Selling Payment Processing: Making Smart Choices For Your VAR/ISV Business

Once a VAR or ISV makes a decision to pursue monthly recurring revenue opportunities in payment processing, the big question becomes how? Two Moneris subject matter experts offer guidance on the big decisions that must first be considered.

Businesses today are moving at a lightning fast pace, and it can be overwhelming for ISVs (independent software vendors) and VARs (value-added resellers) to keep up with the latest IT products, technical certifications, and industry regulations. One of the best ways solution providers are finding peace in these turbulent times is by offsetting their project-based revenue (e.g. traditional software and hardware sales) with the sale of subscription-based services and other recurring revenue opportunities.

One of the most profitable service opportunities channel companies can offer their retail/hospitality customers is payment processing. Not only are these services the perfect complement to point of sale (POS) hardware and software implementations, they allow VARs and ISVs to build closer relationships with their customers, and they open doors for a host of add-on sales and services.

In this whitepaper, we’ll explore the key decisions solution providers need to consider before selecting a payment processing service, starting with the level of integration. We will also explore key considerations within semi-integrated and fully-integrated payment processing services, such as direct-to-acquirer (DTA) and gateway-based options.

Key Integration Differences and Why They Matter

One of the first choices VARs and ISVs have to consider when selling payment processing is the level of integration between their POS systems, business applications, and the payment terminal. Here is a summary of the three differences and the pros and cons of each:

1. Non-integrated. In this scenario, the entire payment system is separated from the merchant’s network. An example where you might see this is an independently owned (i.e. mom and pop) business, such as a local pizzeria. The cashier enters the transaction into the cash register or POS system, then has to key-in the transaction into the payment terminal before reentering the customer’s credit/debit card. The upside is that the merchant is completely outside of scope for PCI-DSS (Payment Card Industry – Data Security Standard) requirements. However, the downsides are many. For starters, it takes longer to accept payments because of the double data entry required. Plus, it takes longer to reconcile the POS system to the standalone payment device. When the pizzeria is slammed with customers on a Friday night, the lengthy transaction times can cause some customers to take their business elsewhere. Additionally, there is a higher chance of making a payment error by accidentally entering a wrong number into the payment terminal (e.g. $244 for an order of pizza and wings as opposed to $24). Also, many of the data analytics benefits associated with other types of integration are minimized or lost altogether.
     
2. Semi-integrated. In this scenario, the payment terminal still communicates directly to the acquirer, protecting the merchant from PCI scope. At the same time, however, the terminal is connected to the merchant’s cash register, which eliminates the problem of double data entry mentioned earlier. The drawback is that semi-integrated configurations do put merchants into PCI-DSS scope with regard to the software development kit (SDK) that is used to connect the POS system and payment terminal. In most cases, the SDK and the associated switch already comply with PCI-DSS standards and include the end to end encryption of sensitive cardholder data, so the merchant’s concerns are minimal. Additionally, semi-integrated payment processing offers an added layer of flexibility, which allows, for example, VARs/ISVs or standalone terminals to print receipts.
    
3. Fully integrated. In this option, also called the direct-to-acquirer model, the entire payment system resides inside the merchant’s infrastructure — the POS systems, terminals, servers, and firewalls. These systems are connected directly to the payment processor (i.e. host). This scenario offers merchants the most control as well as the fastest processing times, and it is most often implemented by large merchants and channel partners. It also comes with some potential downsides, which we will address in the next section.

The Pros and Cons of the Direct-to-Acquirer Payment Processing Option

In a DTA environment, the VAR/ISV (aka partner) is given an API (application programming interface) from the payment processor. “From there, we support the partner during their development into the merchant POS system and against any required specifications and industry regulations,” says Karen Cox, VP, Payment and Retail Solutions – Core Payments, Moneris. “Once that process has been completed, the partner is supported through a certification process to ensure the API works properly and complies with the required industry standards.”

According to Cox, the coding can vary widely from partner to partner, primarily due to a wide range of features and functions they may want to include. “When building core payment acceptance features for a hospitality customer, the partner will have to decide how it is going to handle tipping, for example. Perhaps the customer would like to have predefined tip examples to choose from, making it easier for restaurant patrons to know what a 15 percent, 18 percent, and 20 percent tip would be without having to do the math themselves. If the merchant wants to handle split payments, where a customer can pay part of the bill with a $10 gift card and the remainder with cash, additional coding is required to add it into the VAR/ISV’s POS system.”

On average, it takes three to six months for partners to go through the design and certification process for a DTA project, which is why it’s often cost-prohibitive for a small to midsize merchant to pay for the software developer’s fees, which can easily be 10s of thousands of dollars. However, “Moneris reduces these costs by providing payment software that is pre-certified to all required industry standards, and when used in conjunction with our automated test tools, can cut the development time in half,” says Cox.

Another important thing to note about any of the solutions is that industry change is constant.  All modes of integration will require ongoing touchpoints to add features or new industry acceptance mandates. The person responsible for making the changes also can change. In DTA connections, the ISV or VAR is ultimately responsible for maintaining this. Acquirers can provide an easier path with pre-certified software reflecting the latest changes, and they can remotely provide updates in a push or pull fashion. These changes do require various levels of re-certification, however, which prebuilt payment software can simplify.

It is not mandatory for partners to take every update, however. “Once a partner has certified its solution with Moneris, for example, we will continue to support it and never force them to upgrade to a newer version,” says Cox. “Sometimes, however, payment schemes, such as Visa, MasterCard, American Express, or Discover will mandate that acquirers’ middleware partners certify to the latest standard.”

Acquirers, on behalf of the industry regulators, are not the only ones that can force a partner into updating its middleware. Some of the U.S.-based payment processors, for example, only recently started focusing on and complying with EMV (Europay, MasterCard and Visa), a global standard for chip card technology that’s been in use in Europe and Canada for several years. Judging by the number of merchants that missed the October 1, 2015 “liability shift” date, there is good reason to believe that outdated middleware – and the sheer number of moving parts required to make such an update – is partly to blame.

Another example of a situation that would force some VARs and ISVs to update their middleware would be the POODLE vulnerability, an attack that exploits the way some browsers handle encryption. Some payment processors, for example, which supported only the SSL (secure socket layer) standard were forced to update to the newer TLS (transport layer security) standard. Any of their VAR/ISV partners would have had to follow suit and upgrade their middleware. 

For tier-one merchants that process millions of transactions a minute, escaping middleware/gateway fees (which are usually assessed on a cents-per-transaction basis) and choosing the fully integrated model usually makes the most sense. Additional benefits ISVs/VARs can offer include the ability to integrate accounting, CRM (customer relationship management) and other business applications with payment processing. This drives additional cost savings and efficiency gains and is becoming increasingly important in today’s quest to improve the customer experience.

Don’t Underestimate the Advantages of a Payment Gateway

When we look at payment gateways, the first benefit that jumps out is that it is a much quicker and easier implementation path for partners and merchants. Instead of eating up six months in development and certification time, the average gateway-based service takes nearly half the time. “In this model, the payment processor, such as Moneris, has already done the most difficult step of certifying its gateway to the host,” says Patrick Brophy, eCommerce Product Manager at Moneris. “All that is left for the partner is to integrate the gateway to the POS system or kiosk, which is a much simpler process.” In fact, much of the coding required to complete the integration is often already completed by the POS vendor or gateway provider, so it becomes only a matter of copying and pasting snippets of code.

But, there’s much more to the gateway than just a quick path to payment processing, says Brophy. “Some gateways, like the one offered by Moneris, offer several value-added features, such as real-time transaction reporting. This can come in handy as a way to give online retailers a means to track their transactions online, and prepare their shipments, for instance. Or, if cashiers need to void or adjust transactions, they can perform a payment lookup rather than requiring customers’ receipts.”

A hosted pay page, such as the Moneris Gateway Hosted Pay Page, is another payment gateway value-add that can be used by VARs/ISVs to quickly enable merchant websites for purchases, preauthorization, and tokenizing cardholder data for later use. Because a hosted pay page exists exclusively on a gateway provider’s secure servers, any sensitive payment information entered by the consumer does not touch the merchant’s website. As a result, the merchant may qualify for an abbreviated validation assessment. The Moneris Gateway Hosted Pay Page also comes with no additional setup fees or ongoing fees, and merchants can have as many pay pages as they need.

Automated/recurring billing is another advantage of using a payment gateway. The Moneris Gateway, for instance, offers Moneris-managed or merchant-managed recurring payment schedule options, and both options are included at no additional cost. Because the cardholder is not present during a transaction recurrence, each recurring transaction is designated CNP (card not present), which is considered a higher fraud risk and higher fee transaction by card issuers. To offset these risks and fees, Moneris allow merchants to enroll in Moneris Gateway Account Updater services, including: Visa Account Updater (VAU) and Automated Billing Updater (ABU) for MasterCard payments. The updater services communicate with card issuers on a regular basis to confirm cardholder data is still current. If an update is needed (e.g. a card has expired or the expiration date has changed), the card issuer will alert Moneris, and we will update the card on file. This process will happen automatically if the merchant is enrolled in Moneris’ Account Updater program and using a Moneris-managed service. Merchants also have the option to manage their own cardholder updates, making requests as needed via an API or secure batch file.

One of the added burdens multinational merchants face is integrating payments for Canadian and US regions. By working with a gateway provider like Moneris, VARs and ISVs have access to our universal transaction API (application programming interface), which does the heavy lifting required for integrated transaction processing. Additionally, Moneris offers integration support through a team of trained specialists who understand the Moneris Gateway and the development resources available to build solutions.

Tokenization is one of the most valuable security features VARs and ISVs should consider adding to their payment offerings. “Tokenization replaces sensitive data [e.g. credit card information] with a non-sensitive equivalent [usually in gibberish machine code] that only the acquirer can interpret,” says Brophy. “If a hacker somehow gains access to the network the only thing visible is the token data, which has no value to the criminal.”

Aside from the tier-1 merchants mentioned earlier who may notice the slight latency (fractions of a second per transaction), compounded over thousands of transactions, Brophy says gateway-based payment processing is the way of the future.

Turn to Moneris to Determine Which Level of Integration Is Right for You

Although you now have a better understanding of the key differences in payment processing integration, choosing the right payment processor is an equally invaluable consideration.

As a joint venture between the RBC Financial Group and BMO Financial Group (including Chicago-based BMO Harris Bank N.A.), Moneris is built on the strength, security, and stability of two globally respected banking and financial service institutions. We process more than 3 billion credit card and debit card transactions a year for more than 350,000 merchant locations across North America, reaching businesses in every industry including retail, hospitality, education, ecommerce, and healthcare.

If you are a VAR or ISV that is interested in bundling payment gateway or payment processing services with your POS offerings, Moneris can help. Our dedicated staff of more than 20 integration specialists and knowledgeable channel account managers is available to answer your questions and guide you toward the best decision for your company and your customers.