Looks fantastic. I'm interested already and we don't have an immediate need for the API - but even the web UI looks great.
Very little information on your site, though. Some questions strike me:
- What path does the money take from the customer to the user of your service (e.g. me), and how long does it take to get there?
- What kind of backing/insurance/licenses do you have? If you're a tiny startup, there's risk for users of your system if you go bust and any money in transit disappears.
Very good points. I hope you will put up more substantial information on your web site.
Consider that we are supposed to trust you with our customers' credit card information, their and our money. Currently I'm thinking: Who are you and why should I trust you? There is no information on your site which would give me any confidence. I'm sure you have all the info, but please share it with us.
OMFG THANKYOU!!! We've been ridiculously disadvantaged with no Stripe, Dwolla, WePay, Square etc. So many startups have been launched and funded (in the states) that were possible primarily due to Stripe integration. Not much of a choice here other than PayPal.
"But I guess we Australians should be used to being ripped off by now" With such a "dog beaten" attitude I'd say it's self fulfilling. Perhaps wait to see what those fees are, relative to your other options in Australia, before drawing such a depressing conclusion?
I know this is likely going to be better than "other options in Australia", and I respect their efforts for making this happen, but that's not my point. I was comparing "options in Australia" to "options in the rest of the world".
The same happens with a lot of different things, such as the cost of computer hardware/software, furniture/home appliances, cars, etc. Occasionally it's possible to work around it: I buy most of my gadgets from Amazon or other US/EU online retailers, and even with international shipping it's cheaper than buying locally. Unfortunately we often get hit hard on the larger, more expensive items that are impractical to import: IKEA furniture costs 3x as much as in the US, cars 2x as much.
Economies of scale, it's a lot easier to sell to 300 million people than 20 million.
Plus we have the 2nd highest minimum wage in the world (over 2x as high as the US, our welfare is almost as high as their minimum wage) and we live in an amazing country, so it all balances out.
I'm very interested to understand why they have a monthly fee - surely having an easy to implement payment API would mean AU developers flock to it given our lacklustre other choices?
PayPal is the most common option in Australia, but for one reason or another they never launched PayPal Pro there, which means that people are stuck with the older IPN-based flow, which has some disadvantages (more confusing, doesn't make it clear that you don't need a PayPal account, poor Google Analytics integration).
Firstly, it's fantastic to see a service that will hopefully provide a breath of fresh air to a sector that has almost become archaic, and therefore difficult to use, in Australia.
What sort of red-tape has been causing you the most trouble?
Also, are you partnering with one of the banks?
[update: never mind, found one of the co founders, http://dompym.com/ pretty impressive, he's ex SAP and ex Clear Interactive, acquired by the NZ exchange]
I'll say "thank you" after I know more about the pricing and fees and how long it will take before my money appears in my bank account. It's great that you are setting up something like this and I really hope for the best. Would love to use it, but as others have commented, down here we are used to being ripped off, so when I see "monthly charges", I'm already a bit wary. Still hopeful, but a bit concerned.
Also, I really hope this will work for Kiwis as well?
Presumably, the service will be better.
Banks in Australia usually need a deposit of one year of sales if you take yearly subscriptions. Then you need to go to a payment processor, who charge their own fee structure on top. But the banks do give you decent service, in that you have someone to call when something goes wrong.
The worst part of PayPal is undoubtedly the service, I've had experience where they locked the account and demanded social security no.s and registration information (via fax) for which there are no Australian equivalents. After months of them asking for things that don't exist, it took a complaint to the Financial industry ombudsman for them to de-restrict the account to allow us to withdraw the funds.
Yeah, PayPal has its own problems of course, such as the horrible service like you mention. I had a payment dispute once where neither the customer nor the seller (me) had an issue, but PayPal had automatically flagged it as suspicious for reasons they wouldn't specify. Mind you that was 1 problem in several hundred transactions, so it wasn't too bad for me overall. I just think $50/month would be hard to bear when you've got PayPal in the same market at no monthly fee and a lower rate.
Awesome, thanks for this. A couple of years ago I was trying to get set up with a merchant account at BankWest for online C/C processing - the BW guys in their online merchant team were totally taking the piss. Kept me waiting for 8 weeks without an answer - so in the end I had to go with PayPal.
Awesome news. Like many Australian devs I have been feeling a distinct lack of love from other payment solutions. And now I see in a comment above that Braintree is on its way as well.
Who knows, maybe VCs will start investing in Aussie based startup as well?
Don't believe the hype. It's more difficult to raise capital in Australia, but it's completely possible. You need to network hard in order to make connections, but the money is out there.
+1 there's absolutely no reason why they cannot get it working for New Zealand -- considering most of our banks are actually owned by Australians, and typically use the same systems!
That's great to hear! I'm a NZ developer, and this would be a pretty big incentive to get a few of my small startup ideas off the ground. Paypal sucks.
Using an HTTPS connection is all well and good, but it is not enough. HTTPS is susceptible to man in the middle attacks [1], and securing the params with a pre-shared secret key is essential.
The extra cost in 'complexity' is really far outweighed by the (warranted) extra security.
sslstrip requires a valid root CA, or an SSL library that doesn't check the signing chain. After using it though, the parameters are unencrypted and so can simply be sniffed.
Are you attempting to reencrypt the parameters with another key? If so then why run that through https?
> Are you attempting to reencrypt the parameters with another key? If so then why run that through https?
I think they are talking about generating a hash from all of the parameters in the request + a secret, pre-shared key. Doing so prevents MITM attacks from changing the parameters.
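The parameter-signing scheme described in the comment above, as an added example that is not part of the thread and is not Pin's API. It uses HMAC-SHA256 rather than a bare hash of "params + secret", and the parameter names, the `timestamp` field and the 300-second replay window are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import quote

MAX_SKEW_SECONDS = 300  # assumed replay window, not taken from the thread


def canonicalize(params: dict) -> bytes:
    """Sort keys and percent-encode so client and server hash identical bytes."""
    pairs = sorted((str(k), str(v)) for k, v in params.items() if k != "signature")
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in pairs).encode()


def sign(params: dict, secret: bytes, now=None) -> dict:
    """Client side: add a timestamp and an HMAC over every other parameter."""
    signed = dict(params)
    signed["timestamp"] = str(int(time.time() if now is None else now))
    signed["signature"] = hmac.new(secret, canonicalize(signed), hashlib.sha256).hexdigest()
    return signed


def verify(params: dict, secret: bytes, now=None) -> bool:
    """Server side: reject stale, altered or wrongly keyed requests."""
    try:
        ts = int(params.get("timestamp", ""))
    except (TypeError, ValueError):
        return False
    current = time.time() if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False  # too old or too far in the future: treat as a replay
    expected = hmac.new(secret, canonicalize(params), hashlib.sha256).hexdigest()
    supplied = str(params.get("signature", ""))
    # Constant-time comparison so the check does not leak how many characters matched.
    return hmac.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    secret = b"constructed-pre-shared-key"  # constructed sample value
    request = sign({"amount": "1000", "currency": "AUD",
                    "card_token": "tok_constructed"}, secret)
    print("untouched request accepted:", verify(request, secret))
    print("altered amount accepted:   ", verify(dict(request, amount="1"), secret))
```

The signature protects integrity only: the parameters still travel in the clear unless the transport encrypts them.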
This article also inspired me to lock down my own API I designed; it's really good advice. The only question is, since they wanted to provide a very simple interface, what is the right trade-off between security and developer UI?
I can't see any point in signing the params - an attacker only cares about the CC info, not some hash value. The only use for a secret key would be to encrypt all the params. But SSL already does that...
I was thinking about this too--what access does that API key give someone? Even if it's just to charge a card, it's a risk since it can be used by bad people to validate stolen credit cards.
Either I put my secret key in the javascript and initiate the request in the browser (thus leaking my secret key), or I accept the inputs onto my server and forward the request to Pin, thus increasing PCI compliance burden because now sensitive data is passing through my server.
I'd like this more if it functioned closer to Braintree's transparent redirect. https://www.braintreepayments.com/developers/api-overview No sensitive data ever touches my servers (customer's POST goes to Braintree, and then they redirect to my server with a query string token that I use to validate the tx with Braintree).
It looks like they provide pin.js so that your server never has to accept the credit card details, but rather a single-use token (much like Stripe, I believe).
Oh, that's cool, thanks for the docs link. I like the way the API hijacks the form submit and replaces the card with the token. I'm still a bit curious as to what a nefarious user could do with your "publishable API key," but this is much better than I had initially thought.
> I'm still a bit curious as to what a nefarious user could do with your "publishable API key,"
I suspect very little if they don't also have your 'secret' API key. I guess they could request a single-use token for a card, but I don't think they could then do anything with it.
Can someone explain why a separate payment system is needed for Australian developers? My naive understanding is that credit cards are global from a consumer perspective (i.e. a credit card will work in any country in the world). Are things different from a developer perspective? If so, why?
> Are things different from a developer perspective? If so, why?
Broadly speaking, because the credit card industry is a massive, bloated, inefficient mess, and the effort and liability required for a small business to participate in that mess directly can literally be business-destroying. And that's assuming the Powers That Be graciously allow you to play their little game at all, which may take several weeks of approval process to decide, and will almost certainly come with silly levels of fees on each transaction and terms so one-sided they could right a sinking ship even if you do jump through all of their hoops.
Having an intermediary that can provide a simple API that just works instead of having to integrate with some absurdly complicated and poorly documented API offered directly by the big players can save weeks of hassle. Similarly, having an intermediary that can take care of compliance with the dreaded PCI DSS (the industry security standards) is also a huge win. Finally, because the intermediaries tend to be bigger fish in the pond, you will often get a significantly better deal out of them in terms of how quickly you get your money, and how much of your money you actually get to keep.
All of this is particularly true for start-ups with no trading history, which of course will include just about any new on-line business. Once you've got a proven track record you can give solid answers to the financial questions and actually make the big boys compete for your business as they should, at least to some extent, but if you're starting from zero then the first thing a lot of these companies see is a huge potential fraud risk, particularly if you're in any kind of "dubious" industry or, again like many on-line SaaS businesses, you want to use a continuous payment authority to take recurring payments from a customer's card and not just a one-off transaction.
Unfortunately, there has to be some sort of big player on the other side of any intermediary (or, possibly, several big players used for different kinds of transaction) and so it's not unusual for these intermediaries either to be limited in geographic scope or to provide a partial service but still require you to sort out your own connections with a payment gateway and/or merchant account based in your region (though the intermediaries will probably be able to help with that process, which is still better than nothing). Thus while the US appears to have an effective and fast-growing young industry in payment processing services, those of us in other regions can only look on with jealousy and bow down before the mighty PayPal/Google/other vast multinational with a self-contained payment service.
> My naive understanding is that credit cards are global from a consumer perspective (i.e. a credit card will work in any country in the world).
As someone who has credit cards from 3 different countries, I can tell you that's very wrong. I'd like to think my CC works anywhere, but oftentimes when they ask for a ZIP and I don't have one, that's a deal breaker. Sometimes when the person sees the card is from another country (name of country is in the bank name) they refuse to use it, even when it matches my accent and driver's license.
Also it would have been nice if VISA had a global "credit rating" instead of a separate one for each country. Unfortunately, I now have zero credit in my new country, which is painful when I have amazing credit in my previous country. (all VISA cards)
> Also it would have been nice if VISA had a global "credit rating" instead of a separate one for each country. Unfortunately, I now have zero credit in my new country, which is painful when I have amazing credit in my previous country. (all VISA cards)
Pro-tip: if you deal with a bank that has branches in both countries, and you're sufficiently good of a customer that they can justify an hour of work for you, you can get around not having a credit history in your newest country of residence. CitiBank, for example, has an employee in Tokyo whose only job is being attached to an Experian terminal to make credit decisions for American expatriates. (It is highly likely that branch level employees at most CitiBanks are unaware of his existence, so the high-percentage plays are either speaking to their wealth management group, speaking to their "executive relocation" group, or sending the bank a letter.)
There are two sides to the equation: a) owning a credit card and using it, and b) accepting a credit card and processing money. The latter part is all driven by local/national banks and rules and regulations.
It's not the customer side that's the problem; it's the third party services. Nothing is available here. Stripe isn't available here. Google Checkout isn't available here. Recurly is possible through a PayPal gateway, but you still need a merchant account for that, and it's a huge mission to bill in USD (something you take for granted when you are inside the US, but by default, merchant banks will charge your customers in your local currency).
Hosted PayPal is country-agnostic, but it looks amateur hour.
Really hoping that this will be like the old PayPal, where you could just set up an account (or multiple!) and just go and start collecting credit card payments.
Can't do this anymore as they only allow you to link your bank account to a single PayPal account. Also there are a lot more ID requirements nowadays, so you can't just set up a virtual business like you used to - a separate account for each new website.
I can understand why, but surely a suitably long holding period (account probation period) would solve the fraud and chargeback issues caused by the scammers who ruin it for the rest of us!
I wouldn't say there's a whole lot of idea in this ("bring Stripe to Australia please" is not new) but I'm hoping the implementation and pricing are both great.
The major problem with financial transactions is that each country (or I guess, _most_ countries) have different laws regarding banking, fiduciary responsibility etc.
Paypal/Amazon/GCheckout work globally because they use CC and charge handsomely for the privilege. Companies like Pin, Stripe and Dwolla are trying to cut out the idea of merchant accounts (which create the major hassle for a lot of small practitioners), but that means tailoring your service for local laws = hard problem.
I can't tell you how happy I am to see this. I was excited to hear about Braintree expanding to Australia a couple of days ago, but this is much more promising.
Do you have plans to incorporate recurring charges as well?
I would be curious to know why you think this looks more promising than Braintree.
Disclosure: I work at Braintree. I'm not trying to shill here - I'm genuinely curious about how people think about our stuff vs. other payments companies.
Mostly on my end it is because they are a new player in the game and need to make an impact (be it via lower pricing or other value-added means) and also because they are an Australian company. I'm also hoping that this will bring a little more competition to this space in our country as it has been stagnant for quite some time.
In saying that, 'more promising' was probably a poor choice of words and I am not discounting Braintree at all. As an early stage startup your pricing took me back a little but not enough to sway me away. I have signed up to your mailing list to be made aware of when you guys launch here and am also looking forward to checking out your offering.
Thanks for the interest. It is always good to see companies provide a presence on these forums and certainly accentuates your products to me.
Ohhhh thank goodness! We've been waiting a long time for something like this. It's ridiculous how long it takes to get set up on WPP or eWay with a merchant account.
Holy crap I love you guys so much! :D I have seriously been looking for a good payment processor that isn't paypal for over 5 years now, EVERYONE is US only.
It's supposed to mean that the API responds with JSON data (as opposed to, say, XML). "REST" here just means we use standard URL patterns and rely on HTTP verbs (e.g. GET), to get stuff done.
No, "gb" are the initials of one of the developers. They're targeting Australia first, but I guess world domination is always possible if things go well.