Blog

A journey in ProcessOut's flight journal

How to efficiently integrate Payment Gateways

by Pierre Lafanechaire on

My name is Pierre, I’m a payment engineer at ProcessOut. I’ve integrated dozens of payment gateways in our infrastructure. With my knowledge, I will try to explain all the specificities and steps that a payment gateway integration might lead to. Each one of them is different, from a technical point of view, yet the flow stays the same.


Let’s divide this into 3 steps:

  • Preparation: both the administrative side as well as the technical side.
  • Development: all the things to look forward to
  • Deployment: how to do the transition the best and safest as possible

Preparation

Your first technical interaction with a payment gateway will be with the documentation. You must assess it and decide which feature you would need and how they can fit in your current infrastructure.

Depending on the gateway, some will provide you enough details to develop entirely your integration, some will not. It is important to know which feature you desire from the documentation as it’ll be decisive in your development phase.

Some features like webhooks, auto-capture or multi-currencies will impact your code and can be tricky to manage if not prepared. The best thing to do is to dive into the documentation, identify the technical implementation of each feature and prepare your development phase with them.

Do not forget to have development credentials with all the features activated as soon as possible as it can take up a few days, or weeks, for the gateway to set them up.

It is also recommended during this analysis phase to find a technical contact to facilitate the exchanges during the development phase.

Development

If you already have a payment infrastructure live, you have to take the huge decision:

  • Upgrading the current system
  • Start from scratch

It depends on most of the time if your new provider payment flow can be fitted in your current flow. Most of the time, it is, since the payment flow is (almost) always the same. But depending on the features you would like, it might be best to start from scratch. An example is webhooks. They’re really useful in order to be synced with the gateway, allowing asynchronous payment flow, but they can be tricky to manage depending on your current integration.

As for security, you must assume that every request can be forged. Multiple mitigation systems exist, by checking the signature for example. The best is to always execute, or verify, a request that contains sensitive information directly to the payment gateway, and never trust all the information returned by your client.

Multiple parameters should always be checked on your backend :

  • Transaction status
  • Amount
  • Transaction ID
  • Currency
  • Payment Type

Safeguards are also key to have the safest integration as possible. A transaction that just has been initialized can’t be captured.

At ProcessOut, we’ve implemented an in-house solution that maps all transaction status and checks that need to be done. For example, a transaction that has been authorized can only be captured or voided, the currency must be the same and the amount should be equal if it’s a void. Each transaction has a list of operations and each one of them is verified to ensure that no anomaly exists. A benefit to that system is to be sure of the quality of our data. To deepen the topic of anomaly detection, you can read this article.

It is also important to ensure backward compatibility if you upgrade your current system, previous transactions should stay actionable. Also, depending on your migration system and volume, some transaction flows may have been started by your clients before. Let’s say for example that your client is currently doing a 3DS authentication, which is becoming more and more common since 3DS2, your system should still be able to understand the response of your client and continue the transaction. For that case, it is necessary to maintain both integrations for the time being.

The last bonus test for having the peace of mind that your integration will avoid any regression is to write automated tests for it. As sandbox environments are the same as production ones, you can mock the full payment flow of your integration and validate each transaction flow. Running those tests after each code iteration and periodically will ensure that no issues are happening in production.

Deployment

The deployment will differ a lot depending on your infrastructure and traffic. It is very dangerous to switch all your traffic at once on day 1. Since a transaction life is very long (between an authorization and a chargeback, multiple weeks -and even months- can pass), you must process transactions little by little on your new integration.

It is also key to have some good KPIs on them to track any loss of performance or issue.

At ProcessOut, we’ve implemented more than a hundred gateways since we’ve launched. The goal is to provide flexibility as well as optimizations through multiple providers with one API. Multiple benefits:

  • Fast switching between providers, with a single button and no technical modifications
  • Our smart-routing tool will route the transaction to the best provider you have available
  • We’ve built an audit tool will allow you to monitor and know which transactions are failing and how you can recover them