One thing the article mentions that is not correct is that "there's no need to be PCI Compliant as Stripe handles this whole process for you." While it is true that Stripe bundles the merchant account, you do still need to be PCI compliant. They even say as much in their Terms of Service (section 8): "You agree that at all times you shall be compliant with the Payment Card Industry Data Security Standards (PCI-DSS) and the Payment Application Data Security Standards (PA-DSS), as applicable."
It is very dangerous to think that just because you use a service you are not responsible for PCI compliance. Any business that accepts credit card payments needs to be sure and research what their exact relationship is with PCI.
Can you give an example of what specific considerations need to be taken into account re: PCI compliance and Stripe? My understanding is that there are more stringent requirements if storing CC numbers, and using Stripe helps to shift that burden. Are there any other major non-obvious (e.g., using SSL) considerations re: PCI compliance if using Stripe to handle recurring billing?
Securing your network / software is perhaps non-obvious, and doesn't always make the lists.
Example: you're not keeping the server up to date, and someone injects JavaScript into your payment page. You could be liable.
As I understand it (admittedly not well), PCI is kind of like HIPAA/OSHA, in that there are some explicit no-no's (e.g. not using SSL, leaving patient info lying around, or not wearing hardhats) but the more important point is about maintaining a "culture of compliance".
Requirements scale with processing volume, and are generally minimal for merchants processing under 20k Visa transactions annually.
Many gateways use tokenization to dramatically reduce PCI scope for their merchants. It's fairly standard, actually. Even with tokenization, merchants have compliance obligations. The required network scans, for example, protect consumers from merchant websites being compromised ahead of the tokenization step.
Interesting. I thought you only needed PCI compliance if your server touched the card, not the front-end, but it makes sense. Nevertheless, here in Spain we'll need to wait to have tokenization. There's only one gateway - unless you choose Ogone or Adyen - and hell will freeze before it innovates.
If you work with credit cards you must be PCI Compliant. It's not a "you can avoid it". However, the critical thing is that there are degrees of PCI Compliance. By utilizing a newer gateway you're dramatically reducing your PCI Compliance scope. Most likely you'll therefore only need to complete a SAQ-A (self-assessment 1-page questionnaire). So i) Yes, you must be PCI Compliant no matter whom you use. ii) If you use a modern gateway like Stripe you'll dramatically reduce your scope around CC data and thus only need to do a SAQ-A (which you keep handy in case you're ever asked for it) to be "PCI Compliant". Now the caveats here are that you don't do silly things like integrate with Stripe but, when a customer is having trouble, take their credit card over the phone and input it for them manually etc. (now you're handling data and have expanded your scope). Avoid doing things like that and the SAQ-A will work.
Could you expand on this? I was under the assumption that with Stripe you could circumvent PCI compliance almost completely. I thought that you only need to comply with PCI if your SERVER touched the credit card data in any way - i.e. capturing the info from your frontend and sending it to your payment gateway - and as with Stripe your server never sees it - their JS sends the info to Stripe's servers directly - you are OK.
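A server-side guard for the tokenised flow the two comments above describe, added here as an example (it is not code from this thread, nor from Stripe or Paymill): the backend should only ever receive a gateway token, so it scans every incoming billing request for a Luhn-valid card number and rejects the request before the number can be logged or stored, which is exactly the scope expansion the "typed it in for the customer" caveat warns about. The `card_token` field, the `tok_` prefix and the sample requests are assumptions constructed for the example.

```python
import re
from typing import Any, List, Tuple
# 13-19 digit runs, optionally separated by spaces or dashes, not embedded in a longer run
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters most non-card digit runs (IDs, timestamps) out."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid, card-number-looking digit run in a string."""
    candidates = (re.sub(r"[ -]", "", m.group(0)) for m in _PAN_CANDIDATE.finditer(text))
    return [d for d in candidates if luhn_valid(d)]

def scan_payload(payload: Any, path: str = "$") -> List[Tuple[str, str]]:
    """Walk a JSON-like request body; return (json_path, masked_pan) per finding.
    Only the last four digits are kept, so the finding itself is safe to log."""
    hits: List[Tuple[str, str]] = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            hits += scan_payload(value, f"{path}.{key}")
    elif isinstance(payload, (list, tuple)):
        for i, value in enumerate(payload):
            hits += scan_payload(value, f"{path}[{i}]")
    elif payload is not None:
        for pan in find_pans(str(payload)):
            hits.append((path, "*" * (len(pan) - 4) + pan[-4:]))
    return hits

def accept_billing_request(payload: dict) -> dict:
    """Guard for a tokenised flow: accept a gateway token only (hypothetical
    'card_token' field); reject raw card data before it is logged or stored."""
    hits = scan_payload(payload)
    if hits:
        return {"ok": False, "reason": "card data reached the server", "fields": [p for p, _ in hits]}
    token = payload.get("card_token")
    if not isinstance(token, str) or not token.startswith("tok_"):
        return {"ok": False, "reason": "missing gateway token"}
    return {"ok": True, "token": token}

# Constructed sample requests (not real traffic). "tok_..." mimics the shape of a
# gateway token (placeholder); 4242 4242 4242 4242 is a well-known test number.
GOOD_REQUEST = {"customer": "cust_123", "plan": "monthly", "card_token": "tok_example_placeholder"}
BAD_REQUEST = {"customer": "cust_124", "plan": "monthly",
               "notes": "phoned in, card 4242 4242 4242 4242 exp 12/30"}
```

The Luhn filter removes most false positives, but a 13-digit millisecond timestamp or similar ID can still pass it one time in ten, so treat a hit as a trigger for review, not proof of a leak.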
The commenter is technically correct in that every merchant does indeed need to be "PCI compliant". But I can see how that coming from a competitor may look unseemly in this context. What the OP probably means is that Stripe takes out a great deal of the pain and money of becoming compliant.
I'm very interested in more stories here. Do people on HN share the OP's experiences with Paymill? Anyone working at Paymill reading this?
I know Paymill is one of Rocket Internet's many "ripoffs" of successful US companies, but as a European I really don't care about that. They executed on Zalando really well; I've no reason at all to assume that they'd not execute well on Paymill. Or, well, I had no reason to assume so until this article.
I did the required paperwork stuff before writing any code. They called me when I signed up, told me about the service and what documents they needed. It took me an hour to fill out the forms, and once I sent it, it took them two days to activate the account. Later on, they had me fill in another form from some industry compliance organization, with super-cryptic and confusing stuff on it. They sent me a sample form with the correct data filled in and told me how much they hated that their customers had to do that. They've been paying me every week without issues. Haven't had to do any other paperwork since. On the first day I accepted payments, their acquiring bank emailed me to verify the addresses of several customers because they had cards issued by high-fraud banks. They all checked out, and I haven't heard from them either since. From my POV Paymill's execution is excellent, and they ANSWER THEIR PHONE immediately if I need them, and solve stuff right away (I haven't needed to do that in a long time).
There was a post on LRUG a few days ago about a user integrating with PayMill only to find that customer banks were declining charges via Paymill for "trust" issues.
Just adding a datapoint. I went through the verification and it was annoying to print, fill out, scan and send but not that horrible. The staff was helpful and followed through with the whole process. They even rang me up at one point because there weren’t any transactions coming through to see if I needed any help with the software end of things (that wasn’t the case, but nice to know they care).
As a member of the dev team who has read this article and the following discussion, we will write a blog post tomorrow regarding the issues the OP mentioned. There are really some fair points of criticism, which we should consider thoroughly and change for the future. A more detailed answer tomorrow.
I looked into Paymill a few months ago when I was setting up my website. Being in the UK we couldn't use Stripe and so it initially looked like a good option, but then when you dig into it you find it's no different than a merchant account. Ultimately I went with PayPal as I could set it up quickly and then move to another option later on when the idea is validated.
We are now ramen profitable and so when Stripe launches over here I will probably move to it, but if it doesn't we are now in a position with trading history to get a merchant account.
Stripe is apparently in private beta in the UK now; I'm guessing they're going to make their formal announcement at the talk they're giving at the London Web Summit in a few weeks.
I don't know if this helps but if you really require card processing facilities you should consider other merchant banks as opposed to the high-street ones which are willing to take more risks. I have had a few successful applications for organisations with no trading history on FDMS (First Data Merchant Services).
GoCardless seems like a great option but I just don't see it working on B2C websites. On the other hand, B2B seems very feasible.
I've been looking at using Paymill for an upcoming side project but now I think I might just use Braintree instead after reading this article. The purported lack of paperwork was a big selling point for me, but if this article is true (as well as other comments on here) then it's a big turn-off.
Yes, Braintree's initial paperwork is a PITA, at least as bad as any other payment gateway/merchant account set-up we've seen. And actually their fees can work out very high as well in the early days, because they have a minimum level each month whether you take any payments or not.
We're still looking into them because their terms don't seem to have any of the abusive conditions that we would never sign and their reputation for good customer service is attractive, but they are very far from ideal.
It's the same with the Samwers' clone of Square, Payleven. They send you a card reader immediately, but before you can use it you have to sign 5 different pieces of paperwork and wait for approvals. Just sad, and the reason iZettle is still the only Square-a-like in Europe.
Read the general terms and you know why your client was rejected. You wrote it's a 'dating website' and according to the terms 'Partner negotiations of any kind' are not allowed.
Interesting. Although I don't see how a dating site is partner negotiation, you're simply paying a subscription for a service which allows you to browse members. You're not paying for the relationship or negotiating on it.
Something which might have been relevant which I didn't add was my client wasn't provided a reason for rejection. They simply stated "Our acquiring bank will not consider your application". He attempted to follow up, but still no reason was supplied.
You've hit the nail on the head. We're in the payments space and folks in the payment space know that dating sites have a very difficult time with merchant accounts. I do agree that PayMill may want to call this out more and it's frustrating for the developer. I wonder though if the owners of the site weren't aware of this.
The site in the OP is not accessible right now, but by reading the other comments I assume it's about the paperwork you have to go through after you signed up for PayMill.
My experience is that it takes an hour to sign up, then they'll send you some papers to sign and you are good to go and ready to accept payments.
Then a month later you'll get an email telling you to go through a certification done by a third party. You'll have to download a .rtf with about 20 pages, formatted in a horrible way, and go through the answers with no real guidance. You don't have to fill in a lot of information if you are using PayMill because you are not actually storing any sensitive information on your servers. That's not really PayMill's fault because it's required by law, but it's _very_ annoying and I had to resubmit it twice because I missed some fields (which isn't really that surprising if you look at the way the document is designed).
A few weeks later I had to go through another verification required by EU's money laundering laws. But it was basically just signing a document at the post office so they can verify it with your passport.
Edit: I have to add that PayMill's Support Staff is brilliant and they really care about their customers. They probably hate the required paperwork as much as we do.
Now that I have read the article I think it's not really fair to compare payment providers working under EU jurisdiction and US jurisdiction. If it'd be easy to just skip the paperwork in the EU I'm pretty sure Stripe would've just rolled out their services in Europe in the first place.
Why not? PayMill is supposed to be a clone of Stripe, therefore, I expect instant activation.
If you can't offer instant activation (due to regulations and jurisdictions), don't be misleading with your marketing communications. Let the consumers know the real deal. Simple.
"What’s more, we normally validate all of the necessary customer documents within just 48 hours. However, in order for you to start working right away, you will receive an individual test key from us directly after you register. This will allow you to integrate Paymill even while the contracts are still being processed."
They never said they are a Stripe clone, and if you are expecting that they are one with the exact same features ("instant activation") just because they are selling the same product, that's not really their fault, is it?
They are basically saying that normally you are up and running within 48 hours and that's the case if you are not rejected. So what's misleading about that?
Actually, that statement doesn't say anything about being rejected. In fact, it is phrased in such a way that induces you to believe that after 48 hours, your account will be "processed" or "functional".
I don't really see the point of a European Stripe clone, since in Europe we're dealing with a completely different set of problems when it comes to online payment.
In many countries it's relatively painless if not trivial to set up a merchant account and start accepting payments through one of the many payment service providers, so for the internal market a Stripe-like service doesn't offer much of an advantage over tried and trusted local services.
If you want to accept payments across Europe, especially the many local direct payment solutions which are often much more popular than credit cards (and Paymill doesn't support any of them), you'll run into a whole different class of problems which any service will have a hard time solving.
But if you want to disrupt the European online payment market, then that's the problem to solve.
Before Paymill came along, I had no reasonable (not involved with going through huge amounts of paperwork and diligence just to get a price quote) way of taking payments in Germany. Merchant accounts are a pain. They are most definitely neither painless nor trivial. I hear it's better in the UK, but for me the only reasonable alternative was PayPal, who have strongly negative trust in my book. Paymill made it possible for me to take credit cards at all.
As of recently they also support the most popular local direct payment method in Germany. Given how quickly they spread from DE only to most of Europe, I expect they'll support other local payment methods eventually, but I honestly don't care much. Being able to take credit card payments is already a huge, huge step.
And at least here in Spain you should not forget the TERRIBLE way of integrating payments in your site if you're not PCI compliant. When you try to pay you end up in an ugly POS terminal that with some browsers shows misleading JS alerts when you click on the pay button.
That's what I mean. Both Stripe and Paymill only support an extremely limited set of payment methods. The average half-decent payment service provider supports way more ways of payment.
Which in the end is the major bottleneck. Merchant accounts and legal formalities are just hurdles, which any serious business can take. Yeah, it sucks, but if you can't handle that then perhaps you shouldn't be running a business in the first place.
But both we and our clients would lose most of their business if they could only accept credit cards. Hell, the only additional option Paymill offers isn't even enough to cover half the German market.
It's stupid to focus on the effort it takes to set-up payment if 75% of your potential market can't/won't use it.
Perhaps you'd be kind enough to share your idea of "average half-decent payment service provider" with the rest of us?
Merchant accounts and legal formalities aren't just hurdles if you're spending weeks getting contracts reviewed by lawyers, filling out application forms, chasing people up, and then integrating poorly documented back-ends if you get approved at all.
I know plenty of people who've been in that position with a start-up that has no trading history yet, but I've never met anyone IRL or on-line who has anything like your perspective. So do you know something we all don't, or do we all know something you don't?
The fact that they offer the same API does not make them a clone, and a recent ruling between Oracle and Google would even suggest it's not a copyright issue. There's also an exception in the DMCA that allows reverse engineering for purposes of interoperability (IANAL).
I think Paymill would be a good alternative for us Europeans if not for the pricing. 2.95% + 0.28€ per transaction is really bad if you work with low margins, and far, far worse than what we get working directly with our bank (and don't forget you only see your money once a week).
This is similar to the issue I had with Paymill. Their bank seems to turn down applications because of a lack of trading history or because you can't meet some strange German legal requirement.
(Disclosure, I work for Braintree)