Accepting credit card payments online is more difficult than it seems it should be, and matters are complicated by new and evolving systems that not only combine previously distinct aspects but also are redefining the payment process and creating entirely new options. If you aren't already intimately familiar with how the myriad pieces of e-commerce interact please read our primer on gateways and merchant account. We'll attempt to explain what is needed and why.

Some FoxyCart functionality may require or allow a transaction to be processed without a Card Security Code (the “CSC”, the numbers on the back of most cards). Some gateways, however, may disallow transactions without a CSC passed through. The situations where the CSC will not be transferred to the gateway are:

• Subscriptions
• Unified Order Entry (aka “Super Password”)
• Returning customers using previously saved payment info

If you're using this functionality we strongly recommend turning off the CSC requirements in your gateway's settings, if possible. FoxyCart will always require a CSC, so a CSC will be sent when possible, but there are certain situations where the CSCs simply might not be available (as with recurring billing / subscriptions).

Also, please note that the CSC is not allowed to be stored, per PCI DSS.

Gateways that may require additional steps or features in order to process transactions without a CSC include:

• PayPal Payments Pro

Almost every gateway provider also provides their customers with test accounts (also called development accounts or sandbox accounts) for use on the gateway's test environment. A test account will work on the test environment, but will not work on the live environment. Similarly, a live account will work on the live environment (the one that processes real transactions from real customers), but will not work on the gateway's own test environment. The two environments are generally completely separate, and any account on one will not work on the other.

To make testing easier for FoxyCart users, FoxyCart provides the ability to enter your own test account information with which to test. What is critical to understand is that, in almost all cases, a live account will not work on if the test gateway is selected in FoxyCart. FoxyCart will send the transaction to entirely separate systems based on your store's settings.

An important but often misunderstood piece of credit card processing is the relationship between “authorization” and “capture”. The easiest way to explain it is by using a gas station as an example. You drive up to the pump and insert your credit card, at which point the card is “authorized” for (let's say) $75. This authorization checks with your bank to make sure you have the funds, just like a normal transaction, but doesn't yet charge the card (“capture the funds”), since the final dollar amount is unknown. Once you have finished pumping and the final transaction amount is known (say, $45.03), the system issues a “capture” for $45.03. The first part is an “authorization only”, or “auth-only”, transaction. The second part is the capture.

(Another option would be for the gas station (or any merchant) to authorize a small amount like $1 just to make sure that it's a valid card, then upon completion clear that auth and issue an auth+capture for the full amount in one go. That approach can be sub-optimal, though, as a $1 charge might go through fine, but a $75 charge might fail for insufficient funds. This approach also requires storing payment information in one way or another, which can lead to its own challenges.)

The other, much more common way to process transactions is to do the authorization and capture at the same time, referred to as an “auth/capture” or “auth/capture”. Imagine buying groceries: You go to checkout, the total charge is determined, and your card is charged (both auth'd and captured at the same time).

Where things get confusing is on the proper usages of an auth-only transaction. It is often thought of as a way to accept pre-orders or to handle trial billing periods. While you could use an auth-only to handle these types of charges, it might not be a great idea for a few reasons.

• Authorizations effectively “hold” the amount authorized. So if you auth $300, that $300 is unavailable to the customer even if you haven't captured the funds. (If you don't capture and the auth expires, the funds will be released back to the customer, but in the meantime they may have overdrafted their account.)
• Authorizations don't last forever. 3 days is probably as far as you'd want to go under normal circumstances, and 30 days appears to be the upper limit, though the exact details will depend on a number of factors, including the card type (Visa, MasterCard, AmEx, etc.).

A better use of auth-only transactions would be to handle expected variations in product delivery or final charges. For example, if your shipping charges vary by factors that FoxyCart cannot account for, or products may not be available regularly, you may want to auth-only then adjust the final transaction amount before capturing the funds. Important to note, however, is that you can never capture more than you've initially authorized when using a traditional gateway. Some gateways allow you to capture only as much as has been authorized, while others ¹⁾ may allow you to capture up to a certain percentage of the authorized amount, but not more than a certain dollar amount higher.

In most situations we strongly recommend doing an auth+capture. If you do have specific requirements that necessitate auth-only processing we encourage you to test thoroughly and keep up to date on any changes your gateway may make that impact that functionality.

Payment errors are a fact of e-commerce life, but fear not: They're typically easy to understand once you know what you're looking for. Please read our primer on payment processing errors, because knowing is half the battle.

Please read this info, then vote for your desired gateway.