To process payments, you need PCI compliance. The easiest way to be PCI-compliant is never to see payment methods data. Below are the various payment methods and compliance required:
- API Payment method you need PCI SAQ-D self-certification
- Components payment method, you only need PCI SAQ-A
- Hosted Pages is the highest level of quick integration. PCI SAQ-A.
Payment Integrations Overview
API
Option1: Send form data from the front-end to the API with user-id
Option2: Store non-sensitive tokens from API on the user or customer-id from PSP (Payment Service Provider), used to request data later
Components Based
Embed component from PSP (payment service provider), so we don’t access sensitive information.
Receive tokens in the form of webhooks to the backend or front-end tokens.
Hosted Pages
Just redirect to the PSP checkout page.
Redirect back to the fallback page, or thank you.
Receive webhooks to the backend system.
Webhooks
Webhooks help to sync the state of PSPs and the backend
Like push notifications, provide a seamless user experience
HTTP Post request to backend endpoint in the admin interface, with a valid cert
Most important webhooks
- Payment/Checkout
— Succeeded
— Failed - Subscription
— Created
— Changed
— Canceled
How to process
- Check the authenticity of the request by Token / Password
- Usually signed with a cryptographic signature; if invalid, discard.
- Check IP source, usually provided
- Check the uniqueness of the request and stored data not to have duplicates
- Parse event types and data, then store it
- Send a success message to PSP when done
Necessary to-dos
- Connect customer ID from PSP to user table in the backend
- No need to store data stored on the PSP (hard to maintain) we need a single source of truth
- Avoid redundant data if possible while optimizing for performance (keep data the customer needs to see instead of calling the API every time the customer needs it.)
- Use IDs to connect entities, not names and email addresses, as they change.
NOTE: Usually, libraries exist to parse data from servers to PSP, but be prepared to do it manually.
Database Model
Plan global entity model > you need subscription model > link to plan and customer.
Product global model > linked to one-time payment >
Customer model > linked to subscription, one-time payment, charge
Charge model > linked to customer and invoice
Invoice model > linked to charge
Recommended
- Create a top-level model for the organization that the user is linked to.
- Link products or services to the organization.
- Each product or service should have a license no matter where the license comes from, which comes from a subscription or one-time-payment Webhooks.
- The license model also helps in testing offline without ISP.
Development and Testing
- Usually, PSP provides the testing system since the production system can be expensive.
- Set up webhooks, and test fixtures.
- If you want to receive test webhooks, you need to have valid connections to the internet and an SSL certificate.
- If not, you need a service like a webhook.site to connect to webhooks, on your local host.
- If you have many developers, it’s better to use multiple testing systems instead of using just one.
UI/UX
“95% of our purchase decisions making takes place in the subconscious mind, so users should feel safe, and secure.”
This can be achieved by making users feel safe and secure by doing the following:
- To feel safe, you need precise communication and remove all fears
- Provide relevant FAQs
- Encourage users they made the right choice
- Talk about (Warranty, Money-back guarantee, support, and quick start guides) in the last steps of the payment.
- Then provide these services after they paid.
NOTE: Some airlines have sketchy add-ons that make it hard to book a flight, at the original price.
What does a user want?
- Buy service
- Use coupon codes
- Trial service
- Right taxes added
- Change billing interval from yearly to monthly or reverse
- Upgrade, or downgrade the subscription
- Cancel subscription immediately or end of the billing period
- Change billing information, method, and details
- Want legally compliant invoices
- Want refunds
- Want to easily get help (knowledge-base/FAQ) /contact you
Most of these wants are covered by the PSP
Providing Services / Licenses
Webhooks are the backbone, used to sync state.
The most important webhooks are:
- Subscription Created web hook
- called when user orders
- create license in database prorated
- welcome email
- getting started
- connect PSP customer to user, bypassing user-id to components, api, or hosted pages
- Payment Successful
- set license active
- set license expiration date
- set grace period
- Payment Failed
- inform the user, about the failed payment
- suspend a license, or downgrade to a free plan, after the grace period
- communicate all steps to the customer
- keep data, and delete if the deadline expires
- Subscription Changed
- change from a trial period to a paid plan
- change from monthly to yearly
- modify and update license
- make the necessary migrations
- Subscription Canceled
- move to a free plan
- suspend the license immediately or after the billing period
- always keep the data if you can, just in case the user changes their mind
- respect EU GDPR, inform the user, and make it possible to delete data
- just be wary that the user can be too comfortable downgrading if you keep the data
Metered Billing (Charge for use)
Pros
- Leads to higher customer lifetime value
- Is perceived as fair billing
- You can influence customer behavior
Cons
- Unpredictable revenue
- Perceived as complex
- Hard to price right
- Unnecessary if the product doesn’t rely on costs
How to implement
- Check if PSP already provides the API
- Each dimension can be given a price
- If PSP does invoices, there is another approach
- Detect when the invoice is created via webhooks and when it’s still in draft mode
- Before the invoice is finalized, add custom invoice items, to the invoice, and calculate metered on your own.
Legal and Accounting
- Ask the lawyer for needs, for the area of business
Invoicing
- Send out invoices
- Requirements vary by headquarters
- Archive invoices for a defined period
- Invoices cannot be changed after the issue, only new invoices can be created
- Invoices need numbers and dates
- Needs to have the correct tax rate and amount
- VAT-ID or EIN of the customer, and the merchant might be needed in some scenarios
How to implement
- Ideally: Use an external service for invoicing, because it allows you to stay legally compliant
- PSP usually provides invoicing with payment solutions
- Make sure to stay compliant, as the legalities of invoices change frequently
- Make sure your PSP has all the legal requirements
Taxing
- Need to calculate the correct tax rate and the tax amount for the customer, per customer.
- Has a lot of factors depending on geography
- Europe has EU OSS
- Businesses in some areas have different tax rates than individuals
How to implement
- Usually with IP address you can get the customer location, and charge based on that
- Make an individual or business checkbox
- If the business validates EIN or vat ID, get the name and use the location to calculate.
- Make it easily malleable
Proration
- Calculate the amount paid before the plan changed, i.e., $20 a month, and the plan changed within 15 days, only charge $10 for the 15 days.
- Decrease or increase the next invoice
- Usually managed directly inside the PSP
- Affects usage quotas on the backend
- Affects customers’ balance
Dunning (payment collection)
- This is the process, of methodical payment collections
What reasons for it?
- Locked credit cards
- Insufficient funds
- Expired cards
- Regulations like PSD2/SCA (Strong Customer Authentication)
How to solve it?
- Gentle reminders at strategically determined times to customers
- A simple method is sending email reminders on a fixed schedule
- PSP usually provides a smart system to monitor this using usage statistics, and you can customize the emails of the individual dunning event
Legal Aspects
- Be PCI and GDPR compliance if you have EU clients
- PSD2/SCA regulations, aka two-factor authentications, doing payments
- Trial Period End Notification must notify users seven days before the trial ends
- Check more with lawyers and accountants in your area
- There are many PSPs, and you should integrate them properly. No need to reinvent the wheel