Secure payment gateway integration: How to make it work
N-iX
2020-10-01T12:52:16+00:00


A non-user-friendly checkout system increases the churn rate significantly. According to Invespcro, over 11 percent of customers abandon their shopping carts because of a complex checkout system, 12 percent if too much information is required, 7 percent if there are not enough payment options, and 14 percent if there is no guest payment option.

Besides, mobile shopping constitutes a significant percentage of e-commerce retail sales in the US. By 2021, Statista estimates 54 percent of all e-commerce retail to be done via mobile devices. Thus, it is critical to have a user-friendly and secure mobile payment integration in your app. 

However, when integrating a payment system, there are certain critical aspects that need to be taken into account: it needs to be easy to use, offer different payment methods, support different currencies, and be secure.

How a payment gateway works

In e-commerce, a payment gateway is the system that transfers data about an intended transaction from a merchant’s mobile app or website to payment processors or banks and back. To do this securely, the system relies on security protocols and encryption.

The heavy lifting that a payment provider does for you as a merchant:

  • Authorization of the cardholder (verifying that they have enough funds for the transaction).

  • Processing (capture) of a previously authorized payment, resulting in funds being sent to the merchant’s account.

  • Refunds following a canceled order, and voids (if the funds have not been captured yet).

  • Security, compliance, and personal data protection. In most payment system integrations, you as a merchant don’t need to go through PCI DSS compliance yourself, because you don’t store any of your customers’ cardholder data; your payment provider takes care of that.

  • In most cases, KYC and financial monitoring are on the payment provider’s side too.


How to choose the best payment provider  

Choosing the right payment gateway/payment provider determines the currencies you can accept, the country or countries where transactions can take place, the transaction fee, how fast money reaches your merchant account, and the payment methods you’ll offer. Among the most common providers are Stripe, PayPal, GoCardless, and Authorize.net. If you operate globally, you may need to integrate several payment gateways.

  • Depending on the countries where your business operates, you may need to support various payment methods: credit/debit cards (mostly the USA), direct debit (mostly Europe), and credit transfers.

  • Also, depending on the country, you may need to support different credit/debit card brands. For instance, American Express in the USA, Mastercard and Visa in Europe.

Let’s take a look at a comparison of four payment providers: Stripe, PayPal, Authorize.net, and 2Checkout.

Stripe operates mostly in America and is targeted at e-commerce sites. It provides a good, well-documented API for developers and is easy to integrate with.

PayPal is end-user oriented (a buyer needs to have a PayPal account), operates all around the globe, and is available in 202+ countries.

Authorize.net is designed for small- and medium-sized businesses. Its service also supports all the major payment methods, including PayPal payments and Apple Pay.

2Checkout provides customizable options for businesses of different sizes, as well as integrated payment solutions. Its biggest advantage is its scalability with packages for different product types.


There are 4 key payment gateway integration methods

1. Redirection or a hosted payment gateway

This method is very common among small businesses, as it minimizes PCI scope and reduces liability. A hosted payment gateway acts as a third party: your customers leave your website to complete the purchase on the provider’s page. It is the easiest way to integrate, but it comes at the expense of the user experience.


How it works:

1. The merchant website sends redirect instructions to the customer’s computer

2. The customer’s browser requests a payment form

3. The Payment Service Provider (PSP) creates a payment form and sends it back to the customer’s computer

4. The customer’s browser displays the payment form and sends the card data to the PSP

5. The PSP receives the card data and sends it to the payment system for authorization

It’s important to note that merchants who use a redirection payment method are still liable for their customers’ payment card data. Should an attacker compromise the merchant website and redirect customers to a malicious site (one form of man-in-the-middle attack), the merchant will most likely be held responsible and subject to the fees, fines, and penalties associated with payment card loss.
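One concrete defensive control for the redirection step above, as an added example that is not N-iX’s or any provider’s code: the merchant server issues the redirect only if the target is an allowlisted PSP host over HTTPS, so a tampered configuration or an injected target cannot send customers to a lookalike site. The hostnames and the `session` query parameter are constructed assumptions for the illustration.

```javascript
// Added example: fail-closed builder for a hosted-checkout redirect.
// The allowlist is server-side configuration; the target never comes from
// the incoming request. Hostnames below are constructed, not a real PSP's.
const ALLOWED_PSP_HOSTS = new Set([
  'checkout.example-psp.com',   // constructed hostname
  'secure.example-psp.com',     // constructed hostname
]);

// Returns the validated redirect URL as a string, or null when the target
// must not be used (the caller should log the event and abort checkout).
function buildHostedCheckoutRedirect(target, sessionId) {
  let url;
  try {
    url = new URL(target);
  } catch {
    return null;                                  // not a parseable URL
  }
  if (url.protocol !== 'https:') return null;     // card data only over TLS
  if (url.username || url.password) return null;  // "https://good@evil" trick
  // Exact hostname match: "checkout.example-psp.com.evil.net" or
  // "example-psp.com.co" must not pass a substring or suffix check.
  if (!ALLOWED_PSP_HOSTS.has(url.hostname)) return null;
  url.searchParams.set('session', sessionId);    // assumed parameter name
  return url.toString();
}

// Handler-shaped wrapper (framework-agnostic, assumed shape): emits a 302
// to the PSP, or a 500 that never reveals the rejected target.
function redirectHandler(pspCheckoutUrl, sessionId) {
  const location = buildHostedCheckoutRedirect(pspCheckoutUrl, sessionId);
  if (location === null) {
    return { status: 500, body: 'checkout unavailable' };  // fail closed
  }
  return { status: 302, headers: { Location: location } };
}
```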

2. The IFRAME

The IFRAME, or inline frame, is a type of payment gateway integration where an HTML document (the child page) is embedded into a separate HTML document (the parent page). One advantage of IFRAMEs is that they allow the merchant site to maintain website consistency, branding, and user experience.


How it works:

1. A merchant website creates a parent payment page 

2. A customer browser requests a child page, which includes the payment form 

3. PSP creates and sends the form to the customer computer 

4. The customer browser displays the payment form and sends card data to PSP

5. PSP receives the card data and sends it to the payment system for authorization

3. The direct post

The direct post, also known as ‘browser post’ or ‘silent order post’, is different from the first two methods as the payment form originates from the merchant website instead of the PSP. This allows the merchant more control over the payment process, but also relies on the merchant’s internal security controls to protect the transaction.

How it works:

1. A merchant website creates the payment form 

2. A customer browser displays the payment form and sends card data to PSP 

3. PSP receives the card data and sends it to the payment system for authorization

This method is used more frequently by larger merchants and is considered moderate risk. To eliminate the additional risk, merchants that use a direct post must be compliant with SAQ A-EP, which includes 139 questions and requires additional security controls such as internal/external scanning and penetration testing.

4. The API

The API, also known as a ‘merchant gateway’, is unique from other ecommerce processing methods in that the merchant controls nearly the entire payment process. By controlling the payment process, merchants have access to much more information to use for customer profiles, consumer trends, and marketing analysis. 


How it works:

1. A merchant website creates a parent payment page 

2. A customer browser displays a payment form, which the customer completes and returns to the merchant website 

3. The merchant website sends card data to PSP

4. PSP receives the card data and sends it to the payment system for authorization

API payment integration may pose high risks for ecommerce businesses, as breaches of this kind are quite frequent and may do serious damage. Merchants who use this type of payment gateway integration fall under SAQ D, which is validation against the entire PCI DSS standard. It includes, but is not limited to, security controls such as internal/external scanning and penetration tests.
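The difference between the direct post (SAQ A-EP) and the API method (SAQ D) above is whether card data ever reaches the merchant server. As an added example (not N-iX’s code), the guard below lets a merchant running a direct-post or hosted integration detect the failure mode where a mis-wired form posts a card number to the merchant instead of the PSP, and reject the request before the data is logged or stored. The field names and the test card values are constructed for the illustration.

```javascript
// Added example: detect cardholder data arriving at a server that should
// only ever see PSP tokens. A primary account number is 13-19 digits and
// passes the Luhn check, which is what looksLikePan tests for.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;          // '0'..'9' -> 0..9
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// True if the value, stripped of spaces and dashes, is a plausible PAN.
function looksLikePan(value) {
  if (typeof value !== 'string') return false;
  const digits = value.replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walks a parsed JSON/form body and returns dotted paths of PAN-like fields.
// Paths, not values, are returned so that the finding can be logged safely.
function findPanFields(body, path = '') {
  const hits = [];
  if (body && typeof body === 'object') {
    for (const [k, v] of Object.entries(body)) {
      hits.push(...findPanFields(v, path ? `${path}.${k}` : k));
    }
  } else if (looksLikePan(body)) {
    hits.push(path);
  }
  return hits;
}

// Middleware-shaped check (assumed shape): reject the request if a PAN
// reached the merchant. The PAN itself is never included in the result.
function cardholderDataGuard(body) {
  const fields = findPanFields(body);
  if (fields.length > 0) {
    return { ok: false, reason: 'cardholder data reached merchant server', fields };
  }
  return { ok: true };
}
```

Run the guard on every request body that the checkout backend accepts; a hit means the integration has silently drifted from direct post toward the API model and its SAQ D obligations.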

How we helped Lebara with payment gateway integration

Lebara is one of Europe's fastest-growing mobile companies with five million active customers, 1,400 employees worldwide and operations in nine countries.

It is a telecommunications company providing services in many countries around the world, using the mobile virtual network operator business model. Lebara Mobile provides Pay As You Go mobile SIM cards, targeted towards the needs of international communities and migrant workers. 

N-iX has been working with the global telecom brand Lebara since December 2014, having built a development center that consolidates a wide range of expertise – software development, quality assurance, business intelligence development and operations, application support, database administration, infrastructure support – everything in one place.

As Lebara is targeted at immigrant communities in different countries, it was critical to integrate different payment providers and support various payment methods.

Payment methods used in Lebara Mobile

  1. Multiple payment methods and payment providers are supported, so that different products can be paid for with different payment methods where this is preferable (corporate expenses, etc.).

  2. The user can set a payment method as primary if it is allowed to be used for recurring payments. If, however, as in this case, the user also has a saved payment method that does not support recurring payments, it will be grayed out to avoid the appearance of an error. 

  3. A number of payment methods are available depending on the market (Klarna for Germany, iDEAL for the Netherlands, etc.) 

  4. In case the user doesn’t have a saved payment method, adding a new one is simple and effortless. 


Why choose N-iX for secure payment integration: 

  • We have over 18 years of experience in remote work and management of distributed teams and have built long-term partnerships (5+ years) with companies such as Gogo, Lebara, Anoto, Currencycloud, and others.

  • We have extensive experience in fintech development.

  • N-iX is trusted in the global tech market: the company was listed among the top software development providers by Clutch, in the Global Outsourcing 100 by IAOP, recognized by GSA UK 2019 Awards, included in top software development companies by GoodFirms.co, and others.

  • N-iX is compliant with ISO 27001:2013, PCI DSS, ISO 9001:2015, GDPR, and HIPAA. The company undergoes annual external security audits as well as internal audits two times a year to ensure maximum security.

  • We provide protection for intellectual property according to the legislative and contractual agreements. Our information security teams regularly review cybersecurity policies to guarantee they are suitable, adequate, and efficient.

  • N-iX provides secure log-on procedures, password and cryptographic keys management, network security, as well as information asset management. 

By Tetiana Boichenko, Mykhailo Mikulin October 01, 2020