Understanding Terms of Online Payment Solutions
Google "how to accept online payments" and you’ll come up with “about 151,000,000 results.” After this article is published, we can chalk it up to “about 151,000,001.” The online payment industry can be daunting. A basic understanding of industry terms will go a long way toward helping you deploy the best WordPress ecommerce payment gateway plugin for your needs.
In this article, we’ll cover the difference between:
- payment gateways,
- payment processors,
- payment acquirers and
- merchant accounts.
Also essential to a proper understanding of the online payment industry is an understanding of PCI compliance. We’ll touch on compliance and show you where to find the self-assessment tool for evaluating the security and compliance of your website.
What is a Payment Gateway?
Let’s start at the beginning, with payment gateways. A payment gateway is essentially a “doorway” on your website that allows you to take online payments via credit card, debit card, or echeck. In other words, it’s a software application that makes online payments possible.
Payment gateways are necessary because it is prohibited by PCI DSS (we’ll explain what this is later in the article) to transmit cardholder information directly from a website to a payment processor. A secure mediator is required.
A payment gateway differs from a payment processor in that it is a mediator between an ecommerce website and the payment processor. It is not the payment processor. It allows your website to communicate with a payment processor.
Payment gateways always require a merchant account. Most payment gateways provide merchants (online sellers) a merchant account in addition to payment gateway services. Authorize.net is one such payment gateway that provides additional services such as a merchant account. Authorize.net can also be used simply as a payment gateway, with a separate merchant account held elsewhere.
What is a Merchant Account?
A merchant account is a type of bank account that authorizes sellers to accept debit or credit cards online. Merchant accounts hold funds temporarily (usually 2-7 days) after settlement from card issuers. Then funds are transferred to the seller’s primary bank account. Having a merchant account is necessary to use a payment gateway. Most merchant accounts also come with a gateway included. PayPal is a prime example of a simple merchant account. If you’ve ever sold anything online and received payment through PayPal, you’ve probably utilized a PayPal merchant account.
What is a Payment Processor?
The payment processor is essentially the transaction link of an online payment. Payment processors are not “seen” by the consumer. They work in the background.
Payment processors handle the authorization piece of the online sales payment transaction.
Payment processors deliver transactions to card issuers (i.e. banks that issue credit cards) for settlement.
Examples of payment processor companies are Stripe (which processes without requiring a payment gateway or merchant account), Flagship Merchant Services (which also provides a merchant account), and TSYS Merchant Solutions, which is known as a top provider of processing services for medical practices. TSYS, for example, features Authorize.net as its only payment gateway option.
If a processor is not a bank, it will form a partnership with a sponsoring bank to be able to join Visa and Mastercard. This is due to the requirement by Visa and Mastercard that only banks may join.
What is a Merchant Acquirer?
A merchant acquirer is the communication link in the online payment chain. This is who the merchant talks to. The acquirer is the business which markets directly to online sellers (merchants). The acquirer arranges payment processing services for merchants and signs them up to accept payment cards. The larger merchant acquirers also provide processing services themselves, while smaller acquirers often resell the processing services of processors. Examples of acquirers are First Data, Chase Merchant Services and Wells Fargo.
Payment processors are sometimes referred to as “acquirers”, although they are two distinctly different roles. Some payment processors are also acquirers, however.
What is PCI Compliance?
PCI is actually an abbreviation for the Payment Card Industry Data Security Standard (PCI DSS), which is a set of security measures designed to ensure secure environments for processing credit card data. It came into effect in 2006 and is administered by an independent oversight council called the PCI Security Standards Council, created by Visa, MasterCard, American Express, Discover and JCB International.
All merchants will fall into one of four compliance requirement levels based on the total number of Visa transactions over a twelve month period. Each level requires progressively more security measures, with level one being the highest level.
Penalty for Non-PCI Compliance
Any entity that stores, processes or transmits cardholder data is subject to PCI Compliance. Every site accepting credit card payments must be PCI Compliant, or face fines. These fines are imposed by the council at its discretion and can range from $5,000 to $100,000. The acquirer will be hit by the fine and will then pass it down the chain until it reaches the merchant. PCI non-compliance may also involve the potential for increased transaction fees. PCI Compliance is a fairly complex set of regulations. Some FAQs regarding compliance can be found here.
How Do I Know If My Site Is PCI Compliant?
Small merchants should use a self-assessment tool made available by PCI Security Standards Council. There are different questionnaires available based upon what type of merchant environment you have. For instance, e-commerce sites and non e-commerce sites will have different assessments. Each questionnaire is a fairly straightforward series of yes/no questions.
The Authorize.net AIM environment is considered a “card not present” environment for purposes of the questionnaire. Detailed guidelines about which assessment is best for your environment can be found here.
What Is Authorize.net?
What Is Authorize.net AIM?
AIM stands for Advanced Integration Method. AIM is the preferred method for securely connecting a website or application to the Authorize.net Payment Gateway. Fully customizable, AIM gives merchants complete control over all the steps in the checkout process. AIM allows merchants to collect payment information on an SSL payment form hosted on their own web server, securely transmit transaction data to the Authorize.net Payment Gateway for settlement, and generate email receipts.
The security of an AIM transaction is ensured via a 128-bit SSL connection between the merchant’s web server and the Authorize.net Payment Gateway.
For the Authorize.net AIM Developer Guide, click here.
Introduction to the Formidable Pro Authorize.net AIM Add-On
Formidable Pro now offers the Authorize.net AIM (Advanced Integration Method) add-on to create payment forms in WordPress. It keeps consumers on your website instead of sending them away to complete their transaction (as PayPal does). Formidable Pro users utilizing Authorize.net are required to have a website with a Secure Sockets Layer (SSL) certificate, because customers are kept on the site for checkout.
Authorize.net AIM Minimum Requirements
The Authorize.net AIM add-on requires merchants to have a U.S. based merchant account and an e-commerce (“card not present”) Authorize.net Payment Gateway Account. The merchant’s website must have a valid SSL certificate. The merchant must be able to store payment gateway account data, such as the API Login ID and Transaction Key, securely.
Depending upon whether or not your site is PCI compliant, there are a couple of options available to you in the credit card field with the Formidable Pro Authorize.net Add-On. You can choose “Save only the last 4 digits” or “Store the whole card number.” A PCI Compliant website can safely and securely store the whole card number. A non-PCI Compliant website must NOT store the whole card number, for obvious security reasons.
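As an added example (not Formidable Pro’s own code), the following Python shows what “Save only the last 4 digits” means in practice, plus a defender’s check that scans stored form entries for any full card number that slipped through. The Luhn checksum, the 13–19 digit length range and the sample entries are assumptions constructed for this illustration.

```python
"""Card-number retention helpers for a payment form that must not keep full PANs.

Added example, not Formidable Pro code: models the "Save only the last 4 digits"
setting and a scan of stored entries for leaked full card numbers.
"""
import re


def luhn_ok(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def retain_last4(card_number: str) -> str:
    """Reduce a submitted card number to the only value a non-PCI-compliant
    site may keep: the last four digits, with everything else masked."""
    digits = re.sub(r"\D", "", card_number)
    if not (13 <= len(digits) <= 19) or not luhn_ok(digits):
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_stored_pans(stored_values):
    """Scan (field, value) pairs for anything that looks like a full PAN.
    Masked values never match; Luhn filters out other long digit strings.
    Any hit means the site is retaining cardholder data it should not."""
    hits = []
    for field, value in stored_values:
        for m in PAN_RE.finditer(value):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                hits.append((field, digits[-4:]))
    return hits


# Constructed sample data: 4111 1111 1111 1111 is a well-known Luhn-valid test
# number; the order_44 value is 16 digits but fails Luhn (e.g. a tracking number).
SAMPLE_ENTRIES = [
    ("order_42.card", "************1111"),
    ("order_43.card", "4111 1111 1111 1111"),
    ("order_43.note", "call me at 555-0142"),
    ("order_44.note", "tracking 1234 5678 9012 3456"),
]
```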
Authorize.net AIM versus Stripe
Authorize.net AIM provides customization and control over your customer’s checkout process. However, you will need an SSL certificate on your website at the very least. You will also need a merchant account and an Authorize.net Payment Gateway account.
If you like the customization and control of Authorize.net AIM but you want to bypass the hassle of needing a payment gateway (such as Authorize.net) and a merchant account, Stripe may be the best option for you. Formidable Pro’s Stripe Add-On allows complete customization and control over the checkout process and simplifies accepting online payments better than any other online payment solution we know of.
The unique thing about Stripe is that it essentially provides all the services of payment processors and payment acquirers without requiring a merchant account or payment gateway. It is an all-in-one solution. It also provides the most security for collecting credit cards with no extra work on your part. You can simply select the option “Do not store or POST card values”, and the card numbers will never hit your server.
Learn more about Formidable’s Stripe plugin.