Becoming a Payment Facilitator, Payment Service Provider [PSP] or Payment Aggregator. Being a Payment Facilitator can be thought of as being a Master Merchant, facilitating credit and debit card transactions for sub-merchants within your payment ecosystem. Becoming a PSP (also known as PayFac) lends itself well to some businesses that fall into the software provider classification. However, with the many advantages come some unique challenges. We’ll discuss both in this article.
SaaS platforms and software vendors have a unique opportunity. Whether you already offer some type of payment collection option or have an application that has the potential to leverage payments, there has never been a better time to explore your options.
Data Hostaging in the Payment Processing World. You may have heard of someone’s computer being hijacked with messaging demanding they pay for alleged wrongdoings or to be able to get important data back. Typically referred to as Ransomware, this malware holds your computer hostage by encrypting its data or by making it inaccessible in some way. The user is then hit with demands to pay ransom money to the cybercriminal who installed the malware. For more information a good post by Andy O’Donnell [http://netsecurity.about.com/bio/Andy-O-Donnell-82564.htm] is at: http://goo.gl/3ymh6d.
In the payment processing space there is another form of data hostaging. In most cases businesses don’t know that data they believe is theirs really is owned or controlled by their payment gateway and/or merchant account provider. Unfortunately the only time the business discovers this is when they ask their provider for full customer credit card data.
There are multiple reasons why a business would want this. One very common reason is they are leaving one SAAS/software provider for another, e.g., they might want to move from QuickBooks to FreshBooks or vice versa. With the proliferation of technology providers and new solutions this need for data migration becomes increasingly important. Another common data exchange scenario is the business wants to change their merchant account provider, e.g., from FirstData to Global. If the credit card processing is accomplished via a gateway with multiple back end processor integrations [like FirstData | Vital | Global etc.], the migration concerns of changing processors are mitigated.
Unfortunately, for many businesses, and for their gateway or SAAS provider, the fact that the business may not be able to get what it considers to be its data is not known until the business owner desperately needs that data.
Consider the business owner selling all or part of his business. If that business's assets include recurring billing customers, then without the payment data associated with those customers the business owner has no asset to sell. In certain industries like the security/alarm space it is relatively common to see a sales organization acquire a customer and then sell that alarm monitoring recurring billing account to another provider. Clearly the billing information is critical. Not having a defined compliant method to exchange this sensitive data can create significant issues.
The data exchange problem is of course data security. With PCI [Payment Card Industry] requirements that data be handled and stored securely [https://www.pcisecuritystandards.org/] the handover of this data must be done while remaining in compliance.
To remain compliant, full card data must be exchanged in a secure manner. If two payment processors are involved, both must be Level 1 PCI compliant. The card data MAY be provided to the business if the business has fulfilled its PCI requirements.
So there are definite ways that data exchange MAY happen. If your gateway provider or SAAS partner has a defined plan to exchange data with another Level 1 PCI compliant partner and the receiver of the sensitive data also can accommodate the transfer you are in luck and the process can move forward.
Unfortunately we have seen first hand multiple instances where this process was either significantly delayed or in some instances was not successful. Not surprisingly the root issue with moving that credit card data is the processor holding the data will see a loss of business and the ensuing revenue stream. There are some well-known industry names that if you were to call and ask about the data migration process the reply would be a flat “We don’t do that”. PCI concerns will be cited and as much as the business owner pleads the response does not change. Even if legal action is threatened there is no movement as the gateway/SAAS/merchant account provider knows the contract the business owner signed spells out their right to hold the data.
Even if you are lucky enough to get your provider to agree to migrate the data you may still be forced to wait [we have seen 3 months or more] and may have to pay significant fees [$5000 from certain providers].
If you are using a payment aggregator or payment facilitator [PayFac] like Stripe or PayPal they own the customer data and it is highly unlikely you will ever be able to obtain payment related data.
The PayFac model allows service providers like PayPal or Stripe to create credit card merchant sub accounts on the fly. The issue is that they also control the customer payment experience. The business must decide if the ease and quick account set up are worth giving up control of the customer’s payment information. For one-time payments the aggregation model may be attractive. For recurring billing needs thought must be given as to whether the PayFac provider will be your forever partner.
The business must be proactive in understanding their payment partner's data migration policies. As you might expect it would be rare to hear “Thank you for partnering with ABC for managing your recurring billing needs. Just so you know we will never provide any customer data if you leave, so settle in for the long haul.”
Whether you are in the process of choosing a provider or have been using a solution for years you need to discover what options you have should your business needs change. In today’s world where new technologies and tools emerge daily you might have a need to change as well. In addition if an exit strategy is on the horizon you don’t want data to destroy your ability to sell your company. As a SAAS provider your clients will look to you if there are issues with obtaining data. Your business needs to understand and let your users know about potential issues if they are in need of “their” payment data.
About Agile Payments: Agile Payments [AgilePayments.com] has been strategically partnering with SAAS and software companies for over 15 years. Agile has helped these same partners add millions to their bottom line. The ability to deliver value for the SAAS provider and just as importantly their client base is their competitive differentiator. For more information and how your company can take advantage visit AgilePayments.com.
Top 5 must haves before integrating with any Payment Gateway. The #1 MUST HAVE is probably the least thought about decision making criteria yet arguably the most important. You MUST make sure your payment gateway partner values your customers as much as you do. You know how much time and effort is spent on customer acquisition. In today’s world competition for clients is fierce. You can’t afford to spend time and money to bring on a new client only to have them disappointed with poor communication or a complete lack of support. Having confidence that your most valuable asset is being well taken care of simply cannot be overstated.
This may come as a surprise to many. After all, having a great API that you can deploy quickly tends to be at the top of the list for many developers. This can be short sighted, so before you make the decision to hand over your client base you owe it to your business and your customers to ensure that the payment gateway partner has an acute understanding of lifetime customer value.
- What is the support plan?
- How do they do it?
- Ask questions about front line support [time to respond/support hours]. Is this outsourced or handled internally? If support needs to be escalated, what is the process and time frame?
- Who handles billing issues, bank account changes, business formation changes?
- If your payment gateway provider also provides the merchant accounts you can also add questions about the application and underwriting process. What is the application turn around, what are the merchant obligations?
- Can credentials be pushed automatically into your app so that the end user has little to do?
- Do they communicate with your users about enhancements, service issues, recollection options, payment recycling strategies etc or are those customers an afterthought?
2 - Multiple payment modalities
Recurring or subscription billing should have the ability to process credit, debit cards and ACH transactions. Credit cards are the de facto billing method for many providers and offer the security of knowing at the time of sale that the customer payment is good. This comes at a price [likely 2.5% or more]. For most merchants the ACH option is an excellent alternative. Though there is no authorization component whereby the purchase amount is validated for payment, the additional risk of failed payment [e.g., non-sufficient funds or a closed bank account] is mitigated by the available 90+% reduction in transaction processing fees. If the merchant perceives higher risk there are checking account verification services that can be deployed as well as automated payment resubmission. The ACH system is available in the US and some providers [limited] also offer Canada. A single platform for billing US and Canadian bank accounts and credit cards is a competitive differentiator. There is another “dirty secret” about credit card processing. Recurring payments often have decline rates that exceed 10% [due to invalid expiration dates and card reissuance; think Target breach].
3 - Integration options and developer support
A Single-Stack Solution should be available – Developers shouldn’t have to use different processors, versions or stacks when integrating across those various channels. Single-stack APIs create opportunities for payment integration that in turn reduces integration time.
Multiple Development Languages – Flexibility is an advantage developers have come to expect. Legacy APIs have limited developers’ options when it comes to the use of languages. For developers, the best case scenario is a payments API that allows for all contemporary development languages, including JSON, Ruby, Python, .NET, JAVA and PHP.
Development Support – Development support seems like an obvious feature for payments APIs. But many APIs lack the resources it takes to develop and maintain payments technology. To minimize risk down the road, API support should offer developer-friendly documentation, sample code and other features that improve the development process. Test accounts should be made available same day with dev support being an email or call away.
4 - PCI Compliance Offloading
PCI compliance is often confusing and intimidating. For developers and SAAS providers the decision to embed payment processing into an application often leads to questions about obligations and repercussions regarding PCI.
Achieving Level 1 compliance is an expensive and time consuming task that also comes with frequent audits. For some companies it may be an option that best fits their business model. For most SAAS providers a much simpler and less expensive option is to partner with a payment gateway provider that can help remove the PCI burdens.
The key is to work with your payment gateway provider and create a solution that takes the application out of PCI scope. Essentially that means that the SAAS provider never touches nor stores the sensitive payment data. Typically this is accomplished via vaulting or tokenization. In the tokenization scenario the full card number is exchanged for a proxy token, and when that customer needs to be billed again the token is sent in place of the credit card [or ACH data]. This is often accomplished using a secure pop up “lightbox” where complete card data is entered. From there the gateway partner communicates the token back for storage and future use.
PCI compliance is a requirement in credit card processing. ACH processing currently does not have the same mandate. However it is likely there will be corresponding data protection rules and regulations forthcoming. If your application will have an ACH component [all recurring apps should] you want a payment gateway provider that already employs tokenization for ACH transactions.
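The tokenization flow described above, as an added Python example that is not from the original article or any gateway's API: `GatewayVault`, `SaasBilling` and the card number are constructed stand-ins. It also shows why a stored token cannot be replayed against a different provider, which is the data-portability issue discussed earlier on this page.

```python
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn checksum, the sanity check a card-entry form runs before tokenizing."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class GatewayVault:
    """Hypothetical stand-in for the gateway's PCI-scoped vault."""
    def __init__(self):
        self._cards = {}                    # token -> (pan, expiry); gateway side only

    def tokenize(self, pan, expiry):
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_hex(12)   # random proxy, not derived from the PAN
        self._cards[token] = (pan, expiry)
        return {"token": token, "last4": pan[-4:], "expiry": expiry}

    def charge(self, token, amount_cents):
        if token not in self._cards:
            return {"approved": False, "reason": "unknown_token"}
        return {"approved": True, "amount_cents": amount_cents}

class SaasBilling:
    """Out-of-scope application: persists only what the gateway hands back."""
    def __init__(self, vault):
        self.vault = vault
        self.customers = {}

    def save_card(self, customer_id, token_record):
        self.customers[customer_id] = token_record

    def bill(self, customer_id, amount_cents):
        return self.vault.charge(self.customers[customer_id]["token"], amount_cents)

def demo():
    pan = "4111111111111111"                # constructed sample: common test number
    gateway_a = GatewayVault()
    app = SaasBilling(gateway_a)
    app.save_card("cust-1", gateway_a.tokenize(pan, "12/30"))  # lightbox step
    first = app.bill("cust-1", 2900)        # recurring charge by token
    app_holds_pan = pan in repr(app.customers)
    app.vault = GatewayVault()              # switch providers without a vault migration
    after_switch = app.bill("cust-1", 2900)
    return first, app_holds_pan, after_switch
```
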
5 - Revenue Share Model
It does not seem to make much sense to leave money on the table, yet many gateway partners do not offer a true revenue share model. The prevailing attitude of many developers and SAAS providers is: We do the integration and our clients choose their provider [if gateway options are offered]. There are multiple reasons why this may not be in your best interest [see reason #1 for a big one]. If you have done the hard [and expensive] work of acquiring a new client you are obligated to derive as much revenue as possible. The payment gateway partner is being provided a new client with NO acquiring cost. It seems reasonable that a revenue stream agreement should be in place for the lifetime of referred clients. Some providers take the attitude that this is somehow endorsing a gateway provider. If you believe your end users will benefit from your gateway partner’s tools for reliably getting paid and you have faith that your clients are well taken care of, why would you not endorse them?
Consider the SAAS provider collecting $29/month for their app. If each of those clients generated just $10/month in payment related revenue sharing you could have a 33% bump in income. In addition having a revenue share partnership tends to also produce better and more frequent communication between the SAAS provider, the payment gateway provider and the SAAS user base. Often this synergy drives enhancements that benefit all stakeholders.
Payment Gateway strategy can have long and far reaching effects on almost every part of your business. By using the suggestions above you can save time and money as well as generating new revenue streams for your business. Most importantly you deliver more value for your end users.
Payment Gateway Integration: A Growth Strategy for developers and SAAS providers. Payment Gateways play an integral role in ecommerce and the ability to embed payment-processing functionality inside applications. Authorize.net, founded in 1996, was the first to market.
There are now multiple providers of gateway services and although the technical capabilities have evolved the role of the gateway remains the same: to provide a secure method of transmitting payment data from the merchant to the back end payment processor.
For many developers and SAAS providers choosing their payment gateway partner[s] is not a decision driven by the potential for the partner to actually help grow their business. Integrate with usual suspects in gateway space, hand off the customer and hope for the best is somewhat standard. Support and funding issues, data hostaging, customer confusion on gateway versus merchant account, lack of payment options [specifically for recurring payments] and more can leave clients frustrated and looking for alternatives.