (And believe me, you don’t want them to be any more complicated than they have to be.)
You must ensure that your servers never touch or see credit card information; instead, you’ll send the credit card information directly to your vendor of choice who will securely store it for you. You have a few options on how to handle this from a technical standpoint, and different providers have varying levels of flexibility in how you send the credit card information to them. we’ll cover these options later.
You can think of a merchant account as a special bank account into which customers’ funds are deposited. With some payment processors, you might not have to worry about your merchant account at all; if your business requirements are simple, you can be up and running a lot faster if you can choose a payment gateway with a bundled merchant account.
There are, however, situations where you may want to choose your own merchant account–for instance, if you have significant volume, you might care about how much you’ll be paying in fees, or you may have a unique business that requires a close relationship with your merchant bank. If you choose your own merchant account, you’ll need to be aware that you’ll have fewer options for payment gateways and logic providers–and that can increase your development costs or otherwise complicate your business. (Figure 2)
Choosing Your Providers
Now that you have some context, let’s dig into choosing your providers. The good news is that you have countless options and configurations that can help you design a payment processing solution that’s perfect for your business. The bad news is that you have countless options and configurations–and that can be a lot to wrap your head around.
With the myriad of challenges around credit card processing, bank accounts, currency conversion rates, taxes, and government restrictions, not all providers are available in all countries. So before you get too deep into researching your options, you should make sure that all the vendors you consider are available in your country. This will probably be the easiest way to narrow down your choices in the first instance. I had really wanted to include detailed geographic information here, but everyone I spoke to said the availability of these services is changing too rapidly and the information would quickly be out of date.
Stripe, in particular, has been aggressively expanding its geographic options. Stripe has also created Stripe Atlas which makes it easier for businesses to incorporate in the U.S. and thereby increase access to services otherwise limited to companies based in the U.S.
Your customers’ location could play into this as well. In some countries, credit cards are much less common. In these cases, PayPal is usually the most common option, but offering additional payment methods like automated clearing house (ACH) or digital currencies could help as well. With Sifter, we received regular requests for PayPal as a payment option from customers who didn’t use credit or debit cards. However, PayPal has been notorious for withholding money from businesses, so I was uncomfortable trusting them as a partner. However, every situation is different. Just be aware that if you only accept credit cards as payment, you may be turning away a significant number of potential customers.
À La Carte vs. Hybrid
After you consider geography, you’ll probably want to think about whether you want to go à la carte–separately choosing your logic provider, payment gateway, and possibly your merchant account–or whether you want to use a single provider to handle everything.
If you were to choose a single hybrid provider, you’d simplify your implementation and your costs by removing the complexity of having to coordinate multiple vendors. But you’d also lose some flexibility, as you wouldn’t be able to easily switch payment gateways or merchant accounts down the road; you may also have significantly less control over the details of your billing logic. On the other hand, your fees would be simpler–albeit slightly higher–and you’d only have to communicate with a single vendor.
If you were to take an à la carte approach, however, you’d not only gain the ability to choose your initial merchant account or gateway (or both), but you’d also make it easier on yourself if you were ever to need to change gateways or merchant accounts. In addition to flexibility, a logic provider also insulates you from the gateway. You’ll probably end up paying additional fees by using separate services, but you’ll gain adaptability and features. Depending on your business model, that may be a small price to pay relative to the benefits.
Costs and Fees
It can be easy to overlook credit card processing fees. An easy rule of thumb is to assume that about 3% of every transaction will go toward credit card processing fees; it’s usually less than that, but for planning and budgeting purposes, 3% is a good starting point. If you add a logic provider to your processing flow, you may have to pay another 1–3% or a monthly fee, or both. All this adds up, but your logic provider’s fees will generally outweigh the costs of having to build your own billing system–and that can save you a ton of time.
Payment Gateway Flexibility
Vendors like Spreedly, Recurly and, to some extent, Chargify offer built-in data portability along with the flexibility to change your payment gateway without having to update your application. Unfortunately, while Chargify works with multiple payment gateways, it relies on your gateway to store credit card information, so your data is only as portable as the gateway that you choose. For instance, you’d be all right if you were to use Chargify with Braintree, but if you were to use Chargify with Authorize.Net, you wouldn’t be able to take your data with you. These rules and practices are in constant flux, though, so research them in case things have changed since this was written.
One of the most flexible solutions is Spreedly, which insulates you not only from your payment gateway but also from any credit card storage requirements–the idea is that this lets you switch from one payment gateway to another with less effort. And there are advantages to being able to switch payment gateways as your business grows. For one thing, you’d have an easier time obtaining lower credit card processing rates. And you’ll have more options if you ever need to leave your current provider.
Merchant Account Flexibility
It may be tempting to view your merchant account as a commodity, but that can be a risky oversimplification for larger or more complex businesses. Ultimately, your merchant account provider bears the risk of your business. Some merchant account providers may be quick to freeze your funds or otherwise pull the plug on your business if everything doesn’t seem to be on the up and up. You may have heard criticism of PayPal in recent years, where they hastily shut off customer accounts and locked down their funds. Given the catastrophic impact that could have on your business, you want to do your best to find a merchant account provider that understands your business.
The more obvious reason to choose your own merchant account is to reduce the rates you’re paying to process credit cards. Bundled providers like Stripe, PayPal, and Braintree will generally charge one rate across the board–usually in the neighborhood of 2.9% plus 30 cents per transaction–while some merchant accounts may charge rates lower than that. Unless shaving half a percentage point off your rate were to translate into thousands of dollars in savings, in your early days you’re probably better off sticking with a simpler solution. But keep in mind there may quickly come a point where those savings could be worth it.
With a bundled payment gateway and merchant account, you won’t be able to easily change merchant accounts in the future. Even if you were to design your application so you could easily change payment gateways, you’d still have a significant amount of development work to do. When you choose a logic provider and rely on their API and user experience, you can effectively insulate yourself from your payment gateway and merchant account. That can make it easier in the long term if you ever need to change payment gateways.
Switching payment providers is probably second only to migrating between hosting companies in terms of potential complexity and inconvenience. It’s better than it used to be, and most good providers will do their best to help you, but you should consider whether your provider is on board with data portability before you sign up. Changing merchant accounts or payment providers is one thing, but if you can’t bring your current customer data with you, you’ll be in a tough spot.
Payment Type Flexibility
While credit and debit cards are common forms of payment, they aren’t the only game in town, especially in other areas in the world. Consider accepting other forms of payment like ACH or digital currencies. Companies like Dwolla, and GoCardless focus on other payment methods, and they offer straightforward paths to accept additional types of payment, as well as–in some cases–significantly lower rates and fees for processing payments. Braintree, Stripe, and others have also expanded their payment options and can support ACH and digital currencies. Their degree of support varies, though, and you’ll still need to explore exactly how it works to make sure the effort to support the other forms of payment is worth it.
Digital currency is a rapidly growing payment option. Similarly, supporting alternatives like Apple Pay and Google Pay could also be worthwhile depending on your business. These are still powered by credit cards behind the scenes, but they can definitely make it easier on your customers in the right contexts.
In most cases, I’d advise choosing a vendor that will more easily enable you to accept other forms of payment, but don’t worry about supporting them all out of the gate. Instead, launch with the bare minimum payment options that your business needs to be viable, and then expand the options as customer demand dictates.
Whether you just want to save money on fees or offer additional payment options for your customers, you might want to consider using Spreedly. Your up-front development effort will be more significant, but you’ll be set up for incredible flexibility between providers.
Your choice of payment processors can have a dramatic impact on your customers’ experience. Some providers allow more than enough control, while other processors oversee not only the interface but also the email notifications that go to your customers. It can be disappointing to sign up for a payment processor only to later find out that you have very little influence over what your customers see. On the other hand, you can save yourself significant amounts of time if you let your processor handle some of this.
You’ll have to decide for yourself, but if fine-grained control of your user experience is important to you, you’ll want to make sure you understand how much control you’ll have over the interface and the notification emails. If I were to be just getting started today, I’d try to choose products that allowed for maximum control while offering sensible defaults. That would help us ship quickly while allowing us to circle back later to pull more of the control into our own application.
There are three ways in which payment providers accept credit card information and minimize your PCI compliance obligations:
- Hosted Forms. With hosted forms, the provider hosts the credit card forms on its own website. In some cases, you can change the appearance of these forms by adjusting colors, fonts, or CSS. In all cases, however, your customers will see your payment provider’s URL in the address bar of their browser. This approach usually leaves you with the least control over your customers’ experience, but it also requires the least effort to set up.
- Transparent Redirect. With transparent redirects, you host the form on your site, but when your customer submits the form, the data is sent to your provider instead of your servers; your provider then processes it and sends the relevant data back to you. Naturally, since you host the form, you have complete control over its design and user experience. Technically, your customer is briefly sent to your provider’s server, but the redirect process is designed to be virtually transparent.
In addition to your customers’ experience, you’ll also need to think about your developers. Each provider offers an API, and some will be easier to use than others. Some providers officially support client libraries that make integration incredibly easy, but not all providers offer such a library or officially support them. If most of your interactions with a provider will be through its API, make sure it will be easy for you to jump right in. Take the API for a test drive to check you’re getting everything you hope for.
Billing Logic and Feature Complexity
Many apps can get by with incredibly simple billing logic–and in most cases, the simpler, the better. But not all applications have simple billing requirements. If you need metered billing, one-off or add-on charges, an affiliate program, extensive tax rules, coupons, discounts, or reporting, read up on the capabilities of your vendors. Dedicated logic providers like Recurly or Chargify often have extensive feature sets to handle some of this advanced functionality, but remember that you’ll be paying additional fees on top of your payment gateway’s fees to get these extra features.
Depending on your payment processor and the cards you accept, you’ll generally be paid on a rolling basis–that is, you’ll get paid anywhere from one to fourteen days after your customer pays. Stripe, for instance, pays you seven to ten days after receiving the money, but this time period with Stripe can be much shorter depending on your business and geographic location. If you can bill your customers in daily batches–rather than a single batch each month–this type of delay won’t have much of an impact, since you’d be receiving regular deposits. If, however, you were to receive a lump sum once or twice a month, you’d need to have a solid grasp of the lead time between when your customers pay you and when that money becomes available in your bank account.
Another consideration, depending on your timeline, is underwriting. While some providers offer instant or near-instant underwriting, others may take several days–or even longer in some situations. If you’re trying to set up your own merchant account, or if you have a business model that involves large or unusual transactions, you may find that the underwriting process can run on long enough to affect your schedule. It’s not necessarily a huge problem, but it’s something you should account for in any project planning. Just ask up front how long the underwriting can take–and remember, with underwriting, there’s no guarantee your chosen provider will approve your account. Always have a backup plan, and be prepared for the process to take a little longer than you thought.
Daily or Monthly Billing
Should you run billing once a day or once a month? I’ve come across people who prefer one and people who prefer the other, but in my experience, daily is the way to go. You can help ensure a steady cash flow by collecting payments from some of your customers each day rather than trying to collect payments from all of your customers once a month. And if something were to go wrong with your billing, it’d also affect fewer of your customers.
Keep in mind that sending out invoices will invariably lead to some questions and support requests. And if you were to bill all of your customers on the same day, you’d increase your chances of a monthly spike in your support load. Better to spread out those requests so you can have a more predictable and manageable support workload.
Fraud Protection Tools
Unfortunately, fraud is very real and very common. You’ll likely need to implement any significant fraud mitigation logic within your own codebase, but you can also lean on the fraud protection provided by your payment processor. The quality and functionality of fraud tools varies by provider, but it’s something worth paying attention to as you evaluate them. I’ll cover detailed suggestions for fighting fraud and spam in a later chapter.
Taxes are complicated. They’re so complicated that several services have popped up specifically to help with sales tax calculations. If sales tax is relevant for your business, you’ll need to find out which ones are best for you. You should also consider how well they work with your payment processor. Does the payment processor make it easy to include tax? Will it require you to write more billing logic?
If you’re not sure if sales tax is relevant to your business and geographic location, get professional advice from your accountant and lawyer before making any assumptions one way or the other. Make it a conscious decision and not something you ignore.
Understanding Online Payments A great resource to help you learn about the nuances of choosing a payment provider.
JumpStartCC Amy Hoy and Thomas Fuchs of Freckle provide a great overview of credit card processing and some of the lower-level technical details of accepting payments. It’s a couple of years old, but most of the data is still relevant.
Sales Tax by State: Is SaaS taxable? This is a bit of a pitch by TaxJar, but it’s still a solid reference to help you understand sales tax on a state-by-state basis.