Join 3,512 readers in helping fund MetaFilter (Hide)


White-label hosted credit-card processing?
August 17, 2009 11:03 AM   Subscribe

What online credit-card processor best meets these criteria?

1. 100% hosted. No PCI-DSS worries.
2. 100% branded/white-label. Use own domain (i.e. CNAME), and customize design and navigation.
3. Concentrates on just the payment step; design your own cart/sales page
4. No minimum annual revenue amount; cost structure suitable for small business.
5. Customer-service-focused (where the customer is the merchant...)

Sorry if this has been posted before; most of the other questions I could find pertain to either shopping carts or payment gateways that require you to comply with PCI-DSS. Does something like this even exist?
posted by pengale to Work & Money (9 answers total) 6 users marked this as a favorite
 
I asked a similar question recently but got no replies. I'll be watching this question with interest.
posted by odinsdream at 11:47 AM on August 17, 2009


I can offer only this:

My understanding is that if even if you found someone like this, you're still required to be PCI-DSS compliant. In that the holders of your merchant accounts will require you to be.

It's just that you'll only have to fill out the tiny 1 page questionnaire, and ultimately are responsible for ensuring that whoever you use maintains THEIR compliancy.

When the guys who I used for our QSA, (Qualified Security Assessor), came through, they said one of the easiest ways to go about things, to basically get you as close to the land of no responsibility as you can, (but are still responsible), is to use PayPal, or something like it, where you do the business side of stuff, but then send all payment stuff to paypal, let them do it, and send the customer back to you after.

I guess I'm not really answering your question, as basically, I don't think you CAN find anyone that removes the PCI-DSS worry. You always have some level of responsibility there if I understood things right.
posted by nerhael at 1:11 PM on August 17, 2009


I understand the idea of a merchant being responsible for selecting good vendors. I was talking more about offloading the technical-implementation burden while, at the same time, not having "PayPal" all over your checkout pages and having limited control over navigation. You can find posts all over the web from customers who are turned off by PayPal cart pages because they look very "small business" to the point of "sole proprietor/eBay seller with own web site."

Basically, something technically structured like PayPal Payments Standard would work if it had CNAME domain mapping and more control over design and branding. PayPal doesn't seem to do white-label unless you go with the Pro or Payflow system, in which case card data passes through your servers. Right?
posted by pengale at 1:44 PM on August 17, 2009


Yeah, the only white label you can do through Paypal would have you passing the credit card numbers through your servers. They picked up VeriSign a while back, whose Payflow Pro is what we use, and while we never have to store the numbers, the simple fact that they do reside in memory, and are touched by our code for us to post across to them, raised us at least 1 level of 'possible security risk' for PCI-DSS.
posted by nerhael at 2:25 PM on August 17, 2009


If you did it with a CNAME, you would be successfully offloading the PCI-DSS compliance. It's just a matter of finding someone who supports it and allows more control over the templates. Seems like someone would be doing this. FWIW, Shopify has a big list of payment processors that you could examine in more detail. Shopify lets you use a CNAME and they give you complete control over the visual templates. You'll still need to pick a payment processor from the list of supported ones that also allows you visual control, but you'd be halfway there.
posted by odinsdream at 2:37 PM on August 17, 2009


Amazon's Flexible Payment Service or Checkout by Amazon service would seem to be a good option for you. Their basic FPS service is a hosted co-branded payment step (you provide the cart&catalog pages), while Checkout by Amazon lets you have Amazon handle tax and shipping calculations and generate packing slips and such. They integrate with a lot of the Shopping Cart software out there too, including open source packages like Zen Cart. Also there aren't any startup fees, just a cut of revenues, so the pricing structure would be pretty suitable for a small business. Since they are hosting it, your risk is dramatically reduced. Looks like it would offer much of what you want. Their website is somewhat confusing with all the different options, but if you spend some time browsing around, it's pretty much all there.

Disclaimer: Former Amazon intern. Know some people who worked on the launch. Have nothing to gain from you using Amazon or anyone else really.
posted by zachlipton at 3:31 PM on August 17, 2009


Amazon's payment services look like an alternative to PayPal, but the co-branding means they're not in the category I'm considering. Thanks, though; I hadn't looked at them much before.

I looked at all the partners listed by Shopify. Most of them are non-U.S., but I found one lead, E-xact, which has a hosted checkout page option with no cart and some customization.

Through forums, I've found some providers with an alternative technical measure I didn't think of. At the payment step on your site, you set up the form action to post to the processor's site, which then redirects back to a page on your site with (I think) a transaction ID in the query string. So you get the white-label hosted experience but don't have to bug around with template customization. The feature is called browser redirect or transparent redirect.

Unfortunately, each provider I've found has an issue:

Braintree Payment Solutions - $250,000/month minimum order volume
DowCommerce - tons of affiliate links around the web but I can't find independent reviews (hmm!)
SecurePay - Australia-based and seems to be tied to Australian merchant banks (there's a U.S. company with the same name but I think it's different).

Does anyone have personal experience with Dow, or know of a reputable U.S. provider with a similar feature? (Or know of problems with this approach?)
posted by pengale at 4:43 PM on August 17, 2009


I've used authorize.net's processing gateway, whose "Server Integration Method" seems to meet your requirements, unless I'm misunderstanding you.
posted by ook at 5:07 PM on August 17, 2009


Good call; I missed the hosted checkout from authorize.net. Looks like they allow CSS styles, though it's still off-site and probably co-branded. The bigger issue I noticed is that, far as I can tell from the developer docs, they don't have the encrypted, signed form feature that Paypal Payments Standard has, so a savvy "customer" could submit a post request with a lowered price. Anyone know different? And of course it's not CNAMEd, though that's seeming increasingly picky.

At this point, I'm "this" close to sticking with PayPal for businesses that are too small to deal with PCI or qualify for a big-kid service like Braintree.
posted by pengale at 5:42 PM on August 17, 2009


« Older Where should we go on vacation...   |  Does anyone know what books or... Newer »
This thread is closed to new comments.