Many people new to websites and/or ecommerce are confused at

the in and outs of ecommerce. Even many people who are fairly

adept at scripting can set up a store using some popular

package such as OSCommerce and then are left stumped by the

idea of making it work with a payment gateway to actually

collect money and put it into their account. In this article, I

will give a brief overview of how the system is set up to

collect your money. I will then discuss briefly what to look

for in evaluating payment gateways. As usual, I will keep this

basic and understandable just as I do with all of my articles.

The Basics - How Funds are Collected

Ecommerce simply refers to the practice of shopping online.

From the site owner's perspective, it entails collecting funds

from sales transactions on their website and depositing that

money into the bank. In order to collect funds, you need to

have a merchant account and a payment gateway (discussed

below). Basically, when a person enters their credit card

number on a website, the card number and buyer information is

sent to a payment gateway. This is done securely. The payment

gateway will interface with a payment processor to check

availability of funds as well as any other criteria set for

accepting transactions. If the funds are available, the payment

processor will then deduct the funds. The payment gateway will

then report back a successful transaction to the merchant, at

which point the merchant's shopping cart system will respond by

displaying a "Thank You" type message to the buyer. Funds will

sit until the transaction is settled, which means the funds are

collected and deposited to your bank account. Until a

transaction is settled, the transaction will not post to your

bank account and the corresponding debit will not post to the

buyer's credit card account.

Merchant Accounts

A Merchant Account is a special type of account specifically

for online retailers. They are designed to allow non-POS (point

of sale) transactions using credit cards, or transactions where

you don't have the person's credit card in hand. In other

words, you don't have a card swiper. A merchant account is not

the same as a bank account. It acts as a go-between between

your payment gateway and your bank account, accepting funds

from credit cards which are then deposited into your bank.

A merchant account is a relationship based on trust between you

and the issuing bank. The bank takes funds from the buyer's

account and deposits into your account. A payment processor

takes care of checking for availability of funds and debiting

from the credit card account. The bank issuing the merchant

account is trusting that you will fulfill your end of the

transaction by providing the product or service that the buyer

purchased. In case where this does not occur, the buyer can

dispute the transaction. This puts the issuing bank on the line

because they are then obligated to return the funds to the

buyer's card (a chargeback). Therefore, merchant providers are

taking a risk in allowing a merchant to take credit cards under

their name.

The organization providing your merchant account will do

underwriting on the account when you apply to check your

credit. If you have a history of too many chargebacks, you may

be denied. In fact, too many chargebacks can result in you, as

a merchant, being put on the Terminated Merchant File (also

called The Match File). This is a blacklist which will

effectively prevent you from ever receiving a merchant account

again.

Payment Gateways

A payment gateway serves as the front end to your merchant

account, allowing you to manage funds, transactions, and the

like. It also serves as a connection between your website and

your merchant account. It takes data submitted via your secure

order forms and presents it to your processing bank. The

processing bank then approves or declines the transaction and

sends its response back to the payment gateway. The payment

gateway then turns around and provides this data back to the

merchant for appropriate handling of the transaction. A payment

gateway, then, does not offer services such as merchant accounts

or shopping carts, although some of the larger-known gateways do

provide such options as value-added services.

Some of the better known payment gateway services are

Authorize.Net, Verisign, 2CheckOut.com, Linkpoint,

Paysystems.com, Worldpay.com, and MerchantCommerce. Some of the

things to look for in a payment gateway are compliance with

CISP, SDP and DISC (security initiatives put out by the major

credit card companies), virtual terminal (to be able to accept

transactions over the phone by typing in their data rather than

only relying on your website), fraud prevention, recurring

billing, methods of integration, cost and whether they can

accept e-checks or not.

Fraud prevention is a big one because, as stated above, too

many fraudulent transactions will result in chargebacks which

could end up putting you on the Match List and your merchant

account closed. Some of the common fraud detection mechanisms

are Address Verification (AVS) which compares the customer's

address with that on file with the issuing bank, CVV2 which

makes use of the 3-digit security code on the credit card

(4-digit on American Express cards).

Most gateways will provide instructions on how to interface

with their servers from your web store. Most gateways offer two

methods of integration.

One method is to have your site POST a form to the gateway's

server which is pre-populated with your customer's information.

At that point, the customer will provide the customer with the

payment form which allows them to type in their credit card

number in a secure environment. After processing occurs, the

customer is then routed back to your website along with the

results of the transaction. Your site again takes over the

process. This method is usually easier to set up for site

owners and it also means the site owner does not need to

purchase their own SSL certificate (allowing secure

transactions on the site itself). The tradeoff is that you do

need to send your customers off of your website for payment

collection. Many gateways offer ways to make the payment form

look like your website using customized headers and footers,

but the fact remains that the visitors are leaving your

website.

The second method is totally invisible to the customer. If the

site owner has an SSL certificate, they can set up security on

their own site. This means they can host the payment form

themselves, totally customizing it to their website. When the

customer submits payment, your site will securely and invisibly

submit the information to the payment gateway. The payment

gateway will do the usual processing and then invisibly send

the response back to the merchant's website, allowing it to

respond properly. From the customer's perspective, they never

left your website. And they never did. This type of setup

requires an SSL certificate as well as access to the CURL

library.

Many gateway providers can get you set up with a merchant

account at the same time as the gateway. So, in most cases, you

do not need to sign up for them separately.

Conclusion

Hopefully this has given you a brief introduction to how credit

card payments are processed on the internet.