19 comments

[ 0.22 ms ] story [ 40.1 ms ] thread
Tip Hat to the author for updating this. FYI Braintree's gateway was under similar margin and competitive pressure as a regular "Full stack" provider. There is a point where one can build their on PG. Or there are generic no name alternatives that run in the 1 - 3 cent range. These are bare bone services but once folks hit scale they replace (by building up deep understanding of payments) much of the value add of Braintree (acting as a super friendly partner bringing you into the online world) would bring.
Very informative. We are a payments company (http://www.juspay.in) based out of India. We came to similar conclusion just after the inception of the company. Instead of building a payment gateway, we built a solution that acts as a wrapper on top of payment processors and positioned our product as a specialization in cards processing. And today, some of the biggest companies in India are using our product (1-click checkout).

Our positioning gives us better margins than processors and the icing on the cake is that we are also not exposed to fraud related risks. Settlement process in India is cumbersome and mostly manual. Being a completely engineering team, we are happy that we aren't dragged into settlements and related issues as well.

One of the big downsides for us is that we don't get to have a big float like the processors.

Wow. Interesting.

As having having used several at different scales in both tech and business capacities, general feedback on payment gateways is:

  - developer support (libraries, examples to get apps going quickly and sandbox APIs)
  - clear communication of due-diligence process for new accounts
  - advance notification for production changes
  - discussion of security and audit standards (makes customer due-diligence, internal selling easier)
 
Stripe and others shake things up a little whereas traditional US/multinational basically didn't care about anyone, especially customer service unless you happen to be a Fortune 100 that can yell at their mgmt at a high level.
(comment deleted)
Basic processing may be a commodity but the service is so essential and the data so valuable that there are numerous opportunities to add value (and charge for it) be it fraud detection, analytics, cash management, loyalty, etc.
(comment deleted)
Payment processing is a commodity when things are easy. If you're shipping T-shirts with cheesy movie quotes to college students, you don't have a problem. If you're selling credits for nude webcam chat, things get more complicated.

You get people waking up with hangovers regretting the $500 they spent. You get married men denying that they ever used the site. You get Ukrainian hackers running up charges on stolen cards. You start to wonder if people are laundering money through the site. You get mountains of chargebacks & fraud - preventing most processors from even wanting to do business with you, let alone compete for your business. The ones that will do business with you are going to charge an arm and a leg to deal with the risk.

I had the misfortune of working on a site that ran one of these businesses. They had to run a pool of processors - selecting which one to go through based on how trusted the customer was, how suspicious a transaction looked & even what part of the world they (and their card) were from. Being able to funnel transactions through a single commodity gateway rather than having to add & remove new processors every month as they dropped our account would have been a dream.

I got firsthand experience of this as well. We built a system that leveraged Bayesian filtering for risk measurement and transaction approval (above and beyond CVC and AVS) in high risk markets.

When things were going well, they were great but when they weren't it was really bad. In short, card issuers tend to side with clients (card holders_ and even with the best risk management, it is not an easy business to get right.

I am curious, why are most payment gateways about $25 to $50 /month? Seems like such a commodiy. Why isn't someone offering a $5 -- $10 gateway?
Some of the newer gateways (Braintree, Stripe) don't have monthly fees - but there is a tradeoff. Both of those guys have a high per transaction fee (25-30 cents) and also a relatively fixed discount rate (I haven't heard of anyone negotiate it down with volume). They also don't have some of the extra features other gateways offer: ACH/EFT transfers, Interac Online (canada), card-present transactions (lower discount rate), etc.

For example, I use Beanstream (canada), my monthly fee is about $70, but I pay a much lower discount rate (as I can plug in my own merchant account), and my per transaction fee is only 10 cents. When I do 4,500 transactions in one month for a big event, that saves me $900 alone. I can also do automated ACH transfers to my clients (I provide event ticketing software), Interac Online support, and more. My business model is also TPPA (third party payment aggregation) so the risk is much higher. They also have great customer support.

But the $70 does hurt. I think more and more gateways will start to have to offer no monthly fees much like Stripe/Braintree.

I'd switch to Stripe in a heart beat if they worked with 1ShoppinCart.
Why? 2.9% is almost a full 1% higher than what you can get otherwise. On top of 1sc's 1% transaction cost, you're looking at 4% just for processing!
There might very well be. Check feefighters, it depends on volume and type of transactions.
We work with credit card vendors and to me, it seems like an easy business. You have many companies that want to be PCI compliant and they want to save money and they want reliable service. With credit card processing, it is really quite easy . Charge a credit card, validate, reject, etc. Can you handle all of my transactions? Is your API clean?

The one issue I see:

* Some vendors are slow. E.g. 3-5 second transactions

* Too expensive

* No good PCI compliant user interface. E.g. if I want to embed an iframe into my application. These are kludgy.

Other than that, what a great market to be in. And not just credit card transactions but banking/ach transactions, wire transfers, the whole 9 yards.

Unfortunately, it is not that easy because you are just one part of a larger financial system and have to deal with horribly outdated banks, etc.

I used to work at WePay and a lot of the complex technical work we did was to make sure that the craziness and unreliability of the entities lower in the chain never reached our customers. In a credit card transaction there are multiple parties including the issuing bank, the acquiring bank, the processor, the gateway, the card network, etc. Issuing banks in particular often return bogus error codes, time out, or have provide inconsistent results. I remember Delta SkyMiles rewards cards being particularly problematic.

And with payments there is very little margin for error because you are dealing with people's money. Customers get very upset when you cannot charge their card, and it is not helpful to try to explain that the problem is downstream (for example the issuing bank is returning bogus error codes). The worst is the dreaded "general decline"; which is when an issuing bank declines a CC transaction but doesn't tell you why.

The ACH network is even worse. There is no synchronous way to determine if an ACH transaction was actually successful. NSF errors (not sufficient funds) can come in 3 days after the initial transaction. I hope that Dwolla's planned ACH replacement actually takes off because it would be a huge improvement.

Ahh Credit Card processing. Let me tell you a story about being a credit card processor. PCI and if you are not PCI compliant don't even bother trying to be a processeor. Not only that if you are processing CC's you need to have a bank to sponsor you. Here is the key to being the best CC processor in the world.

1. Fraud detection 2. Speed of processing 3. Security 4. Security 5. Security 6. Security 7. Did I mention security ? If you can master those you will be king.

Real time processing is a panecea but be careful what you wish for.

It's a game of pennies. Not dollars.

Also your system needs to be able to take in any input. Oh and the companies who send you these files to process are not exactly state of the art. 20+ year old mainframe systems. I can tell you the hours our processors spent trying to unscrew non comma delimited files.

If you are processing your credit card information in India I won't tell you how unsecure companies operate over there. VMWare is not the way to scale up! But hey it's your money.

I was a Systems administrator/ Security officer for one of these companies. I am so glad I am not doing that now. They could not pay me enough.

Curious. Was it the paperwork, snort setups or something else?
Paperwork was part of it. It's Crossing your T's and dotting your I's. Go price out a company who can do a PCI Audit for you. It starts at 40K and climbs rapidly.

Also who is minding the store? Are you a 24x7 operation? If you are you should have someone who is constantly monitoring your network. If you get breached and fail to disclose it you can be looking at jail time. Also if you do disclose you were breached you may be out of business.

Being a processor is not just creating an app that can process CC numbers. The security behind the scenes better be fort knox and you need to be constantly training your people about security. The first thing out of any persons mouth should be.

So tell me what is the secure method you will be using to transfer these CC numbers over to us?

Our developers are creating a new app and we need to make sure you are following security best practices.

Not to many developers think about security when developing apps. If you do get one who is security concious you better treat them like gold.

Don't even talk about the next upgrade to the Sales weasels otherwise they are selling it to the first customer who gets thier attention. Remember thier job is to sell and they will sell thier mother to close the deal. As soon as it's closed they get paid.

Yes, absolutely, settlement should be a commodity business.

The "complexity" is down to fraud issues, a factor of the system's design and a 'feature' for the network operators. Why? It creates a myth of expertise, training, competition-stifling "existing investment" and an ecosystem around the things which also provides weighty large-numbers to wield in arguments with regulators and other bodies.

Major network operators of debit and credit cards today are American Express, Bank of America (Mastercard/Cirrus/Maestro), Visa, JCB (Japan), China Unipay.

There's very few of them really. The prior three could be viewed as an extremely valuable US intelligence asset; the others, being primarily domestic, also... but only in a national context. Governments then (or even pre-emptively in the case of China) issue further regulations, pretending to be in the interest of the consumer, but really to prevent any effective competition. This is similarly the case with countries like Australia refusing to adopt the IBAN.

Improved objectiveness an a fair platform for "settlement path agility" (in the same vein as SSL "trust agility") was explained in my rambling post with bits missing from yesterday on the future of financial settlement @ https://news.ycombinator.com/item?id=6455277