Taking Payments Online


Myth Busters

OK, before we proceed, it is probably a good idea to dispel a few security myths that have been around since e-commerce began.

When people started to use their cards online, quite a few lazy hacks wrote a lot of stories along the same lines – if you enter your credit or debit card details on a payment page on a website you would lose everything, etc.

If this were really the case, e-commerce would never have grown and Amazon would still be a friends & family sized start-up, not the tax dodging mega-corp it is now. So back to reality, here is how it works:


The Secure Payment Process

When someone buys something from a website they go through a secure payment page. You can tell a secure payment page because the beginning of the web address changes from “http” to “https” – meaning secure.

This means the details you enter on the payment page are encrypted before they go from you to the bank or payment provider that receives the payment details.

For the encryption process imagine the following:

1. A door key split into two pieces

2. You keep the first piece of the key; this piece remains private and secret on your server.

3. The party receiving the payment information receives the second piece.

4. When you send the sensitive information via https all the information sent is encrypted.

5. Only the second piece of the key can decrypt the sensitive information encrypted with the first part of the key.

6. As the information is only passed when encrypted, it cannot be read by anyone else. Also, the holder of the second key can decrypt the information, but still does not know the details of the first key. All it knows is that the information can only have come from the server with the first key – so the information is secure and can be trusted.

7. The encrypted information is effectively protected by 300,000,000,000,000,000,000,000,000,000,000,000 possible key combinations, and only one of them will decrypt the information. You also need the first part of the key, and that remains secure throughout the entire process.
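The two-piece key described in the steps above, as an added example (not from the original article): textbook RSA in Python with tiny constructed primes so the numbers stay readable. The function names are illustrative, and a real https connection uses far larger keys and standard, padded algorithms rather than this byte-by-byte toy.

```python
# Added illustration: textbook RSA with tiny constructed primes.
# Toy numbers only; real HTTPS uses far larger keys and padded algorithms.
from math import gcd

def make_key_pair(p, q, e=17):
    """Build the two linked key pieces from two primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must share no factor with (p-1)*(q-1)")
    d = pow(e, -1, phi)              # modular inverse, Python 3.8+
    return (d, n), (e, n)            # (private piece, public piece)

def apply_piece(piece, number):
    """Transform one number (0 <= number < n) with one key piece."""
    exponent, n = piece
    if not 0 <= number < n:
        raise ValueError("number must be smaller than the modulus n")
    return pow(number, exponent, n)

def seal(piece, data: bytes):
    """Lock each byte of data with the given piece."""
    return [apply_piece(piece, b) for b in data]

def unseal(piece, sealed):
    """Unlock with the given piece; None if the result is not byte data."""
    values = [apply_piece(piece, c) for c in sealed]
    return bytes(values) if all(v < 256 for v in values) else None

if __name__ == "__main__":
    private, public = make_key_pair(61, 53)      # constructed sample primes
    details = b"CARD-DETAILS-SAMPLE"             # constructed placeholder data
    locked = seal(public, details)               # anyone may hold `public`
    print("sent over the wire:", locked[:4], "...")
    print("opened with private piece:", unseal(private, locked))
    print("opened with public piece :", unseal(public, locked))
    receipt = seal(private, b"order 1001 paid")  # only the private holder can make this
    print("checked with public piece:", unseal(public, receipt))
```

Whichever piece locks the data, only the other piece opens it; applying the same piece a second time does not give the original back.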


How To Take Online Payments

The payment process online seems quite simple - it is designed to be. However, the steps you have to take can be lengthy and sometimes painful:

1. Create ecommerce website with a secure payment page.

2. Apply for merchant account.

3. Choose a payment company to process the card payments for you.

4. Start taking payments.

Please see the rest of the article for further details.


1. Create Ecommerce Website

We have already written an article on this, please see: Setting Up A Website – 10 Key Issues

2. Merchant Account

To take payments via your website you will need to open a merchant account with your bank or another bank. (This is not your ordinary business bank account; your merchant account is solely for taking card payments.)

The best known in the UK is Barclays Merchant Services. It does not have to be with your own existing bank (the bank that handles your offline banking).

Some banks are easier to deal with when setting up a merchant account – and it may not be your own bank.

If you already take card payments from customers via a shop you will already have a merchant account for accepting payments and receiving funds. However, this will be an account for taking payments using a card machine. This will not automatically allow you to take online payments; there are extra hoops to jump through. If you take physical payments with a card machine you will need to apply to extend this to online payments.

For new companies, securing a merchant account to take online payments may well be difficult, because you probably lack both assets and a trading history. It may be beyond difficult – as in impossible. This is where the next guys in the chain come in.


3. The Payment Provider

For security reasons the actual payment page where customers enter their card details will not be hosted by you on your website.

A third-party company will provide the secure payment page and other facilities to you, in return for a monthly fee. The reason they exist is because someone has to create and maintain the secure payment system from the payment page to the banks.

This is a complex and expensive process, and that is why they exist.

If you are a large enough website you can do all this without them. You can host your own payment pages and maintain your own secure links direct to the banks. Amazon does it – but you won’t be doing it.
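One way to check, on your own checkout page, both the https rule from earlier and the provider-hosted rule from this section, as an added example rather than code from the article or any payment provider: it lists forms that ask for card details but submit without https or to a host other than the provider's. The host names, sample page and field-name hints are assumptions, and it only inspects plain HTML forms.

```python
# Added illustration, standard library only; names below are assumptions.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

CARD_HINTS = ("card", "cc-", "cvv", "cvc", "expiry")  # assumed field-name hints

class FormCollector(HTMLParser):
    """Record each <form>'s action and the names of the fields inside it."""
    def __init__(self):
        super().__init__()
        self.forms, self.current = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self.current)
        elif tag in ("input", "select") and self.current is not None:
            labels = (a.get("autocomplete"), a.get("name"), a.get("id"))
            self.current["fields"].append(" ".join(x for x in labels if x).lower())
    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None

def audit_checkout(html, page_url, provider_host):
    """Return (form target URL, problem) pairs for forms that take card data."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not any(h in f for f in form["fields"] for h in CARD_HINTS):
            continue  # this form does not ask for card details
        target = urlparse(urljoin(page_url, form["action"]))
        if target.scheme != "https":
            findings.append((target.geturl(), "card details sent without https"))
        if target.hostname != provider_host:
            findings.append((target.geturl(), "card form not on the provider's host"))
    return findings

# Constructed sample page: a search box plus three card forms.
SAMPLE_PAGE = """
<form action="/search"><input name="q"></form>
<form action="http://pay.provider.example/checkout"><input name="cardnumber"></form>
<form action="/pay"><input autocomplete="cc-number" name="n"></form>
<form action="https://pay.provider.example/checkout"><input name="card_number"></form>
"""

if __name__ == "__main__":
    found = audit_checkout(SAMPLE_PAGE, "https://shop.example/basket", "pay.provider.example")
    print(*found, sep="\n")
```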

Also going back to the merchant account issue – if you have problems securing a merchant account your payment provider can allow you to use their own.

As with having your own merchant account, you will have to pay card processing fees: usually a percentage of the transaction value when the customer uses a credit card, and a fixed fee when the customer uses a debit card.

However, the important detail is that when you have your own merchant account you usually receive your money direct to your business bank account three days after the transaction on your site. If the payment company provides the service you usually have to wait 30 days to receive the same payment. This is an important cash-flow consideration.

However, once you have traded for long enough (and without problems), you can apply for a direct merchant account.


4. Start Taking Payments

This is the good bit (at last) – you start taking money from customers.

Your payment provider will allow you to take a range of credit and debit cards, all the main ones. They will also probably allow you to take payments via PayPal, which will be integrated into the payment page as an option. PayPal is a good payment option for customers; they use it and like it.

Customers also do not have to re-enter their card details, so purchasing is quicker.

Also, many customers keep money in their PayPal accounts from selling items on eBay. This means they may be more likely to go for an impulse purchase if they already have the funds in their PP account.

The downside for websites is that PayPal’s fees are relatively high, plus they will nearly always side with the consumer customer in any dispute. That leads onto the last topic.


Important Issues


When you sign up for a merchant account, whether direct or through a payment provider, you have to give an undertaking regarding chargebacks (debts) as part of the terms & conditions you sign.

This means that if a customer seeks a refund the merchant bank will pay it and you will repay the merchant bank in full. In practice what happens is that the merchant bank has access to your business bank account and just takes the money.

The undertaking is also usually personal, given by the directors or partners. So if the money from the business runs out the bank will come looking for you. This leads onto why…


Chargebacks are the big ecommerce dirty secret. Basically a chargeback is when a transaction is charged back to you – the cardholder receives a full refund direct back from your account. This can happen in some of the following scenarios:

1. The customer does not like the service paid for or does not receive the goods. In the normal process they would contact you to ask for a refund, but some don’t; they take it up with their card company directly.

2. The customer disputes buying the goods. This can be split into two possible scenarios. In the first, the customer’s card has been used without their knowledge, having been stolen or cloned – this is much more likely to happen out in the real world at bars, petrol stations etc.

The second, more worrying (and growing) scenario is that the customer did pay for and receive the goods or services, but is stating they did not: basically customer fraud. Now that consumers are becoming more aware of chargebacks this is becoming a growing issue. It has long happened in traditional mail order businesses, with customers stating they did not receive goods and getting a refund or second “replacement” product free.

The problem with chargebacks is that they are virtually impossible for companies to dispute. The money is refunded automatically and then the website has to argue the toss with their merchant bank. The only party to lose out is the website. The issue is worse if you ship physical goods, as you will also lose the shipped stock, if the customer contends they did not receive it, or it goes to a fraudster who uses stolen card details.

We could (and will) write an entire article on this issue.

To add further injury to insult, your merchant bank may also add additional penalties on top of the chargebacks if they have a large number to deal with.

So before people say this is all doom-laden, we would like to recount a conversation we had a few years ago with a website owner. They built their site and started selling mobile phone accessories. Business was good, suspiciously good. They sold thousands of units in their first month all over the world. In the second month the chargebacks started to flow in and kept coming. Virtually every transaction was fraudulent. In the first six weeks they lost more than £10,000 worth of stock and were also hit by chargeback penalties from their merchant bank.

Now this was a few years ago, and card security measures have improved dramatically with additional security checks, such as 3D Secure.

However, the fact remains it is easier to steal cards and card details offline, and easier to subsequently use those details online.