Internet Merchant Account

The first thing you need in order to take credit/debit card payments online is an Internet Merchant Account with one of the main acquiring banks, such as:

• Barclaycard Merchant Services
• Bank of Scotland
• HSBC
• Streamline
• Lloyds TSB
• Alliance & Leicester
  

Even if you already have a merchant account for mail order / telephone order Card Not Present transactions, you will still need a separate Internet Merchant Account for Internet transactions. Getting an Internet Merchant Account is not always an easy process, particularly for start up businesses, as some banks may require you to have a proven record of two years trading.

Once you have an Internet Merchant Account, you will need a way of handling the payment process- this boils down to either collecting the credit card details yourself and processing them through a terminal, or getting a third party to securely process the payment and pass the funds on to you.

Processing credit card payments yourself

Many small businesses, particularly those that already have a terminal for mail order / telephone order CNP processing prefer to save the transaction costs associated with using a Payment Service Provider and process the payments themselves. This is not really a recommended option - you may be in breach of your acquiring bank’s terms and conditions and could have your approval to accept credit cards removed.

Additionally, all the credit card issuers now require merchants to be PCI-DSS compliant, which basically requires the merchant to have secure, regularly audited procedures in place to ensure the security of credit card details, again, if you are in breach you will lose the ability to accept card payments.

If you decide to take the risk, or implement PCI-DSS compliance, and collect the credit card details yourself and process them through a terminal, you need to purchase a secure SSL server and and SSL certificate for handling the card details (this provides the "Golden Padlock").

This is how it works - the shoppers browser is directed to a secure server or area and downloads the encryption key and certificate. The certificate is checked by the browser to make sure that it was issued by a trusted authority, is still valid, and relates to the right website. All data sent between the browser and the server is then encrypted before being sent, and decrypted at the other end, ensuring that personal information cannot be intercepted or tampered with by unauthorized persons.