the lowdown on…payment processing packages

Feb 01, 2001 10:30 PM  By

PAYMENT PROCESSING SYSTEMS Should you outsource or buy your own? Real-time or offline? Here’s everything you need to know when considering your payment processing options

Just as it was coming up to the 1999 holiday season, housewares marketer Cooking.com made a critical decision to bring its outsourced online payment processing system inhouse. It was a bold move for the fledgling company, which debuted with a Website in September 1998 and launched a print catalog operation in December 1999.

Cooking.com had been using an application service provider (ASP) for online payment processing and authorization during its first year of business. The ASP model, which enables companies to outsource applications via the Internet, had supplied the site with real-time credit-card authorization and processing and order confirmation without requiring the marketer to invest heavily in IT resources.

But in gearing up for the ’99 holiday season, Santa Monica, CA-based Cooking.com was concerned about security, reliability, and speed, says Jae Yim, director of site development. Transaction volume had reached a threshold – Cooking.com won’t reveal numbers – that rendered the ASP model less than satisfactory, Yim says. Because orders had to travel over the public Internet to be processed and approved, the real-time credit-card approval and order completion was subject to delays of up to 30 seconds, not to mention occasional downtime – just the kind of thing that practically begs shoppers to shop elsewhere.

“Think of a brick-and-mortar where the cash registers didn’t work,” Yim says. “It’s really critical that people can purchase from the site, because other sites are just a click away.”

So Cooking.com chose to purchase server-based payment processing and authorization software from Austin, TX-based ClearCommerce. According to ClearCommerce’s vice president of emerging technologies, Julie Ferguson, the flat fee for the software is $75,000. In comparison, an ASP typically charges nominal one-time set-up fees and monthly charges as well as a per-transaction processing fee of $0.20-$1.00. Cooking.com also set up a private direct link to credit-card processer First Data Merchant Service via a frame relay line, a type of continuous, dedicated connection.

The evaluation process behind Cooking.com’s decision underscores the salient points in selecting an online payment processing solution. The decision is simultaneously straightforward and complex.

On the one hand, the basic options are clear-cut: You can outsource, buy, or build your payment processing application. On the other hand, arriving at your decision requires extensive thinking about present and future volume, average order size, market segment, site performance, reliability, scalability, security, and IT environment (see “Evaluation and Selection Checklist,” page s14).

A matter of time One key factor that distinguishes e-commerce from other card-not-present transaction environments is the sense of immediate gratification that users derive from shopping online. “Shopping online is almost like walking out of a store with the product – customers want to leave the Website knowing that the product is in stock and their payment has been accepted and the order is being shipped,” explains Larry Bouchard, group manager of product management for Dallas-based Paymentech, which hosts a variety of transaction processing services for direct merchants.

In that light, deciding whether to implement a real-time payment processing and authorization solution or one that offers users the appearance of real-time is critical. Just more than 60% of online merchants use real-time payment processing and authorization systems, says Avivah Litan, vice president of the payment services group for Gartner Research in Washington.

Merchants can offer the appearance of real-time order processing by sending an e-mail confirmation of order receipt and a second confirmation that the order has been processed and shipped. Ideally, customers won’t be aware that the payment wasn’t authorized and processed in real-time – unless you have to contact them because their credit card wasn’t approved.

Real-time processing was a key requirement when Cooking.com migrated to the ClearCommerce solution, Yim says. The site had provided it from the beginning and didn’t want to alter customer expectations with the new solution. Also, in the event of problems with customers’ cards, “we didn’t think it would be a good idea to call people back – especially if they wanted the order the next day,” Yim says. “From a customer service perspective, it’s not a pleasant phone call, and there’s the fear of alienating the customer. From a process perspective, that would also be a lot more work for our customer service reps.”

But opting for non-real-time processing and authorization doesn’t necessarily translate into poorer customer service, notes Dave Dierolf, vice president of information technology at consumer electronics cataloger Crutchfield. The Charlottesville, VA-based marketer promotes same-day shipment of orders received by 6 p.m. Eastern time, and its use of offline authorization and processing of credit-card payments hasn’t impeded that service goal, he says.

While Crutchfield’s call center order-takers receive credit-card authorization for phone orders before the end of the call, online orders are manually entered into the company’s homegrown order processing system and then authorized via one of three private, direct links to First Data. “Our credit-card processing system preexisted the Net, and it has served us best to run Internet orders through the same way,” Dierolf says. “Our philosophy is that we are one company, so regardless of whether the customer is mailing in the order, calling, or placing it online, we have an integrated strategy.”

Dierolf estimates that the time lapse between receipt of online orders and order entry is no more than five minutes. About one-third of the approximately $200 million company’s orders come in via its Website; of those orders, 30%-40% flow through without intervention, Dierolf says. But given the nature of ordering stereo components – users often select items that aren’t going to function well together – online orders generally need at least some scrutiny by a customer service rep anyway.

While Cooking.com relies on real-time authorization and processing, and Crutchfield uses a non-real-time system, a third option exists. You could implement real-time card authorization but process payments in batches. “For many companies,” says Andrew Ari Clibanoff, an analyst with New York-based Jupiter Research, “it’s beneficial to batch payments for a better discount rate.”

Ferreting out fraud Besides the sense of immediate gratification, another major distinguishing factor of online card-not-present transactions is the increased need for fraud detection. Fraudsters are constantly uncovering new ways to use the Net to conduct deceptive transactions. And the perpetrators can bombard a site with multiple fraudulent orders more quickly than they can by calling an 800-number.

“There’s the potential to be hit very rapidly online,” Dierolf says. “If someone has stolen a credit card and calls us on the phone 50 times, he’ll eventually talk to the same operator. But on the Web, he may submit 50 orders and not be noticed.”

Merchants can get around that by programming in system alerts when a certain number of orders are placed on the same card in a given day. But the possibility underscores the need for payment processing and authorization systems to offer an extra degree of fraud detection as well as to work with a merchant’s existing fraud detection methods, from the basics such as address verification systems to customized algorithms that invoke red flags on suspect orders. (For more on preventing online fraud, see “Ask the Experts,” December 2000 issue.)

“The software solutions on the market are extremely sophisticated, but merchants want tighter integration with their current business operations,” Clibanoff adds. “That’s where a disconnect is happening, and over time a lot of vendors will work with merchants to identify how to integrate their technologies with current business operations.”

Clibanoff’s research indicates that when traffic at an e-commerce site exceeds 100,000 unique visitors, and when average order sizes are $150 and up, fraud rates increase. “The merchant’s goal should be to implement a fraud system that pays for itself, and to do that on a budget of less than 1% of sales,” he says.

Most payment processing vendors offer some degree of fraud detection, but they may not be robust enough for your liking. With both its ASP and ClearCommerce, Cooking.com devised a number of its own fraud-detection techniques to integrate into its payment processing system. Clearly, the fraud-detection capabilities of your various payment processing options will factor in heavily when it comes time to make a decision.

Hiding the seams While the Internet is a different beast that requires some rethinking of any existing payment processing and authorization solutions, your online payment processing shouldn’t stand noticeably apart from your offline solution. From the perspective of both your external customers and your internal business departments, it should be seamlessly integrated with your existing systems, says ClearCommerce’s Ferguson.

Technically, that requires selecting a system with flexible application programming interfaces (APIs) that will make it easy to integrate with existing settlement and reporting systems, the storefront and the shopping cart, and the order processing and fulfillment systems.

Ferguson suggests that if your site’s current or anticipated volume exceeds 1,000 transactions a month, you should consider an inhouse solution. (Then again, Ferguson works for a company that sells inhouse solutions.) But Clibanoff notes that if a marketer is already outsourcing payment processing for phone and mail orders, it may want to extend its outsourced solution to the Web initially and bring it inhouse over time.

That can be a challenge, even when the decision has clear-cut drivers. For Cooking.com, the migration to an inhouse solution was part of a complete site overhaul, including a migration from Microsoft Site Server to a homegrown storefront and shopping cart and to Windows 2000 for its Web and database servers. The company, which has built up a 3 million-name house file, ran into difficulties when, approaching deadline, it discovered that the class of frame relay line it had purchased from its telecommunications vendor was not compatible with Windows 2000.

Rather than start over with a new frame relay line – which typically takes six to eight weeks to install – Cooking.com opted to set up the ClearCommerce software on a Sun Solaris server. That introduced a new operating system into its environment – Solaris is a flavor of Unix – which in turn has required additional IT resources.

“We didn’t have a Unix guru on staff,” Yim says. “A couple of us knew enough Unix to get around it, but we didn’t have any Solaris expertise. ClearCommerce sent some of its people to help us implement it, but we’ve had to outsource staff who know Oracle and Unix. That’s been our biggest problem.” It seems, then, that even bringing payment processing inhouse requires outside help.

ClearCommerce, Austin, TX (www.clearcommerce.com) Category: purchased server software Products: ClearCommerce Engine, a comprehensive server software suite that supports real-time payment processing, authorization, and settlement in multiple currencies plus fraud detection; professional services available for system integration and implementation.

CyberCash, Reston, VA (www.cybercash.com) Category: application service provider Products: CashRegister, Internet-based payment processing software that allows either real-time or offline processing and accepts multiple payment methods including credit and debit cards; WebAuthorize, real-time, enterprisewide software that supports multichannel payment processing, authorization, and settlement, and transaction management; and FraudPatrol, real-time fraud detection and prevention software that uses historical consumer data, merchant data, and fraud trend information.

CyberSource, Mountain View, CA (www.cybersource.com) Category: application service provider Products: Internet Commerce Suite, a full range of products enabling real-time credit- and purchase-card authorization and processing in multiple currencies, electronic check acceptance, tax calculation, fraud screening, distribution control (including export and policy compliance), fulfillment management services, and gift certificates and promotions.

Equifax, Atlanta (www.equifaxsecure.com) Category: outsourced software Products: eIDVerifier, an outsourced solution that enables real-time user authentication and verification for customers paying by check or credit card; PayNet Secure, real-time user authentication (leveraging eIDVerifier), payment processing, authorization, and settlement software that allows payment by both check and credit cards.

Paymentech, Dallas (www.paymentech.com) Category: application service provider Products: Hosts real-time and batch authorization and payment processing via relationships with major payment processing services including CyberCash, CyberSource, and Verisign.

Here’s what you need to weigh when choosing a payment processing solution for your Website:

* What are your customers already accustomed to? If you offer real-time authorization and processing in your call center, you should probably provide it on your Website as well.

* What reporting and settlement processes are your employees accustomed to? Don’t make payment processing at your Website so different from that used for phone and mail orders that your staff views it as “that Internet thing.” Choose an application that can be seamlessly integrated with your other channels. And if you operate with a slim information technology staff, outsourcing payment processing and authorization may be the best route.

* What is your site volume today, and what do you expect it will be in 18 months? Generally, if you process more than 1,000 online orders a month, you should at least consider real-time authorization and processing.

* What is your tolerance for fraud? Merchants selling high-ticket items that can easily be fenced should consider real-time authorization and processing plus extra fraud detection features such as user identity verification. At the very least, your online solution should leverage your offline fraud detection methods and enable you to configure metrics that match the red flags your live service reps are trained to recognize, such as partial shipments.

* What are your minimum requirements for speed, performance, and reliability? A private, direct link to a credit-card processor, such as a frame relay line, can send and receive authorization within two to three seconds. Theoretically, so can a link to an application service provider (ASP), but any transaction traveling over the public Internet is subject to server bottlenecks and downtime.

* Is your Website business-to-business, business-to-consumer, or both? Different solutions accommodate different payment methods. If your site sells strictly to consumers, you may want to accept only credit- and debit-card transactions online. But b-to-b sites should also accept purchase cards, as well as checks and electronic funds transfer.

* Will you be targeting global sales via the Web? If so, select a system that supports multiple currencies.

* Does the solution you’re considering connect with your bank? You probably won’t want to start a new banking relationship just to use a particular software package.

* How does the solution you’re considering mesh with your current and planned IT environment? Assign someone from your IT staff to research all the compatibility issues down to the smallest detail. For example, does your payment processing system need to interface with homegrown or legacy systems? If so, you need one that has flexible application programming interfaces (APIs). If you will be using a private link to a credit-card processor, make sure the communications line you select is compatible with the operating system for your Web server.