Online payment processing is probably one of the most important aspects of your ecommerce website that should provide flexibility and security. In this post, we’ll try to give you a brief introduction to online payment services. We’ll delve into the terminology, track money on its way from the buyer to the online store account, and warn you about the possible dangers and expenses.

And surely, we wouldn't be a Drupal web studio if we didn't cover the issue of online payments on a Drupal website.

Introduction to Online Payment Processing

Electronic Payment System

An electronic payment system (EPS) is a combination of physical devices and programs working together so that instead of a wallet stuffed with bills you could use its electronic — and, therefore, much more efficient — equivalent: a plastic card (Visa, Mastercard), its virtual copy, or a web wallet (WebMoney, PayPal, AdvCash). EPSs allow you to pay for your purchase with a credit card in a physical store or by using payment details on a website or in an app, pay your utility bills, or lend money to a friend without face-to-face contact.

Payment processors or payment service providers are also classified as EPSs. They act as intermediaries for the buyer, the bank, and the seller and provide a whole range of services in exchange for a certain percentage of the transfer amount. Say, when remitting money from the card of X bank to e-wallet Y is impossible or associated with extra charges, the aggregator takes on the task of an envoy of sorts. Each payment processor is convenient and inconvenient in its own way, so you should select one according to your reality, particularly, depending on the country of your business.

We have experience with such payment processors as Stripe, PayPal, Braintree, Square, Worldpay, and Ubercart.

Internet Acquiring

This term implies the ability to make online payments without producing a physical card. The user only has to type in its details on the website and comfortably click on the “Complete online transaction” button. After that, the famous magic we’ll talk about below sends your money to the ecommerce site. The card as a piece of plastic is of no use now, that’s why you can maintain a virtual card from your bank or a web wallet.

Payment Gateway

To put it tentatively, this is a channel used to send the encrypted number, date, and CVV of the buyer’s card. This is done using an intricate but safe route where nothing must happen to the data.

Frequently used payment gateways include Authorize.net, Amazon Payments, WePay, 2Checkout, Dwolla, and others. Sometimes, payment platforms take on the tasks of encryption and data transfer between the transaction parties — such functionality is available, say, in Stripe, PayPal, and Worldpay.

How Payment Processing Works

Now let’s describe in layman’s terms the process of money movement from the buyer to the store:

1. The buyer adds money to the credit card. The bank that issued the card is called the issuing bank.
2. The buyer types in the card details on the website or in the online shop application or makes payment through a POS terminal.
3. The data is sent to the payment gateway, encrypted, and transferred to the shop’s partner bank. This bank is called the acquiring bank.
4. The encrypted data comes to EPS.
5. EPS contacts the issuing bank and is either permitted or prohibited to withdraw money, in which case either the funds are not sufficient or the buyer’s account is blocked.
6. If everything is OK with the account, the issuing bank sends the purchase amount to the acquiring bank.
7. The acquiring bank credits the purchase amount to the shop’s account.

Payments Ecosystem Security

Who is responsible for data security? What is the site owner to do to protect the buyers’ payment data from leaking?

Usually, if you need to keep card details, you should select a payment processing system that allows doing this on its side (for example, Stripe). In this case, the online store website operates only with the identifiers needed to request data from the payment system. However, the data leak is still possible as the attacker might find some security gaps during setup of the web server or in the application itself and use the gaps to embed the code to collect personal data or can steal private keys for the aggregator integration.

To be on the safe side, it makes sense to maintain security updates for CMS and the modules, configure the web server and access rights correctly, and be mindful of the system functional testing to differentiate the access rights to ensure that anonymous users cannot access the orders or that buyers cannot view each other’s orders.

→ 7 must-have practices for a successful ecommerce store

Payment Platform Costs

Surely, a third-party service also wants to earn money and charges businesses a fee for some of its services. All providers of internet acquiring services are similar in that they charge a commission for each remittance. For instance, Stripe charges 2.9 % of the payment plus 30 cents and promises ‘no setup fees, monthly fees, or hidden fees’. Good client-oriented services are ready to offer you a special percentage rate based on your region, business type, and monthly revenue.

In addition to the remittance fee, payment services can charge fees for:

• Monthly usage
• Service setup
• Chargebacks
• International fund transfers

Read the plan information of each payment service provider carefully.

An online shop offering search by products, filters, payment page, personal account, etc. will require a higher-performance server as compared with an online business card or a media outlet, which is why additional expenses will be needed for the online shop hosting.

How online payment processing works in Drupal

Drupal is a very good and secure content management system the website admin uses to upload text and images. However, when a Drupal website has to do something more than just serve as a blogging platform, its functionality can be extended by integrating additional modules. The modules consist of a set of PHP, CSS, and JavaScript code that interacts with the system core and adds new capabilities. The modules and Commerce, Kickstart, and Ubercart distributives are what you need to enable your website to work with goods and cash transfers.

Though Drupal Commerce in itself doesn’t include the payment function, it offers a ready-made framework and an admin panel the function can be integrated into. The user should download the module for the Drupal Commerce platform, which is integrated with the selected payment system or gateway, and set it up in the admin panel. The list of EPSs and payment gateways compatible with Commerce includes the world-known PayPal, Stripe, Braintree, Authorize.net, and 100-plus small aggregators listed in the module documentation. If the payment gateway you wish to use on your website is missing from this list, the Drupal Commerce framework allows developing the module on your own.

What will happen if you neglect integration with the payment gateway?

We were approached by a client whose buyers, when trying to pay for the order, were pushed out to the bank website where the payment was to be carried out. The magic was unveiled and unnecessary steps were added to the payment procedure; as the result, the buyer was not happy. You’ll be lucky if the buyer finalizes the purchase, but the chances of the buyer returning reduce as there are more convenient stores. Based on programmers’ estimates, it may take tens of hours to develop a solution for Drupal Commerce integration into an unknown payment system. It’s expensive but look ahead — by saving on development now, you are likely to lose buyers and money later.

We talked about Commerce, Kickstart, and Ubercart and provided the Commerce installation and setup tips in the next post of this series:

→ How to create an ecommerce website with Drupal

What to do if you accept payments from a foreign bank?

The 16 and Under Children's Health Center is one of our clients. To enable payment for services, we used the payment gateway of Sberbank (a major Russian bank). Some gaps were found in the bank documentation: nothing was said about the case when a payment made by a foreign bank card fails. This was the case the clinic’s customers faced when they tried to pay with cards issued by Kazakh banks. The problem was resolved only after a personal consultation with the technical support of Sberbank.

The moral and recommendation would be as follows: since it is not always the developers who are to blame for all acquiring issues, contact the support teams of all services involved in the process if you are going to have international transactions.

Conclusion

Judging from experience, website owners can go very deep into the aspects relating to the differences between online payment systems, data security, and so on, but they are not always able to put this knowledge into practice. Remember the story about in-house development of the module that enables interaction with the payment gateway. As you might guess, this task requires some programming skills.

We are writing this post because we want to speak the same language with entrepreneurs but we suggest that you should delegate the tasks of the payment system implementation and setup to your contractor.