TechSoup@PND

Through an arrangement with TechSoup, PND is pleased to offer a series of articles about the effective use of technology by nonprofits.

A Few Good Methods for Processing Credit Cards

A Few Good Methods for Processing Credit Cards
By Kyle Henri Andrei, Dan Rivas

There are many factors to consider before you choose a vendor to handle your processing. Some require different types of hardware, software, and relationships with banks. The fee structures are complex, and it's often difficult to know what you will pay. And the introduction of new electronic chip technology in the U.S. is shifting the responsibilities of merchants.

In this article, you'll get an overview of how credit card processing works and a summary of your options.

Security First and Foremost

Taking credit card payments requires that you sign an agreement to uphold the Payment Card Industry Data Security Standards, commonly known as PCI requirements. Any method will require some vigilance, such as making sure payment hardware and software is secured, but some will be more security-intensive than others. For instance, using a card imprinter (described below) will require that you document and enforce procedures for handling and subsequently destroying imprinter slips, whereas using a terminal or online payment method will require fewer security measures because your payment service provider will be handling the credit card information directly.

Violating the PCI requirements can result in a substantial fine and the loss of your ability to accept credit card payments. If the information gets into the wrong hands, you also risk losing your constituents' trust.

Of course, it's possible that organizations that follow PCI requirements could still suffer a data breach. Generally, credit card and processing companies view data breaches as the fault of the organization. Some nonprofits choose to pay for cyberinsurance, which typically covers notifying customers, constituents, and donors of a data breach; credit monitoring; PR resources; and some consulting services. (Note that cyberinsurance will not protect you from data theft. It is simply a way to manage the crisis after it occurs.)

Three Steps to Processing Credit Cards

Weighing your options for processing credit card payments requires a basic understanding of how the system works. The multiple steps are complex and can involve a number of different vendors and entities.

1. Collect and enter credit card information. In order to process a payment, you'll first need to collect the credit card information from the person making the payment and transfer it, either electronically or manually, to a service that can process it. This step can range from writing down the card information and sending it to your bank to typing it into an online system or swiping the card through a specific kind of hardware.

2. Authorize and commit the charge. Once the payment information is entered, it's transferred electronically to a payment processor who authorizes it by checking to see that the account exists and has a high enough credit limit or balance to cover the charge. The processor then charges the card. However you choose to collect card information, you'll have some kind of processing specialist in the mix who will manage the electronic flow of money for credit card transactions. These companies typically do very little else, so they tend to work hand in hand with another system that provides the interface to enter information and handles any other needed functionality.

3. Deposit money to bank account. Once the card has been charged, there's one more critical step — receiving the money. The payment processor always deposits the money in a bank account called a "merchant account." Money is then automatically transferred from your merchant account into a bank account your organization controls. For most of the methods covered here, you'll need to open a merchant account through your bank or one recommended by your payment processor. All fees are extracted from your merchant account.

Credit card companies such as MasterCard and Visa also charge a fee for each transaction, so there will always be some fee to pay when you accept credit card payments. However, the size of the fees and the terms can vary substantially. For instance, your processor might charge you $25 per month plus 2.2 percent of each transaction — a solid rate for an organization with a high volume of transactions — or a simple 2.8 percent on each transaction with no monthly fee, which might be more appealing if you'll have a low volume of transactions.

If you want to take online payments, make sure your merchant account allows them and has the capability to integrate payment processing with your website. Some organizations choose an online payment vendor first and ask them for recommendations for a merchant account bank to make sure it's compatible with their online payment method.

Credit Card Processing Methods

That's how it works — but how do you start actually taking credit card payments? There are a variety of methods, each appropriate to different situations.

Credit Card Imprinting Machines | The simplest way to accept credit card information is also the one that's been around the longest. Imprinters, those little plastic swipe machines that carbon copy the credit card, make quick imprints of the credit card information for you to process later. The downside is that, if a card is declined, you won't find out until long after the payer is gone, and you might have to work to track them down. You can generally get an imprinting machine for free, or for a small fee, from the bank where you opened your merchant account.

Imprinters are an easy and inexpensive way to collect information on-site. However, you still need to process the charges later using one of the other methods, and there's a substantial risk inherent in carrying imprinting slips around, because you're essentially carrying a stack of credit cards. In fact, some people may not be comfortable having their credit card walking around on a piece of paper and may be reluctant to make a purchase.

In short, imprinters make sense if you rarely take payments or are in some kind of temporary location. However, if you need to process a large volume of transactions, it's probably not worth the increased risk and additional administrative work.

Bank Processing | If you've collected credit card information via an imprinter or through mailed-in donation-via-credit-card forms, one of the most straightforward ways to process the charges — though likely not the cheapest — is to ask your bank to do it. In this scenario, all you have to do is set up a merchant account with the bank and then deliver the paper slips, most likely in person. The bank will then process the transactions and destroy the paper forms. If you almost always receive your credit card payment information on paper, bank processing can make a lot of sense.

Credit Card Terminals | If you need to take a higher volume of payments in on-site situations, consider investing in a credit card terminal, also called a "swipe terminal." These small machines allow you to swipe a credit card, enter the payment amount on a keypad, and then process the payment. In many cases, they can even print out a receipt. Often you can buy one for a couple of hundred dollars from the bank that hosts your merchant account, or rent one for a particular event. Greater Giving's Auctionpay and similar sites rent terminals with a focus on nonprofit events.

Terminals may require a power source, although some run on batteries. They also require connectivity — generally a telephone line — to process credit cards in real time. Some terminals can connect to the processor using a cellular or WiFi connection. If you use a wireless terminal, you should make sure your connections are encrypted and use protections such as passwords and firewalls. The mobile section below offers additional guidance.

Some terminals allow you to store transaction information and process it later when you can connect to a phone line. The terminal stores the information internally — you don't have to worry about a lot of loose slips — but you still run the risk of not receiving payment for any declined cards. On most devices, once the transactions are processed, credit card data is no longer stored.

Nonprofits that want to integrate terminals with other databases — say, to process a donation and record it at the same time to a constituent record — will find it to be very difficult. If you're hoping to seamlessly tie terminal payments to your donor records, you are probably better off pursuing a different payment process. Otherwise, you'll need to add additional manual steps to make sure a record of the payment is included in your donor database.

Mobile Devices | Smartphones and other mobile devices, including iPads and other tablets, offer alternatives to the traditional credit card terminal. Mobile devices can now process transactions via 3G, 4G, or wireless connections. These work in one of two ways — either by providing a way to manually enter card numbers, or with additional hardware that can be plugged into your device, thereby offering the ability to swipe a card into the system.

Mobile payment functionality can be provided through mobile-specific vendors such as PayAnywhereSquarePayPal HereROAMpayIntuit GoPayment, and Worldpay (formerly SecureNet); through systems such as SageDharma Merchant Services, or DonorPerfect; or through free or low-cost card reader apps provided by your processing vendor.

This method has the advantage of portability, because you can process transactions anywhere you have phone reception. It also requires less hardware to purchase (provided you already have a smartphone or other mobile device). Processing vendors will often include a processing method factored into the cost of the product, while the apps will work with online processing services such as Authorize.net.

The apps offered by mobile-specific payment vendors are typically free to download, and like more conventional processing vendors, they take their fees as a percentage of each transaction. For example, Square takes 2.75 percent of each swipe, while PayPal takes 2.7 percent. Regardless of the service you choose, check the pricing information and user agreement carefully for conditions or additional fees. It's worth noting that, while Square and PayPal are popular options, not all nonprofits are comfortable working with these vendors. Some object to the murky way Square deals with suspicious payments and the long holds it places on some transactions. Some merchants that accept PayPal have complained about frozen funds, unfairly deleted accounts, and loopholes that facilitate fraud.

Additionally, there are security issues to consider. Does the app you're using encrypt the numbers for protection? When a card is swiped, does it show the full number or just the last four digits? Are the credit card numbers actually stored on your device? (Note: They shouldn't be.) Check to see if the vendor posts information about PCI compliance on its website. Remember, too, that if you plan to leave your device somewhere, such as a storefront, that it would be much easier for a thief to steal than a credit card terminal — and more attractive as a target. For more information on security and PCI compliance for mobile devices, read this article.

It's also important to consider what your constituents or customers expect. People accustomed to more traditional registers and credit card terminals may not be comfortable handing over their cards to someone using a personal smartphone to take payments. Even simply labeling or branding your card reader or mobile device with your organization's name and logo can go a long way toward reassuring skeptical constituents.

Swipe Hardware | To save time, rather than manually entering every credit card transaction, consider hardware that lets you swipe cards. You can buy such devices to connect to a laptop or personal computer via USB port, or to most mobile devices, including Apple products. The devices range in size from a basic, small card reader to a case for your mobile device with a built-in reader and extended battery. These readers can cost from $20 to more than $150. Some companies, such as Square and PayPal, provide mobile card readers for free to new customers who sign up for the service. If you're looking for an out-of-the-box point-of-sale option, Square now offers packages that are customized for specific kinds of merchants. Packages typically include the Square Stand and a receipt printer. Some also include a barcode scanner, an EMV chip reader, and a cash drawer. Pricing ranges from $429 to $659, depending on mobile device and included hardware.

However, swipe readers may be on their way out. Major credit card companies such as Visa and American Express changed their liability policies in 2015. Previously, if a counterfeit credit card was used, the card issuer accepted liability. Now, any merchant that does not have EMV chip technology — EMV chips are little computer chips embedded in credit cards — at their "swipe" terminals may be liable for losses when a counterfeit card is used. This means that if someone uses an illegitimate clone of the magnetic strip of a working card at your organization, you won't be paid for that transaction if you don't have an EMV reader. The theory behind the EMV chip is that it is much harder to counterfeit and can therefore cut down on fraudulent purchases. The technology is already common in Europe.

You may have already noticed the technology at your local grocery store, likely with a note taped over the reader. U.S. processors have been slow to implement EMV readers and to do the coding work necessary to make sure they work properly. Merchants have also been slow to adopt the technology, primarily because the chip can be a little confusing for users and EMV chip transactions are slower. Even credit card companies have been slow to issue new cards to their cardholders. Most of the experts we talked to expect the systems to be fully functional by the end of 2016.

Our experts pointed out that nonprofits face much less risk than other merchants because museum memberships, books on natural history, and logo hoodies are not commonly targeted by counterfeiters. Nonetheless, they recommend implementing the new swipe technology soon.

Many terminal brands now include EMV readers. Check with your processor to find out whether they will upgrade your terminals for free or at a discount. Square users can purchase an EMV reader for $49. PayPal's EMV reader costs $149, but you can get a $100 rebate to your PayPal account if you process $3,000 within the first three months.

Virtual Terminals | A "virtual terminal" allows you to enter credit card and payment information into an online form and process it over the Internet. You can "rent" a virtual terminal from an online payment processing specialist such as Authorize.net, usually for some combination of a monthly fee and a percentage of the transactions.

Virtual terminals don't often support swipe hardware, and thus require you to take the time to manually enter credit card information, and they don't integrate easily with constituent management systems. Such limitations mean they're probably not the best solution for processing a lot of payments, but they can be convenient options for processing a few payments if you have an Internet connection.

Online Payment Processors | A huge number of online payment vendors specialize in specific types of online payments. For instance, it's easy to find vendors who support online donations, event registration, or item purchases. Although these vendors typically provide an interface optimized for your constituents to submit payments on their own, most of these interfaces also allow your staff members to process payments.

Do your staff members get registration requests by phone? There's no reason they can't enter credit card information into the same interface a registrant would use to register herself or himself. Just make sure that any automatic emails sent out to the registrant make sense in either situation. This method might even work for in-person scenarios — for example, to process on-site registrations, or sell a few items in a store. Keep in mind that unless you buy some compatible swipe hardware, you'll need to type in credit card information by hand. This may seem odd to the person paying, as it's more typical to swipe a card in this situation.

These online payment specialists typically offer a number of features specific to their focus area. For example, an event registration tool might allow you to easily track lunch requests and print name tags, whereas online donation software might support pledges and tribute gifts. (For more information, read these free articles on this topic: A Few Good Event Registration Tools and Tools to Improve Your Online Fundraising.)

Payment-Enabled Software | If you're processing payments that need to integrate directly with constituent management software, such as donations or membership fees, most software packages let you process payments directly through that software. For example, DonorPerfecteTapestry, and Raiser's Edge, three of the more popular donor management systems, all allow you to enter payment information into the software and then process the payment and create a record for it in one step. Most of these vendors also offer the ability to take payments online, either directly or using a partner's processing system.

This convenient option lets organizations process a high volume of a single type of payment, and saves time-consuming double-entry. Like online payment processors, this solution might also work for in-person scenarios, but is optimized for over-the-phone and online transactions.

Point-of-Sale Solutions | If you want to take credit cards in a permanent physical location such as a gift shop, registration desk, or cashier station, consider more hardware-intensive options. You'll certainly want a way to swipe cards and print receipts. You could do both with a credit card terminal, or use separate swipe hardware and a receipt printer. You may also want to add up a number of items and calculate taxes, which terminals typically won't do. If you often sell a number of items to one person, you may want a price scanner and a display pole (the small screen that displays what you're ringing up to the customer).

If you're heading down this path, point-of-sale software such as Cam Commerce or Keystroke starts at a couple of hundred dollars and helps you integrate all the hardware you'll need. It's also very helpful at managing inventory. For more information, see Idealware's article, A Few Good Point of Sales Systems.

How to Decide on Your Method for Processing Credit Cards

With so many options, how do you decide what will work for you? Think through the following considerations:

  • Will you have access to the actual, physical credit card? Having cards in hand will save you time. For any volume, you'll want a method that will allow you to swipe the card (rather than typing in numbers) and print a receipt.
  • Will you have power and connectivity? Processing credit cards without an Internet connection substantially limits your options. Similarly, if you don't have a phone line, you'll need to use an imprinter, mobile device, or specialized terminal.
  • Does the transaction need to be stored in your constituent management system? Processing a high volume of donations or membership renewals that need to be tracked in another piece of software means integration should be a key concern. Payment-enabled software, an online payment processing service, or a point of sale setup can help.
  • Is this a short-term, low-volume need, or a permanent, high-volume setup? The right hardware and integration with other systems can be big timesavers, but they require some initial up-front investment. Does it make sense to use a quick and dirty method such as an imprinter or virtual terminal, or will investing in a more efficient solution save money in the long run?
  • Do you need to store credit card numbers? Doing so in any format requires strict and specific security measures under PCI requirements. Doing this in a homegrown system requires a thorough understanding of the regulations and an investment of time and money to create a system that is in compliance. It's far easier to use an online payment processor or payment-enabled software to handle recurring transactions.
  • What will your constituents expect? Don't forget this important consideration. Be careful of methods that require you to gather someone's life story in order to run a simple payment or require your staff to go through strange and time-consuming machinations with a constituent standing in front of them.
  • How much information are you willing to collect? Collecting the payer's zip code and the three- or four-digit security code will save you money and lower fraud rates, but also requires the payer to spend a bit more time.

It can be complicated to understand your options in processing credit cards. Many of the methods themselves are actually quite straightforward, however, and every organization should be able to find one that's suitable. Whether you're taking donations, registering members or attendees, selling T-shirts, or running a complex retail organization, there's a method that will allow you to take credit cards simply and securely.

For More Information

Kyle Henri Andrei is a research analyst and Dan Rivas is a managing writer at Idealware. Thanks to TechSoup and to the nonprofit technology professionals who provided recommendations, advice, and other help for the original and updated articles.

This work is published under a Creative Commons Attribution-NonCommercial-NoDerivs 4.0 International License.