When my brother and I were growing up, we loved watching “America’s Funniest Home Videos.” At least once an episode, Bob Saget would say “Kids, don’t try this at home” right before a guy in the video did something to damage his – well, you know.
Today, I’m going to give you the same advice about taking credit card payments on your website: do not attempt to bypass PayPal and host your own payment processing forms. It sounds like a brilliant idea, especially if you’re none too fond of entrusting your business interactions to PayPal. But unless you’re willing to spend several hours on paperwork and lots of money on private website hosting, you’ll end up feeling just like the guy from “America’s Funniest Home Videos.”
Allow me to elaborate
Back in January, I decided to try my hand at developing my first online training course. One of the things that I really wanted was a registration form and a payment form that were one and the same. No clicking “register” and being sent to PayPal for my clients! I wanted them to read the course description, register, and pay all on one page.
Classy, simple, elegant. I was convinced I had to have an all-in-one form, and that I could bypass PayPal to do it.
The first part of the process was easy: I approached my bank and asked about their Merchant Services accounts. (For those unfamiliar with banking terms, Merchant Services is a fancy bank term for “how we help you collect your clients’ money.”)
As it turns out, Merchant Services had an online check-out form for me to use, and was running a special that month that would waive the nominal set-up fee. And it would only cost me $10 a month, plus 2% – 3% per transaction to cover the credit card processing fee!
Three weeks later, I had set up my check-out form on a test site and successfully “registered” with two separate $1.00 test amounts. The check-out process was a two-step affair, instead of a seamless one-step form, but I considered myself a genius for accomplishing what I had wanted easily, quickly, and cheaply.
Then I encountered this little thing called PCI compliance. What should have been a simple piece of paperwork turned into three months of bureaucratic nonsense.
PCI Compliance – aka “The Devil”
Before we go on, let me say that I am all for PCI compliance – it ensures that organizations who deal with credit card and payment card data are taking proper measures to protect their clients’ financial data. Just as I would want my credit card information to be protected, so too did I want to protect my own clients.
I had already purchased an SSL certificate from my website hosting company, so that my clients’ credit card information would be encrypted as it traveled from my website to my bank’s processing server. Naively, I thought that all I would have to do was fill out some paperwork to prove to the bank that I had this encryption certificate, and everything would be smooth sailing.
Never underestimate “some paperwork”
In reality, my bank had partnered with a third-party company whose job was to monitor PCI compliance for its clients. In order to verify my PCI compliance, I had to answer a 12-category questionnaire about my website and how I processed credit card data.
Each category had 5 to 20 questions, and because my bank did all the credit card processing, I had to call them three times for answers. I also called my webmaster twice to answer the questions about how my website processed information. (Tech-savvy I may be, but I do not speak website server programming.)
After I had answered this ginormous survey, I then had to submit my website for a PCI scan. Once again I was on the phone with the third-party company. Why, I asked, did my website need to be scanned when I was not processing or storing clients’ credit card data anywhere on my website?
They assured me that it had to be done, for the simple fact that a client entered their credit card number on my website. It did not matter that I never saw or stored a single megabyte of that information anywhere on my system. As soon as a client clicked the “register” button, all their credit card information was sent from my website via SSL encryption to my bank’s server.
The Last Straw
To make a long story short, my website failed its PCI scan. There were several issues with WordPress plug-ins, which may or may not have been fixable. But the deal-breaker was the error message about a piece of software running on my website server.
I have an account through Host Gator, for which I pay about $100 a year to rent a corner of one of their shared servers. As it turns out, to have a server that is PCI compliant would cost me at least $60 a month. And no, sorry, they can’t refund an SSL certificate purchase, either.
PayPal or no PayPal, this was utterly ridiculous. I had wasted at least an hour a week for nearly 4 months, learning more than I ever wanted to know about storing (or not storing, in my case) credit card information, only to find out that I would have to shell out a ridiculous amount of money just to prove that I was not storing my customers’ credit card data.
I threw up my hands, walked into my bank, and cancelled my merchant services account. As soon as I got home, I bought a $200 Gravity Forms plug-in license and installed it on my website.
45 minutes later, I had hooked my registration form to PayPal and tested it. 100% success! As a bonus, new clients were also automatically added to my email list. Genius.
The short upshot of the story is: if you’re on a budget, stick with PayPal. It’s easy to set up an account, clients understand how to use it, and there are tons of ways to integrate it on your website.
If you are going to host your own one- or two-step check-out form, be aware that you’re in for a mountain of red tape and a huge upswing in website hosting costs, not to mention several months of paperwork headaches.
The longer upshot of the story is this: sometimes, it’s OK to step outside the box and try something new. And if it doesn’t work, you readjust your goals and find another way around the problem. After all, nothing ventured, nothing gained.
P.S. Tune in next Tuesday for more behind-the-scenes lessons from www.felicityfields.com.