The purpose of this entry is to review the key elements which a business needs to consider to become a payment service provider.
Many ISOs and payment service providers after several years of operations realize that they can significantly reduce their costs and optimize their processing if they rely on their own payment management platform.
However, taking everything in-house may be a challenging process because of the complexity associated with payment processing and PCI compliance.
In this article we are going to cover the essential components of the process and the challenges of getting your own payment gateway.
Payment gateway software selection
First of all, a business wanting to have its own payment gateway solution (white-labeled or exclusive) will need some payment gateway software.
The options might be to build some software in-house, to buy some connectors and integrate them into an existing customer management product, or to license an already existing payment gateway software. When it comes to existing payment gateway software, the two common options are: to license the software and self-host it or to use a hosted version. For more information, see articles on payment processing solutions and payment gateway solutions on our blog.
The next step in the process is to decide on the PCI environment where the payment gateway software is going to reside.
Payment service provider hosting
Self-hosted server infrastructure implies maintenance of a data center, availability of development personnel and an annual PCI audit. PCI-compliant hosting, on the other hand, works in the same way as general VPS hosting (thus eliminating the need for a data center and network engineers), except that the servers are located within an already PCI-compliant network.
Because of the additional PCI requirements, servers at PCI-compliant hosting are more expensive than an equivalent configuration in a non-PCI-compliant environment.
PCI compliance and card storage
An important consideration the business needs to take into account on the way to becoming a payment service provider is PCI compliance. The business will need to find a suitable PCI auditing company, determine the scope of the PCI audit and request quotes from the preferred service provider (assessor). Examples of possible partners include SecurityMetrics and Coalfire.
One of the challenges to overcome within the context of the PCI audit is the strategy for credit card storage. If you consider using some form of appliance-based tokenization, the cost of the appliance needs to be factored into the overall estimate. For additional information on tokenization (either through an appliance or as a service), check the respective article on our blog.
Selection of banks and processors
The final issue to be addressed is the selection of banks and/or processors which will actually be processing transactions.
In some cases becoming a payment service provider will require integration with other payment gateways, credit card processors and/or banks. If you decide to license payment gateway software from a third party, it is always a good idea to check what types of integrations they already have.
When evaluating the scope of potential integration efforts, consider these guidelines.
- Integrations with payment gateways tend to be easy and usually do not require a time-consuming certification process.
- Integrations with banks are generally not complicated and are smaller in scope than credit card integrations, but some community banks may not have technology advanced enough to enable full automation of the processing.
- Integrations with credit card processors can be rather complex, especially if legacy platforms are involved. Even if the software that you license already has such an integration, it will still have to be certified under your name and your PCI environment.
Here is an illustrative example of possible costs.
- Tokenization appliance: $ 50 000 – 100 000
- Annual PCI audit: $ 25 000
- Monthly PCI hosting fee (average number of servers needed is 4, 2 of them for backup): $ 2 500 – 3 500
- Additional integration with new banks/processors (each): $ 5 000 – 15 000
These estimates provide the basis for calculating the approximate cost of a common payment solution that would be required by an average payment service provider.