So You'd Like to Accept Some Payments (Through Code)
Published 2021-10-2
Just my jumbled notes while trying to understand payment processing...
There is a lot of confusion surrounding credit card processing and merchant accounts. Some of the most common areas of confusion are the different types of organizations that sell the services, what entities actually process the transactions and the fees and pricing structures that continue to form an unsolvable mystery for most merchants. - BrainTree
For customer convenience, you can't beat PayPal and Amazon Pay.
For the lowest risk to your own cash flow, however, you'll probably want something like Align Pay (not Stripe) for handling Credit Cards.
PayPal is King
PayPal is #1, over 50% Market Share:
Stripe kinda sucks
From the developer perspective, Stripe is a dream come true - the docs are beautiful, it's easy to get up and running - it's great!
But for the user, it kinda sucks - rather than seeing a logo you're already familiar with and just clicking a button or two, you get a semi-white-labeled experience and have to physically pull out and enter in your credit card.
And for the business, well... much like PayPal, Stripe will freeze your accounts on a whim.
Whether it's the slightest tickle from the algorithms that something seems out of place (even when everything is perfectly legit), or an outcry from an online mob of twitter groupthink wackos, both PayPal and Stripe are bad for business.
You need a "high risk" processor
Ironically, if you want low risk in your payment flow, you'll need a "high risk" processor.
Generally these will have no political affiliation and will allow you to sell items that can't be sold to minors.
And, rather than just an email address, you'll actually have to supply some of your business info up-front and set up a merchant account - this puts you in a place of security.
AlignPay is the most similar to Stripe in its ease-of-use (they use NMI's collect.js for a pretty CC form), but here are some others to consider as well:
FinTech Buzzword Bingo
ISOs, MSPs, ISVs, VARs, Issuers, Pay-Facs, Aggregators, Acquirers, and Merchant Accounts, Oh my!
After a full night of research, a day of letting it settle, and then another several hours of review, I think I've just about got my head around what all these terms mean.
Here's the list of terms. The bad news is that they all get misused, by everyone involved.
- The Golden Rule:
- He who has the gold makes the rules. As far as these terms are used officially and correctly, Visa and MasterCard define most of them, as well as the rules of engagement for credit card (and other?) transactions.
- Card Association
- The logo of the card. Visa, MasterCard, American Express, Discover, etc. The logo is the association... though I'm not sure what else they do other than take part in the profits - seeing as how they don't actually offer you credit (the bank does that). Well, except for American Express - they do act as the bank.
- You. You're the one interacting with customers - trading goods or services for their money via credit card, debit card, or ACH, etc. You (or your business) is the Merchant.
- Acquiring Bank
- The Bank of Your Merchant Account (or your Pay-Fac's Merchant Account bank). Also known as just "Acquirer". This is the bank that holds the funds from the customer's credit card before they go into your actual bank account. See Wikipedia: Acquiring Bank for a pretty good explanation. See also Merchant Account below.
- Payment Processor
- A Multi-Billion Dollar Company You've Never Heard Of. Typically either Fiserv (formerly First Data), Elavon, FIS (previously WorldPay, and Vantiv) or Chase Paymentech (which also has a new name). It's NOT Wells Fargo or PayPal, and probably not any company that you're directly interacting with (although it may appear on some paperwork somewhere). There are a few exceptions, and this is probably the most misused term because no one would fault you for naively thinking that the company you signed up with to process your payments is... y'know, your payment processor - but it's not.
- ISOs (and MSPs)
- Payment Processing Resellers. Independent Sales Organization (ISO) is Visa's term. Merchant Service Provider (MSP) is MasterCard's term. There are some nuance differences between the two terms, but they essentially mean "reseller". Probably the largest ISO is Wells Fargo, which is an ISO of Fiserv (previously First Data). However, the reseller programs are multi-tier, and it seems that most other companies are registered ISOs of at least Wells Fargo, and often additional banks (which are in turn ISOs of Fiserv, or other actual payment processors). This may be the company that you signed up with, that you previously believed was processing your payments. See a big list of examples below.
- ISVs (and VARs)
- Enterprise IT Partners. These terms stem from the big 90s IT companies. These are NOT FinTech-specific terms. Independent Software Vendor (ISV) means companies like Intuit, Salesforce, VMWare, Tableau and - believe it or not - Apache Software Foundation, that enterprise companies partner with for additional services. Value Added Reseller means companies like CDW and Ingram Micro that purchase software, devices, and/or equipment from one company, bundle it, and sell it to another. Although these are generic terms mostly for enterprise businesses and I don't know of any companies in this space that deal specifically with merchants and payments, an example FinTech ISV would be a white-labeled app for beauty salons (maybe Intuit has something like this?) and an example FinTech VAR might be a company that sells a package including a Clover register system (basically an iPad cash register), a WordPress web portal, QuickBooks for accounting, and some other stuff all pre-configured and ready to use - a "business in a box" sort of thing.
- Payment Gateway
- E-Commerce Only: The thing between the Customer's Bank and your Merchant Account. This can refer to the business and/or software platform linking between your customer's bank (the Issuing Bank) and your merchant account (the Acquiring Bank). It picks the right banks based on the country you're in and the country they're in, and what's commonly compatible between the two of you. For example: the customer may have a Visa card that was Issued by Wells Fargo in the USA, and you may have your Merchant Account with First Data (through VeriPay as an ISO), using AlignPay as the Gateway, which uses NMI's Collect Checkout as the software. Or something like that. I think. I believe Authorize.net was one of the early gateway platforms in which you had to manually enter your account information. See Bambora: PayFac vs Gateway vs Merchant Account
- In-between an ISO and a Pay-Fac. Payment Service Provider (PSP) is like a Pay-Fac, but where you get your own Merchant Account (meaning your business passes credit check / underwriting process). To be clear: this means you get the money directly into your own account, NOT like PayPal, Stripe, etc. I think AlignPay, 2nd Amendment Processing, PaymentCloud, etc fall into the PSP category.
- Payment Facilitator (also PayFac) is (maybe?) a very specific term which seems to be used very ambiguously. What seems most concrete is that when you use a PayFac, you don't get your own Merchant Account. It refers to companies like PayPal and Stripe, specifically when referring to how they charge customers on your behalf (meaning the money is deposited in an account under their name), keep track of which money in their account belongs to you by their own means, and allow you to transfer money from them to your bank account. In essence, a company that doesn't require you or your business to pass a hard credit check in order to start doing business and they pay you (rather than you being paid by the bank on the other end of the credit card). You may get your own sub-account MID under the PayFac's Master Account (and the customer might see both names - in the form of "SQ* Joe's Business" or "PayPal* Jane's Business" - on charges and credit card statements). These are high risk to your business because they are NOT "high risk" processors AND since they add another layer between you and the money, they assume the legal risk of your business, and hence have a very, very low risk tolerance.
- "High Risk" payments vs High Risk companies
- Freezing your accounts, stopping payments, and selling to minors. Companies such as 2nd Amendment Processing, AlignPay, NMI, and PaymentCloud all deal with "high risk" payments. Any company that deals with "high risk" payments will likely require you to have your own Merchant Account, and have a small monthly fee ($10 - $100) for that account. The key benefits are that you're much less likely to have your payments stopped or accounts frozen, more likely to have customer support to talk to if something does go wrong, and you'll be able to sell "high risk" items (essentially meaning things that can't be sold to minors). In short, they're much lower risk to your business. Companies like PayPal and Stripe DO NOT process "high risk" transactions, which makes them high risk to you. At the slightest tickle of their algorithms that something might look wrong (even when everything is perfectly legit), or just social pressure from twitter groupthink wackos, they'll stop your payments, freeze your accounts and good luck figuring out what's going on or why (or getting restitution). That said, it is their money (not your customer's money) that you're dealing in.
- Payment Aggregator
- A Pay-Fac that's NOT a Merchant of Record. You don't get your own MID when you use a Payment Aggregator. This is a company - such as PayPal, Stripe, or Square - that aggregates (collects, receives) card payments into their Merchant Account (as opposed to payments going into your Merchant Account), and pays you from their own account. They assume the liability for fraud and chargebacks - which they will likely pass onto you - unless, of course, you are the fraudster and cannot be found - in which case they absorb the loss, cancel your account, and possibly pursue legal action. See also AgilePayments: Payment Aggregation.
- Merchant Account
- Line of Credit & Bank Account. The account that's used for holding the money from Credit Card and ACH (e-check) transactions before they're deposited into your bank account. This is considered a Line of Credit because the money is available to you at the end of the day, but it's still possible that the customer might cancel the order and you might issue a refund. And although you're being paid next-day, the customer won't actually get their credit card bill with the charge for 30 - 45 days, after which they have 90 days to dispute the charge - and they might not even ever pay it (though that's not something you have to worry about). Also, the charge may be reported as fraudulent (in which case you'll probably have to eat the cost).
- Pseudo Routing & Account Number. The Merchant ID is a reference to your Merchant Account (and changes if you change services). This is similar to a bank account number. It should be kept private - despite the fact that, much like a bank account number, it's on all of your paper and e-statements (and probably somewhere in your online portal too).
- Merchant of Record
- The Name on the Credit Card Statement. Not an official term in the Visa or MasterCard ISO/MSP rules, but generally understood as a Platform or Marketplace whose name shows up on the customer's credit card statement - rather than the party that's actually providing the good or service. For example, when you "take an Uber", "rent from Airbnb", or "purchase on Amazon" (or ebay or Facebook Marketplace), rather than seeing the name of the business the money is actually going to (likely a self-employed individual, a small LLC, or a Chinese manufacturer), you'll see the name of the marketplace. You've probably seen a charge like this from PayPal or Stripe on your credit card and had no memory of who or what you actually bought. The same is true for Patreon, Etsy, Gumroad, GoFundMe, etc. A Merchant of Record may not have to register as a Payment Facilitator or Payment Aggregator and may not have to play as strictly by the Visa/MasterCard rules. See also AgilePayments: Merchant of Record and Venable: Will the real Merchant (of Record) please stand up.
RAW NOTES AHEAD.
Examples of Merchants
Merchants are small, medium, or enterprise businesses that sell stuff to people. Could be retail. Could be SaaS. Doesn't matter. Merchant.
If you're reading this, that's probably you. Here are some companies like you:
Independent Software Vendor
If you’re an ISV providing merchants with a software that makes running their businesses simpler, you’re already on the right track. When you integrate payment acceptance into your software, you’ve then turned your offering into a more complete solution. - https://cardconnect.com/launchpointe/isv-growth/integrated-payments-101
In the context of payment services industry, an independent software vendor (ISV) is a company that develops and provides specific technological solutions. These solutions’ main purpose is to make merchant lifecycle and customer’s payment experience smooth and seamless. An ISV can be selling its software to beauty salons, restaurants, fitness centres, e-Commerce websites, and POS companies. But it does not take active part in merchant lifecycle (from underwriting to funding to chargeback management). And this is, probably, the main difference between an ISV and a PayFac. An ISV can choose to become a payment facilitator and take charge of the payment experience. But for this purpose, it needs to build a strong relationship with an acquirer that will underwrite it as a PayFac. If necessary, it should also enhance its KYC logic a bit.
Examples of ISVs
Not necessarily payments...
ISOs & MSPs
There are really two types of merchant service providers: processors and resellers (resellers are known in the industry as Independent Sales Organizations (ISO's) and/or Merchant Service Providers (MSP's)). (https://www.braintreepayments.com/blog/merchant-account-basics/)
Independent Sales Organization (Visa's term)
White-label business that goes through a payment processor ???
The intermediary company between "merchants" and the "acquiring banks" that take in the payments from credit card transactions
Member Service Provider (MasterCard's term)
Pretty much an ISO, but has some nuance differences...
Examples of ISOs
- Wells Fargo is an ISO of First Data (now Fiserv)
- AlignPay ?
- ChargeBee ? used by calendly, okta, freshworks, getaccept
- CanyonPay ?
- CardConnect is a registered ISO of
- Wells Fargo Bank, N.A., Concord, CA
- Synovus Bank, USA, Columbus, GA
- BBVA USA, Birmingham, AL
- MetaBank, N.A., Sioux Falls, SD
- CryptoBucks is an ISO of Wells Fargo
- Braintree is a registered ISO and MSP of Wells Fargo Bank
- EPNA (Electronic Processing of NA, LLC)
- is a registered MSP/ISO of Elavon Inc., Atlanta, GA,
- and a registered ISA of Total Systems Services, Inc., Columbus, GA.
- Gravity Payments, Inc. is a registered ISO/MSP of
- Wells Fargo Bank, N.A., Concord, CA
- Synovus Bank, Columbus, GA
- Heartland is a registered ISO of
- Wells Fargo Bank, N.A., Concord, CA
- The Bancorp Bank, Philadelphia, PA
- Merchant e-Solutions, Inc. is a registered Agent of Wells Fargo Bank, N.A., Concord, CA, and a registered ISO/MSP of
- Synovus Bank, Columbus, GA
- Fresno First Bank, Fresno, CA
- Payscout is a registered ISO of Wells Fargo Bank, N.A., Concord, CA.
- Payscout is a registered ISO/MSP of Commercial Bank of California, Irvine, California.
- Payscout is a Registered ISO/MSP of BayCoast Bank.
- Payscout is a Registered ISO/MSP of Synovus Bank.
- Payscout Inc is a registered ISO/MSP of Deutsche Bank Trust Company Americas, New York, New York.
- Payscout Brazil is a registered PSP in Brazil.
- Payscout is a registered PSP with China UnionPay.
- Payscout is a registered ISO with VISA EU and MasterCard Intl.
- Payscout Malta Ltd. is a registered Financial Institution with the MFSA in the European Union.
- Payscout is a registered PF in LAC.
- American Express may require separate approval.
- Paysafe is a registered ISO of
- Deutsche Bank AG, New York, NY
- PNC Bank, N.A., Pittsburgh, PA
- Wells Fargo, N.A., Concord, CA
- Woodforest National Bank, Houston, TX
- BMO Harris Bank, N.A, Chicago, IL
- Fifth Third Bank, N.A., Cincinnati, OH, USA
- Merrick Bank, South Jordan, UT
- is a registered Independent Sales Organization (ISO) of
- Fifth Third Bank, N.A., Cincinnati, OH.
- Peoples Trust Company, Vancouver, BC, Canada
- Wells Fargo Bank, N.A., Concord, CA
- Wells Fargo Bank, N.A., Canadian Branch, Toronto, ON, Canada
- is a registered Encryption Support Organization (ESO), Payment Facilitator (PF), Third-Party Servicer (TPSV), Merchant Service Provider (MSP), and Third Party Agents (TPA) of Fifth Third Bank, N.A., Cincinnati, OH.
- is a registered Independent Sales Organization (ISO) of
- PaySimple is a registered ISO of
- Fifth Third Bank, N.A., Cincinnati, OH
- Wells Fargo Bank, N.A., Concord, CA
- VeriPay® is a registered ISO of Wells Fargo Bank, N.A., Concord, CA
You can become an ISO through an ISO:
As a Payscout ISO or Registered Agent, you will be backed by the credibility of a financially stable merchant solutions provider...
Typically an ISO will have a footer somewhere on their payment-related pages, disclosing the bank or organization for whom they are an ISO.
ISOs are resellers.
banks will private label the services so that it's difficult to distinguish whether they are a processor or ISO - https://www.braintreepayments.com/blog/merchant-account-basics/
Aliant Payments Inc. / DBA CryptoBucks is a registered Independent Sales Organization of Wells Fargo Bank, N.A., Concord, CA.
High risk merchant services provided by EMS
© 2021 Aliant Payments. All rights reserved.
The concept of a value-added reseller or a VAR emerged in the IT industry. A VAR is an entity that enhances the value of some third-party core product or service. It additionally customizes the product according to the user’s needs. In the payment services universe, VAR model became a stage of evolution of a traditional ISO. Initially ISOs just referred merchants to acquiring banks they had partnerships with. That is, they resold merchant accounts, issued by acquirers to the applicants. Around 2011 card networks defined the PayFac model and set the rules of the game for PayFacs. At that same time, percentage of US merchants that signed acquiring contracts through VAR started to grow rapidly. Particular add-ons, which a VAR can offer, usually, concern troubleshooting, consulting services, and, occasionally, hardware. Some analysts consider the VAR as an intermediary evolution link between ISO and SaaS/ISV. - https://paylosophy.com/var-isv-next-generation-iso-outside-payment-facilitator-paradigm/
If you don't have a Merchant Account with a Merchant ID (MID), you're using a Payment Facilitator (Pay-Fac). If you have a Merchant Account, you can become a Pay-Fac.
The payment facilitator owns the master merchant identification account (MID). In order to process transactions, the acquirer (merchant) must apply for a merchant account.
All Pay-Facs, around the world: https://www.mastercard.us/en-us/business/overview/start-accepting/payment-facilitators.html
PayPal is a classic example of a PayFac, or master merchant serving myriad small sub-merchants. Cardholders know and trust PayPal, so when shopping with an unfamiliar small merchant, they don’t have to worry about sharing their credit card information — they just pay through PayPal. When they look at their bank statements, they’ll see a charge to PayPal which a payment facilitator then relayed to a sub-merchant. In that case, PayPal is both the PayFac and the merchant of record. - https://www.pymnts.com/news/retail/2017/payfacs-versus-merchants-of-record-who-will-win/
Many platforms and marketplaces help merchants accept payments by providing online services... merchants using the platform no longer need to establish direct relationships with acquiring banks or payment gateways. - https://stripe.com/guides/payfacs
- Gateway: Stripe
- E-commerce: Shopify, Squarespace
- Invoicing: Xero, FreshBooks
- Fundraising: Blackbaud, Kindrid
- Booking: Mindbody, FareHarbor
- Travel and ticketing: Airbnb (Yoodlize?)
- Retail: Tradesy (Etsy?, Jane?)
- On-demand: Uber, DoorDash
Examples of Pay-Fac
Hosted vs Integrated
- Hosted - PayPal redirect, Stripe iframe / checkout.js
- Integrated - Data sent to your API, user doesn't leave your site, no iframe
This module provides for processing payments in Drupal Commerce version 1.x (for D7) by using a payment gateway tokenization function known as "Collect.js" with a Direct Post API, greatly enhancing security with minimal impact on the end-user experience. This API was developed by Network Merchants, LLC and is used by other processors because NMI repackages the API for various other ISOs. If your payment gateway uses Collect.js, this module will work for you. (Tip: If your gateway's Help/Integration section looks the same as this manual, then it is compatible with your gateway.)
- Merchant e-Solutions (now part of Cielo)
- TD Bank
Processor / Acquiring Bank
Processors - Also known as Acquirers, processors are distinguished by their ability to actually process a transaction. To be a processor, a company must have the technical capability to receive transaction data from a merchant via a telephone line or the internet and then communicate with the appropriate financial institutions to approve or decline transactions. ... they primarily work through ISOs to acquire and maintain their merchant base ... (https://www.braintreepayments.com/blog/merchant-account-basics/)
Examples of Credit Card Processors ("major acquirers")
- Chase Merchant Services (was Chase Paymentech)
- Elavon (U.S. Bancorp)
- Fiserv (was First Data, also owns Clover) - what Wells Fargo uses
- Vantiv (now Worldpay)
- WorldPay (now FIS)
Other "payment processors"
- bambora (ingenico, worldline)
- Vericheck https://www.vericheck.com/become-an-iso/
Are these real? Or in name only?
Examples of Processors
- American Express ?
- Electronic Merchant Systems
- First Data (now Fiserv), now owns Clover (hardware)
- IMS (Integrity Merchant Solutions)
- TSYS (now Heartland)
- worldpay from FIS
Payment Gateway Provider
Examples of Payment Gateways
- USAePay (bought by NMI)
Where do these things go?
Clover vs Square
Stripe is an ISO with First Data Merchant Services (FDMS, I believe now owned or controlled by Wells Fargo) doing the actual processing and, as such, assumes a different legal role than PayPal (which is a VAR for Paymentech).
- EMV (the chip in credit cards)
- P2PE (the standard for encryption? maybe just means the mandate "you must use TLS"?)
- CreditCall [was] a payment service provider and payment gateway (now NMI)
- Payment Gateway is the software similar to how PoS Terminal is the hardware
- Authorize.net is Visa's Payment Gateway Software??
PayPal is not a merchant account. It’s a third-party processor, and it aggregates all of its sellers’ accounts into one large merchant account. Because you are not the sole owner of this account, it cannot be used with the Authorize.net gateway.
Is my business bank account the same as a merchant account?
No. A merchant account is a type of bank account that allows businesses to accept payments by payment cards, which are typically debit or credit cards. It’s similar to a credit line for your business to accept payments or issue refunds.
A merchant account is unique to you and your business. When you apply, the underwriter will look at your industry, your processing history (if any), your personal credit, your business’ creditworthiness, and other factors. Once approved, your business can start accepting payments.
NMI enabled Stax by Fattmerchant - https://www.nmi.com/blog/enhancing-product-enabling-growth
- PoS: clover
- Reporting: cardpointe
- Breach Protection: cardsecure
- Portfolio Management: copilot
- Device Software + Cloud + NFC: bolt
- offers bank and merchant solutions
PayFac vs merchant of record vs master merchant vs sub-merchant
Gateway Service Provider
A gateway may have standalone software which you connect to your processor(s).
- By signing up with NMI as a reseller, you can offer your merchants complete payment solutions that enable them to begin selling right away
Merchant of Record
Who appears on the bank statement.
- Chase Merchant Services ??
- First Data ??
The sensitive data (i.e. credit card number) is stored on an encrypted system and you use a token as a form of authorization to use it as needed
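To make the tokenization note above (and the Hosted vs Integrated split earlier) concrete, here is an added sketch, not code from this page, NMI, or any gateway. A toy vault keeps the card number encrypted and hands back a token, and the merchant-side handler accepts only that token and refuses any payload that still carries a card number. TokenVault, handleCheckout, findCardNumbers, the payment_token field and the tok_ prefix are all hypothetical names; the card number used is the common 4111... test value.

```javascript
// Added illustration: every name here is hypothetical, not a real gateway API.
const crypto = require('crypto');

// Luhn checksum: true for digit strings that could be a real card number.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Walk a parsed request body and return the paths of values that look like
// a card number (13-19 digits, spaces or dashes allowed, Luhn-valid).
function findCardNumbers(value, path = '$', hits = []) {
  if (typeof value === 'string' || typeof value === 'number') {
    const digits = String(value).replace(/[ -]/g, '');
    if (/^\d{13,19}$/.test(digits) && luhnValid(digits)) hits.push(path);
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) findCardNumbers(v, `${path}.${k}`, hits);
  }
  return hits;
}

// Stand-in for the gateway side: the only place the card number exists,
// and only as AES-256-GCM ciphertext keyed by a random token.
class TokenVault {
  constructor(key = crypto.randomBytes(32)) {
    this.key = key;
    this.records = new Map(); // token -> { iv, ciphertext, tag }
  }
  tokenize(pan) {
    const iv = crypto.randomBytes(12);
    const cipher = crypto.createCipheriv('aes-256-gcm', this.key, iv);
    const ciphertext = Buffer.concat([cipher.update(pan, 'utf8'), cipher.final()]);
    const token = 'tok_' + crypto.randomBytes(16).toString('hex');
    this.records.set(token, { iv, ciphertext, tag: cipher.getAuthTag() });
    return token;
  }
  // The caller gets an approval result and the last four digits, never the number.
  charge(token, amountCents) {
    const rec = this.records.get(token);
    if (!rec) return { approved: false, reason: 'unknown token' };
    const decipher = crypto.createDecipheriv('aes-256-gcm', this.key, rec.iv);
    decipher.setAuthTag(rec.tag);
    const pan = Buffer.concat([decipher.update(rec.ciphertext), decipher.final()]).toString('utf8');
    return { approved: true, amountCents, last4: pan.slice(-4) };
  }
}

// Merchant-side handler: a token is the only card-related value it accepts.
function handleCheckout(body, vault) {
  const leaks = findCardNumbers(body);
  if (leaks.length > 0) return { status: 400, error: 'raw card data refused', fields: leaks };
  if (typeof body.payment_token !== 'string') return { status: 400, error: 'payment_token required' };
  const result = vault.charge(body.payment_token, body.amountCents);
  return { status: result.approved ? 200 : 402, ...result };
}
```

The Luhn scan can flag an unrelated 13-19 digit identifier that happens to pass the checksum, so treat a hit as a reason to reject and investigate rather than as proof of a card number.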
This pricing model works by adding a constant margin onto the underlying interchange-rate. It’s widely considered the fairest model in the industry. - https://www.canyonpay.com/faq
As we’ve adopted the phrase omnichannel, we have to be able to support commerce in any environment, whether it’s mobile, whether it’s online, whether it’s card present, [or] retail face-to-face. We are agnostic to environment.
What's a Gateway?
What's a Pay-Fac?
What's an ISV?
By AJ ONeal