Taking Payments Online

Myth Busters 

Ok, before we proceed, it is probably a good idea to dispel a few security myths that have been around since e-commerce began.

When people started to use their cards online, quite a few lazy hacks wrote a lot of stories along the same lines – if you enter your credit or debit card details on a payment page on a website, you will lose everything, etc.

If this were the case, e-commerce would never have grown, and Amazon would still be a friends & family sized start-up, not the tax-dodging mega-corp it is now. So back to reality, here is how it works:


The Secure Payment Process 

When someone buys something from a website, they go through a secure payment page. You can recognise a secure payment page because its web address begins with “https” – the “s” meaning secure. The browser will also show a padlock symbol in the address bar. Clicking on the padlock symbol will show you more details about the website, which verify its identity.

This means the details you enter on the payment page are encrypted before they go from you to the bank or payment provider that receives the payment details.

For the encryption process, imagine the following:

1. A door key is split into two pieces.

2. You keep the first piece of the key; this piece remains private and secret on your server.

3. The party receiving the payment information receives the second piece.

4. When you send sensitive information via https, all the information sent is encrypted.

5. Only the second piece of the key can decrypt the sensitive information encrypted with the first part of the key.

6. As the information is only passed when encrypted, it cannot be read by anyone else. Also, the second key can decrypt the information but still does not know the details of the first key. All it knows is that the information can only have come from the server with the first key – so the information is secure and can be trusted.

7. The encrypted information is effectively protected by 300,000,000,000,000,000,000,000,000,000,000,000 possible key combinations, and only one of those combinations will decrypt the information. You also need the first part of the key, and that remains secure throughout the entire process.
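
The two-piece key described in the steps above, as an added example that is not part of the original article: a toy RSA key pair showing that data sealed with the private piece is accepted only when checked against the matching public piece, and, going one step beyond the list, that a value locked with the public piece opens only with the private one. The function names, the two small primes and the sample order string are assumptions made for illustration.

```python
import hashlib

# Toy textbook RSA on constructed values, for illustration only. Real systems
# use far larger RSA keys with padding, handled by a vetted TLS library.
P, Q = 2**31 - 1, 2**61 - 1   # two known Mersenne primes, far too small for real use

def make_keypair(p, q, e=65537):
    """Return (private, public): the 'first piece' and the 'second piece'."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)        # computing d needs the secret primes p and q
    return (d, n), (e, n)

def digest(message: bytes, n: int) -> int:
    """Hash the message and reduce it below the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def seal(message: bytes, private) -> int:
    """Private-key operation: only the holder of the first piece can do this."""
    d, n = private
    return pow(digest(message, n), d, n)

def check(message: bytes, seal_value: int, public) -> bool:
    """Public-key operation: true only if the matching private key made the seal."""
    e, n = public
    return pow(seal_value, e, n) == digest(message, n)

def encrypt_for(value: int, public) -> int:
    """Other direction: anyone holding the public piece can lock a value."""
    e, n = public
    return pow(value, e, n)

def decrypt(ciphertext: int, private) -> int:
    """Only the private piece opens what the public piece locked."""
    d, n = private
    return pow(ciphertext, d, n)

if __name__ == "__main__":
    private, public = make_keypair(P, Q)
    order = b"order=1001;amount=49.99;currency=GBP"   # constructed sample data
    s = seal(order, private)
    print("genuine order accepted:", check(order, s, public))
    print("altered order accepted:", check(order.replace(b"49.99", b"0.01"), s, public))
    print("round trip ok:", decrypt(encrypt_for(123456789, public), private) == 123456789)
```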


How To Take Online Payments

The payment process online seems quite simple - it is designed to be. However, the steps you have to take can be lengthy and sometimes painful:

1. Create an e-commerce website with a secure payment page.

2. Apply for a merchant account.

3. Choose a payment company to process the card payments for you.

4. Start taking payments.

However, you can shorten this process considerably by using a website platform; for example, Shopify. Shopify includes its own secure card payment service, which can be easily integrated into your Shopify-hosted website. The usual payment fees will still apply - and may be slightly higher than those offered elsewhere.

Please see the rest of the article for further details.


1. Create an Ecommerce Website 

We have already written an article on this; please see: Setting Up A Website – 10 Key Issues


2. Merchant Account 

To take payments via your website, you will need to open a merchant account with your bank or another bank. (This is not your ordinary business bank account; your merchant account is solely for taking card payments.)

The best known in the UK is Barclays Merchant Services. It does not have to be with your existing bank (the bank that handles your offline banking).

Some banks are easier to deal with when setting up a merchant account – and it may not be your bank.

If you already take card payments from customers via a physical shop, you will already have a merchant account for accepting payments and receiving funds. However, this will be an account for taking payments using a card machine. This will not automatically allow you to take online payments; there are extra hoops to jump through. If you take physical payments with a card machine, you will need to apply to extend this to online payments.

For new companies, securing a merchant account to take online payments may well be difficult, because you probably lack both assets and trading history. It may be beyond difficult – as in impossible. This is where the next guys in the chain come in.


3. The Payment Provider

For security reasons the actual payment page where customers enter their card details will not usually be hosted by you on your website - though the level of integration can make it look like it is part of your website.

A third-party company will provide the secure payment page and other facilities to you, in return for a monthly fee. The reason they exist is that someone has to create and maintain the secure payment system from the payment page to the banks.

This is a complex and expensive process, and that is why they exist.

If you are a large enough website, you can do all this without them. You can host your payment pages and maintain your own secure links direct to the banks. Amazon does it – but you won’t be doing it.

Also, going back to the merchant account issue – if you have problems securing a merchant account, your payment provider can allow you to use their own.

As with having your own merchant account, you will have to pay card processing fees: usually a percentage of the transaction value when the customer uses a credit card, and a fixed fee when the customer uses a debit card.

However, the important detail is that when you have your own merchant account, you usually receive your money directly to your business bank account three days after the transaction on your site. If the payment company provides the service, you usually have to wait 30 days to receive the same payment. This is an important cash-flow consideration.

However, once you have traded for long enough (and without problems), you can apply for a direct merchant account.


4. Start Taking Payments 

This is the good bit (at last) – you start taking money from customers.

Your payment provider will allow you to take a range of credit and debit cards, all the main ones. They will also probably allow you to take payments via PayPal, which will be integrated into the payment page as an option. PayPal is a good payment option for customers; they use it and like it. PayPal customers also do not have to re-enter their card details, so purchasing is quicker.

Also, many customers keep money in their PayPal accounts from selling items on eBay etc. This means they may be more likely to go for an impulse purchase if they already have the funds in their PayPal account.

The downside for websites is that PayPal’s fees are relatively high, plus they will nearly always side with the customer in any dispute. That leads to the last topic.


Important Issues 


When you sign up for a merchant account, whether directly or through a payment provider, as part of the terms & conditions you sign, you have to give an undertaking regarding chargebacks (debts).

This means that if a customer seeks a refund the merchant bank will pay it and you will repay the merchant bank in full. In practice, what happens is that the merchant bank has access to your business bank account and takes the money.

The undertaking is also usually personal, given by the directors or partners. So if the money from the business runs out, the bank will come looking for you to pay. This leads on to why…


Chargebacks are the big e-commerce dirty secret. A chargeback is when a transaction is charged back to you, the website – the cardholder receives a full refund direct from your account. This can happen in some of the following scenarios:

1. The customer does not like the service paid for or does not receive the goods. In the normal process, they would contact you to ask for a refund, but some don’t; instead, they take it up with their bank or card company directly.

2. The customer disputes buying the goods. This can be split into two possible scenarios. The first is that the customer’s card has been used without their knowledge, having been stolen or cloned – this is much more likely to happen out in the real world at bars, petrol stations etc. Once a card is cloned, it can then be used online.

The second, more worrying (and growing) scenario is that the customer did pay for and receive the goods or services, but is stating they did not: basically, customer fraud. Now that consumers are becoming more aware of chargebacks, this is becoming a growing issue. It has long happened in traditional mail-order businesses, with customers stating they did not receive goods and getting a refund or second “replacement” product free of charge.

The problem with chargebacks is that they are virtually impossible for companies to dispute. The money is refunded automatically, and then the website has to argue the toss with their merchant bank. The only party to lose out is the website. The issue is worse if you ship physical goods, as you will also lose the shipped stock if the customer contends they did not receive it, or it goes to a fraudster who uses stolen card details.

To add further injury to insult, your merchant bank may also add additional penalties on top of the chargebacks if they have a large number to deal with from your website.

So before people say this is all doom-laden, we would like to recount a conversation we had a few years ago with a website owner. They built their site and started selling mobile phone accessories. Business was good, suspiciously good. They sold thousands of units in their first month all over the world. In the second month, the chargebacks started to flow in and kept coming. Virtually every transaction was fraudulent. In the first six weeks, they lost more than £10,000 worth of stock and were also hit by chargeback penalties from their merchant bank.

Now, this was a few years ago, and card security measures have improved dramatically with additional security checks, such as 3D Secure.

However, the fact remains that it is easier to steal cards and card details offline, and easier to subsequently use those details online.

Bank regulations have been slow to deal with the issue of chargebacks; this is partly because the website owner pays, not the bank, card company or PayPal. However, websites are being required to implement 3D Secure for online transactions. 3D Secure works by requesting an additional security PIN that you have set up with your bank for online transactions. The theory is that only you know the PIN - so it must have been you who made the purchase. The banking industry will diplomatically dodge the subject, but one of the key drivers for this additional security has been chargeback fraud committed by the cardholder.

You will not see Amazon implementing 3D Secure or even asking for the last three digits from the back of your card during the checkout process, as this would interfere with their one-click ordering system. Amazon is prepared to take the hit from fraud to ensure their website is the quickest and most convenient to use. Amazon also never reveals the scale of fraud, even when making financial declarations.