
How to choose Online Payment Solution

So you are starting your own online business, or you are helping to start a new one, and you want to quickly and seamlessly give users the ability to pay by credit card for services or products. Be aware that developing your own online payment solution is not an option if you want to implement it quickly. So what can you do? There are many services out there that provide the necessary functionality, so you can integrate payments without difficulty and be ready for the marketplace.

Some of the benefits you might expect when using payment providers

PCI compliance

Anyone involved with the processing, transmission, or storage of card data must comply with the Payment Card Industry Data Security Standards. PCI compliance is a shared responsibility and applies to both the online payment processor and your business. When accepting payments, you must do so in a way that is PCI compliant. The simplest way for you to be PCI compliant is to never see card data at all. This is integral to online payment processors, which can help you achieve PCI compliance. However, you will still have to follow some rules.

Check the CC (Credit Card) while issuing a $0 or $1 transaction

This is the only way to make sure that the card is valid before an actual transaction will happen. Online payment processors often use $0 authorization but not all banks will accept it. Stripe does that for you when storing customer details or using Checkout to collect payment data. When a $0 transaction is not supported a $1 transaction is then executed. Some clients may see an authorization for $1 on their credit card statement but this is not a charge, and it will be removed from their statement. Depending on the bank they use this might happen anywhere between a few minutes to a couple weeks.

Well known Online Payment solutions

There are quite a few online payment solutions and they differ in the size of the fees they collect, service availability, and integration capabilities. Some of them provide ecommerce solutions so that you can only copy the code on to your page and they will handle the rest, while some of them provide the means to send money between each other.

Let’s look at some existing online providers:

  • Paypal – The most well-known way of making payments. Good sides: it’s almost a standard. Bad sides: Paypal sometimes can freeze your account without any warning. It’s also known for its high fees. Some users love it, some hate it.
  • Alipay – Very popular in China. Service is available across the world.
  • Amazon Pay – Built on the popularity of Amazon. Reuses Amazon account information. Ecommerce integration, own API.
  • Apple Pay – Popularized by Apple as a payment solution for Apple devices. You can send money through text messages or by asking Siri. They also support web payment.
  • Dwolla – Available only in US. Modern company. Known for its low fees of $0.25 for each transaction. The Dwolla API is easy to use but less well known.
  • Stripe – Is the new-kid-on-the-block. The Stripe API is easy to use. It is the most customizable and modern payment solution around. Accepts payments from Google Pay, Apple Pay, and Alipay. Everybody suspects that Stripe is the main reason for innovations in PayPal.

How to choose an Online Payment Solution and our choice

The payment provider is chosen based on many different criteria. Some of these are the service availability in the country where your bank account is, the cost of a transaction, monthly fees, the cost of integration, and whether it resolves sales tax issues or allows for integration with other well-known payment solutions. Many of these questions must be answered by you, the client. Stripe is our preferred choice as it has excellent API capabilities. This article will use Stripe as its payment processor of choice.

Best Practices for payment providers

  • Retry if the transaction did not succeed

A transaction might fail not only for technical reasons; sometimes insufficient funds are the cause. You should retry processing the transaction anywhere from an hour to a couple of days later.

  • Know when your CC will expire

Some of the card details will expire or their data will no longer be valid for various reasons. When you do not have valid CC data, charging the customer will not be possible. The major card schemes offer a service that lets you check if there are any updates pending for the customer data that you store. Some of the online payment solutions will even update card information for you. Stripe will do this for the majority of MasterCard, Discover, and Visa cards. Not only CC.

  • Be aware that in some parts of the world people are not willing to pay with their Credit Card

The best example of this is China, where Alipay is the main payment source. It is worth noting that not all clients are happy giving away their card details, so using a well-known payment method helps to increase the completion rate of potential transactions. Stripe also supports Alipay for China and, for Europe, Giropay, iDEAL

  • We would like to have Paypal

Sometimes clients just want to use Paypal as they are familiar with the brand. Don’t be stubborn – Stripe will help to maximize your profit. Stripe and Paypal are direct competitors, so there is no integration between them.

Best practices while using the Stripe payment process

PCI compliance with Stripe

Most users become PCI compliant by filling in the Self-Assessment Questionnaire (SAQ) provided by the PCI Security Standards Council. The type of SAQ depends on how you collect card data. The simplest method of PCI validation is SAQ A. The fastest way to become PCI compliant with Stripe is to make sure you qualify for a prefilled SAQ A. If so, Stripe will fill in the SAQ A for you and make it available to download in your account’s compliance settings after the first 20 or so transactions. The way to achieve this is as follows:

  • Use the embedded form called Checkout, or Stripe.js and Elements (which offers better layout customization than Checkout). You can use react-stripe-elements, which uses the Stripe.js API, or the Stripe mobile SDK libraries. When you’re using React Native, go with tipsi-stripe. The tipsi-stripe bindings are not officially supported by Stripe, so support will not officially tell you that they qualify for prefilled SAQ A compliance – but they do.
  • If you are using the web, your payment pages should be served over HTTPS.

In all those cases data is securely transmitted directly to Stripe without passing through your servers. When you choose the fastest way you will not have to do anything more. It is as simple as this until you reach 6 million transactions per year; then you will have to file a Report on Compliance to validate your PCI compliance annually.

 

Prepare for technical failure – Idempotency key

If you are using the API to take payments, you must prepare for technical failure, as all networks are unreliable. If a failure happens, it is not always possible to know whether a charge was made or not. In the case of a network failure you should retry the transaction. The idempotency key is a mechanism that prevents charging a customer twice if for some reason you submit the payment twice, which may occur when retrying operations after a failure. In Stripe's Node library you just add it to the options parameter while charging. Each idempotency key times out after 24 hours, so if you make a payment with the same idempotency key after that time, you will charge the client.

 

Stripe charges in cents not dollars

Online payment solutions like PayPal charge in dollars rather than cents. In Stripe, however, all charges are made in the smallest currency unit. This applies not only to dollars; Stripe does it for all currencies.
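
The retry behaviour and the cents rule from the two sections above, as an added example (not code from the original article or from Stripe). The `idempotencyKey` option and the `StripeConnectionError` type follow the stripe-node library; `makeFlakyClient`, `toCents`, `chargeOrder` and the order fields are hypothetical names, and the client is a constructed stand-in so the code runs offline.

```javascript
const crypto = require('crypto');

// Constructed stand-in for the Stripe client (an assumption, so this runs offline).
// Like the real API it remembers idempotency keys; it also drops the first
// response to simulate a network failure AFTER the charge was already made.
function makeFlakyClient() {
  const byKey = new Map();
  let calls = 0;
  const create = async (params, options) => {
    calls += 1;
    const key = options.idempotencyKey;
    if (!byKey.has(key)) byKey.set(key, { id: `ch_constructed_${byKey.size + 1}`, ...params });
    if (calls === 1) throw Object.assign(new Error('socket hang up'), { type: 'StripeConnectionError' });
    return byKey.get(key);
  };
  return { charges: { create }, chargesMade: () => byKey.size };
}

// Convert a decimal string such as "19.99" to cents without float rounding
// (19.99 * 100 is 1998.9999999999998 in JavaScript).
function toCents(amount) {
  const m = /^(\d+)(?:\.(\d{1,2}))?$/.exec(amount);
  if (!m) throw new Error(`invalid amount: ${amount}`);
  return Number(m[1]) * 100 + Number((m[2] || '').padEnd(2, '0'));
}

// One key per logical payment, stored on the order so every retry reuses it.
async function chargeOrder(client, order, maxAttempts = 3) {
  if (!order.idempotencyKey) order.idempotencyKey = crypto.randomUUID();
  for (let attempt = 1; ; attempt += 1) {
    try {
      return await client.charges.create(
        { amount: toCents(order.amount), currency: 'usd', customer: order.customerId },
        { idempotencyKey: order.idempotencyKey },
      );
    } catch (err) {
      // Retry only connection failures; declines and other errors surface at once.
      if (err.type !== 'StripeConnectionError' || attempt >= maxAttempts) throw err;
    }
  }
}
```

In a real integration the key should be persisted with the order before the first attempt, so a retry after a process restart still sends the same key.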

 

Test

Stripe provides many card numbers for you to test different scenarios on the frontend, and tokens so you can test your backend directly. For example, you can test not only Visa, Mastercard, American Express, Discover, Diners Club and JCB cards but also international cards and 3D Secure cards. Stripe also provides you with tokens so you can test failure scenarios like a charge being declined, a charge being blocked because it's fraudulent, an expired card, or a processing error. So you will be prepared for everything that can happen when you go live.

 

Do not put JSON in description – Use metadata

Be as descriptive as you can. Metadata is your friend. You can enrich your Stripe transaction with custom data so you can then view it in the dashboard. For example, you can add things like customer_id or shipping_id in metadata, so there is no reason to pollute your transaction description.

 

Should I collect more data?

The bare minimum to collect from a CC is its number, CVV and expiry date but you can collect more. You can also collect the zip code / CC holder name / address for Address Verification System (AVS). If you collect them it will increase payment security because the fraud prevention algorithms will have more data and will be able to react more accurately. However, from the user perspective it’s more data to type – which is not always good. Customers are only human and sometimes make mistakes when entering data which can also cause some transactions to be rejected. So you must decide on how much data you need and what will work best for you and your income. Equally banks will sometimes reject payments with a ‘do not honor’ status and you will have to contact your customer so they can ask their bank about the reason (high level of recent activity on a card, a lack of matching AVS information, a card being over its limit, or a range of other reasons which only the bank will know).

A Stripe Payout Example

Collecting CC data – (tokenization explanation and an example)

For collecting CC data we can use Checkout, the Stripe.js Elements library, the React Stripe Elements library (which utilizes Stripe.js), the mobile libraries, and tipsi-stripe for React Native. Checkout offers a selection of forms to collect data with, while the other methods require you to craft your own custom form. The process of safely collecting CC data using a payment provider is called tokenization, as we are exchanging all the sensitive data for a short-lived data token. And that is all that tokenization is about. This token can later be used for making a one-time charge of a customer or for creating a customer (see the section below). The following example will focus on the simplest method of tokenization, called Checkout. When using Checkout we have two options, simple or custom. Let’s look into the code.

 

Checkout simple option

In checkout simple option everything is provided for you from a selection of options. All you need to do is to embed the following code into your webpage:

This will embed the button below:

pay with card

When clicking the button you will see:

Espeo Checkout

 

This example will POST to your-server-side-code with a “token” parameter.

 

Checkout Custom option

When using the custom Checkout option you can use any HTML element or JavaScript event to trigger the Checkout process. So, for example, if you would like a Bootstrap button instead of the one provided by Stripe, go with the custom Checkout option.

Now let’s see what we can do with the token on the backend

Charging the customer - an example

The token goes on the backend. Let’s use Node to create a customer and then charge them based on a returned customer id for when the need arises.

This will return the token but remember to handle the errors that arise. If response succeeds just look for id that belongs to the customer and save it for later use. You will use the customer id to charge the user. Let’s see how to do this:

Is that all? Yes but please remember about being prepared for failures and retries when needed.

 

Signing up to events - an example

Stripe can update the client's CC if it has expired, and this works for most MasterCard, Discover, and Visa cards. How is that possible? Stripe works with card networks and automatically tries to update card details whenever a customer receives a new card. When the card information is updated you will receive a webhook with the event "customer.source.updated". You can also sign up to be informed before an expiration date with the event "customer.source.expiring". A webhook is a general way to sign up to various events that will be produced by Stripe. You will be called by them in a push manner, so you don't have to poll for information; all you have to do is expose a webhook. If you are only interested in card payments, webhooks are not required when using Stripe. Webhooks are configured in the webhooks settings section of the Dashboard, where you can add a new URL for receiving webhooks. The logic for a webhook should be idempotent, and the webhook signature should be verified.
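
One way to meet both requirements from the last sentence above, as an added example (not code from the original article or from Stripe): it checks the `Stripe-Signature` header (`t=<timestamp>,v1=<HMAC-SHA256 of "t.body">`) by hand with Node's `crypto` so it runs offline, where a real integration would normally call the library's `stripe.webhooks.constructEvent`. The function names, the in-memory `processed` set, the secret and the sample event are all constructed for illustration.

```javascript
const crypto = require('crypto');

const TOLERANCE_SECONDS = 300; // reject stale timestamps to limit replay

// Verify a Stripe-Signature header ("t=<unix>,v1=<hex hmac>") against the RAW body.
function verifySignature(rawBody, header, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(header || '').split(',').map((p) => p.split('='));
  const t = (parts.find(([k]) => k === 't') || [])[1];
  const candidates = parts.filter(([k]) => k === 'v1').map(([, v]) => v);
  if (!/^\d+$/.test(t || '') || candidates.length === 0) return false;
  if (Math.abs(nowSeconds - Number(t)) > TOLERANCE_SECONDS) return false;
  const expected = crypto.createHmac('sha256', secret).update(`${t}.${rawBody}`).digest();
  return candidates.some((hex) => {
    const given = Buffer.from(hex || '', 'hex');
    return given.length === expected.length && crypto.timingSafeEqual(given, expected);
  });
}

// Idempotent handler: the same event may be delivered more than once.
// The Set is a stand-in; use a durable store with a unique key on event.id.
function makeWebhookHandler(secret, onCardUpdated, processed = new Set()) {
  return function handle(rawBody, header, nowSeconds) {
    if (!verifySignature(rawBody, header, secret, nowSeconds)) return 400;
    const event = JSON.parse(rawBody);
    if (processed.has(event.id)) return 200; // duplicate delivery: acknowledge, do nothing
    processed.add(event.id);
    if (event.type === 'customer.source.updated') onCardUpdated(event.data.object);
    return 200;
  };
}

// Constructed sample: secret, timestamp and event are made up for this example.
const SECRET = 'whsec_constructed_example';
const NOW = 1700000000;
const BODY = JSON.stringify({ id: 'evt_constructed_1', type: 'customer.source.updated',
  data: { object: { customer: 'cus_constructed', exp_year: 2030 } } });
const sign = (body, t) =>
  `t=${t},v1=${crypto.createHmac('sha256', SECRET).update(`${t}.${body}`).digest('hex')}`;
```

The signature is computed over the exact bytes received, so the handler must be given the raw request body rather than a re-serialized parsed object.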

Other Stripe capabilities

Stripe services are not limited to the Payments services that we have looked at in this article. Stripe also offers:

  • Subscriptions: To charge customers on a recurring basis. Stripe has several plans for each customer including discounts
  • Connect: A solution to use when you serve as a platform between clients and sellers. With this solution you can transfer money from/to your clients and sellers.
  • Sigma: A feature for writing custom reports that will be available in your dashboard. This is done by writing ANSI SQL queries against Stripe schema. You can also use scheduled queries to further automate things - results will be sent as webhook events or via email. Just be aware that using sigma is not free and it generates additional costs.
  • Radar: A fraud protection machine learning system. You can use it when you have integrated with Checkout, Stripe.js, Elements, and mobile SDK integrations (tipsi-stripe will also work here).

 

Summing up

With this knowledge you can process your first payments. When choosing Stripe remember that you are responsible for your own PCI compliance after the first 6 million transactions. At Espeo Software we use more sophisticated ways of performing tokenization, with methods other than Checkout, to produce our own custom forms and individualize the design. This also helps in the important aim of creating a good user experience so that you can achieve the 6 million transactions bar. Please also remember that transaction failures are inevitable and part of the process. But if at any time you would like to get support, don’t hesitate to contact us at Espeo Software.

Interested in online payments? Check out our article about Micropayments!

 

Staszek Paszun