NOTE: This post is not sponsored and SUMO Heavy is not affiliated with Spreedly in any way. We feel that they provide an amazing service and love their product.
On September 16th, 2020, some of our clients experienced a major payment gateway outage that lasted approximately 40 minutes. During the outage, not a single customer could check out, and as is often the case with this kind of failure, there was nothing the store operators could do but wait. Once service was restored, the cause turned out to be a certificate expiration.
Preliminary investigation revealed that an mTLS client certificate had expired, and that our certificate management system had not flagged the upcoming expiration ahead of time.
I can't think of a team that hasn't been bitten by a certificate expiration. Even now that certificate management is available on every major cloud platform, often for free, bad stuff happens, and vendors have vendors. The chain of responsibility is so long that it's nearly impossible to have complete control over your technical operations.
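The check that would have caught this, as an added example that is not part of the original post and is not any vendor's tooling: an outbound mTLS client certificate is never served on one of your own listening ports, so an expiry monitor that only probes endpoints will never see it. The example therefore reads certificate material directly (whatever you export from the file system, vault or secret store) and flags anything expiring inside a warning window, with the clientAuth extended key usage called out so client certificates are visible in the report. The certificates it checks are constructed in the block itself; the bundle name and the 30-day window are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// CertStatus is the expiry report for one certificate.
type CertStatus struct {
	Name       string // caller-supplied label: file name, vault path, secret name
	Subject    string // subject common name
	NotAfter   time.Time
	DaysLeft   int  // negative once expired
	Warn       bool // expires within the warning window, or already expired
	ClientAuth bool // has the clientAuth EKU, i.e. is an mTLS client certificate
}

// CheckPEM parses every CERTIFICATE block in pemData and flags those that are expired or expire
// within warnDays of now. It reads certificate bytes rather than probing a port, so client certs are covered.
func CheckPEM(name string, pemData []byte, now time.Time, warnDays int) ([]CertStatus, error) {
	deadline := now.Add(time.Duration(warnDays) * 24 * time.Hour)
	var out []CertStatus
	for rest := pemData; ; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue // skip private keys or other blocks bundled in the same file
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		clientAuth := false
		for _, eku := range cert.ExtKeyUsage {
			clientAuth = clientAuth || eku == x509.ExtKeyUsageClientAuth
		}
		out = append(out, CertStatus{
			Name: name, Subject: cert.Subject.CommonName, NotAfter: cert.NotAfter,
			DaysLeft:   int(cert.NotAfter.Sub(now).Hours() / 24),
			Warn:       cert.NotAfter.Before(deadline),
			ClientAuth: clientAuth,
		})
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("%s: no CERTIFICATE blocks found", name)
	}
	return out, nil
}

// SelfSignedPEM builds a constructed self-signed certificate for the demo; it stands in for a gateway-issued client cert.
func SelfSignedPEM(cn string, notBefore, notAfter time.Time, clientAuth bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if clientAuth {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now().UTC()
	// Constructed inputs: an mTLS client cert 12 days from expiry bundled with a healthy server cert.
	client, _ := SelfSignedPEM("gateway-mtls-client", now.Add(-300*24*time.Hour), now.Add(12*24*time.Hour), true)
	server, _ := SelfSignedPEM("shop.example", now.Add(-30*24*time.Hour), now.Add(300*24*time.Hour), false)
	statuses, err := CheckPEM("gateway-bundle.pem", append(client, server...), now, 30) // assumed 30-day window
	if err != nil {
		panic(err)
	}
	exit := 0
	for _, s := range statuses {
		if s.Warn {
			exit = 1 // non-zero exit so a cron job or CI step can page on it
		}
		fmt.Printf("%-20s clientAuth=%-5t notAfter=%s daysLeft=%4d warn=%t\n",
			s.Subject, s.ClientAuth, s.NotAfter.Format("2006-01-02"), s.DaysLeft, s.Warn)
	}
	os.Exit(exit)
}
```

Run it from a scheduled job against every certificate your services present to a vendor, not just the ones vendors present to you, and treat a non-zero exit as a page. The warning window should be longer than the time it takes to get a replacement certificate issued by the vendor, which for a gateway-issued mTLS credential can be days rather than minutes.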
If you have an online store, have you ever considered that you have options? Back in 2014, we were introduced to Spreedly through a marketplace project that had dozens of payment gateways. Rather than integrate directly with each gateway, we integrated with Spreedly once and configured each gateway from there. Then, in 2018, a client asked for help reducing the scope of their PCI compliance. The problem was that with multiple payment gateways, implementing and maintaining a vendor-hosted payment form for each one becomes complex, and keeping every integration current as new features are rolled out adds to that complexity.
Bear in mind that while most eCommerce platforms allow more than one payment gateway to be configured, not all platforms support all integration types for all supported gateways.
Spreedly is a payment orchestration platform, which provides many solutions for managing your payments workflow. For our specific use cases, the benefits were numerous and we only took advantage of a handful. On the surface, Spreedly allows you to integrate once, then configure multiple payment methods. Tokens are generated by Spreedly, and are portable across gateways, allowing merchants to switch between gateways with a few clicks. Finally, depending on the integration, Spreedly offsets much of the technical PCI compliance for your project.
Building new features for each payment gateway as they are rolled out can be more complicated than it feels on the surface, especially when dealing with implementations such as 3DS2. Gateways will implement support at different times, and will have familiar flows but with slightly different requirements.
Having a single point of integration allowed us to build a single module that supports the features we need, such as a hosted payment form, 3DS1, 3DS2, and tokenization -- and the rest of the configuration is managed in Spreedly. The amount of time saved in development alone is worth it.
Normally, when you have multiple payment gateways, each token for a saved credit card belongs to the gateway that generated it. A token created with Cybersource cannot be used with Authorize.net, so if you changed gateways the customer would need to re-save their card.
Spreedly solves this problem by "owning" the token. Since a token for a saved credit card is created via Spreedly, it can be used across multiple gateways without the customer being impacted. On top of that, they can even assist in obtaining the tokens from your existing gateway and importing them into Spreedly.
Without Spreedly, imagine you have Braintree as your primary gateway with Authorize.net as a backup. You have them both configured in your platform, and when your primary suffers an outage, you switch to your backup gateway. This can create a nightmare scenario for you and your customers.
From a customer's perspective, their saved credit card won't work and for new customers, if they save a card then it won't appear for future logins when you switch back.
Things get much worse for you as the merchant. For example, if you authorize a card when the purchase is made, you could have issues capturing when the order ships. (Side note: I do realize that this isn't necessarily the case, and that a robust implementation would work as expected, but it's a simple example to describe the point.)
Once we developed Spreedly integrations for the platforms our clients ran, we could change the gateway on the fly with no impact to the customer or operations. Saved cards continued to work, and payments were routed to the correct gateway by Spreedly.
PCI scope is the big one. As your transaction volume moves you up the PCI DSS merchant levels toward level 1, your requirements and responsibilities become much more complex. If you are not using hosted payment forms or off-site payments, the architecture of your payment implementation deserves deep consideration, because every system that card data passes through is in scope.
Offsetting PCI scope can save money in the long run and reduces your liability exposure. It can also help with platforms that are nearing end of life or are difficult to patch: if card data never touches the platform, a compromise of it does not directly expose cardholder data.
PCI compliance is very different at level 1, and the pool of expertise you need to bring into your company grows with it. Ongoing development, scanning, and maintenance become standing obligations rather than one-off projects.
Sure -- this sounds perfect. So why isn't everyone doing it? Honestly, like everything else, there's a time and a place. We work with clients of all sizes, and until you reach a tipping point, a solution like Spreedly may be cost prohibitive. Pricing is based on a monthly fee plus a charge per API call, and each pricing tier supports a different number of gateway integrations.
Additionally, there are no official eCommerce platform integrations. This makes sense, as each implementation will vary slightly, but it does add an upfront development cost.
Finally, you may not need it at all, even as a larger merchant. Many gateways, such as Braintree, CyberSource, and Authorize.net, now offer enterprise-level services. We are not currently working with these offerings, so your mileage may vary, but they are available.
Well, that's pretty much it. Spreedly is awesome, and if you have a high-value or high-volume (or both!) business, we definitely recommend considering a solution like Spreedly to handle your payment routing. It's an amazing service, and everyone we have interacted with has shown expertise in both the product and the technical aspects of the platform.
With that, if you are currently reviewing your PCI strategy and have questions, please reach out to us through any of our channels and we'd be happy to talk.
If you’d like to learn more about SUMO Heavy, drop us a line, give us a call or contact us on social media.