Hi all,

If I would like to process payments directly without going through Google / Amazon / Paypal, how would I go about that? Is there a Java API or some reference implementation that shows how to do such a thing or is it really that large and complicated that I need to choose a provider such as Google or Amazon?

I currently use Google Checkout as the implementation is fairly straightforward and I can easily generate reports with whatever information I want. If I implemented the solution internally, I would have direct access to all that information anyway.

Thanks, Walter

+3  A: 

You'll need a provider no matter what.

You have two options:

  • Use a system like Google/Amazon/PayPal.
  • Use a processor like Authorize.net.

The upside of Google etc. is that the initial costs are minimal. You pay only per transaction, they handle most of the process, etc. They're effectively middlemen between you and a merchant account. The downside is that the per-transaction costs are higher.

If you're doing lots of transactions, a genuine processor like Authorize.net will be a better deal, as for a monthly fee (and having set up your own merchant account instead of piggybacking on another company's) you get lower per-transaction costs. You also have more control over the process, including handling fraud prevention as you see fit.

ceejayoz
A: 

Take a look at jPOS. They offer an AGPL-licensed open source community edition as well as a professional edition with some sort of commercial license.

You should consider reading the PCI Data Security Standard specification and ISO 8583 before processing or storing any credit card information on your own.

Chris Shouts
I'd say there's no reason to be storing any credit card information, period. There are very few situations in which this is necessary - payment processors allow reference transactions for recurring payments instead of having to store the numbers.
ceejayoz
@ceejayoz: Good advice. Older systems still do this and that is why we have the TJ MAXX incidents!
0A0D
+4  A: 

I have never used Google Checkout or PayPal API for processing payments. If there is a way you can get around 'touching' any part of the credit card information and outsourcing to their web interfaces, you would want to unless there is a distinct reason why and I will explain below.

There are some considerations you must take before 'rolling your own' credit card payment gateway.

First, will this be used for in-house only? Meaning, will it be for non-commercial, in-house use? The reason I ask is because if this is intended to be a commercial product, then you will have to undergo PA-DSS certification (formerly PABP or Payment Application Best Practices). This is because VISA has mandated to their acquirers and merchants to only use PA-DSS/PCI compliant software. Therefore, it forces the software developers to develop compliant software. To be officially certified and on the PA-DSS list, you will have to pay a hefty fee to an outside auditor such as Verizon Business Cybertrust to become fully PA-DSS compliant. To give you a rough figure, it will probably cost you around $15,000 for an audit.

This all is dependent on how your application and environment are structured. We use ICVERIFY (which is now owned by First Data) for credit card processing. ICVERIFY 4.0.3 is on the approved list. Since our applications touch Track 1, 2, 3, PAN, exp date, etc. of the credit card, we also had to get approved. Boom - there goes 15K and a yearly 'listing' fee with the PCI Security Council.

Our applications interface with ICVERIFY through their REQ-ANS file interface and it is very simple. It is not expensive and can work with multiple clients at the same time. I recommend you use ICVERIFY if you decide to go this route.

If there is no reason for you to process credit cards through your application or server, then I suggest you 'outsource' the credit card processing to PayPal, Google, or some other larger entity and just get the confirmation message that the fee was processed successfully. This will make your life much easier if you have this capability.

0A0D
Thanks for your remarks, that makes sense. The Google API is probably the easiest and provides a lot of the information as if you were processing the payment directly. I don't see any value in re-inventing the wheel especially when there are a plethora of good providers already. I was curious to see what that might get me if I could.