Adding a secure online payment system can be complicated, but ensuring customers trust that their money is transmitted safely is just as important as the technical considerations. Angus Kidman looks at how to achieve the twin goals of functionality and security online.
Jace Lai has more than 30 years’ experience in managing payment systems, but when it came to ensuring the security of his own online business one of the first decisions he made was to use a specialised external provider to ensure security and help build consumer trust.
Two years ago, with the assistance of a business development grant from Microsoft, Lai launched Mobbiexpress, a service that allows small businesses such as taxis and tradespeople to handle EFTPOS-style payments using a smart mobile phone, PDA, or similar device.
“Basically, I had the mobile EFTPOS facility business idea three years back,” he says. “I was looking at EFTPOS terminals and thought they were a bit clumsy and not all that flexible in delivering services to the end user.”
To demonstrate the validity of the concept, Lai launched Cabbiexpress, which provides on-the-spot processing services for taxis, chauffeured cars, and other motoring services. That required two separate groups to trust his system: the customers making their payments through the devices, and the drivers themselves, who needed each individual payment to be authorised and also wanted to be able to access online records of their payment histories.
“A lot of mobile tradesmen can’t afford to do complex invoicing,” Lai says. “The bank doesn’t always provide a simple output. Because we also capture the cash income, we can do that.”
While that might be a useful service, building trust was equally important. “When you’re talking about trust, system availability is the most important element—the belief that you’re able to transact,” Lai says. “Customers are after 100 percent. When the bank goes down, we still transact. When the gateways go down, we still transact.
“The driver must trust that we can pay them. Because we settle with them on a weekly basis, they must feel comfortable that we won’t go bankrupt and run away with the hard-earned money they have made. This kind of trust is only built over time.
“The other trust is with the customer. The customer must make sure the information they send over the system is secure and will not be stolen and will not be misused. Every driver is issued with their own login so we are able to track their behaviour. We must be able to trace the transaction end-to-end. This tracking is provided to the driver online. If they see it in the report, they know they are sure to get the money.”
Having a well-established security provider is also important for minimising time spent on managing IT basics and for ensuring service continuity. “I spoke to a few people to find a provider, and Virtual.Offis came up tops,” Lai says. “That’s where we park our sensitive information. I just want to pass it on and let them worry about the security part, so I can concentrate on business development. At least I don’t have to do stupid things that way.”
The challenges faced by Lai are far from atypical. Building security into a system to ensure consumer trust is a critical issue for any online business.
“Merchants need to be aware of the kinds of security measures required for online transactions,” says Andrew Pipolo, Australian managing director for PayPal, the subsidiary of eBay, which handles online payments for the internet auction giant.
“In fact, according to a 2006 Sweeney Research survey of Australian internet users, 67 percent of online shoppers felt that knowing their personal and financial information could not be compromised was important to feeling safe while shopping online, and 51 percent of Australians don’t want to use their credit cards online for security reasons.”
“What confuses many people is the difference between a payment system and a shopping cart,” says John Debrincat, CEO of e-commerce hosting provider eCorner. “You can have a shopping cart without having a payment system. A payment system means a method of accepting payment for goods and services online.”
It is theoretically possible to provide product information online and then process transactions using existing in-store systems, accepting credit cards either by telephone or email. In practice, however, this is risky for several reasons. Most financial institutions will hold you as the merchant responsible in the event of any dispute, and the lack of speed in such transactions may drive potential customers to more electronically astute rivals.
Few businesses that move online have the time and expertise to fully maintain secure systems on their own, so using at least some external services is essential. While it can be difficult to accept that an additional company should be involved in your transaction, there are many benefits to this approach, not all of them obvious. “As a merchant, not holding customer financial information on file is a bonus: if your server is compromised, no customer financial details can be accessed,” Pipolo says.
Ideally, an online payment system should be integrated into your existing business processes. Having to copy sales data from a separate online system into your main financial system is a waste of time that could be better spent on other aspects of business development, and it also greatly increases the possibility of errors being accidentally introduced into the system.
For the ultimate in flexibility, you can hire a specialised developer to build a system that matches your exact specifications. However, this may not be a good idea unless you truly anticipate that the vast majority of your business will be online and your transaction volumes will be exceptionally high.
“Unless you are a reasonably large company with the resources to build and maintain a bespoke system it is just not worth going down that path,” says Debrincat. “Unless you have considerable experience in transaction management, even writing a full specification for your own fully developed system may be a daunting task.”
In Australia there are hundreds of providers offering payment systems. Options include specialised payment systems from banks and other financial services providers; ‘shop in a box’ solutions designed to create an online store from scratch; and packages offered through existing web services providers.
Costs for these services can vary widely, especially once transactions start being processed. Many providers will charge a monthly fee, and some will claim a small percentage of each transaction. It’s unrealistic to expect to transact online without incurring these kinds of costs, but it makes sense to shop around to get the best price relative to your expected volume of activity.
The most widely accepted method of securing transactions online is to use SSL (Secure Sockets Layer), which encrypts data being exchanged over the internet, so that even if a hacker manages to intercept that information they won’t be able to make any sense of it. Many payment providers will include built-in security options. Alternatively, you can get your own SSL certificate and implement security yourself, though again this is not an option for the non-technically minded. Make sure that the security features of your site are promoted in appropriate locations: basic company information pages should note the use of security, as should the first pages that feature shopping cart functionality.
Among all these considerations, it’s important not to lose track of business basics. Delivering good service to customers that matches and exceeds their expectations will ultimately do as much to build trust as any amount of technical expertise. As Debrincat notes: “Deliver the goods promptly and follow up, and you’ll get return buyers.”
Payment System Questions
Here’s a list of questions to consider when weighing up different payment systems:
* What kind of fees are involved? Is there a monthly charge regardless of system traffic? What percentage fee is charged for each transaction? Are there extra fees for foreign currency conversions?
* What kind of user experience is created? Will transactions be handled entirely on your site, or will customers be directed to another site to complete payments? Will they be required to register with a third-party site to use the system? What payment methods are accepted?
* Is your provider an easily recognised brand name? Will customers trust them to handle transactions?
* What security systems are in place to protect against fraudulent transactions? Will you suffer from charge-backs if you process stolen cards? What are the reported fraud rates for the service?
* How easy is it to integrate online payments with your existing sites and systems? Will you have to hire a specialised contract developer? Can data be integrated directly into your financial system? Do you have easy online access to reports? Can you update prices and product details yourself?