Advances in technology and culture have brought about the demand for payments made not only in pieces of paper and metal. In 2020, the global volume of online bank transfers was equal to $5.4 billion (see the link in the end of the article), while the growth to $6.6 billion is predicted for 2021. The interest in non-cash payments stems not only from the pandemic but also from the growing convenience of this payment type as such. Though as an Internet shop owner, you have to make it possible for your buyers to pay in cash to the courier, judging from the statistics above this option won’t be a priority.
Online payment is probably one of the most important aspects in the operation of your e-commerce site suggesting flexibility and security. In this post, we’ll try to give you a brief introduction to cash-free payment on the Internet: we’ll delve into the terminology, trace money movement from the buyer to the online store, warn you about the dangers and expenses. And surely, we couldn’t have been called a Drupal studio if we omitted the issue of online payments on a Drupal website.
Introduction to Terminology
What is an Electronic Payment System?
An electronic payment system (EPS) is a combination of physical devices and programs working together so that instead of a wallet stuffed with money you could use its electronic — and, therefore, much more efficient — equivalent: a plastic card (Visa, Mastercard), its virtual copy or a web wallet (WebMoney, PayPal, AdvCash). EPSs allow you to pay for your purchase by credit card in a physical shop or by using payment details on a website or in an application, pay for electricity, gas, or water supply, or lend out money to a friend without face-to-face contact.
Payment aggregators or payment service providers are also classified as EPSs. They act as intermediaries for the buyer, the bank, and the seller and provide a whole range of services in exchange for a certain percentage of the transfer amount. Say, when remitting money from the card of X bank to e-wallet Y is impossible or associated with extra charges, the aggregator takes on the task of an envoy of sorts. Each payment aggregator is convenient and inconvenient in its own way, so you should select one according to your reality, particularly, depending on the country of your business.
We have experience with such payment aggregators as Stripe, PayPal, Braintree, Square, Worldpay, and Ubercart.
What is the Internet acquiring?
This term implies the ability to make online payments without producing a physical card. The user only has to type in its details on the website and comfortably click on the “complete online transaction” button. After that, the famous magic we’ll talk about below sends your money to the e-commerce site. The card as a piece of plastic is of no use now, that’s why you can maintain a virtual card of your bank or a web wallet.
What is a Payment Gateway?
To put it tentatively, this is a channel used to send the encrypted number, date and CVV of the buyer’s card. This is done using an intricate but safe route where nothing must happen to the data.
Frequently used payment gateways include Authorize.net, Amazon Payments, WePay, 2Checkout, Dwolla, and others. Sometimes, payment aggregators take on the tasks of encryption and data transfer between the transaction parties — such functionality is available, say, in Stripe, PayPal and Worldpay.
When selecting a payment system, make sure that it works in your country.
Online payment processing — how it works?
Now let’s describe in layman’s terms the process of money movement from the buyer to the store:
- The buyer adds money to the credit card. The bank that issued the card is called the issuing bank.
- The buyer types in the card details on the website or in the online shop application or makes payment through a POS terminal.
- The data is sent to the payment gateway, encrypted, and transferred to the shop’s partner bank. This bank is called the acquiring bank.
- The encrypted data comes to EPS.
- EPS contacts the issuing bank and is either permitted or prohibited to withdraw money, in which case either the funds are not sufficient or the buyer’s account is blocked.
- If everything is OK with the account, the issuing bank sends the purchase amount to the acquiring bank.
- The acquiring bank credits the purchase amount to the shop’s account.
Accepting payments on a Drupal website
Though Commerce in itself doesn’t include the payment function, it offers a ready framework and an admin panel the function can be integrated into. The user should download the module for the Drupal Commerce platform, which is integrated with the selected payment system or gateway, and set it up in the admin panel. The list of EPSs and payment gateways compatible with Commerce includes both the world-known PayPal, Stripe, Braintree, Authorize.net and 100-plus small aggregators listed in the module documentation. If the payment gateway you wish to use on your website is missing from this list, Drupal Commerce framework allows developing the module on your own.
And what will happen if you neglect to perform integration with the payment gateway? We were approached by a client whose buyers, when trying to pay for the order, were pushed out to the bank website where the payment was to be carried out. The magic was unveiled and unnecessary steps were added to the payment procedure; as the result, the buyer was not happy. You’ll be lucky if the buyer finalizes the purchase, but the chances of the buyer returning reduce as there are more convenient stores. Based on programmers’ estimates, it may take tens of hours to develop a solution for Drupal Commerce integration into an unknown payment system. It’s expensive but look ahead — by saving on development now, you are likely to lose buyers and money later.
We talked about Commerce, Kickstart and Ubercart in our first post and provided the Commerce installation and setup guidelines in the same post. That’s why let’s use the remaining space for other aspects. For instance, we’ll describe an exceptional case you also can experience if you accept payments from a foreign bank.
The child health clinic "Under 16 years old" is one of our clients. To enable payment for services, we used the payment gateway of Sberbank (a major Russian bank). Some gaps were found in the bank documentation: nothing was said about the case when a payment made by a foreign bank card fails. This was the case the clinic’s customers faced when they tried to pay by cards issued by Kazakh banks. The problem was resolved only in personal consultation with the technical support of Sberbank. The moral and recommendation would be as follows: since it is not always the developers who are to blame for all acquiring issues, contact the support teams of all services involved in the process if you are going to have international transactions.
Who is responsible for data security? What is the site owner to do to protect the buyers’ payment data from leaking anywhere?
Usually, if you need to keep card details, you should select a payment system that allows doing this on its side (for example, Stripe). In this case, the online store website operates only with the identifiers needed to request data from the payment system. However, the data leak is still possible as the attacker might find some security gaps during setup of the web server or in the application itself and use the gaps to embed the code to collect personal data or can steal private keys for the aggregator integration.
To be on the safe side, it makes sense to maintain security updates for CMS and the modules, configure the web server and access rights correctly, and be mindful of the system functional testing to differentiate the access rights to ensure that anonymous users cannot access the orders or that buyers cannot view each other’s orders.
Surely, a third-party service also wants to earn money and charges business internet professionals a fee for some of its services. All providers of internet acquiring services are similar in that they charge a commission for each remittance. For instance, Stripe charges 2.9 % of the payment plus 30 cents and promises ‘no setup fees, monthly fees, or hidden fees’. Good client-oriented services are ready to offer you a special percentage rate based on your region, business type, and monthly revenue.
In addition to the remittance fee, payment services can charge fees for:
- Monthly usage
- Service setup
- International fund transfers
Read the tariff information of each payment service provider carefully.
An online shop offering search by products, filters, payment page, personal account, etc. will require a higher-performance server as compared with an online business card or a media outlet, which is why additional expenses will be needed for the online shop hosting.
Judging from experience, website owners can go very deep into the aspects relating to the differences between the payment systems, data security, and so on, but they are not always able to put this knowledge readily into practice. Remember the story about in-house development of the module that enables interaction with the payment gateway. As you might guess, this task requires some programming skills. We are writing this post because we want to share the same language with entrepreneurs but we suggest that you should delegate the tasks of the payment system implementation and setup to your contractor.