Tell me more ×
Answers OnStartups is a question and answer site for entrepreneurs looking to start or run a new business. It's 100% free, no registration required.
up vote 3 down vote favorite

I am using Paypal subscription for charging the customers monthly. When they sign up, I have an option of either redirecting them to the Paypal site to enter the credit card details or gather this information on my site. I am not sure which one to use for development.

Pros of redirecting user to Paypal

  • Users trust paypal

Cons of redirecting user to Paypal

  • Choppy user experience. They are redirected back and forth.

Pros of gathering credit card information on site

  • Need to purchase a certificate as the page needs to be secure (https)

Cons of gathering credit card information on site

  • Users may not trust your site and would not like to provide CC info.

Did I miss anything? Any thoughts? thanks

EDIT: Based on the response, it appears that people are torn between these two choices

share|improve this question

3 Answers

up vote 4 down vote

My employer did some testing of their own on different payment scenarios and surprisingly a large percentage of users 88% felt safer being redirected to Paypal / other payment gateways than they did entering their own details on a website.

The group made various comments, but all were mostly along the lines of, "I use Paypal when buying on eBay" and "Paypal has payment protection" and "My card details aren't shared with a potentially bad website."

Stick with the redirection, more people trust it than most know.

share|improve this answer
Great answer. User trusts something prolific as Paypal or Amazon than your site. – Kim Jong Woo Feb 23 '11 at 4:30
I agree with this, I trust an established payment gateway rather then every website storing my credit card details – mprem Jun 12 '11 at 18:24
@Investigator, not to mention if your money is stolen, third party payment providers like Paypal have some kind of protection up to a specific amount of which they will refund in suspicious circumstances, but so too will banks. – DigitalSea Jun 14 '11 at 4:40
up vote 1 down vote

Pros of redirecting to PayPal

  1. None

Cons of redirecting to PayPal

  1. User is redirected from the place they were trying to buy something from. This sets off red flags in many user's minds
  2. The site the user is redirected to doesn't match the design of your site, another red flag
  3. You don't control the information collected from the customer
  4. Many people don't trust PayPal. (Many do- but the negative and the positive balance out unless you are selling to businesses- and here the negatives outweigh the positives.)
  5. Delivery- how is it made once PayPal completes the sale?
  6. You can't even pull a graphic image from your own web site to show on PayPal- unless you have an SSL certificate- otherwise you get security warnings.

Pros of using your own SSL certificate

  1. User remains on your site
  2. Your order page matches the rest of your web site
  3. You control exactly what information is collected
  4. Your SSL certificate should inspire all the trust you need to complete the sale
  5. Once a sale is complete- your web site delivers the product

Cons of using your own SSL certificate

  1. It costs $50 or so a year
  2. Your web host has to be able to support SSL
share|improve this answer
I've heard the same about consumer perceptions of Paypal and off-site payment gateways and certainly agree from my end-user perspective. But where's the evidence/data on this? – Henry the Hengineer Feb 21 '11 at 20:47
We did A/B tests years ago. We aren't going to ever repeat them. Why loose money? – Gary E Feb 21 '11 at 22:17
+1 Great Advice,,, the only Pro i would add is that its cheaper and simpler to implement, A good temporary solution, or alternative payment for those who feel a bit cozier if they were on Paypal's site. – Frank Feb 22 '11 at 20:40
up vote 0 down vote

Storing credit Cards is not just a case of "owning" an SSL certificate that is the least of your issues. You are holding peoples Financial Credentials if your site is compromised you might be financially liable for any damages but your reputation would certainly be in taters.

Most Merchant Gateways and Banks and probably more importantly insurance companies expect you to be "compliant" with PCI-DSS this is a standard with levels 1-4 based on transaction amount and volume which is expected to be adhered to at the basic level it's a load of paper work as well as a requirement to have a "secure network" that's not just an SSL certificate and unless you are running in suitable hosting something you will be unlikely to achieve.

Practically none of this is hard if you have a good infrastructure and system admin who know what they are doing but before even pondering going down this route you need to understand their is a risk and cost associated with Direct Card Processing.

Often when you look at the actual costs of direct card processing via a merchant gateway along side the PCI-DSS work/paperwork/scans and yes the shiny SSL certificate not to mention the indemnity insurance suddenly the loss of the occasional person doesn't always seem to be so bad.

I'm not trying to scare you and if you are a mid sized business with a relatively health turnover (or expect to be) then looking at non hosted solutions may be a wise idea, and many merchant gateways offer PayPal as well as part of their offerings, PayPal also offer a range of offerings other then their standard and Pro services (you may wish to Look at PreApprovals via the Adaptive Payments API)

share|improve this answer
my understanding is that if I use the Paypal API, although users are entering the credit card details on my site, I don't store any of them. CC info is stored on Paypal site and I will be PCI compliant. Correct me if i am wrong. – user3462 Feb 23 '11 at 22:07
If the form is on your site (i.e you are using PayPal Pro) then you are still required to undergo PCI-DSS the amount of work is reduced compared to still using a full gateway, but you still have to go through it. Normally with PayPal Pro you use either NVP or SOAP to process the payment often using CURL, while you may not be intentionally be storing data, if CURL errors it dumps it post fields in the log (just one example their are dozens of others) the point just because you believe your not storing the data does not mean your not :) – Tim Nash Feb 24 '11 at 9:36
To follow up paypal-business.co.uk/help-and-resources/pci-compliance/… Basically the "hosted" i.e the user goes to PayPal the compliance is covered by PayPal the non hosted i.e Pro (where it's on your site) the compliance is both you and PayPal – Tim Nash Feb 24 '11 at 9:38

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.