Accepting online payments
For many small businesses, accepting payments online offers major benefits. Customers increasingly expect this facility and it can improve your cashflow significantly.
To accept cards online, you will have to make special banking arrangements. See find a bank to process your online payments.
Online payments using cards are 'card-not-present' transactions. There are higher risks of fraud with this type of payment and banks require you to operate within a well-defined set of rules.
This guide will help you to understand these requirements and assess the options available for taking advantage of online payments.
Online payment jargon
Debit and credit card payments and their application online involve some key concepts and jargon.
An acquirer can be a high street bank or other financial institution that offers credit and debit card accepting/processing services. It acquires the money from the customer, processes the transaction and credits your account.
Internet merchant accounts (IMAs)
You need to apply for a merchant service agreement if you want a bank to handle your electronic payments. For web-based online transactions you need an IMA.
Obtaining an IMA from an acquirer may be quicker and easier if you already have 'offline' card-processing facilities set up. In this case, just ask your acquirer for an additional IMA ID for use exclusively with internet transactions. This process is normally quick, especially if the risk to your business does not change.
Payment service providers (PSPs)
A PSP will provide you with a 'virtual' till or terminal that collects card details over the internet and passes them to the acquiring bank. To take electronic payments over the web, you will need a PSP.
Your choice of PSP will depend on its cost and compatibility with your chosen e-commerce software solution. A fixed monthly fee starts at around £10, but there are some cheaper options available, starting as low as 5 pence per transaction. Usually, the higher your transaction volume the lower the rate you will be charged.
Some acquiring banks offer PSP services as part of their product and there are other less expensive options available.
Payment Card Industry Data Security Standard compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide security standard developed to protect cardholders' personal information. It includes requirements for security management, network architecture, software design, security policies and procedures, and other protection of customer account data. The standard is applicable to any organisation that stores, transmits or processes cardholder information.
PCI DSS is a set of six principles that encompass 12 specific requirements. These requirements are applicable to any organisation holding personal information and are intended to reduce the organisation's risk of a data breach.
PCI DSS: six principles
1. Build and maintain a secure network
- install and maintain a firewall configuration to protect your cardholders' data
- do not use vendor defaults for system passwords or other security actions
2. Protect your cardholder data
- protect any stored cardholder data
- encrypt transmission of your cardholders' data across open, public networks
3. Keep a vulnerability management plan
- always use and regularly update your anti-virus software
- develop and maintain secure systems and applications
4. Implement strong access control practices
- limit access to cardholder data to only those who need to know
- give every person with computer access a unique ID
- limit physical access to cardholder data
5. Monitor and test your networks on a regular basis
- track and monitor all access to your network resources and cardholder data
- regularly test security systems and procedures
6. Keep an information security policy
- always keep a policy that addresses your information security
The Payment Card Industry (PCI) Security Standards Council encourages businesses to comply with PCI DSS and become certified to help reduce financial risks from data compromises. However, it is the payment card schemes, eg MasterCard or Visa, that manage the actual compliance programme.
Failure to be annually certified can become an issue if you have a security breach and your customers' card details are stolen.
Selecting the best online payment option
You can use the following scenarios to help you choose the best option for your business.
Internet merchant account (IMA)
Your business already accepts debit and credit card payments for face-to-face transactions. You expect a fairly high number of online transactions, most of which will be simple and low risk. You need the greatest amount of flexibility in operating your business and cashflow is very important. If this sounds like your business, then you should:
- apply directly for an IMA and discuss your requirements with the acquiring bank
Your business will not have a large number of online transactions and you do not currently accept debit or credit card transactions so do not have an IMA. You have not been trading long and cannot provide a well-documented operations history.
You value the ability to attract online sales more highly than the ability to collect sales income quickly. Your business will need some flexibility in the way in which it designs and operates its website, so you should:
- consider the facilities that a payment-processing company could offer, with the possibility of moving to a less costly option later
Your business is small, you do not currently offer debit or credit card sales and you have very limited IT skills. Your products are fairly standardised and easily understood. You are prepared to pay higher transaction and fixed costs just to establish a web presence. If this applies to your business, you should:
- look at the facilities that an online marketplace could offer
Set up an internet merchant account
An internet merchant account (IMA) is a type of account that enables you to accept customers' credit and debit card payments directly online.
There are other ways of processing credit and debit card payments for online sales, including online payment processing services and online marketplaces. These also enable you to receive payment from customers. Make sure you check any ongoing charges, such as monthly fees and transaction charges.
For more information see:
- advantages and disadvantages of using a payment-processing company
- advantages and disadvantages of selling through online marketplaces
Several banks and processors offer IMAs. These are referred to as merchant acquirers or acquiring banks - see find a bank to process your online payments.
Even if you already have a merchant account for face-to-face transactions, you will still need one specifically to accept online payments directly from customers' credit or debit cards.
Card users will visit your internet shop to order your goods or services and make payments, and the funds will usually be in your bank account after three or four working days.
Beware of fraud
Online card payments are classed as 'card-not-present' transactions, because you can't physically check the card or the cardholder. If a transaction proves to be fraudulent, the money will be reclaimed from your bank account - this is known as a chargeback. Even if a card-not-present transaction is authorised by the cardholder's bank, this doesn't necessarily guarantee payment.
To help guard against fraud where a cardholder claims that they did not authorise a payment, check whether your online payment card processor can offer the card schemes' authentication services: MasterCard SecureCode and Verified by Visa.
Acquiring banks will charge for their services. There may be a sign-up fee of around £200, and day-to-day charges may be a fixed fee in the case of debit card transactions or a percentage of each transaction for credit cards.
In addition, where you are using a payment service provider, they will charge you for their service.
Find a bank to process your online payments
Online payments are processed by acquiring banks where businesses can open an internet merchant account (IMA). These banks include:
- Barclaycard Business
- Lloyds Banking Group
- NatWest/Royal Bank of Scotland
- Ulster Bank
The following charge-card companies also act as acquiring banks:
- American Express
- Diners Club
American Express and Diners Club will only accept payments from their own cards.
See UK Cards Association guidance on UK acquirers.
The acquiring banks have strict requirements and it's possible that even the bank you use for your business current account may refuse you - see checklist: applying for an internet merchant account. Alternatively, there are other IMA providers that you can find online.
Once the IMA has been set up, Secure Sockets Layer (SSL) technology is used to encrypt transaction data and to send the necessary customer and card details to the acquiring bank in order to authorise the purchase. You should, therefore, ensure that any web-hosting solution you are considering can support the SSL protocol.
General Data Protection Regulation (GDPR)
Under GDPR, the Information Commissioner's Office can issue fines for data security breaches. The size of the fine will depend on the size and scope of the breach, whether the breach was deliberate or accidental, the affected organisation's finances and how much trouble the breach caused.
In order to help reduce security breaches, organisations need to comply with the Payment Card Industry Data Security Standard - see Payment Card Industry Data Security Standard compliance.
Checklist: applying for an internet merchant account
Banks that offer internet merchant accounts (IMAs) for accepting card payments have strict requirements. When you apply for an IMA, the bank will want to know certain details about you and your business.
You will need to:
- outline your business plan - including details of your cashflow and how you'll promote your online activities
- supply your website address
- explain the details of your product or service
- give your suppliers' details
- describe how you will deliver your product or service
- set out your terms and conditions for online trading
- work out your expected average online transaction values, your estimated turnover from online sales and your predicted number of credit and debit card transactions
- provide details of the secure server you'll use
- make your audited business accounts available
- supply your bank details and provide authority to the bank to carry out a check with credit reference agencies
- detail your trading history
- provide information about the directors or partners in the business - including full contact details
Advantages and disadvantages of using a payment-processing company
Payment-processing companies obtain payment from your customers' credit and debit cards on your behalf and forward the money to you.
They offer a useful alternative for businesses that have a smaller turnover from card transactions or that can't open an internet merchant account (IMA) with an acquiring bank. Examples include PayPal, Shopify and Worldpay.
Advantages of using a payment-processing company
Some of the potential benefits are summarised below:
- Payment-processing companies relieve you of the administrative burden of managing customers' card details and running an IMA.
- They save you from having to set up secure payment systems.
- They have less strict application procedures than an IMA requires. For example, you'll not usually be required to supply the same level of detailed information about your business plan, trading history and suppliers.
- Your application can be processed much more quickly than for an IMA.
Disadvantages of using a payment-processing company
There can be drawbacks to using a payment-processing company - consider the following:
- Customers can see that the payment is not going directly to you even though they may be conducting the transaction through your website.
- Payment-processing companies may hold payments for a settlement period of 30-60 days before the money reaches your account.
- Charges are generally higher than for an IMA. However, costs are falling and the market for these services is competitive.
- If a card is used fraudulently, the value of the transaction will be reclaimed from your business. However, you may be able to get insurance to cover this risk.
Advantages and disadvantages of selling through online marketplaces
An online marketplace can be a good alternative if:
- you're looking for an online route to customers as an optional extra to your normal sales channels
- you want to extend the number of online outlets your customers can use
An online marketplace brings together a number of online shops on the same website, often from the same sector. It hosts your online shop and processes payments for you. Examples include Amazon and eBay.
Marketplaces will often provide software to help you set up your shop and receive card payments on your behalf. You maintain and update your own shop within the marketplace, but most of the administration is done for you.
Many internet service providers offer online mall facilities, as do specialist companies. If you sell to a particular trade or industry, the relevant trade association may be able to put you in touch with a dedicated mall.
The Trade Association Forum (TAF) provides a directory of trade associations.
Advantages of selling through online marketplaces
Online marketplaces can be a great opportunity for some businesses. The advantages include:
- Online shopping marketplaces give an immediate online presence.
- Sector-specific marketplaces can provide an effective route to your target market.
- They allow new opportunities for overseas sales.
- They're easy to set up for people with moderate IT skills.
- You don't need to go through the process of setting up an internet merchant account.
- You often get help and support in getting your store operational.
Disadvantages of selling through online marketplaces
It is worthwhile to consider the disadvantages that come with using online marketplaces for your business:
- Online marketplaces may often be an expensive way to sell online.
- Generally you'll have to pay a fee and a percentage of each transaction made through the marketplace - charges per transaction can be higher than processing payments yourself.
- You may also have to pay a monthly or annual fee - charges vary substantially.
- Your shop is often tied into a standard format.
Read further guidance on selling through online marketplaces.