views: 393
answers: 3

So this question isn't about integrating an existing payment gateway into my site. This is more of an architectural question.

I want to build a system similar to Paypal. Now I understand that Paypal offers a lot of features under the roof and I can't implement all of them at once. I want to implement the core functionality of Paypal and other such services.

So my question is (rather discussion is) around how would one go about building such a system. Some points to discuss:

  1. Handle payments through existing banks. I am guessing that I would need access to local bank protocols to get this.
  2. Allow users to securely store and process their payments
  3. How does Paypal handle the transactions?

Thoughts?

A: 

First let me say this is a virtual impossibility due to the enormous burden you would have to take on financially to get a bank, or banks, to work with you on this. It's not just a case of "code it all up and find a bank". Even if you could develop a scalable, secure system getting a bank to work with you would be a hurdle extremely difficult to overcome.

Having said that...

1) No. You need to find an acquiring bank to have a relationship with. They are completely different from local banks and focus solely on electronic payments. This will require you to give them lots of money just to have the privilege of having a relationship with them. It doesn't even include what they'll ask for to cover their butts in case you go under.

2) You'll need to develop your own payment system. This means you'll have software, hardware, and security issues to deal with. Of course there are also banking regulations that will need to be addressed. Not easy stuff.

3) IDK the specifics so I can't answer this question.

John Conde
A: 

Big task; chances are you shouldn't reinvent the wheel but rather use an existing wheel (such as PayPal).

However, if you insist on continuing, start small. You can use a credit card processing facility (Moneris, Authorize.NET) to process credit cards. Most providers have an API you can use. Be wary that you may need to use different providers depending on the card type (Discover, Visa, Amex, Mastercard) and country (USA, Canada, UK). So build it so that you can communicate with multiple credit card processing APIs.

Security is essential if you are storing credit cards and payment details. Ensure that you are encrypting things properly.

Again, don't reinvent the wheel. You are better off using an existing provider and focusing your development attention on solving a problem that can't easily be purchased.

vfilby
+6  A: 

What you're talking about is becoming a payment service provider. I have been there and done that. It was a lot easier about 10 years ago than it is now, but if you have a phenomenal amount of time, money and patience available, it is still possible.

You will need to contact an acquiring bank. You didn't say what region of the world you are in, but by this I don't mean a local bank branch. Each major bank will generally have a separate card acquiring arm. So here in the UK we have (eg) Natwest bank, which uses Streamline (or Worldpay) as its acquiring arm. In total, even though we have scores of major banks, they all end up using one of five or so card acquirers.

Happily, all UK card acquirers use a standard protocol for communication of authorisation requests, and end of day settlement. You will find minor quirks where some acquiring banks support some features and have slightly different syntax, but the differences are fairly minor. I strongly suspect (but can't be 100% sure) that this is a global protocol, given that Amex and Diners (internationally) follow the same specification.

The standards are published by the Association for Payment Clearing Services (APACS) (which is now known as the UKPA), but the standards are still referred to as APACS 30 (authorization) and APACS 29b (settlement).

Communicating with the acquiring bank can be done a number of ways. Again though, it will depend on your region. In the UK (and most of Europe) we have one communications gateway that looks after all the major acquirers; they are called TNS and there are dozens of ways of communicating through them to the acquiring bank, from dialup 9600 baud modems, ISDN, HTTPS, VPN or dedicated line. Ultimately the authorisation request will be converted to the X.25 protocol, which is the protocol used by these acquiring banks when communicating with each other.

In summary then: it all depends on your region.

  • Contact a major bank and try to get through to their card acquiring arm.
  • Explain that you're setting up as a payment service provider, and request details on comms format for authorization requests and end of day settlement files
  • Set up a test merchant account and develop auth/settlement software and go through the accreditation process. Most acquirers help you through this process for free, but when you want to register as an accredited PSP some will request a fee.

Once you are registered and accredited you'll then be able to accept customers and setup merchant accounts on behalf of the bank/s you're accredited against (bearing in mind that each acquirer will generally support multiple banks). Rinse and repeat with other acquirers as you see necessary.

Beyond that you have lots of other issues, mainly dealing with PCI-DSS. That's a whole other topic and there are already some Q&As on this site regarding that. Like I say, it's a phenomenal undertaking - most likely a multi-year project even for a reasonably sized team, but it's certainly possible.

PaulG
Thanks Paul that is great information. That's exactly what I was looking for. One of our customers is looking for a solution to implement in South Asia. We weren't 100% sure hence the questions on SO.
John Stewart
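Two of the answers above make the same architectural point from different angles: vfilby's (route to different processors by card brand and country, behind one interface, and be careful with stored card data) and PaulG's (the core of a PSP is an authorisation request path plus an end-of-day settlement batch per acquirer). The following is an added example, not code from the original page or from any real PSP, that puts those pieces together in a toy core. Everything in it is an assumption for illustration: the acquirer names, the decline thresholds, the `H|`/`D|`/`T|` batch layout (a stand-in, not APACS 29b or any acquirer's real format), and the in-memory card vault, which in a real system would be the PCI-scoped component holding PANs encrypted under HSM-held keys. The brand detection uses public IIN ranges; the test card numbers are the well-known published test PANs.

```python
"""Constructed example: a minimal payment-service-provider core.

Added example, not code from the original page. Acquirer message formats,
names and thresholds are invented stand-ins (real ones, e.g. APACS 30/29b in
the UK, are acquirer-specified and are not reproduced here).
"""
from dataclasses import dataclass
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation: reject obvious typos before an acquirer round trip."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_brand(pan: str) -> str:
    """Brand from the leading digits (public IIN ranges); routing depends on this."""
    two, four = int(pan[:2]), int(pan[:4])
    if pan[0] == "4":
        return "visa"
    if two in (34, 37):
        return "amex"
    if 51 <= two <= 55 or 2221 <= four <= 2720:
        return "mastercard"
    if four == 6011 or two == 65:
        return "discover"
    raise ValueError("unrecognised card brand")


def mask_pan(pan: str) -> str:
    """First six and last four are the most PCI DSS allows to be shown or logged."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class CardVault:
    """The only component that sees full PANs; everything else carries a token.

    In-memory stand-in (assumption): a real vault encrypts PANs with HSM-held
    keys, and this class marks the boundary of PCI DSS scope.
    """
    def __init__(self):
        self._store = {}

    def tokenize(self, pan: str, expiry: str) -> str:
        token = "tok_" + secrets.token_hex(8)   # random, so the token leaks nothing about the PAN
        self._store[token] = (pan, expiry)
        return token

    def detokenize(self, token: str):
        return self._store[token]


@dataclass
class AuthResult:
    approved: bool
    code: str


@dataclass
class AuthRecord:
    token: str
    masked_pan: str      # what the rest of the system (and its logs) ever sees
    brand: str
    acquirer: str
    approved: bool
    auth_code: str
    amount: int          # minor units (pence, cents)
    currency: str


class ToyAcquirer:
    """One adapter per acquirer; a real adapter speaks that acquirer's own protocol."""
    def __init__(self, name: str, decline_above: int):
        self.name, self.decline_above, self._seq = name, decline_above, 0

    def authorise(self, pan, expiry, minor_units, currency) -> AuthResult:
        self._seq += 1                      # toy rule: approve up to a per-acquirer limit
        approved = minor_units <= self.decline_above
        return AuthResult(approved, f"{self.name[:3].upper()}{self._seq:06d}" if approved else "")

    def settlement_file(self, records) -> str:
        """End-of-day batch: header, one detail line per capture, trailer with the total."""
        lines = [f"H|{self.name}|{len(records)}"]
        lines += [f"D|{r.masked_pan}|{r.auth_code}|{r.amount}|{r.currency}" for r in records]
        lines.append(f"T|{sum(r.amount for r in records)}")
        return "\n".join(lines)


class PspCore:
    def __init__(self, routes: dict):
        self.routes, self.vault, self.captured = routes, CardVault(), []

    def _route(self, brand: str, country: str) -> ToyAcquirer:
        acq = self.routes.get((brand, country)) or self.routes.get((brand, "*"))
        if acq is None:
            raise LookupError(f"no acquirer configured for {brand}/{country}")
        return acq

    def authorise(self, pan, expiry, country, minor_units, currency) -> AuthRecord:
        if not pan.isdigit() or not luhn_ok(pan):
            raise ValueError("PAN failed basic validation")   # message never includes the PAN
        brand = card_brand(pan)
        token = self.vault.tokenize(pan, expiry)
        acq = self._route(brand, country)
        full_pan, exp = self.vault.detokenize(token)
        result = acq.authorise(full_pan, exp, minor_units, currency)
        rec = AuthRecord(token, mask_pan(pan), brand, acq.name,
                         result.approved, result.code, minor_units, currency)
        if rec.approved:
            self.captured.append(rec)
        return rec

    def end_of_day(self) -> dict:
        """One settlement batch per acquirer that has captures, then clear the queue."""
        files = {}
        for acq in set(self.routes.values()):
            batch = [r for r in self.captured if r.acquirer == acq.name]
            if batch:
                files[acq.name] = acq.settlement_file(batch)
        self.captured.clear()
        return files


def demo_routes() -> dict:
    """Constructed routing table: (brand, country) -> acquirer, '*' as a wildcard country."""
    uk = ToyAcquirer("uk-acquirer", decline_above=500_000)
    na = ToyAcquirer("na-acquirer", decline_above=250_000)
    return {("visa", "GB"): uk, ("mastercard", "GB"): uk,
            ("amex", "*"): na, ("visa", "US"): na, ("discover", "US"): na}
```

The shape to take from this, rather than the toy rules, is the separation: validation and brand routing happen before any acquirer is contacted, the full PAN exists only inside the vault and the adapter call, every record and log line carries a token and a masked PAN, and settlement is a per-acquirer batch built from captured authorisations rather than a second card-present operation.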