An online store is a delicate thing. Even the slightest variation in the design of a landing page or the placement of a call to action can derail the whole online sales process. But it’s the logistics of accepting payments that is the most important aspect of running an online store. It’s essential that you get it right.
This is where payment gateways come into play. A payment gateway is a service provided by a bank or financial institution that’s designed to take the reins after a customer has entered their credit card details.
There are effectively two basic forms of payment gateway, and each presents a significantly different user experience. The first is on-site payments, in which the entire transaction process is hosted on your website, allowing for continuity from the moment they click onto your landing page to the second they hit the ‘buy button. The second is third-party, or off-site payments which involve directing customers to a separate website for payment processing. This is commonly the route taken by businesses that rely on services like PayPal or eBay. It’s by no means less efficient or secure but does affect the continuity of the online sales pipeline.
The main consideration you should have when choosing a payment gateway is the user’s experience – whether you want to keep them on the site for the duration of the purchase, or if you’re comfortable directing them to a third-party page for payment processing.
Most payment gateways offer a dedicated piece of software called an API (application programming interface) that integrates with the on-site transaction software that your store uses. When it comes time for customers to part with their credit card number, these details are punched directly into the API, which acts as a secure channel between the site and your business’s bank account. By using a payment gateway in this fashion, a customer isn’t directed off-site at any stage during the transaction process, allowing you to build trust by maintaining continuity throughout the online sales funnel.
“It really comes down to control over that user experience. A lot of businesses want to retain the user on their site to complete the entire transaction so they can do other things like cross-selling and upsell, and really provide that sense of a holistic experience,” explains Jarrod Dumble, co-founder of online consultancy Ventiv. “So the business is basically saying to the customer ‘We are taking care of everything.’ Rather than,’ Tell us what you want to buy and we’ll flick you off somewhere else.’ It really just comes down to brand perception.”
The other option is to collect the customer’s details on-site, and to then direct them to a third-party page (like PayPal or eWay) to actually process the payment. While this is a cheaper alternative to hosting all payments on-site, it can present a barrier to customers in the transaction pipeline.
“Basically, you’re not maintaining a single user experience,” says Dumble. “You’re kind of passing them off to someone else to complete the transaction.”
Despite the potential for disruption in continuity, services like PayPal are widely recognized and trusted with respect to secure payment processing. While it may present an inconvenience for those without a PayPal account, directing customers offsite to finish the transaction isn’t unlikely to present a major hurdle for those familiar with the process.
Adam McArthur is the CEO of News Ticketing, the company responsible for both Moshtix and Foxx. He explains that his business opts for the use of an in-site API, which then links to two merchant bank accounts as a failsafe measure in case of overwhelming traffic spikes.
“There are options where you can push off to a third-party site, which is the cheapest and easiest to do. But we wanted to integrate it into our site so that users had the seamless experience,” he says.
“My strong suggestion would be, rather than try and build one of these things yourself, is to connect to a commercial, third-party payment gateway. That’s all they do. They’re experts in managing payment.”
Although all payment gateway providers will profess to offer some degree of security, there are a few essential things to look for when weighing alternatives. Firstly, the service you choose needs to be compatible with the Payment Card Industry Data Security Standard, or PCIDSS. This is a standard developed by major credit card providers that outlines for online stores the security measures that need to be taken when handling credit card details.
“The easiest way to avoid any kind of complications with PCIDSS is to not store any credit card information on your site whatsoever,” says Ventiv’s Dumble.
By getting customers to enter their details into your site as opposed to a third-party gateway, the responsibility for keeping those details securely encrypted and firewall-protected implicitly lies with your business. It’s much simpler and safer to let an organization well-versed in the intricacies of PCIDSS handle the customer’s sensitive financial data.
“It’s fine to present a form to a customer and ask them for their credit card information, but as soon as you capture that on your server, you pass it straight off to the payment gateway, and they will send you back a token which says the payment is successful,” says Dumble. “But you have not, as a site owner, stored the credit card information at all.”
This minimizes the risk of security breaches between the website and your merchant account, but there’s still the possibility of trouble between your site and the customer’s web browser. In addition to the inbuilt security of the payment gateway’s API, it is still vital to use an SSL (secure socket layer) security certificate for interactions between the customer’s browser and your site. Not only does this add extra precaution, but it can also work to alleviate any apprehensions the customer might have about buying online. The presence of SSL during a transaction is usually indicated by a padlock in the navigation bar of a browser and is commonly accompanied by the ‘security seal’ of the company providing it.
“It’s still very important from a user perception to have all that connectivity under SSL so that in your browser you can see the small padlock,” says Dumble. “Users look at that and they instantly get that feeling of protection, rather than having an open form with no padlock, in which case they’re more reluctant to put in their credit card number because they know it’s an unprotected channel between the browser and the website.”
News Ticketing’s McArthur reports that security has been a major concern for the company, which has seen a significant spike in credit card fraud and chargebacks this year. He claims the key to dealing with this lies in the features offered by the business’s elected payment gateway that allows it to tailor the nature of payments made online.
“With a good third-party payment gateway, you can specify a whole lot of security checks where you basically program the payment gateway,” he says. “That’s the value of a third-party payment gateway: you don’t have to build that kind of security verification into your own software.”
McArthur explains that to avoid fraudulent transactions, Moshtix and Foxtix use the gateway to block international cards and IP addresses, limit the number of transactions per card and also curb the size of individual transactions.
“Basically, you get a web interface that you can just log into and set these criteria. It’s all about providing control in your business based on the policies that you have,” he says. “You don’t have to have programming expertise. Anyone can go in there and just create or manage their conditions or the transactions that they want to let through or control.”
It’s also wise to ensure that any gateway you choose integrates with the transaction software in place on your site.
“It’s to do with your shopping cart and the e-commerce solution that you’re hosting, and how well it integrates with your inventory or point of sale systems,” says Ventiv’s Dumble.
“You really do need to marry up the choice of which payment gateway you’re going to choose based on price, features, and security, and what shopping cart you’ve got within the e-commerce solution that you’ve got.”
The last major thing businesses should look for in a payment gateway is the variety of credit cards accepted.
“American Express and Diners are good to have, but the thing to keep in mind is that payment gateway and potentially even the merchant bank account that you’re going to get, they may charge you additional processing fees for them,” says Dumble.
Make your online payment processing safe with Netregistry’s real-time credit card processing.