Credit Where Credit Is Due

Commerce - Other
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Credit card processing is one of those things that can make or break a business, especially if you're trying to establish a B2C (business-to-consumer) presence on the Internet. Unless you have some sort of monopoly on your particular product, you had better have the ability to take credit cards.

But credit card processing didn't start because of the World Wide Web. Internet sales are hardly the only place where a business might need to take a credit card. On the contrary, in the small-to-medium business space, where the iSeries plays best (are you listening, IBM?), there are perhaps half a dozen different uses of a credit card, and most of them have little to do with the general consumer.

What Is Credit Card Processing?

Being the naive waif that I am, I assumed that credit card processing was pretty much a simple "tell me how much to pay" sort of thing: The vendor sends a message to the credit card company, and it says OK (or not). As it turns out, it's much more complex than that. Two things make up the credit card transaction: the players and the plays.

The Players

The players include the merchant (the one doing the selling, which in this case would be you), the "acquirer" (the one who pays the merchant and gets paid by the credit card company), and the authorization network (somebody you contact electronically to post transactions). There is a bit of paperwork involved, as well as some cost, both up front and annually, to set this all up.

The Plays

Once you have everything set up, there's still the matter of what happens in a credit card transaction. Transactions types come in many forms. Heck, there are two just for selling stuff. The first is a normal sale, which is typically used in point-of-sale (POS) systems such as grocery stores and gas stations. In this case, the consumer has already taken possession of the merchandise or service, and the sale is both authorized and shipped in one swoop. Note the terms "authorized" and "shipped"? Well, that's the second kind of sale: First, the buyer authorizes something to be purchased and the vendor puts a hold on the credit card for that amount. Later, when the actual merchandise ships, the hold is released and the actual amount is booked as a sale. This is typically for things like Internet purchases or hotel rentals.

Two other transaction types are the credit, which simply refunds money to a consumer's account, and the authorization reversal transaction, which is used to back out some money that was on hold before settling the transaction. This latter transaction is typically used when vendors such as hotels or car rental companies over-authorize the amount to handle "incidentals" (like wrecking the car or emptying the minibar).

Finally, there is a batch settlement transaction that runs typically at the end of the day. It verifies all the day's transactions and triggers actual payment into the merchant's bank account.

The Big Decision: Make or Buy

Although this was always a question that needed to be asked in any requirements phase, in the old days (when we wrote code with stone hammers) it was rare that you would find something as complicated as credit card processing in a shrink-wrap package you could purchase.

Today, that's not the case. Quite a few vendors out there sell credit card processing solutions of one kind or another for the iSeries. The vendors for iSeries solutions include folks like Curbstone and ROI Corporation. This is by no means an inclusive list nor an endorsement of any particular vendor; any vendors who would like to promote their solutions are invited to participate in the forum for this article (or better yet, purchase an ad from MC Press, or at least register yourself in the free MC Press Buyer's Guide!). As a disclaimer, I have a business relationship with Curbstone but no affiliation with ROI.

Speaking of business relationships, one of my clients is a company by the name of NBS Consultants, Inc. NBS sells an ERP system called PICS and recently added credit card processing to its base system. Early on in the decision-making process, it became clear to the company's president, Ken Hare, that no one packaged solution would address all the possible requirements of his various clients: "There are at least six different places where credit cards might be used in a given business and dozens of different authorization networks." With that sort of complexity, it became clear that, for NBS, writing their own solution was simply more cost-effective than trying to find a package that fit every conceivable scenario.

Remember that NBS is a software vendor, so its environment almost certainly is more complicated than that of the average shop. You may not need the extra flexibility that a roll-your-own system provides. At the same time, as has been demonstrated so dramatically in our own industry, change is the only constant. Take particular care to think about future requirements when you address the make vs. buy question.

Where Will You Use Credit Cards?

Among the first tasks during the process of enabling credit card support is identifying the areas of your business in which credit cards will be used. If you're like me, the first two things that you think of are POS devices and B2C Internet sales (and their low-tech cousin, the phone sale). As Hare points out, though, numerous other transactions involve credit cards, from paying your A/R balance to making a purchase on a B2B Web site. Then there are will-call sales, which have slightly different rules, depending on whether the purchaser physically has the card at the time of pickup.

Which Cards Will You Accept?

One of the next steps of the process is identifying the cards you will accept. The standards seem to be MasterCard, Visa, and American Express. The American Express Corporate card is a regular addition. The last two players are Discover card and Diner's Club, both of which have a more limited scope.

Also, once you've started accepting credit cards, can checks be far behind? As it turns out, the processing for checks using something like the TeleCheck authorization network is similar to that of standard credit card authorization. Even if you're not taking checks today, you may want to consider the possibility before making a final decision.

Where Will I Interface into My Systems?

This is key. There are perhaps a half dozen places where you'll need to update your system to handle credit card processing. The most obvious are order entry and the downstream functions of invoicing and general ledger. Each of these needs to be tied to the actual process of sending transactions to the authorization network. Determining whether your business is POS or mail order will identify the type of transaction and the timing of it within your order process. And then you have your batch posting, which should also generate the settlement transactions.

But that's not all. There may well be other areas of your system that require additional processing. An example is accounts receivable, where you may need to make provisions for allowing customers to pay their bills via credit card.

And the Answer Is...

The more of these options that you need to enable for your business, the less likely it is that a single vendor package will be able to fit your needs. But if you really don't want to reinvent this particular wheel, there are plenty of products to choose from. Do the research, and then do the math. Just remember that this means adding one more point of failure into your systems. According to Hare, "When problems occur, you now have a three-point triangle of responsibility to manage: your software, the third-party interface software, and the authorization service and associated network."


This is the purely mechanical aspect of transaction processing: getting the transactions to the authorization network and back. This is actually a good place to segment the discussion, because you could theoretically write your own interface to your back-end systems and use a third-party solution for just the communication.

Hybrid Techniques

Let's quickly address these hybrid techniques. In this scenario, custom software modifications and/or business procedures are designed to use either dedicated devices or PC-based solutions. While quick to implement, either of these directions adds an additional point of failure to the system as well as the same third-party complications as just buying a complete solution. A dedicated device is probably less likely to fail but will usually require manual re-keying of data. A PC-based solution, on the other hand, can probably be interfaced programmatically but adds all the extra overhead of an additional computer. Depending on how many locations you have, this can be both expensive and administratively challenging.

Writing Your Own

The other option is to write your own communications subsystem. While today's iSeries is a much better environment for communications than either the AS/400 or S/38 was, this area is hugely (and unnecessarily) complex because of the lack of standardization among vendors. Communications with authorization networks can be via the Internet using HTTPS or VPN or even proprietary protocols. There are also networks that use frame relay or even dial-up connections. This may be the most difficult part of the make vs. buy decision, especially since a requirement to change authorization networks may well require a whole new round of communications programming (and communications programs are still among the most difficult types of programs to debug).

You might think that you can stick with a single network, but that's not always the case. According to Hare: "Businesses have many reasons to switch their credit authorization services over time: change of banking relationship, attempts to reduce associated transaction-processing fees, speed of transaction processing." So the thing to remember here is that if you want to build your own software, be sure to make it flexible.

OK, Now That I Know the "What," How About the "How"?

This column is not meant to be a product review, so let's assume that you've decided to write your own credit card interface. You still have several rather large issues to address.

User Interfaces and Program Interfaces

The obvious requirement is for additional input capabilities. You'll need to be able to enter credit card information. What data is required will depend on the transactions and even on the business type. For example, there are sometimes unique requirements for will-call when the purchasing card is not present, such as when someone buys you tickets on their credit card for you to pick up at show time.

You may also be noticing more often that POS devices are asking for your ZIP code; an example is the self-service line in Home Depot. In order to prevent fraud, more of this sort of information is being required, and your interfaces will have to change accordingly (not to mention that they'll need to be flexible enough to handle the minor differences between applications). But this requirement isn't just to satisfy the security needs of the credit card companies. In some cases, they offer incentives in the form of discounted processing rates for transactions with these extra security checks.

Multiple Authorization Networks, Card Types, and Programs

You really need to plan ahead in this area. Your database needs to be quite flexible. As noted earlier, there are lots of good reasons to switch networks, which means that anything hard-coded has a potential to bite you later, including URLs, login IDs, passwords, merchant IDs, and even transaction history.

Little things like the CVV2 (Card Verification Value) number are different for each card type. Hare says that there are other variations that people are beginning to expect: "Will you need to support debit cards? Gift cards? Loyalty programs? These all require additional database and program support."

Database Security

In these days of identity theft and credit card fraud, it's clear that the integrity and security of your database is of preeminent importance. Certain rules define which pieces of data can be stored and how. For example, as far as I know, you can never store a CVV2 number. Other pieces of information ought to be encrypted; just because you don't need to encrypt data doesn't mean that you shouldn't. The beauty of the iSeries is that you can encrypt data relatively easily, so that's one more weapon in your arsenal if you decide to go the self-written route.

What's the Best Answer?

Ha! Thought you'd trick me into a recommendation, eh? In this very difficult area of business, I couldn't possibly make a suggestion without carefully analyzing your particular business processes. That's what you'll need to do in order to decide which route is best for you. Credit card processing is more and more of a necessity, that's for sure. But choosing the right path is a difficult decision.

I will go out on a little bit of a limb here. If you have only a small number of people who can authorize credit card payments and you don't expect to grow a lot soon, I'd probably recommend that you opt for an all-in-one solution (either PC-based or a dedicated device) that can handle your load at a reasonable expense. But if you plan on handling any sort of Internet business or have a lot of distributed call centers, you're going to need to automate, and then the make vs. buy decision becomes much more involved.

I'd like to thank Ken Hare for taking the time to provide us with his expertise on this subject, and I'll leave you with his final words on the topic: "This stuff must work every day. Money--same as hard cash--is at stake."

Joe Pluta is the founder and chief architect of Pluta Brothers Design, Inc. He has been working in the field since the late 1970s and has made a career of extending the IBM midrange, starting back in the days of the IBM System/3. Joe has used WebSphere extensively, especially as the base for PSC/400, the only product that can move your legacy systems to the Web using simple green-screen commands. Joe is also the author of E-Deployment: The Fastest Path to the Web, Eclipse: Step by Step, and WDSC: Step by Step. You can reach him at This email address is being protected from spambots. You need JavaScript enabled to view it..