January 22nd, 2010
Adding Payment Gateways while maintaining Data Security and Focus
As a startup, we face many of the classic trade-offs between getting things done quickly and getting them done the best way possible. The right answer is usually somewhere in the middle. Since we’re dealing with our customers’ money and business transactions, we err on the side of doing things slowly and methodically, especially on core issues.
Hundreds of people want us to add other payment gateways. This is absolutely true for people outside the USA, because they can’t use our currently-supported gateway, Authorize.net, which means they can’t use Chargify. And that’s a shame!
We’ve been gathering info since November on what gateways people want. In parallel, we’ve been investigating ways to add gateways – quick ways vs best ways.
If you’re a developer, you might ask why we don’t write code for each of the different gateways’ APIs. Especially with things like ActiveMerchant (in Rails), we should be able to add gateways very quickly. Yes, but…
CREDIT CARD DATA SECURITY
Consumers, merchants, and banks are rightfully concerned about credit card data security. In an effort to protect all parties, the Payment Card Industry (PCI) has established standards for how credit card data should be stored and handled. That’s why you see the term “PCI Compliant” at many steps in the payments processing chain.
Because we handle recurring transactions for our customers, we have to store credit card data somewhere. Storing card data is inherently risky. Anyone storing a lot of credit card data has a big bullseye on their back and that bullseye will only grow larger as they store more data.
Storing data ourselves would require us to maintain a group within Chargify that would be devoted (at least part-time) to credit card data security and all the related tasks, like handling a breach or a suspected breach. While I’d like to claim that we can handle that requirement, we’re a small company and we have to choose where to put resources. Other companies have this covered and do a better job than we could do, so paying someone else is a better option that ultimately results in better security for Chargify customers.
Some payment gateways take on the secure storage role: they offer secure data storage as an add-on. Authorize.net is one of them. For $20/mo per merchant, it’s a steal! But some gateways don’t offer this, so that presents us with a problem: We’d like to support those gateways, but we’re not willing to sacrifice credit card data security.
We’ve partnered with a financial institution that securely stores credit card data and connects to payment gateways worldwide. This gives us the best of both worlds: data security and gateway flexibility for our customers.
This path will restrict us a little bit: gateways that don’t have their own storage and that are not supported by our partner will not be available through Chargify.
But our gateway selection is about to get a lot bigger!
I really like this solution because it gives all these benefits:
- More gateways
- Better data security than we could provide
- Allows us to maintain business focus