Taking Credit Card Payments Online

By EveryCity on 16 Jul 2009

Taking credit card payments online is an absolute minefield. In this entry we hope to explain some of the different ways you can bill your clients. There are many methods and all have different pros & cons.

Often we are asked by clients how they should store credit card details.  Our response is the same every time which is, if at all possible, you do not want to store anyones credit card details on your servers. It is actually possible to do pretty much anything with a client in terms of billing without storing the credit card data.

Considerations when deciding how payments are taken

  • – Amount of work for developer thus cost
  • – Delay to for payments to reach your bank account
  • – Level of PCI Compliance required if any
  • – Whether you want the client to be able to return and checkout again without re-entering credit card details

Route 1: All in one solutions E.g: Paypal, WorldPay


  • Little or no compliance required
  • Quick, easy and cheap to set-up
  • Pretty much any developer will be able to do this
  • No  merchant bank account or trading history required


  • Client is taken away from your site and to merchant site  (then returned to your site after payment)
  • It can take up to 30 days to actually get the cash into your business bank account
  • Not possible to bill varying recurring amounts

Ideal for:

Sites taking single payments for products and who do not have a huge developer resource, although a number of very large brands use paypal.


Paypal claim that websites adding their services have had increases of sales of on average 16%

Examples of Implementations:

redirect credit card payment page

Route 2: Merchant Account + Payment Processor: E.g. HBOS + Sagepay / Paypoint


  • Delay of getting payments into your business bank account is 0-3 days
  • Can be integrated to look seemless with sign-up forms & checkouts
  • Can be more flexible
  • Possible to bill varying recurring amounts (Requires continuous authority on Merchant account)


  • May require PCI DSS Compliance depending on implementation
  • Take more time and skill thus will probably cost more to have implemented
  • Potentially greater risk as you may be directly handling credit card details depending on your implementation
  • You need to have a business bank account to get a merchant account and it is not always straight forwards

The three main types of implementation of Route 2

Full re-direct

This is where the client is passed on to the payment portal of the processor as with the all in one solutions above.  Typically these pages can be customised to your branding but will not look like your homepage.


This is where the payment form is partially integrated into your site using an IFrame which means that the client stays on your site but the payment page is hosted with the processor.

iframe credit card payment

Fully integrated

This is where your form is completely customisable and you can integrate the payment information at any step.  Typically this will be via the payment processors API.

API Credit card payment form

As your application/site will be handling credit card details you will need to be PCI compliant to some degree.  As before we suggest if at all possible not to store any credit card details if possible.

See our entry on going fully integrated here: Going fully integrated to take credit card payments (link will be here soon)


Overall there are alot of different ways to take credit card payments online. Often people will start with a provider such as Paypal and then integrate a payment processor. If you would like some advice on which is the best feel free to get in contact with us and we’ll help advise you.

Other useful articles:

Taking credit cards for recurring billing or varyied recurring billing amounts PCI Compliance, what do I need to do as an ecommerce site?

Disclaimer: This article should be taken alongside advice from a professional PCI Compliance assessor. Every City Ltd take no responsibility for any liability you may acquire from following any of these courses of action.