The Small Business Guide to Choosing the Best Merchant Accounts
Today's Web developer needs to have a thorough knowledge of how to build commerce-enabled Web sites. One of the most mysterious areas, for clients and Web shops alike, is the process of setting up a Web-enabled credit card merchant account. The gold rush of e-commerce has spawned hordes of pick-and-shovel peddlers. If you search for information on credit cards, you'll find page after page of outfits, all offering to get your credit card scene together pronto and cheapo. All of them try to make the process of getting a merchant account sound extremely difficult and complicated (if you buy their product, of course, it becomes easy). I am sorry to say that not a few of these outfits are shaky, shady, or simply scams. What do you really need to get credit card transactions going on a site, and how do you find a reputable bank that's knowledgeable about the Internet?
I won't begin this article by expounding the virtues of credit cards, because that would sound too much like the blobs of Spam that appear in your mailbox every day. All I'll say is that the first sentence or two (and little more) of those Spamograms is usually correct - if you want to do business online, you do need to accept credit cards. Forget about "virtual cash" and "smart cards." Credit cards are here now, and are rapidly becoming the payment method of choice whenever possible. Most or all of the retail business transacted over the Web is done with credit cards.
You can also forget the scare stories you've heard about credit card security risks. The whole rigmarole about hackers sniffing packets and harvesting your credit card numbers made great press, and sold a tremendous number of magazines about a year ago, but it was mostly pretty far-fetched stuff, and it's old news now. If I really must debunk this bugaboo (my regular readers know how I hate debunking bugaboos), let's briefly revisit three facts:
Most credit card companies limit your liability in case of credit card theft to a small amount, perhaps $50 - 100, so that's the most at stake even in the worst-case scenario, which is that the first documented Internet credit card rip-off in history just happens to happen to you.
For obvious reasons, credit card numbers are much more likely to be stolen when you use your card in a restaurant or over the phone than when you use it over the Web.
By taking a few simple precautions, you, the Web site owner, can make it difficult enough to breach your security that it simply wouldn't be worth anyone's time to make the attempt. If somebody wants to run a credit card rip-off, there are far easier ways to do it than hacking into a site that has taken basic security precautions.
Having said all that, the fact remains that perceptions are often more important than facts, and the majority of people out there are probably still convinced that using credit cards over the Web is extremely risky. It's very important for you to make sure that your online sales system is as secure as practical, and to convince your site visitors of this fact.
What You Need - Plain and Simple
Against a background of rapidly changing technology and hordes of online hucksters, it can be hard to figure out how to get started with credit cards. In fact, to accept credit cards through your Web site, you need to have three different elements in place:
You need a form on your site that customers can use to place their orders. This should incorporate a security technology such as SSL.
You need to have a credit card merchant account with a bank.
You need payment-processing software to serve as the link between your site and the bank.
A form that takes orders online is no different than any other form. You set up the form using HTML, and set it to use a CGI script to do the following:
1. Pass the credit card info to the payment-processing software, which sends the transaction to the bank.
2. Send an email to whoever fulfills the orders, with the order information and customer mailing address if appropriate.
3. Create a confirmation page for the customer. This page should not only thank them for their order, but provide them with a phone number and/or email address to contact in case of problems with the order, and perhaps an order number for their records.
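The three steps above as a small order handler, written in Python as an added example (it is not code from the original article). The `charge` and `send_mail` callables, the form field names, the addresses and the `HTTPS=on` environment variable (as set by common Web servers for SSL requests) are assumptions; the handler also shows the precautions a script like this should take: refuse card data that did not arrive over SSL, keep the full card number out of the fulfillment email, and escape customer input on the confirmation page.

```python
import html
import re
import secrets

SUPPORT = "orders@example.com / 555-0100"  # constructed contact details


def luhn_ok(number: str) -> bool:
    """Check-digit test that catches typos before the bank is contacted."""
    digits = [int(c) for c in number]
    # Double every second digit counting from the right; subtract 9 if > 9.
    for i in range(len(digits) - 2, -1, -2):
        digits[i] = digits[i] * 2 - 9 if digits[i] > 4 else digits[i] * 2
    return sum(digits) % 10 == 0


def mask(number: str) -> str:
    """Keep only the last four digits for anything stored or emailed."""
    return "*" * (len(number) - 4) + number[-4:]


def handle_order(form, environ, charge, send_mail):
    """form/environ are dicts; charge and send_mail are hypothetical hooks
    for the payment-processing software and the outgoing mail system."""
    # Refuse card data that did not arrive over the SSL-protected URL.
    if environ.get("HTTPS", "").lower() != "on":
        return {"status": "rejected", "reason": "insecure transport"}

    card = re.sub(r"[ -]", "", form.get("card", ""))
    if not re.fullmatch(r"\d{13,19}", card) or not luhn_ok(card):
        return {"status": "rejected", "reason": "invalid card number"}

    # Step 1: pass the card to the payment-processing software.
    if not charge(card, form["expiry"], form["amount"]):
        return {"status": "declined", "reason": "declined by bank"}

    order_no = secrets.token_hex(4).upper()

    # Step 2: email fulfillment. Email is not encrypted, so only the
    # masked card number leaves this function.
    send_mail(
        "fulfillment@example.com",  # constructed address
        f"Order {order_no}",
        f"Item: {form['item']}\nAmount: {form['amount']}\n"
        f"Ship to: {form['name']}, {form['address']}\n"
        f"Card: {mask(card)}\n",
    )

    # Step 3: confirmation page; customer-supplied text is HTML-escaped.
    page = (
        "<html><body>"
        f"<p>Thank you, {html.escape(form['name'])}. "
        f"Your order number is {order_no}.</p>"
        f"<p>Problems with your order? Contact {html.escape(SUPPORT)}.</p>"
        "</body></html>"
    )
    return {"status": "ok", "order_no": order_no, "page": page}
```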
To learn how to create forms, consult an HTML primer. Here I'll just go over a few of the principles of good form design. Make sure that all your fields line up neatly - not always an easy task. Be sure to check the appearance in both Netscape and Explorer.
Make it very clear to your customers what will happen when they click on something. Don't assume that they're familiar with Web forms. A link that leads to the order form should not say "Click here to order," but rather something like "click here to proceed to ordering page." The Big Button (the one that sends their credit card number to the payment-processing software) should also be unambiguously labeled. Perhaps something like "Click here to finalize your order. Your credit card will be charged." E-commerce experts agree that uncertainty about whether they are actually committing themselves causes many would-be customers to bail out early.
Of course, the name of the game is getting people to click that Big Button, so make it easy for them. Avoid superfluous pages - the fewer clicks it takes to place the order, the more orders you'll get. And display plenty of reassuring messages about the security of your order form. Some sites go so far as to include a FAQ about credit card security. Another confidence-building measure is to join one or more of the various Internet consumer-protection groups, such as Netcheck and Public Eye. One of the best confidence-builders of all is simply to put your company's complete street address and phone number right on the ordering page.
There are several systems you can use to make your ordering page secure, but the most popular is Secure Sockets Layer (SSL), which is supported by all major browsers, and by most ISPs. Using a secure Web protocol such as SSL has two main goals:
Encrypt the credit card data being transmitted, so that it would be very difficult for a third party to decipher.
Certify that the message is in fact coming from where it claims to be coming from, so that it would be very difficult for a third party to forge a transaction. This is done by means of a digital certificate.
Notice that I say "very difficult," not "impossible." No matter how strong an encryption system you use, it is theoretically possible for someone to "crack" it, given enough expertise and computing power. The idea is not to make your messages as secure as humanly possible, but simply to make it secure enough that the potential ill-gotten gains from cracking your system wouldn't be worth the time and money involved in doing so. Experts agree that popular secure protocols like SSL are more than adequate to achieve this goal.
So, how to get SSL up and running? Your ISP will handle most of it for you, although they may charge a small fee for doing so. Your ordering page will have to be placed on a secure server, and you will need to obtain a digital certificate. Only the page with the actual order form needs to be on the secure server. A digital certificate may be obtained from one of several certification authorities (perhaps the best known is Verisign), and the process is pretty simple. You have your ISP generate a Certificate Signing Request, then you go to the certification authority's Web site and fill out and submit a form, including the Certificate Signing Request. The certification authority will charge you a fee (Verisign currently charges about $350), your ISP will install the certificate for you, and you're good to go.
SSL-secured page URLs begin with https:// instead of http://, and most browsers automatically indicate to the user whether a page is secure or not. However, it never hurts to remind your visitors that their credit card information is protected by SSL. If you'd like to learn more about Internet security, there are links to several FAQs at: Yahoo! Computers and Internet:Security and Encryption:FAQs. The Verisign site also has links to various security resources.
Getting a Merchant Account
Banks are famous for making their cost structures complicated, so that you can't easily compare costs among different banks, and merchant accounts are no exception. Most banks charge a percentage of each transaction, called a discount rate, and a fixed per-transaction fee. There is often a fixed monthly fee, a monthly minimum order, and a one-time setup fee as well. A payment-processing system, whether hardware- or software-based, is an additional expense, as we shall see.
Fees for merchant accounts are like interest rates on loans - they vary depending on the perceived level of risk to the bank. Users of credit cards may refuse to pay certain charges for a variety of reasons, ranging from returned products to honest errors to fraudulent charges. Banks want to encourage the view of credit cards as a safe and convenient way to buy, so they are generally pretty lenient about allowing buyers to make chargebacks, as they are called. The risk to the bank, of course, is that chargebacks may occur after the merchant has already been paid, and the bank could be left holding the bag. How favorable a deal you get therefore depends not only on how large a company you have, and how long you've been in business, but also on what kind of business you're in. Banks have stats on the rates of chargebacks and other hanky-panky in various different industries. Somebody in the business once told me that porno Web sites average over 50% chargebacks, meaning that over half of the charges made don't get paid in the end.
Banks do several things to limit their exposure to chargeback risk. They may ask you to personally guarantee the account agreement, meaning that if your company ends up owing money to the bank, you will be personally liable. Naturally, companies in businesses that have a high rate of chargebacks, especially those selling big-ticket items, will pay less favorable fees. Banks will also hold back a certain percentage of your money every month as insurance against future chargebacks. If you are deemed to be a high chargeback risk, it could be months before the customer's money makes it through the system to your bank account. The bank's chargeback policy has a dollar cost, because money in your bank account earns interest for you, while money owed to you by the bank does not. Be sure to get all the details of a bank's chargeback policy.
As with loans, insurance and other such financial services, some banks simply don't offer accounts to businesses in their "high-risk" categories, while others are happy to do business with anybody, for a suitably high price. Some of the businesses considered "high-risk" are what you'd expect - anything to do with porno, gambling, MLM or GRQ (get rich quick). Weight-loss programs, herbal remedies, and (don't ask me why) water filtration equipment are considered slightly less risky. If your business is on the official poo-poo list, you'll be forced to deal with a smaller bank, and pay premium fees.
Whatever you're selling, an Internet-based store is automatically in a higher-cost category than a traditional merchant. In a traditional store, the customer's card is "swiped" through a gadget that reads the data in the magnetic stripe, and transmits that data to the card issuer, which either authorizes or declines the transaction in a matter of seconds. The cardholder also signs a receipt. Such "cardholder present" transactions present little risk to the bank, and thus earn the lowest merchant rates. Merchants doing transactions when the cardholder is not physically present, whether over the phone or whatever, will pay a higher rate. Merchants doing business over the Internet will pay yet another slight premium, just for general purposes. When you apply for a merchant account, the bank will ask you what percentage of your transactions are "cardholder not present" transactions, and offer you a rate accordingly (for Internet merchants this will of course be 100%).