CRE Secure Payments LLC's technology duplicates merchants' payments pages, including logos, pictures, text and other design elements.
Greg McGraw, the Atlanta company's president and chief executive, said that, unlike other hosted payment products, CRE's service lets retailers fully control the look and feel of their websites to prevent shoppers from backing out of purchases. It also meets the Payment Card Industry Data Security Standard, he said.
"The biggest challenge for any merchant, large or small, is protecting the environment," McGraw said. "They like the convenience and continuity of accepting credit cards in their own environment, but that's where the vulnerability exists."
PCI standards require merchants and other parties that collect cardholder data to take steps to secure the information.
CRE, a subsidiary of Chain Reaction Ecommerce Inc., is one of several companies that offer online retailers "hosted payment pages," which let them accept payments without having to actually handle card data — or take on the burden of PCI compliance. Some of these companies direct shoppers to hosted checkout pages that look significantly different from a merchant's main website, which can be jarring for customers.
Other companies allow merchants to maintain the appearance of their site by inserting hosted data-entry forms into their checkout pages. Such services have become popular among midsize and larger retailers, but integrating these forms into existing payments pages can be difficult for smaller merchants, experts said.
Merchants "don't like to be connected to someone else's payment pages, because they lose control and they lose continuity and in many times it confuses the shopper," McGraw said. "They want the flexibility of owning that end-user experience. That's what we do. We give them … total control over the end-user experience."
While hosted payments pages are not a new idea, CRE's strategy is distinct, security experts said.
"It's their approach to how they create and maintain the page that's unique. I'm not aware of others that are using CRE Secure's approach," said Allen Weinberg, a managing partner with Glenbrook Partners LLC, a payments research firm in Menlo Park, Calif.
To a merchant's customers it would appear they are still on the retailer's site when in fact they are not. CRE generates a duplicate page each time a retailer's customer goes to make a purchase.
"We are cloning that website on demand every time, so there's no special templates or special programming" that a merchant needs to create, McGraw said.
CRE's service, which has been available since June 2009, has gained the most traction with small online merchants that are doing less than a thousand transactions per month. But it is also generating interest from medium and larger merchants looking to simplify website maintenance.
Currently, its smaller customers average 200 transactions a month, while its enterprise customers average about 5,000 transactions a month, according to McGraw. About 95% of CRE's clients are small or midsize, he said.
The company has more than a thousand customers and added 175 new ones in the last month.
For small and midsize merchants, CRE charges $20 per month if they have 250 or fewer card transactions per month. A merchant who goes above that is charged 10 cents per additional transaction, McGraw said.
For enterprise clients, CRE negotiates a per-transaction fee based on volume that averages 9 cents to 12 cents, he said.
Aaron McPherson, a practice director with IDC Financial Insights in Framingham, Mass., said using an outsourced payment page is a "straightforward way to avoid PCI compliance issues," especially for small merchants that don't want to send customers to a different website, with a different appearance, when they are ready to make a purchase.
