23
Mon, Dec
1 New Articles

Credit Where Credit Is Due

Commerce - Other
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Credit card processing is one of those things that can make or break a business, especially if you're trying to establish a B2C (business-to-consumer) presence on the Internet. Unless you have some sort of monopoly on your particular product, you had better have the ability to take credit cards.

But credit card processing didn't start because of the World Wide Web. Internet sales are hardly the only place where a business might need to take a credit card. On the contrary, in the small-to-medium business space, where the iSeries plays best (are you listening, IBM?), there are perhaps half a dozen different uses of a credit card, and most of them have little to do with the general consumer.

What Is Credit Card Processing?

Being the naive waif that I am, I assumed that credit card processing was pretty much a simple "tell me how much to pay" sort of thing: The vendor sends a message to the credit card company, and it says OK (or not). As it turns out, it's much more complex than that. Two things make up the credit card transaction: the players and the plays.

The Players

The players include the merchant (the one doing the selling, which in this case would be you), the "acquirer" (the one who pays the merchant and gets paid by the credit card company), and the authorization network (somebody you contact electronically to post transactions). There is a bit of paperwork involved, as well as some cost, both up front and annually, to set this all up.

The Plays

Once you have everything set up, there's still the matter of what happens in a credit card transaction. Transactions types come in many forms. Heck, there are two just for selling stuff. The first is a normal sale, which is typically used in point-of-sale (POS) systems such as grocery stores and gas stations. In this case, the consumer has already taken possession of the merchandise or service, and the sale is both authorized and shipped in one swoop. Note the terms "authorized" and "shipped"? Well, that's the second kind of sale: First, the buyer authorizes something to be purchased and the vendor puts a hold on the credit card for that amount. Later, when the actual merchandise ships, the hold is released and the actual amount is booked as a sale. This is typically for things like Internet purchases or hotel rentals.

Two other transaction types are the credit, which simply refunds money to a consumer's account, and the authorization reversal transaction, which is used to back out some money that was on hold before settling the transaction. This latter transaction is typically used when vendors such as hotels or car rental companies over-authorize the amount to handle "incidentals" (like wrecking the car or emptying the minibar).

Finally, there is a batch settlement transaction that runs typically at the end of the day. It verifies all the day's transactions and triggers actual payment into the merchant's bank account.

The Big Decision: Make or Buy

Although this was always a question that needed to be asked in any requirements phase, in the old days (when we wrote code with stone hammers) it was rare that you would find something as complicated as credit card processing in a shrink-wrap package you could purchase.

Today, that's not the case. Quite a few vendors out there sell credit card processing solutions of one kind or another for the iSeries. The vendors for iSeries solutions include folks like Curbstone and ROI Corporation. This is by no means an inclusive list nor an endorsement of any particular vendor; any vendors who would like to promote their solutions are invited to participate in the forum for this article (or better yet, purchase an ad from MC Press, or at least register yourself in the free MC Press Buyer's Guide!). As a disclaimer, I have a business relationship with Curbstone but no affiliation with ROI.

Speaking of business relationships, one of my clients is a company by the name of NBS Consultants, Inc. NBS sells an ERP system called PICS and recently added credit card processing to its base system. Early on in the decision-making process, it became clear to the company's president, Ken Hare, that no one packaged solution would address all the possible requirements of his various clients: "There are at least six different places where credit cards might be used in a given business and dozens of different authorization networks." With that sort of complexity, it became clear that, for NBS, writing their own solution was simply more cost-effective than trying to find a package that fit every conceivable scenario.

Remember that NBS is a software vendor, so its environment almost certainly is more complicated than that of the average shop. You may not need the extra flexibility that a roll-your-own system provides. At the same time, as has been demonstrated so dramatically in our own industry, change is the only constant. Take particular care to think about future requirements when you address the make vs. buy question.

Where Will You Use Credit Cards?

Among the first tasks during the process of enabling credit card support is identifying the areas of your business in which credit cards will be used. If you're like me, the first two things that you think of are POS devices and B2C Internet sales (and their low-tech cousin, the phone sale). As Hare points out, though, numerous other transactions involve credit cards, from paying your A/R balance to making a purchase on a B2B Web site. Then there are will-call sales, which have slightly different rules, depending on whether the purchaser physically has the card at the time of pickup.

Which Cards Will You Accept?

One of the next steps of the process is identifying the cards you will accept. The standards seem to be MasterCard, Visa, and American Express. The American Express Corporate card is a regular addition. The last two players are Discover card and Diner's Club, both of which have a more limited scope.

Also, once you've started accepting credit cards, can checks be far behind? As it turns out, the processing for checks using something like the TeleCheck authorization network is similar to that of standard credit card authorization. Even if you're not taking checks today, you may want to consider the possibility before making a final decision.

Where Will I Interface into My Systems?

This is key. There are perhaps a half dozen places where you'll need to update your system to handle credit card processing. The most obvious are order entry and the downstream functions of invoicing and general ledger. Each of these needs to be tied to the actual process of sending transactions to the authorization network. Determining whether your business is POS or mail order will identify the type of transaction and the timing of it within your order process. And then you have your batch posting, which should also generate the settlement transactions.

But that's not all. There may well be other areas of your system that require additional processing. An example is accounts receivable, where you may need to make provisions for allowing customers to pay their bills via credit card.

And the Answer Is...

The more of these options that you need to enable for your business, the less likely it is that a single vendor package will be able to fit your needs. But if you really don't want to reinvent this particular wheel, there are plenty of products to choose from. Do the research, and then do the math. Just remember that this means adding one more point of failure into your systems. According to Hare, "When problems occur, you now have a three-point triangle of responsibility to manage: your software, the third-party interface software, and the authorization service and associated network."

Communications

This is the purely mechanical aspect of transaction processing: getting the transactions to the authorization network and back. This is actually a good place to segment the discussion, because you could theoretically write your own interface to your back-end systems and use a third-party solution for just the communication.

Hybrid Techniques

Let's quickly address these hybrid techniques. In this scenario, custom software modifications and/or business procedures are designed to use either dedicated devices or PC-based solutions. While quick to implement, either of these directions adds an additional point of failure to the system as well as the same third-party complications as just buying a complete solution. A dedicated device is probably less likely to fail but will usually require manual re-keying of data. A PC-based solution, on the other hand, can probably be interfaced programmatically but adds all the extra overhead of an additional computer. Depending on how many locations you have, this can be both expensive and administratively challenging.

Writing Your Own

The other option is to write your own communications subsystem. While today's iSeries is a much better environment for communications than either the AS/400 or S/38 was, this area is hugely (and unnecessarily) complex because of the lack of standardization among vendors. Communications with authorization networks can be via the Internet using HTTPS or VPN or even proprietary protocols. There are also networks that use frame relay or even dial-up connections. This may be the most difficult part of the make vs. buy decision, especially since a requirement to change authorization networks may well require a whole new round of communications programming (and communications programs are still among the most difficult types of programs to debug).

You might think that you can stick with a single network, but that's not always the case. According to Hare: "Businesses have many reasons to switch their credit authorization services over time: change of banking relationship, attempts to reduce associated transaction-processing fees, speed of transaction processing." So the thing to remember here is that if you want to build your own software, be sure to make it flexible.

OK, Now That I Know the "What," How About the "How"?

This column is not meant to be a product review, so let's assume that you've decided to write your own credit card interface. You still have several rather large issues to address.

User Interfaces and Program Interfaces

The obvious requirement is for additional input capabilities. You'll need to be able to enter credit card information. What data is required will depend on the transactions and even on the business type. For example, there are sometimes unique requirements for will-call when the purchasing card is not present, such as when someone buys you tickets on their credit card for you to pick up at show time.

You may also be noticing more often that POS devices are asking for your ZIP code; an example is the self-service line in Home Depot. In order to prevent fraud, more of this sort of information is being required, and your interfaces will have to change accordingly (not to mention that they'll need to be flexible enough to handle the minor differences between applications). But this requirement isn't just to satisfy the security needs of the credit card companies. In some cases, they offer incentives in the form of discounted processing rates for transactions with these extra security checks.

Multiple Authorization Networks, Card Types, and Programs

You really need to plan ahead in this area. Your database needs to be quite flexible. As noted earlier, there are lots of good reasons to switch networks, which means that anything hard-coded has a potential to bite you later, including URLs, login IDs, passwords, merchant IDs, and even transaction history.

Little things like the CVV2 (Card Verification Value) number are different for each card type. Hare says that there are other variations that people are beginning to expect: "Will you need to support debit cards? Gift cards? Loyalty programs? These all require additional database and program support."

Database Security

In these days of identity theft and credit card fraud, it's clear that the integrity and security of your database is of preeminent importance. Certain rules define which pieces of data can be stored and how. For example, as far as I know, you can never store a CVV2 number. Other pieces of information ought to be encrypted; just because you don't need to encrypt data doesn't mean that you shouldn't. The beauty of the iSeries is that you can encrypt data relatively easily, so that's one more weapon in your arsenal if you decide to go the self-written route.

What's the Best Answer?

Ha! Thought you'd trick me into a recommendation, eh? In this very difficult area of business, I couldn't possibly make a suggestion without carefully analyzing your particular business processes. That's what you'll need to do in order to decide which route is best for you. Credit card processing is more and more of a necessity, that's for sure. But choosing the right path is a difficult decision.

I will go out on a little bit of a limb here. If you have only a small number of people who can authorize credit card payments and you don't expect to grow a lot soon, I'd probably recommend that you opt for an all-in-one solution (either PC-based or a dedicated device) that can handle your load at a reasonable expense. But if you plan on handling any sort of Internet business or have a lot of distributed call centers, you're going to need to automate, and then the make vs. buy decision becomes much more involved.

I'd like to thank Ken Hare for taking the time to provide us with his expertise on this subject, and I'll leave you with his final words on the topic: "This stuff must work every day. Money--same as hard cash--is at stake."

Joe Pluta is the founder and chief architect of Pluta Brothers Design, Inc. He has been working in the field since the late 1970s and has made a career of extending the IBM midrange, starting back in the days of the IBM System/3. Joe has used WebSphere extensively, especially as the base for PSC/400, the only product that can move your legacy systems to the Web using simple green-screen commands. Joe is also the author of E-Deployment: The Fastest Path to the Web, Eclipse: Step by Step, and WDSC: Step by Step. You can reach him at This email address is being protected from spambots. You need JavaScript enabled to view it..

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: