Written by Rajesh V
1. Preface
As both eCommerce and retail businesses grow to meet demand, the need to upgrade the payment solution is inevitable. A cost-effective solution with faster throughput and high availability is what every merchant is looking for. Here are some of the key considerations that influence the selection of a payment provider. This document assumes you are familiar with payment technology and terms.
2. PCI Compliance
- A payment provider should support PCI DSS compliance.
- Look for a provider who not only supports PCI DSS but also assists merchants in arriving at an architecture that eliminates the need for PCI DSS requirements in your local environment
- The provider should minimize the risk involved in transporting and
maintaining card data, reducing the scope and cost of your PCI compliance
3. P2PE & Tokenization
- The provider should support both P2PE and tokenization. P2PE is mostly used at the POS terminal in brick & mortar stores
- The provider should tokenize the card data but at the same time preserve the last 4 digits of the card number in the token. Some providers preserve the first 6 digits as well
- Also make sure the provider has a tool / API to support de-tokenization. This might be required for your customer service operations, but it is optional
- The tokens generated should be merchant/brand specific and should fail the mod 10 (Luhn) check, so a token can never be mistaken for, or used as, a real card number
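The properties listed above (same length as the card number, last 4 or first 6 and last 4 preserved, token fails the mod 10 check, tokens bound to one merchant, de-tokenization only for the owning merchant) can be checked concretely. The following toy vault is an added illustration, not any provider's product or API. The vault secret, merchant identifiers and the 4111111111111111 test card number are constructed inputs; surrogate digits are derived with an HMAC purely so the example is reproducible, whereas a production vault would normally draw random surrogates and store the mapping.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the mod 10 (Luhn) check that real PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy merchant-scoped token vault (illustration only, not a real provider's vault).

    Token layout: [first 6 if requested][surrogate digits][last 4], same length as the PAN.
    """

    def __init__(self, vault_secret: bytes) -> None:
        self._secret = vault_secret
        # (merchant_id, token) -> PAN; only the merchant that owns the token can look it up
        self._by_token: Dict[Tuple[str, str], str] = {}

    def tokenize(self, pan: str, merchant_id: str, keep_first6: bool = False) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        head = pan[:6] if keep_first6 else ""
        tail = pan[-4:]
        n_mid = len(pan) - len(head) - len(tail)
        # Surrogate digits come from an HMAC over (merchant, PAN): the same card yields a
        # stable token within one merchant and a different token at another merchant.
        # (Hypothetical derivation chosen for reproducibility; real vaults use random surrogates.)
        mac = hmac.new(self._secret, f"{merchant_id}|{pan}".encode(), hashlib.sha256).digest()
        mid = "".join(str(b % 10) for b in mac[:n_mid])
        token = head + mid + tail
        if luhn_valid(token):
            # Bumping any single digit by one always breaks a valid Luhn sum, so the
            # token can never pass as a card number (this also guarantees token != PAN).
            i = len(head)
            token = token[:i] + str((int(token[i]) + 1) % 10) + token[i + 1:]
        existing = self._by_token.get((merchant_id, token))
        if existing is not None and existing != pan:
            raise RuntimeError("token collision; widen the surrogate or retry with random digits")
        self._by_token[(merchant_id, token)] = pan
        return token

    def detokenize(self, token: str, merchant_id: str) -> Optional[str]:
        """Return the PAN only to the merchant that owns the token; anyone else gets None."""
        return self._by_token.get((merchant_id, token))


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-secret")
    t = vault.tokenize("4111111111111111", "brand-a")
    print(t, "luhn valid:", luhn_valid(t), "owner lookup:", vault.detokenize(t, "brand-a"))
```

The `detokenize` scoping is the same property that matters later for fraud screening: a party that is not the owning merchant (or the provider) holds only the token and cannot recover the card number from it.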
4. Point of Sale (POS)
- If your business has brick & mortar stores, consider the providers who support POS-based payment transactions
- Point to Point Encryption (P2PE) is a must-have for transactions happening at the store. The card data should not be transmitted in the clear between the PIN pad and the POS terminal or payment gateway; it should be encrypted using cryptographic algorithms
- As EMV and Chip & PIN payment cards are more common, look for a provider who supports these kinds of cards and transactions
- Also, based on the payment terminals used in the stores (e.g. Verifone, Equinox), make sure the payment provider is in the partner list of the payment terminal supplier. This saves a lot of effort during terminal upgrades and eases the P2PE integration
- The provider should support more than one encryption technique, as different payment terminals demand different encryption techniques
5. Ecommerce
- There are a couple of ways of capturing payments on eCommerce sites:
1. Hosted payment page by the payment provider (inline frame or separate payment page)
2. Payment page hosted by the merchant (your .com site) and HTTP POST of the data to the payment provider
Both options work fine, but select the option that gives the better customer experience for your brand
- Many providers allow merchants to customize the hosted payment page on their gateway. Look for features to include your logo, change the theme to match your style (.CSS), and include or exclude payment form fields in the hosted payment page
- eCommerce transactions are card-not-present transactions and require fraud checks. Ask your provider whether they support fraud checks during authorization. It is definitely a value add and reduces chargeback cost
6. Fraud Assist
- Many providers have a white-label or proprietary solution for fraud validation
- As payment fraud is on the rise, considering a payment provider who supports fraud checks is definitely a plus
- If you prefer direct integration with a fraud provider (not through a payment provider), note that the payment tokens (generated by the payment processor) cannot be de-tokenized by the independent fraud service provider, so fraud checks on the card number cannot be done. This is one of the bottlenecks in going with an independent fraud service provider
- The fraud interface should provide fraud filters such as device, IP address, geolocation and linking of previous data, and should support custom fraud rules
7. Pricing
Last but not least, look at the pricing model very carefully. There may be some fine print.
- Providers might charge merchants for each transaction, by transaction type (Authorization / Tokenization / Settlement / Reversals / Chargeback, etc.)
- Some providers won't charge for tokenization every time you call the authorization service for already registered card members, while others charge for tokenization on each authorization call
8. Miscellaneous
- If you have an international business, make sure the provider supports international transactions and assists with fraud checks
- Check the features of the payment provider's reporting / admin tool. It should have the out-of-the-box (OOTB) reports you are looking for and allow merchants to customize the reports
- The provider should have a batch interface to authorize, tokenize & settle the
payment transactions. This will be handy during the initial phases
- Get the performance and benchmark numbers from the provider and make sure they are within your SLA