6 Credit Card Processing Facts Nobody Tells You (letsfreckle.com)
117 points by ahoyhere on Dec 8, 2008 | 42 comments



If you're doing test charges for SAAS, you're doing it wrong.

The subscription is worthless without you flipping a little bit in your database somewhere, right? You could flip that little bit at any time if you suspected the account was fraudulent, right? Great news. Assume everybody is telling the truth that they're authorized, even if they fail AVS. If the charge is later disputed, rescind it and (optionally) lock the account. If it is not later disputed, hey, it must have been authorized.

This is time tracking not file hosting -- scamming 25 days out of the provider doesn't provide you any benefit. You should expect fraud rates to be negligible.

Why is locking the account optional? Well, really, clanging the doors shut on a legitimate paying customer is a lot worse for you than letting 10 illegitimate people take up another record in your database.

(Oh noes, how will I scale with invalid records in my database?! Oh wait, I charge people money which means I scale practically by definition.)

So sure, give people a few extra days to get their details re-entered before you shut down their access. The time is free to you.

In my business (selling downloadable software), after I have handed over the Registration Key the horse is out of the barn... and I could care less. They're free to me. You can try paying me with an e-check, which is basically a promise that 5 days from now you'll have money in a checking account ready for me, and e-checks come with NO verification for those 5 days. I'll still give you the key as soon as you hit the submit button. If you were dishonest or fumble-fingered your account number... oh well? Paypal will send you an email to retype it, if you do that is great, if not then I'm not out any money am I.


Actually, you should expect fraud rates to be high, but not because potentially legitimate customers are ripping you off. It's because when a fraudster gets a new shipment of stolen credit cards, he wants to test them out online before, say, walking into Best Buy where he might get busted for using a card reported stolen.

So you're not losing revenue, since these guys weren't going to pay you for your SaaS anyway, and you're not losing capacity since they won't actually use it. So what's the problem? The problem is that chargeback fees (that you pay them for the service of taking the money back) can be $25 or more.

If it becomes a big problem, you'll probably find ways to detect common fraudulent usage patterns. For instance, since your variable cost is zero, you might avoid putting through a charge until they actually use your service.


> Why is locking the account optional? Well, really, clanging the doors shut on a legitimate paying customer is a lot worse for you than letting 10 illegitimate people take up another record in your database.

This is spot on.


That's really simply a decision based on how you wish to operate your business, don't you think? We've decided to require CCs up front based on a number of factors.

Doesn't make the pains of validating and charging CCs any less.


If you require CCs up front, charge a set-up fee - that's easier to explain to potential customers (a well accepted concept, whereas test charges sound shady to most non-geeks, and even to some geeks). And it makes you more money. So long as the set-up fee is reasonable, people are unlikely to mind. They expect to whip out their credit card when they buy something.


Here's one: American Express charges 1% higher than Visa and Mastercard, and is brutal to businesses when a customer tries to chargeback a legit charge. And yet, unless you're in a very low margin business, it's profitable to take AMEX because they have an excellent clientbase that you really want.

I thought about it a lot, decided I couldn't beat 'em, so I might as well join 'em, and got an AMEX Gold Card. The reason AMEX gives you all kinds of crazy-awesome rewards and bonuses and great customer services is because they stick it to business. 1% of gross is HUGE. If you have 10% profit margins independent of credit card processing, you lose 20% of your profits to Visa/MC, or 30% to AMEX. Someone's going to slay the credit card company beast someday, because they're evil and don't add that much value to business for what they charge, but we don't have free authenticated ACS debits yet.

So yeah, you need to take AMEX unless you're low-margin or the only game in town and very necessary. And they scalp you, but you suck it up.


Also for people without a business background: Gross profit is what you charge (Hamburger at Burger King: $1). Net profit is the money you make from it after you pay costs. Burger King doesn't make $1 per burger, since they have to buy meat, ship it to their stores, have it prepared, etc. Losing 3 cents out of every dollar to AMEX instead of 2 cents to Visa/MC doesn't sound like much, but it's huge if you're only making 5 cents per burger.

That's why fast food didn't take credit cards for so long - I hear the CC companies inked deals at lower than normal rates for some huge-volume small-margin companies like Walmart, McDonald's, etc. The credit card companies want more widespread use of their cards so people start using them for everything. As a small merchant, you're not going to get that and it's yucky. It's part of the game right now unfortunately, but that AMEX additional 1% of GROSS is really huge in many industries.


Same with Sam's Club/Costco kind of places. Their margins are below what those credit cards charge out of the gate (except for Discover) but their order volume is so high that they were able to negotiate with at least Visa or Mastercard.


Actually, Costco does NOT take credit cards, with the only exception being Amex.

They will take a Visa/Mastercard Debit card, but you have to enter the PIN. Debit charges are processed at a lower rate, since they're essentially an interface for ACH, and having a valid 4-digit PIN entered (plus buying stuff on a membership card) supposedly eliminates fraud.

(I was there this past weekend to capitalize on their great deals on flat screens.)


They don't take Discover? I'm surprised. Sam's now takes that and Mastercard. I would think Costco's superior volume could get them an awesome deal.


It's not so unreasonable for Visa to take 2% (they often take more than that.) Outright fraud costs them around 1% (though they'll never reveal their stats.) Doing collections costs them a lot, and they lose some to cardholder bankruptcies. They do provide a valuable service of isolating you from all these. Taking checks probably costs you a larger percentage of revenue than credit cards.


Fraud in online transactions is almost always charged back to the business. It may be different face to face, I'm not sure. And then they make money on interest.

My ideal online payment solution (and I think it'll happen later) is for everyone to have a number they put into a site to buy. Then they have to log into online banking and approve the charge. There'd be a description of the company and the charge automatically with the debit, and "Approve / Decline / I Don't Know This User" choices or some such.

It'd reduce fraud to near-zero levels, and I don't think it'd cost too much to set up. Credit cards will live on for a long time as short term credit, but I reckon banks could offer that at much more reasonable rates with a much better idea of people's finances and credit profiles. And with widespread enough adoption, merchants could start telling CC companies to take a hike. Heck, the bank could even make it a "card that you control" or something to not break from the card tradition.


I have to disagree with the general feeling and the details of this.

1. The web sites for credit card processors & merchant account services are completely useless

That depends on the site. Protx has awesome documentation at http://techsupport.protx.com/ (see the "Advice" bit on the left). I'd even use it when building for other providers, because much of it is very generic.

3. Address verification (AVS) is voodoo

All the verification systems are voodoo (except the security number). Hell, even the credit card number is voodoo. Why? Because the customer could have made a mistake while typing them in. The bank lets you decide how to handle it. That is a little unclear to most cc processing beginners, but it can be resolved easily: use 3D-secure. This shifts the liability back onto the bank and you don't have to worry about that crap anymore.

4. Test charges are pretty much unavoidable

Both of the times I've had to build a cc processing system, I haven't needed "test charges". If you really need to verify a card ahead of time, don't use test charges, charge a proper setup fee. Why do you think so many sites charge setup fees?

6. Errors are incomprehensible and your credit card processor is useless at helping you solve validation issues.

Dunno what kind of merchant they're using... I get descriptive errors from my accounts.

7. When you ask why stuff doesn’t work, even due to Stuff Nobody Told You, they think you’re kinda dumb.

Again, it goes back to the first point... get a better provider that has decent documentation.

Credit card processing is a pain, but it's not that terribly hard.


i'll disagree with #2 as well. i setup a merchant account with braintree and they handled the establishment of amex, discover, visa, and mastercard accounts all for me.

the only thing i would add is that once you have your american express merchant account, login to their website and immediately switch to electronic statements. otherwise they charge you a $5 fee every month for paper statements.


The stuff listed in the article is true for one of the most popular / well-supported processing gateways, Auth.net. If there are better alternatives, we sure weren't able to find them. Their biggest competitor is TrustCommerce and they seem to have the same web site, information, support problems.


Well, you can't generalise from a single gateway. I'm not trying to generalise to say that what I'm saying is true for the whole industry, but I've used 2 different providers so far and not had the experience that you've had.

So your article might have been better titled "6 things they don't tell you about authorize.net"...


We use Auth.net with one of our clients who processes an order about every 5 minutes around the clock. They started with LinkPoint which was horrible (bad support/high failure rates), and Auth.net is like a vacation in comparison.


Can I ask approximately what your client's failure rate is with Auth.net? This is a problem we're struggling with - out of 10 different payment attempts, we get maybe 1 successful payment (yes, some of the attempts are bogus, but that still seems pretty bad). It might be worth switching to Auth.net or something else, but the only reason would be the failure rates, and that information isn't very easy to find.


Failure of what? legit transactions? Are you saying that there are times when someone enters data that you know is correct and it still fails you?

That should never happen.

If you have full AVS checking, you might hit against the incapability of most users (quite understandably) to type in their address exactly the same way as on their credit card bill. For this reason, we (at my previous start-up) disregarded the address part of the verification (but still required post code and CCV2). Address failures aren't a good indication of fraud, since most legit users will mistype their address.
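The policy described in the comment above (ignore the street-address result, still require post code and security code), set beside full AVS on a constructed sample. This is an added example, not code from the thread; the field names, the result values and the "review" outcome for an unchecked field are assumptions, not any gateway's actual response format.

```python
from dataclasses import dataclass

# Per-field outcomes. The names are assumptions made for this example.
MATCHED, NOTMATCHED, NOTCHECKED = "MATCHED", "NOTMATCHED", "NOTCHECKED"


@dataclass(frozen=True)
class Check:
    address: str   # street-address part of AVS
    postcode: str  # postal-code part of AVS
    cv2: str       # card security code check


def full_avs(c: Check) -> str:
    """Strict policy: street address, post code and security code must all match."""
    if all(f == MATCHED for f in (c.address, c.postcode, c.cv2)):
        return "accept"
    return "decline"


def postcode_and_cv2(c: Check) -> str:
    """Relaxed policy from the comment: the street-address result is ignored."""
    required = (c.postcode, c.cv2)
    if NOTMATCHED in required:
        return "decline"
    if all(f == MATCHED for f in required):
        return "accept"
    return "review"  # assumption: an unchecked required field goes to manual review


# Constructed sample: (description, check result, is the cardholder genuine?)
SAMPLES = [
    ("everything matches", Check(MATCHED, MATCHED, MATCHED), True),
    ("'Flat 2' typed as 'Apt 2'", Check(NOTMATCHED, MATCHED, MATCHED), True),
    ("street abbreviated differently", Check(NOTMATCHED, MATCHED, MATCHED), True),
    ("issuer did not check the address", Check(NOTCHECKED, MATCHED, MATCHED), True),
    ("issuer did not check the post code", Check(NOTCHECKED, NOTCHECKED, MATCHED), True),
    ("wrong address, post code and code", Check(NOTMATCHED, NOTMATCHED, NOTMATCHED), False),
    ("right code, wrong post code", Check(NOTMATCHED, NOTMATCHED, MATCHED), False),
]


def tally(policy):
    """Count decisions, split by whether the cardholder was genuine."""
    counts = {"genuine_accepted": 0, "genuine_review": 0, "genuine_declined": 0,
              "fraud_accepted": 0, "fraud_stopped": 0}
    for _, check, genuine in SAMPLES:
        decision = policy(check)
        if genuine:
            key = {"accept": "genuine_accepted", "review": "genuine_review",
                   "decline": "genuine_declined"}[decision]
        else:
            key = "fraud_accepted" if decision == "accept" else "fraud_stopped"
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for policy in (full_avs, postcode_and_cv2):
        print(policy.__name__, tally(policy))
```

The sample is constructed to show the mechanism, so the counts say nothing about real-world decline rates.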


Well, the payments seem to fail for every possible reason imaginable (and many of the error messages aren't very descriptive), so it feels like death by a thousand cuts. The problem is that we're new to this game, and reliable information seems surprisingly difficult to find. Maybe it's perfectly normal to see 9 out of 10 people entering bad information or carders trying out numbers, but that seems high to me, and tech support has been useless.

We'll look into what AVS options we have available, and I'm also reading through the Protx link you posted.


This is a bit lengthy to debug via HN comments, but feel free to chat me on IRC (freenode), where I hang out as (predictably) swombat for a chat about this, I might be able to help in figuring out what's going on since I've implemented 2 such systems already...


We are in the Online Travel Industry, for people who don't know the forward book and high possibility of cancellations (Chargebacks) makes travel regarded in the same category as Adult Porn and Online Gambling sites in terms of risk.

It has taken us 7 months to get a card merchant facility, the bonding and legal registration requirements alone for trading are pretty damn difficult within the UK so following this we were hit with little or no co-operation from Merchant facilities, despite holding an IATA bonded Licence, UK TTA Licence and ATOL Licence, literally no card acquirers would touch a new travel startup it really shed some light on the way the industry can make or break a business. Common conversations would start with..."what sector"...."online Travel"..."oh we don't like that..sorry"!

If I were aware of the utter disdain towards travel companies worldwide from card merchant services then I certainly would not have gone into the sector.

Suffice to say we eventually got our card acquirer 2 weeks ago after 7 months of applications!, we eventually tried 7 UK merchant services & high street banks, 7 offshore merchant services - Panama / Belize / Delaware / Amsterdam / Estonia / China / Cayman Islands and were not even entertained by Google Checkout / Paypal / Neteller!!

Additionally to give you guys an idea, our margin is about 10-12% of the Total Transaction Value, on the two occasions we actually got to terms of business they wanted a 10% rolling reserve for 6 months (our margin!!) and on top would require a rate of 5.5% on credit AND debit cards!! therefore for each transaction when charging the customer a 2% CC fee we would in fact be losing 3.5%. A completely unworkable situation, in essence...we've seen your business plan and your financials and if you want to trade you're gonna have to bootstrap and borrow for your first year at least!!

Luckily we have managed to find an excellent company in Moneybookers who are very open to negotiation...terms started at 180 rolling reserve of 10%, we have negotiated down to 45 days and 3% Rolling Reserve and a credit card rate of 1.9% which given our margins is MUCH more workable!!

Sorry if this sounds like an anti merchant rant but when I saw this topic I had to share the problems we have experienced, after finishing complete integration with 45 xml suppliers, building a custom platform and new social media elements for travel and obtaining every licence under the sun it's literally been 7 months of uncertainty and hell while we have had a fully working site just sat there!!

Rant over!! lol


Can anyone explain the reason for these attitudes? Is it just because expected fraud rates for that particular industry are higher?


It's not that the fraud rates are high but rather that if an airline or supplier in the chain fails then the credit card company are liable for the refund to the customer. The Risk lies with them.

So for example XL Airways going bust earlier this year had a massive impact on the merchant service provider as where products weren't sufficiently bonded the liability lay with them.

In such a high value turnover industry I can understand the risk element to the credit card company, but you would assume that becoming a member of 3 required bodies with bonding in place would be adequate! Clearly not in 99% of the cases!


Another fact: everything is negotiable, once you have enough volume. So if you're building a serious business, don't worry if the first merchant account charges fees that eat into your profit margin. Once you get the volume up to a few million a year you'll have the leverage you need to negotiate a better deal.


I'd take a serious look at Braintree for credit card processing http://www.braintreepaymentsolutions.com/. I'm not affiliated, we're a customer that uses them for processing. Reading stories like this, I'm glad we do.

When we signed up they gave us a heads-up on almost every one of these facts (i.e. warning us up front to authorize a minimum of a dollar or many banks would reject it). They called AMEX on our behalf to get the service hooked up so we didn't have to. They've also given us tons of technical advice, like how to improve accuracy on AVS checks and details on what some of the esoteric failure codes really mean.


I recently used CyberSource for a project. I'm not the best programmer by any means but was able to get it up and running fairly quickly. (No affiliation with CyberSource)


Last time I looked they have a minimum bar of $250,000 of business a month, or they're not interested in you. Thus not an option for people starting out.


Not true.

We use Braintree and they're great. We're not doing $250k/mo yet but had no problems getting signed up with them back in May.

We also helped a partner company get set up with BT recently. They're doing < $50K a month IIRC.

Have not run into most of the problems mentioned in the OP.


And, dare I ask without sounding like a complete user, what would you use if you were only doing < $1000/month. Would a credit card processor even touch you or is it basically just paypal?


Paypal and Google Checkout are both good alternative options to look at. In some cases when you factor in all of the upstream credit card processing charges you'll even pay less.


This discussion is probably dead, but just in case:

Within the last year, I've been in the position of doing <$1k/month on a credit card processor, and it was actually a delightful experience. The company I originally worked with was bought/renamed or something and I haven't had to deal with them in quite a few months, but I can probably dig up a contact. Email me if you like.


IIRC they have an exception for that for Rails projects, or something like that.


They don't have any exceptions. I paid for the rails SAAS kit and then talked to Braintree and it took a week's worth of email just to get them to send me the application. They told us that if we didn't do enough volume they would cancel our account.

I ended up just going with Payflow Pro (Paypal). Had to rewrite most of the SAAS kit..


nod. braintree are tools if you're not a big player.


Regarding issues 4 and 5, I had this happen to me recently when a service tried to charge my card 1 pence (GBP) to check the validity of my card.

The bank said they fail these transactions on fraud protection, as many fraudsters will try a very small charge first to see if a card works.


Another one...

AmEx will cancel your business credit card account if you test AmEx charges on your merchant gateway with your AmEx business credit card.


I've used the Auth.net live support option several times and have always gotten the information I've needed much quicker than calling.

As far as test charges go, Auth.net has a "test" mode, and since they batch daily, you can charge whatever you want and then just void it before the batch even when it's in live mode. I don't see any issues there or why you have to worry about 'small charges' either.


Really, they usually won't talk to me unless it's about a web interface question. They keep telling me to call them.


Merchant Services is a relatively shady and EXTREMELY cut throat industry. The good news is that you have tons of options and can play providers against each other. The bad news is that some places are shady with their terms and hidden fees. If you're thinking of doing a lot of $$$ volume, it's very much worth spending some time and talking to as many people as possible.


>> 2. If you want to process AmEx, you have to call them directly...

This is not true when using Paypal Payflow Pro or Website Payments Pro for your merchant account.


Well, if you happen to be using Website Payments Pro UK or Canada as opposed to US, they don't bother mentioning they don't support AmEx and Discover until you call them and ask why the payments aren't going through.



