Hosted Payment Page

Dan

19 May, 2010 06:16 PM

Apologies if this has been answered somewhere -- I haven't seen any sign of it though.

I'm currently hunting for an automated billing solution on behalf of the company I work for, and the features and API of CheddarGetter seem like the best equipped to me so far. The only deficiency I haven't been able to rule out yet is a hosted payment page.

Some other services offer the ability to have the actual entry of credit card information happen through their service rather than having to be transmitted to them. I'm not exactly well versed in the realm of PCI compliance, and I'd like to avoid that rabbit hole if at all possible.

A publicly accessible version of your "New Customer" form that we could redirect to, providing the customer and plan information via parameters and simply prompting for credit card information, would be awesome. Do you actually offer something like this? If not, is it something you'd consider?

  1. Support Staff 1 Posted by Marc Guyer on 19 May, 2010 07:38 PM

    Dan -- Our hosted payment page is not yet available. We hope to have a full featured public payment acceptance system complete this summer. It's a fairly involved project.

    Regarding PCI, the PCI DSS is requiring all internet merchants to gain the lowest level of PCI compliance. This level is typically easy to achieve and is the same level of compliance required to pass cardholder information through your servers to the CheddarGetter API. The cost, if you choose to go with a third party service, is nominal. Initially, around $200 and an annual cost of about $50. In our opinion it's a small price to pay for increased customer goodwill and security. It also adds another level of professionalism to your online presence.

  2. Marc Guyer closed this discussion on 19 May, 2010 07:38 PM.

  3. Dan re-opened this discussion on 19 May, 2010 08:13 PM

  4. 2 Posted by Dan on 19 May, 2010 08:13 PM

    Thanks, Marc.

    Any chance you could point me to somewhere I might find such a third party service?

  5. Support Staff 3 Posted by Marc Guyer on 19 May, 2010 08:30 PM

    There are many -- We offer it through the CheddarGateway. There's also McAfee, Trustwave, and others.

  6. Marc Guyer closed this discussion on 19 May, 2010 08:30 PM.

  7. Dan re-opened this discussion on 20 May, 2010 04:04 PM

  8. 4 Posted by Dan on 20 May, 2010 04:04 PM

    I can't seem to find much information about your CheddarGateway -- the support page is just a stub, and the page within the CheddarGetter admin control panel gives me the impression that it is something akin to an alternative to Authorize.net (and its ilk). Is this a fair conclusion, or have I missed something?

    Do you know of any resources that can help me get my head around this world of billing for SaaS? A number of requirements in the PCI DSS are pretty vague, and I'm having trouble understanding everything I need to get us ready to go.

    We have a merchant account and are equipped to use the Authorize.net payment gateway. We have an SSL certificate. All we want to be able to do is host a form for the input of Credit Card information for submission to your (or another) service (barring the existence of a hosted payment page, that is); we have no intention of storing credit card information ourselves.

    Thanks in advance for any direction you can offer.

  9. Support Staff 5 Posted by Marc Guyer on 20 May, 2010 04:38 PM

    > Is this a fair conclusion, or have I missed something?

    You're correct. The CheddarGateway is an alternative to Authorize.Net.

    > Do you know of any resources that can help me get my head around this world of billing for SaaS? A number of requirements in the PCI DSS are pretty vague, and I'm having trouble understanding everything I need to get us ready to go.

    I'm not sure what you're asking here. The main thing that's different about SaaS is the recurring billing aspect. The PCI DSS is vague because it must encompass all billing models. That's why these third party services exist. They cut through it pretty well.

    > we have no intention of storing credit card information ourselves.

    This is probably the largest misconception about PCI compliance. You don't have to store credit cards to be required to be compliant. If you, as a merchant, accept payment via credit card then you must be PCI compliant.

  10. Marc Guyer closed this discussion on 20 May, 2010 04:38 PM.

  11. Dan re-opened this discussion on 23 Sep, 2010 06:53 PM

  12. 6 Posted by Dan on 23 Sep, 2010 06:53 PM

    > Our hosted payment page is not yet available. We hope to have a full featured public payment acceptance system complete this summer. It's a fairly involved project.

    I don't suppose this happened, did it? We're slogging through the PCI SAQ right now, and due to the fact that credit card information exists in our environment for that brief moment in order for our app to send it to you, it puts us in a category where we must answer hundreds of vague or non-applicable questions instead of only a handful.

    Another idea I thought of was having our form for credit card information submit asynchronously to the CheddarGetter API instead of having the cardholder info go to our server and through a CG API wrapper to transmit the data. This way the cardholder data goes straight from the client's browser to your service, putting us back into the "easy" category of compliance. The roadblock I came upon here was how to authenticate with your API without having to embed our super-important login email and password somewhere that a crafty, malicious user could uncover it with their browser's developer tools. Am I close to something doable here?

  13. Support Staff 7 Posted by Marc Guyer on 23 Sep, 2010 07:58 PM

    > I don't suppose this happened, did it?

    Not quite. We're still working on it.

    > We're slogging through the PCI SAQ right now, and due to the fact that credit card information exists in our environment for that brief moment in order for our app to send it to you, it puts us in a category where we must answer hundreds of vague or non-applicable questions instead of only a handful.

    All merchant account holders have to at least be level 4 merchant compliant. This would be true even if you were using a hosted payment interface solution. It sounds to me like you are working through the SAQ manually. I highly recommend using a third party service for this. There are several. The cost is minimal and includes the required quarterly scans. They also register your SAQ for you.

    > Another idea I thought of was having our form for credit card information submit asynchronously...

    Right. Managing credentials security for a client-side system is close to impossible. You also have cross-site scripting security issues. Really, you'd need some sort of dumb wrapper on your server to be a middleman. That would defeat the purpose...
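
The concern in the exchange above is that API credentials placed in a page or script served to the browser can be read by any visitor. As an added example (not part of the original thread and not CheddarGetter code), this Node.js pre-deploy check scans client-served files for the credentials in plain, base64, hex and URL-encoded form. The file names, the credentials and the HTTP Basic pairing are constructed assumptions.

```javascript
// Added example, not CheddarGetter code. All values below are constructed.
const SECRETS = {
  apiEmail: 'billing@example.test',
  apiPassword: 'constructed-Passw0rd!',
};
// Assumption: the credentials would travel as an HTTP Basic "email:password" pair.
SECRETS.basicAuthPair = SECRETS.apiEmail + ':' + SECRETS.apiPassword;

// Constructed stand-ins for files the web server hands to every visitor.
const ASSETS = {
  'public/checkout.html': '<form id="card-form" method="post"></form>',
  'public/checkout.js':
    'xhr.setRequestHeader("Authorization", "Basic ' +
    Buffer.from(SECRETS.basicAuthPair).toString('base64') + '");',
  'public/config.js': 'var cgUser = "billing@example.test";',
};

// Forms in which a secret commonly ends up inside a page or script bundle.
function encodingsOf(value) {
  const buf = Buffer.from(value, 'utf8');
  return {
    plain: value,
    base64: buf.toString('base64'),
    hex: buf.toString('hex'),
    urlencoded: encodeURIComponent(value),
  };
}

// Returns one finding per asset/secret/encoding hit. Findings name the secret
// but never echo its value, so the report is safe to print in CI logs.
function findLeakedSecrets(assets, secrets) {
  const findings = [];
  for (const [path, text] of Object.entries(assets)) {
    for (const [secret, value] of Object.entries(secrets)) {
      const seen = new Set(); // plain and urlencoded forms can be identical
      for (const [encoding, needle] of Object.entries(encodingsOf(value))) {
        if (!seen.has(needle) && text.includes(needle)) {
          findings.push({ path, secret, encoding });
        }
        seen.add(needle);
      }
    }
  }
  return findings;
}

console.log(findLeakedSecrets(ASSETS, SECRETS));
```

A base64 match only fires when the secret was encoded on its own or at a 3-byte-aligned offset, which is why the combined pair is listed as a separate entry.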

  14. Marc Guyer closed this discussion on 23 Sep, 2010 07:58 PM.

  15. Dan re-opened this discussion on 23 Sep, 2010 08:30 PM

  16. 8 Posted by Dan on 23 Sep, 2010 08:30 PM

    > All merchant account holders have to at least be level 4 merchant compliant. This would be true even if you were using a hosted payment interface solution.

    Not quite what I was referring to. If you outsource all credit card functions to another compliant service provider, the questionnaire you have to complete is almost trivial. If cardholder data exists in your environment for even a moment, then it suddenly becomes ~230 mind-bogglingly vague questions.

    > It sounds to me like you are working through the SAQ manually. I highly recommend using a third party service for this. There are several. The cost is minimal and includes the required quarterly scans. They also register your SAQ for you.

    We are dealing with Trustwave for our PCI compliance. We've been registered in their TrustKeeper software, where we are required to complete the self-assessment questionnaire. I wasn't present for the initial discussions with Trustwave leading up to my task of completing the SAQ; maybe there's some crossed wires going on, and we're missing out on these folks actually helping us with something?

    > Not quite. We're still working on it.

    Tragic. Back to the SAQ! Thanks anyhow.

  17. 9 Posted by Jack on 12 Nov, 2010 08:25 AM

    Any updates on the progress of hosted payment pages? Is there a timeline?

  18. Support Staff 10 Posted by Marc Guyer on 12 Nov, 2010 02:24 PM

    Hi Jack, this project has stalled. Unfortunately I can't give you a better timeline.

    Related: We've been through the TrustKeeper process several times now and have been able to complete the process in less than a few days. There are a few moving parts, most notably the security scans, so coordination of the right people to get things done is typically the majority of time. Are you guys stuck on anything in particular?

  19. 11 Posted by Dan on 12 Nov, 2010 02:36 PM

    Nope -- we jumped ship and switched to Chargify. Their hosted payment page made compliance a non-issue, and their (fantastic) vendor-supplied Ruby gem API wrapper made the transition almost effortless.

    We opted for CheddarGetter initially because you had a better implementation of component-based pricing at the time; but Chargify has more than caught up on that front since then. Sorry, folks.

  20. 12 Posted by justin on 24 Dec, 2010 12:19 AM

    Is there any update on this?

    Thanks

  21. Support Staff 13 Posted by Marc Guyer on 24 Dec, 2010 12:48 AM

    We plan to have something ready in February.

  22. 14 Posted by Svyatoslav Ivan... on 22 Feb, 2011 07:39 PM

    Any word on the hosted page yet? Thank you.

  23. Support Staff 15 Posted by Marc Guyer on 22 Feb, 2011 11:07 PM

    Hi! We're slightly behind schedule. Work is progressing quickly but right now our target completion date is March 31.

  24. 16 Posted by Svyatoslav Ivan... on 28 Feb, 2011 03:04 PM

    ok, but I think this is your biggest weakness compared to other subscription providers. It's just so much pain (and expense) to get SSL and then PCI compliant, that everything else just pales compared to this feature.

    Thanks for working on it!

  25. 17 Posted by ManySpears on 02 Mar, 2011 03:55 AM

    Marc,

    When this is implemented, will it be included with all packages? Or will it be an upsell?

  26. Support Staff 18 Posted by Marc Guyer on 02 Mar, 2011 07:04 PM

    It will be included on all packages.

  27. 19 Posted by mkusmik on 27 Apr, 2011 07:02 PM

    Hi Marc,
    Are you still on target to hit the May 1 release date for the hosted payment page? We won't need the PayPal integration, just hosted payment page for credit card billing. We've got everything in place with our integration to CG; just waiting on this bit before we can do complete testing.

    Thanks!

  28. Support Staff 20 Posted by Marc Guyer on 28 Apr, 2011 06:50 PM

    Hi there -- We're sending out an email update on this subject this afternoon. In the meantime, here's a taste:

    Unfortunately the PayPal support is too closely related to the hosted pages support so they can't be separately deployed. PayPal is currently evaluating the CG application and we can't deploy until that process is complete.

    We may be enabling access to a separate environment for a private beta of sorts.

  29. 21 Posted by ManySpears on 29 Apr, 2011 11:23 PM

    Marc,

    Didn't learn much in the email other than how to sign up as a beta tester, which I did.

    Sitting here on the eve of "Decision Day" for whether or not to subscribe under which plan, and I can't decide if CG is for me unless/until I see what the hosted pages look like. Even if you can't deploy, can you do a screenshot video tour of what the customization options might be, and how easy the UI is to build/edit/maintain hosted payment pages? Any early look would be really, really helpful.

    Thanks,

    Tom

  30. Support Staff 22 Posted by Marc Guyer on 30 Apr, 2011 11:20 AM

    Hi Tom -- Once we set you up as a beta tester, you'll be able to kick the tires on the new features. If d-day has passed, and you'd rather be on a legacy plan after evaluating the new features, we can do that for you. Just let us know when the time comes. We'll be setting up the beta environment this weekend and we're shooting for a Monday announcement to all testers.

  31. 23 Posted by ManySpears on 30 Apr, 2011 01:58 PM

    Marc-

    That's awesome, excellent customer-friendly support. Thanks!

    I'd still consider doing a quick sneak peek video for the many here who are hanging in there awaiting this killer feature. Could keep some fence-sitters sitting while you wait out PayPal. Just my little marketing suggestion :)

  32. Support Staff 24 Posted by Marc Guyer on 01 May, 2011 05:11 PM

    We're working on a marketing video but it won't be ready inside of a couple of weeks. Thanks for the suggestion!

  33. 25 Posted by cweekly on 11 May, 2011 03:17 PM

    What's the status of the hosted payment page, please? Thanks

  34. Support Staff 26 Posted by Marc Guyer on 11 May, 2011 11:11 PM

    Hi Chris! We're scheduled for this Sunday! We'll probably send out a more formal announcement about that tomorrow.

  35. 27 Posted by mkusmik on 19 May, 2011 06:12 PM

    Testing out the hosted payment page, we are not getting the response from CG when a user completes a transaction. Has anyone else experienced this?

  36. Support Staff 28 Posted by Marc Guyer on 19 May, 2011 07:51 PM

    Hi there. What do you mean by "the response from CG when a user completes a transaction"?

  37. 29 Posted by cweekly on 11 Aug, 2011 03:45 AM

    Hi Marc,
    Could you help with this use case, perhaps pointing me to documentation I might have overlooked?

    Our users, having created an account with us (including email address), decide to sign up for a subscription for our service. We show them screens we host outlining our various plans [possibly pulled from CG via API, otherwise duplicated on our end] and they make their selections. Then we kick them over to your hosted payment page to enter credit card info.

    We want to minimize friction and ask them to enter as little redundant info as possible. How much can we pass to you in the hosted payment page requests, to either pre-populate hosted page form field values or to obviate them (so they'd be hidden fields in your UI)?

    Working on wireframing the UX, and some of the details for this case -- as well as for subscribers who want to come back and edit their billing info -- are not clear.

    Thanks very much.

    Best,
    Chris

  38. Support Staff 30 Posted by Marc Guyer on 11 Aug, 2011 04:33 PM

    Chris -- Check out the end of this section of the hosted payment pages article. You can pass in those params like so:
    https://whatever.chargevault.com/create?planCode=SELECTED_PLAN

    Check out this section of the same article for some info about the update page.

    You can also decide to remove some fields from the form here: https://cheddargetter.com/admin/hosted-settings/fields

    You might also want to set some preferences here:
    https://cheddargetter.com/admin/hosted-settings/preferences

    I also looked at your CheddarGateway setup and according to your merchant account, you accept Discover as well as Visa/MC. I've already done it for you but you can set that here:
    https://cheddargetter.com/admin/gateway/edit.

    That ought to do it. Please let us know if we can help further!

  39. Jess Pendley closed this discussion on 21 Nov, 2013 07:30 PM.
