Posts Tagged ‘gateway’

What is the payment flow for card absent transactions?

Tuesday, May 24th, 2011

What is the payment flow from beginning to end of an ecommerce transaction? This is the credit card processing payment flow for MOST but not all gateways.

  1. If ecommerce, the customer places an order. The ecommerce solution defines what data will be passed to the gateway. It uses an API to pass specified data to the gateway.
  2. The gateway receives the transaction information and securely passes it to the payment processor. Each gateway defines what data it will pass to the processor, and it may collect more information than it passes. Each processor defines what information it will accept from a gateway. The API uses the approved data and data format. The gateway must be certified to connect to the processor via a rigorous approval process to ensure security. The gateway transaction file includes yes/no parameters that were predetermined at the account setup level, for example, “zip code must match or decline the transaction”. The gateway may also kill the transaction before sending it to the processor, based on merchant risk parameters that were set up.
  3. The processor submits the transaction to the credit card interchange network.
  4. The credit card interchange network routes the transaction to the customer’s credit card issuer.
  5. The credit card issuer approves or declines.
  6. The credit card interchange network relays the answer back to the processor.
  7. The processor records the transaction details and deposits funds in your account per your merchant account terms. It relays the results to the gateway.
  8. The gateway records the transaction results and passes them to the ecommerce solution, which then stores them on the customer record. Again, the ecommerce solution defines which data it will accept from the gateway.

At the very beginning I noted the above applies for most but not all gateways. The exception is if the gateway is also a switch. In that case, the switch can bypass steps and go straight to the credit card issuer. This is more rare and none of the most popular gateways can do this.
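The eight steps above can be traced in a small simulation. This is an added example, not code from any gateway or from this post; the field names, the rule names, the amount limit and the stub standing in for the processor, network and issuer are all assumptions.

```python
# Added illustration of steps 1-8; all names, fields and limits are assumptions.
PROCESSOR_FIELDS = ("pan", "expiry", "amount_cents", "zip", "order_id")  # hypothetical

def mask_pan(pan):
    """Keep only the last four digits for anything stored after the sale."""
    return "*" * (len(pan) - 4) + pan[-4:]

def to_processor_message(order):
    """Step 2: the gateway forwards only fields the processor accepts."""
    return {k: order[k] for k in PROCESSOR_FIELDS}

def make_stub_issuer(zip_on_file):
    """Stand-in for steps 3-6 (processor, interchange network, issuer)."""
    calls = []
    def issuer(msg):
        calls.append(msg["order_id"])
        return {"approved": True, "zip_match": msg["zip"] == zip_on_file}
    issuer.calls = calls
    return issuer

def gateway_process(order, rules, issuer):
    """Apply merchant yes/no parameters and return the record for the cart."""
    record = {"order_id": order["order_id"], "pan": mask_pan(order["pan"]),
              "amount_cents": order["amount_cents"]}
    # Merchant risk parameter: kill before anything is sent to the processor.
    if order["amount_cents"] > rules["max_amount_cents"]:
        return {**record, "status": "declined", "reason": "gateway_risk_limit"}
    answer = issuer(to_processor_message(order))
    if not answer["approved"]:
        return {**record, "status": "declined", "reason": "issuer_declined"}
    # Account-level parameter: "zip code must match or decline the transaction".
    if rules["require_zip_match"] and not answer["zip_match"]:
        return {**record, "status": "declined", "reason": "zip_mismatch"}
    return {**record, "status": "approved", "reason": None}

# Constructed sample data (4111... is a well-known test card number).
RULES = {"require_zip_match": True, "max_amount_cents": 50_000}
ORDER = {"order_id": "A1", "pan": "4111111111111111", "expiry": "12/30",
         "amount_cents": 2_500, "zip": "60601", "email": "buyer@example.com",
         "cart_items": ["widget"]}

if __name__ == "__main__":
    issuer = make_stub_issuer(zip_on_file="60601")
    print(gateway_process(ORDER, RULES, issuer))
    print(gateway_process({**ORDER, "zip": "99999"}, RULES, issuer))
    print(gateway_process({**ORDER, "amount_cents": 90_000}, RULES, issuer))
```

The record handed back to the ecommerce solution carries only the masked card number, so the cart has nothing sensitive to store on the customer record.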

What do I need to accept payments for an online store?

Monday, February 1st, 2010

The essential elements of an ecommerce store are the shopping cart, payment gateway, security certificate and merchant account. All payment processors that we work with now require a certified PCI Compliant shopping cart.

The store or shopping cart components include order and content administration, inventory management, product management, customer management and search engine optimization, among other elements.

The payment gateway is just that: a gateway that allows the secure transmission of credit card and debit card payments from the shopping cart to a merchant processor. The gateway is a standard security mechanism for the internet.

The security certificate is issued to a business. Digital security certificates provide two essential security functions: authentication and encryption. The business is verified to be legitimate. The certificate also enables the SSL protocol, or Secure Sockets Layer, for encryption, which includes displaying HTTPS and the little lock symbol that appears in browsers.

The last element is the payment processor. Merchants accept credit and debit cards by opening a merchant account with a payment processor. Just like you can’t go to the Federal Reserve to do your personal banking, you can’t go to Visa and Mastercard to do your credit card processing. Payment processing is offered through banks, payment processing companies and independent service organizations (ISOs). Sometimes the same company offers its services through all channels. For example, First Data offers payment processing directly, through banks it has partnerships with, and through registered ISOs. Because of the complexities of the industry, the best prices and value are not necessarily achieved by going direct. In fact, indirect service thrives because of value added and volume partnership pricing.

In the past, processors required a secure gateway; however, this has now been extended to the actual shopping cart software as well in some cases. One reason is that some carts allowed for storing card data unencrypted somewhere on a server. For some shopping carts, getting certified is a formality. For others, there are security issues somewhere within the process, whether front end or back end, and work is needed before the cart can be certified.

The quick solution for those carts that are not compliant has been to disallow credit card processing except for PayPal and Google payments.

Virtually every cart accepts Authorize.Net as a gateway and it’s one of the most popular. I recommend it, when appropriate. The Orbital Gateway may be a cheaper solution for those processing on the Paymentech platform; however, not as many carts have Orbital integration.

Orbital Gateway Integration & Certification Program - Orbital is a Chase Paymentech gateway and only works with those processing on the Chase Paymentech platform. Merchants must complete either the shopping cart certification, or use a hosted payments solution such as CenPOS or CRE Secure.

Internet merchant account requirements

Tuesday, September 15th, 2009

If you don’t have an internet merchant account already, our suppliers have some very specific requirements that you need in addition to traditional merchant account requirements. I hear all the time from people how ‘the other vendors’ don’t require as much paperwork or they don’t ask the same types of questions. Well folks, the ‘other vendors’ may not be helping you build a successful PCI Compliant business with the right price plan either. The items on the list below are so basic, they are essential elements to setting up your business for success.

These are Visa requirements for ecommerce merchant accounts. A document with these questions answered is turned in with the merchant application along with a print of the checkout page to prove the info is there. If the information is not on the site, the application cannot be submitted until it is ready. If the site is under development, screen shots can be submitted that have the required information.

INTERNET REQUIREMENTS CHECKLIST (All answers must be yes.)

1. Website active and URL on application?
2. DBA on site MATCHES name on application?
3. Customer Service number or email listed?
4. Return/Refund policy present?
5. Merchant’s Privacy Statement is included?
6. Website Secure Order Page?
7. Products/Services listed with price?
8. Delivery Method and Timing are clearly stated?

FAQ

Can you give me the code for our web programmer for ecommerce checkout?

What you really want to know is the gateway information. That information is sent directly to the merchant. The merchant can share whatever data with you they like. If you need help with your web site development, we have seasoned USA professionals available on an hourly fee basis.

What if my web site is not live yet?

We cannot submit your merchant application without the information above. Screenshots from your web developer, or artist renditions that show this information can be used in lieu of a live web site.

Can you set up my gateway account?

Yes. We are an authorized reseller for major gateways. We cannot obtain a gateway account for you before there is a merchant account because the merchant account ID and processing platform are needed as part of the set up.

Why do I need a separate merchant account for ecommerce orders?

  1. When you are issued a merchant account, it is based on specific information presented. When you use a retail account to process ecommerce orders, you are no longer complying with the original agreement. A card not present or mail order / phone order (MOTO) account is not the same as an ecommerce account. Again, it goes to how you agree to collect and process credit card orders. As shown above, there are additional criteria that must be presented to obtain an ecommerce merchant account. If you don’t comply, your account can be closed at any time.
  2. Aside from compliance, you’ll always want the right type of account to qualify for the lowest interchange rates. There are specific criteria to be met for every type of account and card presented. If you have a retail swipe account, the expectation is that you swipe a card. When you don’t, you get downgraded to a higher rate. If you make an ecommerce transaction on an ecommerce merchant account, you can qualify for rates lower than what the swiped non-qualified rate would be, but also higher than what a swiped transaction would be. Without getting into more depth, the main point is, you want to QUALIFY for the best rates for any given card presented and that can only happen when you have a merchant account that matches the types of transactions you are presenting to the card associations.
  3. You’ll lose virtually any customer dispute for ecommerce transactions on a retail merchant account. Since a retail account expects to receive magnetic stripe data and a signature, when you cannot produce it you will lose disputes.

VoIP for credit card processing voids PCI Compliance

Sunday, December 21st, 2008

If you plug a PCI Compliant credit card processing terminal into a VoIP connection, then your processing is no longer compliant.

This explanation attempts to detail why. Traditional phone = analog. Traditional lines use hardware to send data, i.e., the copper line. When using a 2008 compliant credit card terminal, the desktop terminal sends encrypted credit card data from the merchant to the processor and back using analog signals.

VoIP = digital. VoIP traffic flows across the Internet in unencrypted packets, which means anyone that has access to the network between sender and recipient can intercept them. So the desktop terminal may be compliant, but once the data is on the open network, the merchant set up is no longer PCI Compliant. Even though there are optional packages that can be attached to some VoIP networks, they do not meet current PCI compliance standards for the credit card processing industry.

If you attach a magnetic card swipe to your computer, the transaction is processed using SSL security. It is not the same as VoIP. SSL uses a cryptographic system. It has two keys to encrypt data: a public key known to everyone, and a private key known only to the recipient. The magnetic card reader can be used with many POS systems and a high speed DSL, cable modem or T1 line.

Internet, ecommerce, and virtual terminal transactions all use SSL.

There are important considerations to check for both mag card readers and ecommerce transactions. Each requires a Gateway. The Gateway enables secure, real-time payment processing of credit card transactions. It is not the same as a credit card processor. Most people don’t realize that gateways and ecommerce stores must pass specific information through to the credit card processor to get better rates. Most systems focus on fraud protection, but do not necessarily pass through critical data required to meet specific interchange requirements. Sometimes the store doesn’t pass the data, and sometimes the gateway doesn’t pass the data; it all depends on company capabilities.

I’m not a tech expert but in general, the description above is sufficiently accurate to explain why. Bottom line: Visa & MasterCard officially state there is no acceptable VoIP solution that meets PCI Compliance requirements.