On 6/30/06, David Harris <rails@gtdavid.com> wrote:
> Ok, I'm new to the world of actually charging for software, and it's
> taken me a full month to decide how to charge in a way that doesn't make
> me sleep with difficulty at nights. :) If someone can look at this and
> verify I'm on the right track or give any hints/tips, I'd greatly
> appreciate it.
>
> Basically, I want each user to be able to apply functionality modules to
> his account, each with a monthly (or yearly/quarterly) charge, similar
> to how most Rails apps these days are charging per month. This makes
> most out of the box eCommerce solutions irrelevant as they are for
> one-time purchases. So that leaves me to a custom solution. I assume the
> steps are as follows:
>
> 1. Get a merchant account, maybe Authorize.net
> 2. Use ActiveMerchant to process payments from my site
> 2b. Make sure payment section is under SSL
> 3. Store credit card information in a highly encrypted way, possibly on
> a different server
> 4. Set up a nightly (or more often) cron job to reprocess credit cards
> when the period is due
> 5. Notify users when payment fails and do not attempt to reprocess (cost
> per transaction?)
>
> Is that all there is to it? Are there some caveats I need to know about
> potential pitfalls in this? Anyone recommend a different/better merchant
> account for a poor person? :)

I work at a payment gateway so I can probably answer these for you.
There are payment gateways that do subscriptions/recurring billing.
There are very few that are fully automated (ours is). Most make you
go into a web interface after the sale is completed to setup a
recurring billing profile for an existing customer. For example
Verisign has fully automated recurring, as does TrustCommerce (I
think. I like these guys even though they are competitors) and
ourselves (Payment Online). Authorizenet is not fully automated.
Also, although you can use a third party billing company such as
Paypal for subscriptions, it's not a wise idea. If you ever want to
move to another provider, you can't take the card numbers with you.
Most (but not all) pure payment gateways like us will do an export for
you if you need to move for any reason. The difference between a
third party billing company and a gateway is that you don't need your
own merchant account for third party billing.
You cannot legally store card numbers on your own server without
complying with the Visa/Mastercard security programs (CISP and PCI).
If you do a search on google for Visa CISP it will take you to their
CISP site which has all the details. Suffice it to say it's beyond
what most people can afford to do. The catch here is that they won't
audit you or enforce these rules unless you are compromised, but
compliance is still mandatory. If you are compromised and found not
compliant, the fines are steep. The moral of the story is, if you
aren't a payment gateway or very very large merchant, don't store card
numbers on your own servers.
Hope that helps...
Chris
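An added sketch, not from the thread and not ActiveMerchant or any real gateway's code, of the arrangement Chris recommends applied to David's steps 3 to 5: the gateway keeps the card and hands back a profile reference, the application persists only that reference plus the last four digits, the nightly job charges whatever is due, and a failed charge is reported once and not retried. The gateway class, the Luhn guard that refuses to persist anything shaped like a card number, the user names and the test card number are all constructed stand-ins.

```ruby
require 'date'

# Luhn check, used only as a guard so a full card number never lands in
# our own records (the thread's point: if you aren't a gateway, don't store PANs).
def looks_like_pan?(value)
  digits = value.to_s.delete(' -')
  return false unless digits.match?(/\A\d{13,19}\z/)
  sum = digits.reverse.each_char.with_index.sum do |ch, i|
    d = ch.to_i
    d *= 2 if i.odd?
    d > 9 ? d - 9 : d
  end
  (sum % 10).zero?
end

# What our side keeps: no card number, just the gateway's reference and last4.
Subscription = Struct.new(:user, :gateway_ref, :last4, :amount_cents, :next_due, :status)

# Constructed stand-in for a gateway with its own card vault (assumption, not a real API).
class StubGateway
  def initialize
    @vault = {}    # ref -> card number; lives at the gateway, never in our app
    @declined = {} # refs the caller marks as declining, to simulate a failed charge
  end

  def store(card_number)
    ref = "ref_#{@vault.size + 1}"
    @vault[ref] = card_number
    ref
  end

  def decline!(ref)
    @declined[ref] = true
  end

  def charge(ref, _cents)
    return [false, 'no such profile'] unless @vault.key?(ref)
    @declined[ref] ? [false, 'declined'] : [true, 'approved']
  end
end

def create_subscription(gateway, user, card_number, amount_cents, period_days, today)
  ref = gateway.store(card_number) # card goes to the gateway, reference comes back
  sub = Subscription.new(user, ref, card_number[-4, 4], amount_cents, today + period_days, :active)
  sub.each { |v| raise 'refusing to persist a card number' if looks_like_pan?(v) }
  sub
end

# Nightly job (steps 4 and 5): charge what is due; on failure notify once and stop.
def run_billing(gateway, subs, today, period_days, notices = [])
  subs.each do |s|
    next unless s.status == :active && s.next_due <= today
    ok, msg = gateway.charge(s.gateway_ref, s.amount_cents)
    if ok
      s.next_due += period_days
    else
      s.status = :payment_failed # no automatic retry; a human or the user re-enters the card
      notices << "#{s.user}: payment failed (#{msg}), card ending #{s.last4}"
    end
  end
  notices
end
```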