Hosted Payment Page

May 19, 2010 @ 06:16 PM

Apologies if this has been answered somewhere -- I haven't seen any sign of it though.

I'm currently hunting for an automated billing solution on behalf of the company I work for, and the features and API of CheddarGetter seem like the best equipped to me so far. The only deficiency I haven't been able to rule out yet is a hosted payment page.

Some other services offer the ability to have the actual entry of credit card information happen through their service rather than having to be transmitted to them. I'm not exactly well versed in the realm of PCI compliance, and I'd like to avoid that rabbit hole if at all possible.

A publicly accessible version of your "New Customer" form that we could redirect to, providing the customer and plan information via parameters and simply prompting for credit card information, would be awesome. Do you actually offer something like this? If not, is it something you'd consider?

  1. Support Staff 1 Posted by Marc Guyer on May 19, 2010 @ 07:38 PM

    Dan -- Our hosted payment page is not yet available. We hope to have a full featured public payment acceptance system complete this summer. It's a fairly involved project.

    Regarding PCI, the PCI DSS is requiring all internet merchants to gain the lowest level of PCI compliance. This level is typically easy to achieve and is the same level of compliance required to pass cardholder information through your servers to the CheddarGetter API. The cost, if you choose to go with a third party service, is nominal. Initially, around $200 and an annual cost of about $50. In our opinion it's a small price to pay for increased customer goodwill and security. It also adds another level of professionalism to your online presence.

  2. Marc Guyer closed this discussion on May 19, 2010 @ 07:38 PM.

  3. Dan re-opened this discussion on May 19, 2010 @ 08:13 PM

  4. 2 Posted by Dan on May 19, 2010 @ 08:13 PM

    Thanks, Marc.

    Any chance you could point me to somewhere I might find such a third party service?

  5. Support Staff 3 Posted by Marc Guyer on May 19, 2010 @ 08:30 PM

    There are many -- We offer it through the CheddarGateway. There's also McAfee, Trustwave, and others.

  6. Marc Guyer closed this discussion on May 19, 2010 @ 08:30 PM.

  7. Dan re-opened this discussion on May 20, 2010 @ 04:04 PM

  8. 4 Posted by Dan on May 20, 2010 @ 04:04 PM

    I can't seem to find much information about your CheddarGateway -- the support page is just a stub, and the page within the CheddarGetter admin control panel gives me the impression that is something akin to an alternative to (and its ilk). Is this a fair conclusion, or have I missed something?

    Do you know of any resources that can help me get my head around this world of billing for SaaS? A number of requirements in the PCI DSS are pretty vague, and I'm having trouble understanding everything I need to get us ready to go.

    We have a merchant account and are equipped to use the payment gateway. We have an SSL certificate. All we want to be able to do is host a form for the input of Credit Card information for submission to your (or another) service (barring the existence of a hosted payment page, that is); we have no intention of storing credit card information ourselves.

    Thanks in advance for any direction you can offer.

  9. Support Staff 5 Posted by Marc Guyer on May 20, 2010 @ 04:38 PM

    > Is this a fair conclusion, or have I missed something?

    You're correct. The CheddarGateway is an alternative to Authorize.Net.

    > Do you know of any resources that can help me get my head around this world of billing for SaaS? A number of requirements in the PCI DSS are pretty vague, and I'm having trouble understanding everything I need to get us ready to go.

    I'm not sure what you're asking here. The main thing that's different about SaaS is the recurring billing aspect. The PCI DSS is vague because it must encompass all billing models. That's why these third party services exist. They cut through it pretty well.

    > we have no intention of storing credit card information ourselves.

    This is probably the largest misconception about PCI compliance. You don't have to store credit cards to be required to be compliant. If you, as a merchant, accept payment via credit card then you must be PCI compliant.

  10. Marc Guyer closed this discussion on May 20, 2010 @ 04:38 PM.

  11. Dan re-opened this discussion on Sep 23, 2010 @ 06:53 PM

  12. 6 Posted by Dan on Sep 23, 2010 @ 06:53 PM

    > Our hosted payment page is not yet available. We hope to have a full featured public payment acceptance system complete this summer. It's a fairly involved project.

    I don't suppose this happened, did it? We're slogging through the PCI SAQ right now, and due to the fact that credit card information exists in our environment for that brief moment in order for our app to send it to you, it puts us in a category where we must answer hundreds of vague or non-applicable questions instead of only a handful.

    Another idea I thought of was having our form for credit card information submit asynchronously to the CheddarGetter API instead of having the cardholder info go to our server and through a CG API wrapper to transmit the data. This way the cardholder data goes straight from the client's browser to your service, putting us back into the "easy" category of compliance. The roadblock I came upon here was how to authenticate with your API without having to embed our super-important login email and password somewhere that a crafty, malicious user could uncover it with their browser's developer tools. Am I close to something doable here?

  13. Support Staff 7 Posted by Marc Guyer on Sep 23, 2010 @ 07:58 PM

    > I don't suppose this happened, did it?

    Not quite. We're still working on it.

    > We're slogging through the PCI SAQ right now, and due to the fact that credit card information exists in our environment for that brief moment in order for our app to send it to you, it puts us in a category where we must answer hundreds of vague or non-applicable questions instead of only a handful.

    All merchant account holders have to at least be level 4 merchant compliant. This would be true even if you were using a hosted payment interface solution. It sounds to me like you are working through the SAQ manually. I highly recommend using a third party service for this. There are several. The cost is minimal and includes the required quarterly scans. They also register your SAQ for you.

    > Another idea I thought of was having our form for credit card information submit asynchronously...

    Right. Managing credentials security for a client-side system is close to impossible. You also have cross-site scripting security issues. Really, you'd need some sort of dumb wrapper on your server to be a middleman. That would defeat the purpose...

  14. Marc Guyer closed this discussion on Sep 23, 2010 @ 07:58 PM.

  15. Dan re-opened this discussion on Sep 23, 2010 @ 08:30 PM

  16. 8 Posted by Dan on Sep 23, 2010 @ 08:30 PM

    > All merchant account holders have to at least be level 4 merchant compliant. This would be true even if you were using a hosted payment interface solution.

    Not quite what I was referring to. If you outsource all credit card functions to another compliant service provider, the questionnaire you have to complete is almost trivial. If cardholder data exists in your environment for even a moment, then it suddenly becomes ~230 mind-bogglingly vague questions.

    > It sounds to me like you are working through the SAQ manually. I highly recommend using a third party service for this. There are several. The cost is minimal and includes the required quarterly scans. They also register your SAQ for you.

    We are dealing with Trustwave for our PCI compliance. We've been registered in their TrustKeeper software, where we are required to complete the self-assessment questionnaire. I wasn't present for the initial discussions with Trustwave leading up to my task of completing the SAQ; maybe there's some crossed wires going on, and we're missing out on these folks actually helping us with something?

    > Not quite. We're still working on it.

    Tragic. Back to the SAQ! Thanks anyhow.

  17. 9 Posted by Jack on Nov 12, 2010 @ 08:25 AM

    Any updates on the progress of hosted payment pages? Is there a timeline?

  18. Support Staff 10 Posted by Marc Guyer on Nov 12, 2010 @ 02:24 PM

    Hi Jack, this project has stalled. Unfortunately I can't give you a better timeline.

    Related: We've been through the TrustKeeper process several times now and have been able to complete the process in less than a few days. There are a few moving parts, most notably the security scans, so coordination of the right people to get things done is typically the majority of time. Are you guys stuck on anything in particular?

  19. 11 Posted by Dan on Nov 12, 2010 @ 02:36 PM

    Nope -- we jumped ship and switched to Chargify. Their hosted payment page made compliance a non-issue, and their (fantastic) vendor-supplied ruby gem API wrapper made the transition almost effortless.

    We opted for CheddarGetter initially because you had a better implementation of component based pricing at the time; but Chargify has more than caught up on that front since then. Sorry, folks.

  20. 12 Posted by justin on Dec 24, 2010 @ 12:19 AM

    Is there any update on this?


  21. Support Staff 13 Posted by Marc Guyer on Dec 24, 2010 @ 12:48 AM

    We plan to have something ready in February.

  22. 14 Posted by Svyatoslav Ivan... on Feb 22, 2011 @ 07:39 PM

    Any word on the hosted page yet? Thank you.

  23. Support Staff 15 Posted by Marc Guyer on Feb 22, 2011 @ 11:07 PM

    Hi! We're slightly behind schedule. Work is progressing quickly but right now our target completion date is March 31.

  24. 16 Posted by Svyatoslav Ivan... on Feb 28, 2011 @ 03:04 PM

    ok, but I think this is your biggest weakness compared to other subscription providers. It's just so much pain (and expense) to get SSL and then PCI compliant, that everything else just pales compared to this feature.

    Thanks for working on it!

  25. 17 Posted by ManySpears on Mar 02, 2011 @ 03:55 AM

    When this is implemented, will it be included with all packages? Or will it be an upsell?

  26. Support Staff 18 Posted by Marc Guyer on Mar 02, 2011 @ 07:04 PM

    It will be included on all packages.

  27. 19 Posted by mkusmik on Apr 27, 2011 @ 07:02 PM

    Hi Marc,
    Are you still on target to hit the May 1 release date for the hosted payment page? We won't need the PayPal integration, just hosted payment page for credit card billing. We've got everything in place with our integration to CG; just waiting on this bit before we can do complete testing.


  28. Support Staff 20 Posted by Marc Guyer on Apr 28, 2011 @ 06:50 PM

    Hi there -- We're sending out an email update on this subject this afternoon. In the meantime, here's a taste:

    Unfortunately the PayPal support is too closely related to the hosted pages support so they can't be separately deployed. PayPal is currently evaluating the CG application and we can't deploy until that process is complete.

    We may be enabling access to a separate environment for a private beta of sorts.

  29. 21 Posted by ManySpears on Apr 29, 2011 @ 11:23 PM

    Didn't learn much in the email other than how to sign up as a beta tester, which I did.

    Sitting here on the eve of "Decision Day" for whether or not to subscribe under which plan, and I can't decide if CG is for me unless/until I see what the hosted pages look like. Even if you can't deploy, can you do a screenshot video tour of what the customization options might be, and how easy the UI is to build/edit/maintain hosted payment pages? Any early look would be really, really helpful.



  30. Support Staff 22 Posted by Marc Guyer on Apr 30, 2011 @ 11:20 AM

    Hi Tom -- Once we set you up as a beta tester, you'll be able to kick the tires on the new features. If d-day has passed, and you'd rather be on a legacy plan after evaluating the new features, we can do that for you. Just let us know when the time comes. We'll be setting up the beta environment this weekend and we're shooting for a Monday announcement to all testers.

  31. 23 Posted by ManySpears on Apr 30, 2011 @ 01:58 PM

    That's awesome, excellent customer-friendly support. Thanks!

    I'd still consider doing a quick sneak peek video for the many here who are hanging in there awaiting this killer feature. Could keep some fence-sitters sitting while you wait out PayPal. Just my little marketing suggestion :)

  32. Support Staff 24 Posted by Marc Guyer on May 01, 2011 @ 05:11 PM

    We're working on a marketing video but it won't be ready inside of a couple of weeks. Thanks for the suggestion!

  33. 25 Posted by cweekly on May 11, 2011 @ 03:17 PM

    What's the status of the hosted payment page, please? Thanks

  34. Support Staff 26 Posted by Marc Guyer on May 11, 2011 @ 11:11 PM

    Hi Chris! We're scheduled for this Sunday! We'll probably send out a more formal announcement about that tomorrow.

  35. 27 Posted by mkusmik on May 19, 2011 @ 06:12 PM

    Testing out the hosted payment page, we are not getting the response from CG when a user completes a transaction. Has anyone else experienced this?

  36. Support Staff 28 Posted by Marc Guyer on May 19, 2011 @ 07:51 PM

    Hi there. What do you mean by "the response from CG when a user completes a transaction"?

  37. 29 Posted by cweekly on Aug 11, 2011 @ 03:45 AM

    Hi Marc,
    Could you help with this use case, perhaps pointing me to documentation I might have overlooked?

    Our users, having created an account with us (including email address), decide to sign up for a subscription for our service. We show them screens we host outlining our various plans [possibly pulled from CG via API, otherwise duplicated on our end] and they make their selections. Then we kick them over to your hosted payment page to enter credit card info.

    We want to minimize friction and ask them to enter as little redundant info as possible. How much can we pass to you in the hosted payment page requests, to either pre-populate hosted page form field values or to obviate them (so they'd be hidden fields in your UI)?

    Working on wireframing the UX, and some of the details for this case -- as well as for subscribers who want to come back and edit their billing info -- are not clear.

    Thanks very much.


  38. Support Staff 30 Posted by Marc Guyer on Aug 11, 2011 @ 04:33 PM

    Chris -- Check out the end of this section of the hosted payment pages article. You can pass in those params like so:

    Check out this section of the same article for some info about the update page.

    You can also decide to remove some fields from the form here:

    You might also want to set some preferences here:

    I also looked at your CheddarGateway setup and according to your merchant account, you accept Discover as well as Visa/MC. I've already done it for you but you can set that here:

    That ought to do it. Please let us know if we can help further!

  39. Jess Pendley closed this discussion on Nov 21, 2013 @ 07:30 PM.

Discussions are closed to public comments.
If you need help with Cheddar please start a new discussion.
