For many small businesses, accepting payments online offers major benefits. Customers increasingly expect this facility and it can improve your cashflow significantly.
It’s easy to accept cheques or invoices for your online sales and to process payments in the traditional way. However, because buyers often use the internet for a speedy service, most sales are paid for with credit and debit cards. To accept cards online, you will have to make special banking arrangements.
Online payments using cards are ‘card-not-present’ transactions. There are higher risks of fraud with this type of payment and banks require you to operate within a well-defined set of rules and accept a higher level of commercial risk than a conventional swiped card transaction in a shop.
This guide will help you to understand these requirements and assess the options available for taking advantage of online payments.
Table of Contents
Online payment jargon
Debit and credit card payments and their application online involve some key concepts and jargon.
Acquirers
An acquirer can be a high street bank or other financial institution that offers credit and debit card accepting/processing services. It acquires the money from the customer, processes the transaction and credits your account.
Internet merchant accounts (IMAs)
You need to apply for a merchant service agreement if you want a bank to handle your electronic payments. For web-based online transactions you need an IMA.
Obtaining an IMA from an acquirer may be quicker and easier if you already have ‘offline’ card-processing facilities set up. In this case, just ask your acquirer for an additional IMA ID for use exclusively with internet transactions. This process is normally quick, especially if the risk to your business does not change.
To help protect merchants and cardholders from fraud, the card schemes have developed a service that allows cardholders to authenticate themselves when shopping online. MasterCard’s is called MasterCard SecureCode and Visa’s is Verified by Visa.
Payment service providers (PSPs)
A PSP will provide you with a ‘virtual’ till or terminal that collects card details over the internet and passes them to the acquiring bank. To take electronic payments over the web, you will need a PSP.
Your choice of PSP will depend on its cost and compatibility with your chosen e-commerce software solution. A fixed monthly fee starts at around £10, but there are some cheaper options available, starting as low as 5 pence per transaction. Usually, the higher your transaction volume the lower the rate you will be charged.
Some acquiring banks offer PSP services as part of their product and there are other less expensive options available.
Payment Card Industry Data Security Standard compliance
The Payment Card Industry Data Security Standard (PCI DSS) – is a worldwide security standard developed to protect cardholders’ personal information. It includes requirements for security management, network architecture, software design, security policies and procedures, and other protection of customer account data. The standard is applicable to any organisation that stores, transmits or processes cardholder information.
PCI DSS is a set of six principles that encompass 12 specific requirements. These requirements are applicable to any organisation holding personal information and are intended to reduce the organisation’s risk of a data breach.
Build and maintain a secure network
- install and maintain a firewall configuration to protect your cardholders’ data
- do not use vendor defaults for system passwords or other security actions
Protect your cardholder data
- protect any stored cardholder data
- encrypt transmission of your cardholders’ data across open, public networks
Keep a vulnerability management plan
- always use and regularly update your anti-virus software
- develop and maintain secure systems and applications
Implement strong access control practices
- limit access to cardholder data to only those who need to know
- give every person with computer access a unique ID
- limit physical access to cardholder data
Monitor and test your networks on a regular basis
- track and monitor all access to your network resources and cardholder data
- regularly test security systems and procedures
Keep an information security policy
Always keep a policy that addresses your information security.
The Payment Card Industry (PCI) Security Standard Council encourages businesses to comply with PCI DSS and become certified to help reduce financial risks from data compromises. However, it is the payment card schemes, eg MasterCard or Visa, that manage the actual compliance programme. Seek advice from your bank on your specific compliance obligations and how your business can become certified.
Failure to be annually certified can become an issue if you have a security breach and your customers’ card details are stolen. Penalties levied by the card schemes can be heavy depending on the number of cards compromised. Even where a merchant is certified this does not protect them from potential penalties if it is deemed that their own actions through negligence, omission or accident contributed to a breach.
Selecting the best online payment option
You can use the following scenarios to help you choose the best option for your business.
Internet merchant account (IMA)
Your business already accepts debit and credit card payments for face-to-face transactions. You expect a fairly high number of online transactions, most of which will be simple and low risk. You need the greatest amount of flexibility in operating your business and cashflow is very important. If this sounds like your business, then you should:
- apply directly for an IMA and discuss your requirements with the acquiring bank
- see the page in this guide on setting up an internet merchant account
Payment-processing company
Your business will not have a large number of online transactions and you do not currently accept debit or credit card transactions so do not have an IMA. You have not been trading long and cannot provide a well-documented operations history.
You value the ability to attract online sales more highly than the ability to collect sales income quickly. Your business will need some flexibility in the way in which it designs and operates its website, so you should:
- consider the facilities that a payment-processing company could offer, with the possibility of moving to a less costly option later
- see the page in this guide on using a payment-processing company
Online shopping mall
Your business is small, you do not currently offer debit or credit card sales and you have very limited IT skills. Your products are fairly standardised and easily understood. You do not think that your website needs any unusual features. You are prepared to pay higher transaction and fixed costs just to establish a web presence. If this applies to your business, you should:
- look at the facilities that an online shopping mall could offer
- see the page in this guide on selling through an online shopping mall
Setting up an internet merchant account
An internet merchant account (IMA) is a type of account that enables you to accept customers’ credit and debit card payments directly online.
There are other ways of processing credit and debit card payments for online sales, including online payment processing services, and online shopping malls. These also enable you to receive payment from customers. Make sure you check any ongoing charges, such as monthly fees and transaction charges. For more information see the pages in this guide on using a payment-processing company and selling through an online shopping mall.
Several banks and processors offer IMAs. These are referred to as merchant acquirers or acquiring banks – see the page in this guide on how to find a bank to process your online payments.
Even if you already have a merchant account for face-to-face transactions, you will still need one specifically to accept online payments directly from customers’ credit or debit cards.
Card users will visit your internet shop to order your goods or services and make payments, and the funds will usually be in your bank account after three or four working days.
Beware of fraud
Online card payments are classed as ‘card-not-present’ transactions, because you can’t physically check the card or the cardholder. If a transaction proves to be fraudulent, the money will be reclaimed from your bank account – this is known as a chargeback. Even if a card-not-present transaction is authorised by the cardholder’s bank, this doesn’t necessarily guarantee payment.
To help guard against fraud, where a cardholder claims that they did not authorise a payment, check to see if your online payment card processor can offer the card scheme’s authentication service – MasterCard SecureCode and Verified by Visa.
The costs
Acquiring banks will charge for their services. There may be a sign-up fee of around £200, and day-to-day charges may be a fixed fee in the case of debit card transactions or a percentage of each transaction for credit cards.
In addition, where you are using a payment service provider, they will charge you for their service.
Find a bank to process your online payments
Online payments are processed by acquiring banks. Currently, businesses can open an internet merchant account (IMA) with the following acquiring banks to receive payments from credit and debit cards:
- Alliance and Leicester
- Bank of Scotland
- Barclaycard Business
- HSBC
- Lloyds TSB
- NatWest/Royal Bank of Scotland
- Ulster Bank
The following charge-card companies also act as acquiring banks:
- American Express
- Diners Club
American Express and Diners Club will only accept payments from their own cards.
The acquiring banks have strict requirements and it’s possible that even the bank you use for your business current account may refuse you – see the page in this guide – checklist: applying for an internet merchant account. Alternatively, there are other IMA providers that you can investigate on the internet.
Find details of acquiring banks on the Electronic Payments website – Opens in a new window.
Once the IMA has been set up, secure socket layer (SSL) technology is used to encrypt transaction data and to send the necessary customer and card details to the acquiring bank in order to authorise the purchase. You should, therefore, ensure that any web-hosting solution you are considering can support the SSL protocol.
Data Protection
The Information Commissioner’s Office can issue fines of up to £500,000 for serious data security breaches. The size of the fine will depend on the size and scope of the breach, if the breach was deliberate or accidental, the affected organisation’s finances and how much trouble the breach caused. The penalty is intended to persuade organisations to comply with the Data Protection Act.
In order to help reduce security breaches, organisations need to comply with the Payment Card Industry Data Security Standard. See the page in this guide on Payment Card Industry Data Security Standard compliance.
Checklist: applying for an internet merchant account
Banks that offer internet merchant accounts (IMAs) for accepting card payments have strict requirements. When you apply for an IMA, the bank will want to know certain details about you and your business. You will need to:
- outline your business plan – including details of your cashflow and how you’ll promote your online activities
- supply your website address
- explain the details of your product or service
- give your suppliers’ details
- describe how you will deliver your product or service
- set out your terms and conditions for online trading
- work out your expected average online transaction values, your estimated turnover from online sales and your predicted number of credit and debit card transactions
- provide details of the secure server you’ll use
- make your audited business accounts available
- supply your bank details and provide authority to the bank to carry out a check with credit reference agencies
- detail your trading history
- provide information about the directors or partners in the business – including full contact details
Using a payment-processing company
Payment-processing companies obtain payment from your customers’ credit and debit cards on your behalf and forward the money to you. They offer a useful alternative for businesses who have a smaller turnover from card transactions or who can’t open an internet merchant account (IMA) with an acquiring bank.
It’s a competitive sector and costs vary, so it’s worth shopping around – see details of payment-processing companies on the Electronic Payments website – Opens in a new window.
Advantages
- Payment-processing companies relieve you of the administrative burden of managing customers’ card details and running an IMA.
- They save you from having to set up secure payment systems.
- They have less strict application procedures than an IMA requires. For example, you’ll not usually be required to supply the same level of detailed information about your business plan, trading history and suppliers.
- Your application can be processed much more quickly than for an IMA.
Disadvantages
- Customers can see that the payment is not going directly to you even though they may be conducting the transaction through your website.
- Payment-processing companies may hold payments for a settlement period of 30-60 days before the money reaches your account.
- Charges are generally higher than for an IMA. However, costs are falling and the market for these services is competitive.
- If a card is used fraudulently, the value of the transaction will be reclaimed from your business. However, you may be able to get insurance to cover this risk.
Selling through an online shopping mall
An online shopping mall can be a good alternative if:
- you’re looking for an online route to customers as an optional extra to your normal sales channels
- you want to extend the number of online outlets your customers can use
An online mall brings together a number of online shops on the same website, often from the same sector. It hosts your online shop and processes payments for you.
Malls will often provide software to help you set up your shop and receive card payments on your behalf. You maintain and update your own shop within the mall, but most of the administration is done for you.
Many internet service providers offer online mall facilities, as do specialist companies. If you sell to a particular trade or industry, the relevant trade association may be able to put you in touch with a dedicated mall – see a list of trade associations on the Trade Association Forum (TAF) website – Opens in a new window.
Advantages
- Online shopping malls give an immediate online presence.
- Sector-specific malls can provide an effective route to your target market.
- They’re easy to set up for people with moderate IT skills.
- You don’t need to go through the process of setting up an internet merchant account.
- You often get help and support in getting your store operational.
Disadvantages
- Online shopping malls are often the most expensive way to sell online.
- Generally you’ll have to pay a joining fee and a percentage of each transaction made through the mall – charges per transaction can be higher than processing payments yourself.
- You may also have to pay a monthly or annual fee – charges vary substantially.
- Your shop is often tied into a standard format.
CASE STUDY
Here’s how I set up an online payment system for my website
Foska.com is an online retailer of cycle clothing. Established two years ago as a subsidiary of a chain of high street retail outlets, the company employs 30 people. Director Tony Yerby describes how foska.com enabled its website to accept online payments from customers.
What I did
Get a merchant account
“When we set up the website, we wanted to accept online payments from day one. We already had a merchant account for accepting cards in our high street outlets, so it made sense to extend that to the website, rather than outsourcing the whole process to a payment processing company.
“We got a separate account with our existing credit card service provider who created an account for us with their online payment processing service called ePDQ. Because we’d already undergone the relevant checks, the process was quite simple.”
Integrate the system
“When a customer pays by card, the money ends up in a merchant account, which needs to be linked to your website via encryption software. The integration looked complicated, so we used a specialist to do this.
“They helped us install a system comprising an e-commerce shop window, linked to ePDQ via secure-form hosting software. This had the added benefit of allowing us to brand the site more effectively and make it more customer friendly. The two software packages we bought were off-the-shelf, although our consultant ensured they were both compatible with each other and with ePDQ.”
Address security issues
“Using trusted providers helps minimise the risks of fraud, but it doesn’t eliminate them. Because online transactions are card-not-present, if a payment proves to be fraudulent, the missing cash is deducted from your account by your card service provider.
“Our system has various security checks and controls that we can turn on and off. It’s tempting to go for the highest level of checking, but we soon realised that this rejects many valid orders – where the customer gets their postcode wrong, for example. It’s important not to let the technology take over from common sense. Our software also provides detailed reporting, including losses incurred through fraud. We monitor the figures regularly to identify any particular areas for concern.”
What I’d do differently
Start with an off-the-shelf package
“Before we brought in an IT consultant, we had started to build an online store by hiring a company to design a bespoke solution. We ended up scrapping it because it was difficult to integrate. With the benefit of hindsight, we should have gone for existing software from the start.”
Could this article be better? Are details incorrect? Do you have something to contribute or a relevant article we can link to?
We’d love to hear from you and continue to keep this a free, useful resource for everyone! Get in touch.
Every effort has been made by the author(s) to ensure this article’s accuracy but it does not constitute legal advice tailored to your circumstances. If you act on it, you acknowledge that you do so at your own risk. We cannot assume responsibility and do not accept liability for any damage or loss which may arise as a result of your reliance upon it.
Related Guides
-
Outsourcing
Outsourcing is when you contract out a business function – a particular task, role or process…
-
Responsibilities to employees if you buy or sell a business
Under the Transfer of Undertakings (Protection of Employment) Regulations 2006 (TUPE), when all or part of…