Technology Blog

American Express

By Michael Thwaite Michael Thwaite

"American Express? That'll do nicely... Wait, how much?"

Not long after launching, we had a few schools sign up in no time. Who knew that this was useful to schools? – Except Pamela?

It was not long before the schools started asking for the ability to take payments online to cut out that check-cutting step for the parents.

In 2006, when we first added PayPal support, the world was so different when it came to online crime. I must admit that the payment part of the system was overly simple by todays standards. We never experienced any security breaches nor would I expect to but, it was more because I ran the whole thing from my basement behind lock and key than any sophisticated security. Back in 2006, I had a payment page that simply had a form on it, that form collected the details for the card then sent it behind the scenes via a secure channel to PayPal for approval. If approved, they would send back a confirmation and, later, follow that up with a receipt. It was always more secure than collecting checks though.

As time progressed, PayPal proved to be a reliable partner and, one that increasingly offered us improving rates as our volume increased. Our only gripe with PayPal was the rate for American Express; they charged more for American Express transactions than we charged for the whole system.

The Payment Card Industry or PCI began to look more closely at how web sites were accepting credit card payments and they soon began to insist that to be PCI compliant, you had to self-certify that you were behaving yourself. PayPal chose to promote a company called 'Trustwave' that had a very old and crappy flash based website. Once a year I'd have to answer an hour of questions on what we stored (nothing) and how we audited what we stored (still nothing).

The first hint of trouble crept up on us around 2017 when increasing security demands saw Trustwave performing penetration tests to make sure our site was secure and then producing reports that called for changes to made lest we loose our certification... It wasn't that they were simply often wrong, insisting on pointless changes but, that they charged us for this service!

The train began to really start coming off the rails in about 2019 when PayPal transaction processing started to become unreliable and, as anyone who works with PayPal will attest, they're always on break when you call, email, chat, send carrier pigeon.

The search began in earnest to find a new provider. We tried out Square who were initially OK but then, they folded as I suspect that they'd promised us a better rate than they could actually afford and needed an out when the volume started to arrive! We don't recommend Square. Next up was Stripe and, well, I have to say their integration is great, it's reliable and they also support ApplePay, GooglePay and more.

With today's integrations, PCI compliance is actually not a thing that we get involved with; so good is the integration with Stripe that the processing is all performed on their website - we never see any payment information at all and that I'm very happy with!

Within a month of switching on credit card payments, more than ¾ of payments were being processed on the site. We had to set up a mechanism of transfers to the schools and PTOs to allow them to drawdown the funds. It was at this point that we had to begin to charge a fee for the service - there was no way that we could afford the processing fees for credit cards.

It took us some time to determine the true costs of credit cards, PayPal is pretty direct, it's a transaction percentage and a processing fee per transaction but many card providers use something called 'Cost plus' which is basically their costs plus a fee however, the cost of the processing is so convoluted! It's made up of small fees around handling and processing - there's a lot different fingers in the pie and, different cards have different fees.

<rant>

We all love our cash back and points yes? Well, don't! That cash back has to come from somewhere and the source is, yes, you guessed... you. There's no free money and the cash-back comes from the costs passed on to the vendor but it's become a vicious circle, the credit card providers can't compete if they don't offer consumers cash-back but that cash back is passed on to us and we pass it to the school and they add it to the price of the meal.

But guess where the credit card providers learnt how to do it?

</rant>

I'm not entirely sure I fully get all of the pricing nuance even today! However, the easiest thing to do was run the system for a month and watch the total in the bank account - yes, that was the basis for pricing FoodDays. With that we decided to pricing it as a simple percentage, it was easy to understand and fair to those that did high or low volume of sales and, that's the model we still use today. A model that ensures that we take as little out of the fundraising efforts of the schools and PTOs.

 

Tech deep dive:

Setting up payments in the early days involved getting your own SSL certificate (back when SSL was good enough!). This was pretty tricky in 2003 and involved rigorously proving that you were the administrative contact for your domain - no CloudFlare or Let's Encrypt!

With SSL in place, I could take payment information directly on a form and submit it to PayPal via their SOAP API using connectors that were very familiar from my FX API days.

To confirm that the transaction is valid, PayPal calls back to a handler on the FoodDays side that receives the call then, echo's back the received key to PayPal to ensure that the origin of the call is in fact PayPal. All in all, a pretty secure solution that's still in place today for those that want to use PayPal or Venmo on our platform.

Today, we use a combination of key signed requests and transfer or the browser session to Stripe after first setting up a receiving session with them. The resulting webhook call back to FoodDays requires a server-side key and secret to verify the results. Fortunately, almost all of the work is carried out using the Stripe nuget supplied package along with one of the best implementations for a sandbox test environment I've ever seen!