One of the most important functions of an eCommerce site is accepting payments on the web. Surprisingly, very little is written about this and it seems very hard for beginners to find basic information needed to outline the possibilities, and to clarify the benefits and costs of the various approaches.
Firstly, no discussion on payment processing could be complete without discussing PayPal, one of the oldest and most well known methods of accepting money on the internet. PayPal can be driven from a website in a number of ways, and accepts payment on your behalf. Originally, payment was taken from a "virtual" balance and credited to your business's balance with PayPal. One of the significant weaknesses of PayPal for many years was that it required your customer to create an account with PayPal and to log in to that account to pay subsequently, even if they were trying to use their credit card with your store.
Modern PayPal now allows charges directly to credit cards, without requiring your customer to log in to pay. This has greatly increased PayPal's usefulness and removed one of the major obstacles customers faced using PayPal. However, probably the biggest advantage of PayPal is that it is very easy and simple to set up – for the sale of one or two items, without a shopping cart, setup takes less than a few hours.
An important point to understand about PayPal is that they only take payment through their own website. When setting up your website to take payment through PayPal, your developer passes the transaction through to their website which accepts the payment and credits your account, notifying your website of the successful transaction through a mechanism called a "callback" or “IPN”. As the payments come in, PayPal puts them in your account, and to get access to the funds you need to make a periodic withdrawal. In the past, PayPal has been prone to locking merchant accounts for little reason (for example, sufficient reason can simply be a sudden large rise in business!), so this may be one reason mature businesses tend to avoid PayPal. To be fair, my impression these days is that well run businesses have few problems with PayPal.
PayPal does offer great eCommerce flexibility, including the ability to have recurring or automated subscription payments, use of their own eCommerce facilities, and a variety of ways of taking payments including through simple links and buttons. Its degree of flexibility
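An added example (not from the original article or from PayPal): because the callback is an ordinary HTTP request that anyone can send to your site, the handler should confirm it with PayPal and check it against the order before marking anything paid. The function names, the `order` dictionary and the sample message are assumptions made for illustration; the postback step and field names follow PayPal's IPN documentation.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs
from urllib.request import Request, urlopen

# PayPal's IPN postback endpoint (live site).
IPN_VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"

# Constructed sample notification body, not a real transaction.
SAMPLE_IPN = (b"payment_status=Completed&receiver_email=shop%40example.com"
              b"&mc_gross=49.95&mc_currency=AUD&txn_id=TESTTXN0001")


def paypal_postback(raw_body: bytes) -> str:
    """Echo the notification back to PayPal, which answers VERIFIED or INVALID."""
    req = Request(IPN_VERIFY_URL, data=b"cmd=_notify-validate&" + raw_body,
                  headers={"User-Agent": "ipn-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("ascii", "replace").strip()


def accept_ipn(raw_body, order, seen_txn_ids, merchant_email,
               postback=paypal_postback):
    """Return (accepted, reason) for one notification.

    `order` is a hypothetical record: {"amount": Decimal, "currency": str}.
    `postback` is injectable so the checks can be exercised offline.
    """
    if postback(raw_body) != "VERIFIED":
        return False, "not verified by PayPal"
    msg = {k: v[0] for k, v in parse_qs(raw_body.decode("utf-8", "replace")).items()}
    if msg.get("payment_status") != "Completed":
        return False, "payment not completed"
    if msg.get("receiver_email", "").lower() != merchant_email.lower():
        return False, "paid to a different account"
    try:
        paid = Decimal(msg.get("mc_gross", ""))
    except InvalidOperation:
        return False, "unreadable amount"
    if paid != order["amount"] or msg.get("mc_currency") != order["currency"]:
        return False, "amount or currency mismatch"
    txn = msg.get("txn_id")
    if not txn or txn in seen_txn_ids:
        return False, "duplicate or missing transaction id"
    seen_txn_ids.add(txn)  # remember it so a replayed message is refused
    return True, "ok"
```

In production `seen_txn_ids` would be a database table rather than an in-memory set, so that replay protection survives restarts.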
A significant downside of having PayPal as the only means for accepting payment is that it indicates strongly to your users that you are only a small business. However, if users in your target market don't understand that, or don't care, this may not apply to you.
Strengths? Easy, cheap and quick to set up. Relatively secure. Powerful and flexible. Handles credit card security for you.
Weaknesses? PayPal stigma. Receiving payments into their account can be prone to issues, including locking of accounts.
Credit Card payment through a gateway
Generally speaking, most internet businesses tend to prefer to take payment through payment gateway companies, due primarily to the cheap software setup costs (often ready to go).
The use of a payment gateway requires you to set up a specialized “merchant account” allowing you to take payments over the internet – often called something like an “Internet Enabled merchant account” though the exact term varies depending on the bank. A substantial advantage of accepting payments through this method is that the payments are in your account the next day (or the day after).
To pay through a gateway, you’ll need to set up an account with the payment gateway as well as the Internet merchant account. During the process of setting this up the bank will want to know that you have a legitimate website selling real products and that you are an honest and ethical business with such things as delivery and return policies to essentially protect themselves against complaints and chargebacks (refunds from customer complaints) against your business. They will usually want to approve your website first and, frankly, some banks have been very much harder to deal with over the years than others. Unfortunately, already having a normal merchant account (cards processed by a card swiping terminal) helps a little but doesn’t guarantee your application will be successful. The bank may charge you for setup, as well as an annual fee (usually about $300) and may also require you to sign an agreement which includes an exit penalty, so read carefully! You can sometimes negotiate to reduce exit penalties, particularly if you have an existing non-internet merchant account. You should allow at least 2 months for setting up a merchant account – the banks will tell you it’s a few weeks, but every site we’ve been involved with has taken longer!
The two main payment gateway companies in the Australian context are eWay and SecurePay. We’ve dealt mostly with eWay for 6 years now and can highly recommend their attention to detail and customer service as second to none. eWay in particular have worked hard to have their system well supported by nearly all of the major eCommerce systems out there, so they will just work out of the box. Additionally, eWay provide ready-to-go code fragments in several common languages so implementing payment through them is actually pretty easy.
The payment gateways usually charge a per-transaction fee, which you can negotiate down as your number of transactions increases. Additionally, your merchant facility will subtract a small percentage (usually 1.25% – 2%) of the payment amount, and a little more for Amex and Diners. There is also an annual fee, and possibly a setup fee. Ask carefully what fees apply when talking to the payment gateway companies to ensure you are comparing apples with apples.
Just a small point – the payment gateways all have associated websites, allowing you to log in and run reports against the day’s transactions, and to take actions such as refunds, rebills, and searches. A second small point is that many gateways will store credit cards for you, providing you with a secure token for rebilling.
Strengths? Direct card billing (no PayPal); Faster processing into your own account; Easier and cheaper to set up initially; Reporting tools tend to be strong. Lower costs.
Weaknesses? Some fees.
Direct Bank implementations
Most banks will tend to suggest you implement your payment processing through the bank’s own gateway (terminology: a few of the banks call the system they use for this “MIGS”). As each bank tends to have their own code, and little is out there in the public domain, this can require some code to be written. In the early days the banks used to just supply you with a 2-inch thick document to read but my understanding is that some do provide code fragments these days.
You will need to set up a merchant account as you did above, which will also be subject to ongoing fees. The most common pathway for small businesses is that they set up a payment gateway initially and then move to a direct bank implementation as their turnover grows large enough. One of the advantages with the Direct Bank payment processing is that you don't have to pay gateway fees. Check with your bank to ensure there are no other fees involved as charges vary widely.
Depending on the bank and how helpful it is, you're likely to be up for development costs to implement the website code required to send your transactions to the bank. Some banks provide sample code for this, and it seems to be gradually getting easier for developers (and thus cheaper) over time.
A significant cost to this approach is that the bank is likely to require you to prove that your website and transaction processing are secure, and may require you to be certified for “PCI Compliance” – particularly in this era where even large companies such as Sony’s PlayStation Network have been compromised with stolen credit card information. As this costs the banks millions (estimated $30 per replaced card) the banks try to ensure you are taking appropriate care with customer card information. Ironically, in my experience, it’s often the older websites that tend to cause many of these problems, as aging code tends to develop security faults over time! PCI Compliance has a number of levels and can impose restrictions and costs, particularly at the higher levels where certification alone costs $20,000 or more. If you have a website compromise that results in card information being exposed, banks will probably require that you be certified before allowing you to process transactions again. As part of getting your website developed, you should talk to your developers and ensure that they actually understand the security issues involved and have taken appropriate measures to keep card information safe, as a failure here can put your business at risk.
Strengths? Fewer fees and lower costs.
Weaknesses? Bank tools can be inadequate; Costs more to implement; Much stricter security generally required.
This article has been only a brief overview of how eCommerce payments work and the issues involved, and we hope we've given you a useful roadmap for choosing a payment solution for your eCommerce site.
Some of the other issues include storing card numbers, security, increasing sales "conversion" rates on your site, finding reliable ecommerce hosting, and developing an actual website; we'll touch on some of these in future articles.
Please let us know if you’ve found this article helpful, or have any questions you’d like covered, or would like to talk to us about the issues you have in getting your own eCommerce site up and running.