One thing the article mentions that is not correct is that "there's no need to be PCI Compliant as Stripe handles this whole process for you." While it is true that Stripe bundles the merchant account, you do still need to be PCI compliant. They even say as much in their Terms of Service (section 8): "You agree that at all times you shall be compliant with the Payment Card Industry Data Security Standards (PCI-DSS) and the Payment Application Data Security Standards (PA-DSS), as applicable."
It is very dangerous to think that just because you use a service you are not responsible for PCI compliance. Any business that accepts credit card payments needs to be sure to research what their exact relationship is with PCI.
Can you give an example of what specific considerations need to be taken into account re: PCI compliance and Stripe? My understanding is that there are more stringent requirements if storing CC numbers, and using Stripe helps to shift that burden. Are there any other major non-obvious (e.g., using SSL) considerations re: PCI compliance if using Stripe to handle recurring billing?
If you work with credit cards you must be PCI Compliant. It's not a "you can avoid it." However, the critical thing is that there are degrees of PCI Compliance. By utilizing a newer gateway you're dramatically reducing your PCI Compliance scope. Most likely you'll therefore only need to complete a SAQ-A (a one-page self-assessment questionnaire). So i) Yes, you must be PCI Compliant no matter whom you use. ii) If you use a modern gateway like Stripe you'll dramatically reduce your scope around CC data and thus only need to do a SAQ-A (which you keep handy in case you're ever asked for it) to be "PCI Compliant". Now the caveats here are that you don't do silly things like integrate with Stripe but, when a customer is having trouble, take their credit card over the phone and input it for them manually, etc. (now you're handling data and have expanded your scope). Avoid doing things like that and the SAQ-A will work.
Could you expand on this? I was under the assumption that with Stripe you could circumvent PCI compliance almost completely. I thought that you only need to comply with PCI if your SERVER touched the credit card data in any way - i.e. capturing the info from your frontend and sending it to your payment gateway - and as with Stripe your server never sees it - their JS sends the info to Stripe servers directly - you are ok.
The commenter is technically correct in that every merchant does indeed need to be "PCI compliant". But I can see how that, coming from a competitor, may look unseemly in this context. What the OP probably means is that Stripe takes out a great deal of the pain and money of becoming compliant.
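The thread's point is that a client-side tokenizer such as Stripe.js only keeps you at SAQ-A scope if raw card numbers really never reach your own server. The following is an added example, not code from the thread, from Stripe or from Paymill: a server-side "scope guard" that scans an incoming request body for anything that looks like a primary account number (13-19 digits passing the Luhn check) and rejects the request, logging only the field path, never the value. The middleware signature is an assumed Express-style `(req, res, next)` shape, and the sample bodies and token strings are constructed for the example.

```javascript
// Added example: detect raw card numbers (PANs) that reach the server when
// the design says they should have been tokenized in the browser.

// Luhn checksum, the check-digit test used by all major card brands.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A value "looks like a PAN" if, after stripping spaces and dashes, it is
// 13-19 digits and passes Luhn. Gateway tokens like "tok_..." never match,
// and ordinary amounts or IDs are too short.
function looksLikePan(value) {
  const digits = String(value).replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk a parsed JSON body (objects, arrays, scalars) and return the dotted
// path of every PAN-looking value. Paths, not values, are safe to log.
function findPanFields(body, path = '') {
  const hits = [];
  if (body === null || typeof body !== 'object') {
    if ((typeof body === 'string' || typeof body === 'number') && looksLikePan(body)) {
      hits.push(path || '$');
    }
    return hits;
  }
  for (const [key, val] of Object.entries(body)) {
    hits.push(...findPanFields(val, path ? `${path}.${key}` : key));
  }
  return hits;
}

// Express-style middleware (assumed framework shape). Rejecting with 400 and
// logging only the field path keeps the log from becoming the new place
// where card data lives.
function panScopeGuard(req, res, next) {
  const hits = findPanFields(req.body);
  if (hits.length > 0) {
    console.error('raw card data reached the server in fields:', hits.join(', '));
    return res.status(400).json({ error: 'card data must be tokenized client-side' });
  }
  return next();
}

// Constructed sample bodies. The first is what a tokenized flow should send;
// the second is the kind of payload that silently expands PCI scope.
// 4242424242424242 is a widely used test card number, not a real account.
const tokenizedRequest = { customer: 'cus_example', source: 'tok_visa_example', amount: 1999 };
const leakyRequest = {
  customer: 'cus_example',
  card: { number: '4242 4242 4242 4242', exp: '12/30' },
  amount: 1999,
};

// Stand-alone demonstration with a minimal fake response object.
function demo() {
  const res = { code: null, status(c) { this.code = c; return this; }, json() { return this; } };
  panScopeGuard({ body: leakyRequest }, res, () => {});
  return res.code; // 400 for the leaky body
}
```

Run this on every endpoint that accepts JSON from your own pages and support tools, not just the payment route; the case jusben1369 describes (support staff keying a card in by hand) usually arrives through an admin form, not the checkout.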
I'm very interested in more stories here. Do people on HN share the OP's experiences with Paymill? Anyone working at Paymill reading this?
I know Paymill is one of Rocket Internet's many "ripoffs" of successful US companies, but as a European I really don't care about that. They executed on Zalando real well, I've no reason at all to assume that they'd not execute well on Paymill. Or, well, I had no reason to assume so until this article.
I did the required paperwork stuff before writing any code. They called me when I signed up, told me about the service and what documents they needed. It took me an hour to fill out the forms, and once I sent it, it took them two days to activate the account. Later on, they had me fill in another form from some industry compliance organization, with super-cryptic and confusing stuff on it. They sent me a sample form with the correct data filled in and told me how much they hated that their customers had to do that. They've been paying me every week without issues. Haven't had to do any other paperwork since. On the first day I accepted payments, their acquiring bank emailed me to verify the addresses of several customers because they had cards issued by high-fraud banks. They all checked out, and I haven't heard from them either since. From my POV Paymill's execution is excellent, and they ANSWER THEIR PHONE immediately if I need them, and solve stuff right away (I haven't needed to do that in a long time).
There was a post on LRUG a few days ago about a user integrating with PayMill only to find that customer banks were declining charges via Paymill for "trust" issues.
Just adding a datapoint. I went through the verification and it was annoying to print, fill out, scan and send but not that horrible. The staff was helpful and followed through with the whole process. They even rang me up at one point because there weren’t any transactions coming through to see if I needed any help with the software end of things (that wasn’t the case, but nice to know they care).
As I'm a member of the dev team and have read this article and the following discussion, we will write a blog post tomorrow regarding the issues the OP mentioned. There are really some fair points of criticism, which we should consider thoroughly and change for the future. A more detailed answer tomorrow.
I looked into Paymill a few months ago when I was setting up my website. Being in the UK we couldn't use Stripe and so it initially looked like a good option, but then when you dig into it you find it's no different than a merchant account. Ultimately I went with PayPal as I could set it up quickly and then move to another option later on when the idea is validated.
We are now ramen profitable and so when Stripe launches over here I will probably move to it, but if it doesn't we are now in a position with trading history to get a merchant account.
Stripe is apparently in private beta in the UK now; I'm guessing they're going to make their formal announcement at the talk they're giving at the London Web Summit in a few weeks.
I don't know if this helps but if you really require card processing facilities you should consider other merchant banks as opposed to the high-street ones which are willing to take more risks. I have had a few successful applications for organisations with no trading history on FDMS (First Data Merchant Services).
GoCardless seems like a great option but I just don't see it working on B2C websites. On the other hand, B2B seems very feasible.
I've been looking at using Paymill for an upcoming side project but now I think I might just use Braintree instead after reading this article. The purported lack of paperwork was a big selling point for me but if this article is true (as well as other comments on here) then it's a big turn off.
It's the same with the Samwers' clone of Square, Payleven. They send you a card reader immediately, but before you can use it you have to sign 5 different pieces of paperwork and wait for approvals. Just sad, and the reason iZettle is still the only Square-a-like in Europe.
Read the general terms and you know why your client was rejected. You wrote it's a 'dating website' and according to the terms 'Partner negotiations of any kind' are not allowed.
Interesting. Although I don't see how a dating site is partner negotiation, you're simply paying a subscription for a service which allows you to browse members. You're not paying for the relationship or negotiating on it.
Something which might have been relevant which I didn't add was my client wasn't provided a reason for rejection. They simply stated "Our acquiring bank will not consider your application". He attempted to follow up, but still no reason was supplied.
You've hit the nail on the head. We're in the payments space and folks in the payment space know that dating sites have a very difficult time with merchant accounts. I do agree that PayMill may want to call this out more and it's frustrating for the developer. I wonder though if the owners of the site weren't aware of this.
The site in the OP is not accessible right now, but by reading the other comments I assume it's about the paperwork you have to go through after you signed up for PayMill.
My experience is that it takes an hour to sign up, then they'll send you some papers to sign and you are good to go and ready to accept payments.
Then a month later you'll get an email telling you to go through a certification done by a third party. You'll have to download a .rtf with about 20 pages, formatted in a horrible way, and go through the answers with no real guidance. You don't have to fill in a lot of information if you are using PayMill because you are not actually storing any sensitive information on your servers. That's not really PayMill's fault because it's required by law, but it's _very_ annoying and I had to resubmit it twice because I missed some fields (which isn't really that surprising if you look at the way the document is designed).
A few weeks later I had to go through another verification required by EU's money laundering laws. But it was basically just signing a document at the post office so they can verify it with your passport.
Edit: I have to add that PayMill's Support Staff is brilliant and they really care about their customers. They probably hate the required paperwork as much as we do.
Now that I have read the article I think it's not really fair to compare payment providers working under EU jurisdiction and US jurisdiction. If it'd be easy to just skip the paperwork in the EU I'm pretty sure Stripe would've just rolled out their services in Europe in the first place.
I don't really see the point of a European Stripe clone, since in Europe we're dealing with a completely different set of problems when it comes to online payment.
In many countries it's relatively painless if not trivial to set up a merchant account and start accepting payments through one of the many payment service providers, so for the internal market a Stripe-like service doesn't offer much of an advantage over tried and trusted local services.
If you want to accept payments across Europe, especially the many local direct payment solutions which are often much more popular than credit cards (and Paymill doesn't support any of them), you'll run into a whole different class of problems which any service will have a hard time solving.
But if you want to disrupt the European online payment market, then that's the problem to solve.
Before Paymill came along, I had no reasonable (not involved with going through huge amounts of paperwork and diligence just to get a price quote) way of taking payments in Germany. Merchant accounts are a pain. They are most definitely neither painless nor trivial. I hear it's better in the UK, but for me the only reasonable alternative was PayPal, who have strongly negative trust in my book. Paymill made it possible for me to take credit cards at all.
As of recently they also support the most popular local direct payment method in Germany. Given how quickly they spread from DE only to most of Europe, I expect they'll support other local payment methods eventually, but I honestly don't care much. Being able to take credit card payments is already a huge, huge step.
The fact that they offer the same API does not make them a clone, and a recent ruling between Oracle and Google would even suggest it's not a copyright issue. There's also an exception in the DMCA that allows reverse engineering for purposes of interoperability (IANAL).
I think Paymill would be a good alternative for us Europeans if not for the pricing. 2.95% + 0.28€ per transaction is really bad if you work with low margins, and far, far worse than what we get working directly with our bank (and don't forget you only see your money once a week).
This is similar to the issue I had with Paymill. Their bank seems to turn down applications because of a lack of trading history or because you can't meet some strange German legal requirement.
jtdowney | 13 years ago
(Disclosure, I work for Braintree)
dave_sullivan | 13 years ago
jusben1369 | 13 years ago
sdepablos | 13 years ago
In fact, on their site https://support.stripe.com/questions/what-exactly-do-i-need-... they state:
"As for the explicit requirements you need to meet PCI compliance requirements:
* When accepting payments using Stripe, you have to use Stripe.js
* Serve your payment page over SSL"
pbreit | 13 years ago
skrebbel | 13 years ago
Kliment | 13 years ago
peterjancelis | 13 years ago
I agree with you - as a European I don't care about it being a clone, at least they make an effort to serve my market.
georgespencer | 13 years ago
jokull | 13 years ago
CarlHoerberg | 13 years ago
d0mme | 13 years ago
Best, Dominic
tpsc | 13 years ago
samwillis | 13 years ago
ig1 | 13 years ago
Rulero | 13 years ago
lucian1900 | 13 years ago
jamesmoss | 13 years ago
CarlHoerberg | 13 years ago
tobiasbischoff | 13 years ago
weitzj | 13 years ago
mikeseeh | 13 years ago
Rulero | 13 years ago
jusben1369 | 13 years ago
dewey | 13 years ago
Kliment | 13 years ago
bencevans | 13 years ago
dewey | 13 years ago
rmoriz | 13 years ago
onemorepassword | 13 years ago
Kliment | 13 years ago
lucian1900 | 13 years ago
crazygringo | 13 years ago
EDIT: never mind, apparently it was fixed in the meantime.
smagch | 13 years ago
https://github.com/keikubo/webpay-ruby
revelation | 13 years ago
unknown | 13 years ago
[deleted]
sdepablos | 13 years ago
d0mme | 13 years ago
https://blog.paymill.com/2013/02/25/customer-feedback-on-our...
Best, Dominic
calpaterson | 13 years ago
cocoflunchy | 13 years ago
Luckily there's still Readability...
Edit: well I'm not sure what just happened, but the whole layout has changed... everything is good now.
lobster_johnson | 13 years ago
zakshay | 13 years ago