SagePay has been our preferred payment gateway partner for several years now. We have integrated their services in numerous e-commerce web applications.
Click to Apply for a SagePay Gateway Payment Account.
VSP Direct Protocol
The SagePay Veri-Secure Payment (VSP) system has been integrated into all of e-volve's e-commerce web applications. This system provides a secure and relatively simple means to authorise payment cards without the need to redirect (and risk losing) the customer from the requesting website.
Any payment card authorisation must originate from a secure server - and hence all relevant 128-bit Secure Socket Layers (SSLs) must exist and be valid. Card details are then transferred over to the SagePay servers, where they are stored before entering the authorisation process.
The customer is never made aware (other than any banners and logos on the website) that they are using a third party service. In our experience, systems which redirect the user to a third party payment gateway tend to have a higher drop-out rate.
Both VISA (Verified by VISA) and Mastercard (Mastercard SecureCode) now require online payments to pass through an additional authentication process (collectively known as 3D-Secure). This essentially requires us to pass the customer through to their card issuing bank, where they are forced to input a password of their choice. The SagePay VSP Direct system allows us to support this protocol and easily integrate it into our website(s).
The payment process is very easy when using VSP Direct. The customer enters their card details (we do NOT need to store them since SagePay do this) on our website, we then POST the data through to SagePay where they are validated, both from the source and from a continuity point of view. SagePay then create a transaction within their database to hold a record of the payment, before they contact the relevant bank. The bank then issues a response to the request, and SagePay feed this back to us by means of a set of parameters. We then notify the customer with the outcome of the transaction based on the parameter values. This process occurs in real-time, and generally takes one or two seconds to process.
As well as sending the payment values and billing details through to SagePay, we also send a text version of the shopping cart, which SagePay uses in the case of any problem.
When we create a new order within one of our databases, a parameter is dynamically generated (not the unique ID) which is alphanumeric in composition and unique to the individual order (generally it is the Vendor name, the date and the Order ID all joined into one string). This parameter is passed through to SagePay along with the payment details. SagePay then use this parameter to identify our transaction within their systems. Hence, should we need to refund all or part of the particular transaction, we must pass this parameter back to SagePay, where they can use it to validate our request.
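The order reference and the refund check it makes possible can be sketched as follows. This is an added example, not e-volve's or SagePay's code: the names make_order_ref and RefundGuard, the 40-character limit and the sample values are assumptions made for illustration.

```python
import re
from datetime import date
from decimal import Decimal

MAX_REF_LEN = 40  # assumption: confirm the real limit in the gateway's protocol guide


def make_order_ref(vendor, order_date, order_id):
    """Join vendor name, order date and order ID into one alphanumeric string."""
    ref = f"{vendor}{order_date:%Y%m%d}{order_id}"
    if not re.fullmatch(r"[A-Za-z0-9]+", ref) or len(ref) > MAX_REF_LEN:
        raise ValueError(f"invalid order reference: {ref!r}")
    return ref


class RefundGuard:
    """Local record of paid orders, consulted before a refund request is sent."""

    def __init__(self):
        self._orders = {}  # reference -> {"paid": Decimal, "refunded": Decimal}

    def record_payment(self, ref, amount):
        # A reference identifies exactly one transaction, so reuse is an error.
        if ref in self._orders:
            raise ValueError("reference already used")
        self._orders[ref] = {"paid": amount, "refunded": Decimal("0")}

    def approve_refund(self, ref, amount):
        """Approve a full or partial refund; return what is still refundable."""
        order = self._orders.get(ref)
        if order is None:
            raise LookupError("no payment recorded under this reference")
        remaining = order["paid"] - order["refunded"]
        if amount <= 0 or amount > remaining:
            raise ValueError("refund must be positive and within the unrefunded balance")
        order["refunded"] += amount
        return remaining - amount


# Constructed sample data: vendor name, date, order ID and amounts are made up.
ref = make_order_ref("examplevendor", date(2024, 3, 1), 1042)
guard = RefundGuard()
guard.record_payment(ref, Decimal("59.99"))
left = guard.approve_refund(ref, Decimal("20.00"))  # partial refund
```

Checking the reference and the cumulative refunded amount locally means a refund request for an unknown order, or for more than was originally paid, is rejected before anything is sent to the gateway.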
There are various payment options available to the vendor when utilising this system. For example, in most cases we might want to authorise payment at the point of sale, and hence any successful transaction will result in funds being taken immediately. Alternatively, we may only want to authorise the payment, but not take the funds for a few days (maybe we cannot fulfil an order immediately). In this case, a successful transaction will result in a 'shadow' being applied to the customer's account. This essentially means that the funds have been authorised and the value has been set aside within the account, with payment expected to occur in the near future. (Note: Most card issuers will expire the shadow after a few days, so an attempt to release the funds can fail even though the payment was a success.)
Should you wish to go ahead with SagePay integration (VSP Direct), you will require an account - and hence an associated vendor name, provided by SagePay. They will initially provide you/us with a test space through which we develop your website and ensure all services are working correctly.
As I am sure you can imagine, it takes quite a long time to develop a full e-commerce system with integrated payments, orders, refunds etc., so by using e-volve you will be vastly reducing the time-to-launch period.
SagePay have other services available, and we are more than happy to go through these with you. We will always endeavour to match your business with the service available.
SagePay Approved Partner
We are part of the SagePay Approved Partner Program.
If you would like to speak to someone regarding the integration of SagePay (or any other service), then please don't hesitate to call us on 01670 501 599.
Or click to Apply for a SagePay Gateway Payment Account.
Sage Pay Go
Sage Pay Go is a service which is easy to integrate into your web application. It enables your site to accept multiple payment types (including VISA, Mastercard, Maestro, American Express and PayPal) through a secure and efficient payment gateway.
So how do you actually use the Sage Pay Go service?
There are 4 types of integration options available to you. These increase in complexity, but range from a simple payment form with not many options, to a fully integrated software platform giving you full control of your customers’ shopping experience.
1. Form Integration
This type of integration is hosted by Sage Pay themselves. Your customer is diverted from your website to the Sage Pay servers where a payment transaction is conducted. Sage Pay then returns your customer to a designated page on your website depending on the outcome of the payment.
The payment pages on the Sage Pay servers can be customised so that they reflect your website design.
Form integration is great if you have a website hosted by a third party company; however, it is limited in the fact that you do not have a great deal of scope to perform refunds etc. These must be done manually via the My Sage Pay administration tool.
2. Server Integration
This service is similar to the Form Integration, but it additionally allows you to run payment reports from your website. No sensitive card details are collected by your website, but you can collect other customer details should you require them.
Since you can store customer details etc, you can begin to create a customer management area of your own, providing information relating to their past order history.
One point to note, though, is that should your website be hosted by a third party, you may be prevented from installing the software required by Sage Pay in order to encrypt the sensitive data, and hence the Form Integration may be a better option for you.
3. Server & inFrame Integration
Using this, you essentially allow your customers to stay on your website by means of an iframe. The benefit of this is that you reduce the drop-out rate of your shopping process because your customer is confident in your product and your service.
You can also send requests to Sage Pay in order to process refunds or payment release from your management websites, thus making your order fulfilment more efficient.
Data is encrypted using an MD5 Hash algorithm, and hence you may need the ability to encrypt/decrypt the data should you wish to use it on your systems.
4. Direct Integration
This is the most complex type of integration, but it allows you full control of your customers’ experience. Your website will take all card data, customer details, and basket contents, and you will perform a secure post to Sage Pay in order to perform the transaction. Your website will then determine the results of the transaction and your system will notify the customer accordingly. Refunds, deferred payments, voids and other payment types can all be configured to best suit your needs.
For this type of integration though, your website must sit behind a Secure Socket Layer (SSL) and you must be PCI DSS compliant.
Direct Integration is an excellent option if you already have an e-commerce application with an order-fulfilment system, and you need a new payment processing partner but do not wish to build an entirely new customer-order-logistics system.
With this system you can keep as much or as little of the sensitive data as you wish. We at e-volve have plenty of experience in dealing with encryption, but we would always advise that only the minimum amount of sensitive data is ever kept on your servers. Keeping sensitive data means you become liable for its safe keeping, and hence you must get your server(s) tested for Payment Card Industry (PCI) compliance.