Here's what I learned over the last decade about setting up a credit card merchant account for my online business, in which we sell an intangible good with card not present.
1. Like it or not, you are in the credit card business. It's where your revenue actually comes from and it's a few percentage points of your cost structure. It can also go horribly wrong. Learn the basics and pay attention to it.
2. Using PayPal as your merchant account vendor is not the worst thing in the world. Nor is it the best in the world. Their reports sort of suck but their support is reasonable. As far as I know, they are not real good at subscription service processing but I've never really tried it with them.
3. Be careful that any merchant account contract that you sign has a clear way to get out of it. Note, if you are a subscription site, there are two levels of getting out of it: 1. Switching to a new vendor to start processing new subscription orders. 2. Getting existing subscribers' credit card info switched to a new credit card vendor. In my experience, the latter is impossible. You just have to add a new vendor for new subscribers and then over time, as users log in, get them to update their credit card info and in doing so, switch it to a new processor.
4. Costs. The pricing for credit card fees to you is weird. As far as I know, there are three systems:
- one where each credit card has its own fee structure and you pay them
- a tiered system where your processor puts the cards in tiers and charges you by the band. By tiers I mean, debit cards vs credit cards. Credit cards with special benefits (miles, money back, free massages) vs credit cards without benefits.
- a fixed price system which PayPal seems to use.
The fees are a mix of monthly fees (for no reason), start-up fees, % of bill fees, and a fixed per item processing fee. There are also fees for credit card verification, refunds, and other chargeback disputes.
5. Security. Keep your website secure. Update your CMS (e.g. WordPress) at each update as well as your coding languages (e.g. PHP), and your tools. Run your PCI vulnerability scan every month. Screen your employees. When they talk about security needs, listen!