Selecting a payment processor

CiviCRM may be used for fundraising with or without processing online contributions. For example, you could use CiviCRM to support a direct mail and telemarketing operation and require online donors to mail in checks. You can also accept in-kind donations online without setting up a payment processor. However, the power and potential of the software is better realized when you implement a fully integrated online payment system.

Some organizations continue to use external online donation systems as they begin to use CiviCRM, which involves transferring the transactions to CiviCRM in order to use it as their centralized CRM for segmentation and reporting. This is a cumbersome approach given the ease of using CiviContribute to process online donations.

Most organizations doing online donations, event registrations, and membership and subscription payments will find it worthwhile to set up online payment processing in CiviCRM.

Payment processors, sometimes known as payment gateways, assist in transferring payments from payers to you, the payee receiving the funds. CiviCRM relies on the processor to do the complicated work of connecting banks and credit card/debit card companies together to make sure money is properly moved from the donor's account to yours. The CiviCRM core team and the CiviCRM community have worked to create plugins for about a dozen payment processors. Information on each, and links to configuration pages for some of them, can be found at http://wiki.civicrm.org/confluence/display/CRMDOC32/CiviContribute+Payment+Processor+Configuration. In order to use CiviCRM for online financial transactions, you'll need to choose one of these payment processors, set up an account with them, and configure CiviCRM to work with it.

If you are just starting out and trying to decide among several processors available to you, the number of considerations to take into account can be bewildering. We recommend starting your decision by determining which ones are available in your country. Most CiviCRM users will have a variety of options.

You may also find that none are available in your country or that you would like to use one that is not yet supported. For example, you may be using a payment processor for your point-of-sale terminal or check processing, and would like to add online payment processing to your existing account with them. There are instructions available for developing new payment processor plugins for CiviCRM (visit http://wiki.civicrm.org/confluence/display/CRMDOC32/Creating+Additional+Payment+Processor+Plugins).

Most payment processors provide technical documentation to assist developers in creating a plugin for packages like CiviCRM, since it increases their volume of business. A variety of consultants are available to assist you and the community in creating and supporting a plugin for other payment processors (http://civicrm.org/professional). If you find that there are compelling reasons for using a different one, others might want to use it as well.

E-commerce websites, including sites that accept donations to non-profits, interact with payment processors in two common ways as illustrated in the following two diagrams:

In the first architecture, the e-commerce website itself securely handles the credit card or other financial account information by talking to the payment processor behind the scenes, while the user waits for payment to be processed.

The second approach is a low-end one in which the e-commerce website interacts with an external payment processor that serves its own user-facing pages. In this method, your e-commerce website calculates what needs to be paid, then sends the user to the payment processor's secure website where the payment is handled, after which the payment processor site sends the user back to the e-commerce site.

If configured properly, both systems transmit sensitive information such as credit card numbers in securely encrypted form. Since CiviCRM does not store sensitive information regarding the transaction, both methods offer good e-commerce security.

While both approaches are viable and effective, there are pros and cons to both:

 

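| Consideration                                                      | External Hosting | Internal Hosting |
|--------------------------------------------------------------------|------------------|------------------|
| SSL certificate purchase and setup required                        | No               | Yes              |
| Potential security risk to credit card data                        | Extremely low    | Very low         |
| Available on low-end shared hosting                                | Yes              | No               |
| Need to keep your server secure                                    | High             | Very high        |
| Loss of your visual branding                                       | Yes              | No               |
| Donors exposed to possibly irritating payment processor messaging  | Yes              | No               |
| Usability                                                          | Poorer           | Better           |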

We recommend using a payment processor that offers internal hosting for all but the lowest volume sites. If you are new to online payments and don't yet know what kind of volume your constituents will generate, consider implementing the simpler external hosting solution until you can gauge the response and determine if internal hosting is worth the additional cost.

Internal hosting requires you to obtain and set up an SSL certificate because your site must communicate securely with your users' browsers to process their credit card details. External e-commerce hosting, where your users are transferred to your payment processor's site to process the transaction, is secured using their SSL certificate.

SSL is a communications protocol that allows your users' browsers to talk to your server without anyone listening in. It does this by securely encrypting the information that goes back and forth using special keys. Internet users are becoming familiar with the fact that pages with http:// at the start of their address are not secure, while those with https:// can be secure. Browsers also display a small lock icon when displaying secure pages:

The cost of SSL certificates continues to come down as they are commoditized, and the ease of installing them continues to increase. Hosting providers like RimuHosting remarket RapidSSL certificates for as little as USD$40 including installation. Security companies continue their efforts to create demand for higher-priced SSL products with more features, such as dynamic "Certified by" logos for your site, having your organization name appear in the browser address line, and higher levels of warranty. Try shopping around for a good price on whatever certificate you select (http://www.namecheap.com/ssl-certificates is a good source at the time of writing this book).

While considering different payment processors, other factors come into play as well, such as which credit cards are supported, the cost of different options, and whether they support advanced features such as recurring contributions. In our view, it rarely makes sense to save money on payment processors at the expense of usability since just a few lost donations are generally more "expensive" than the savings. However, there are often significant differences in the cost of payment processors that provide the same level of usability. These differences are highly dependent on the number and size of donations and what credit card or other payment instrument is used.

One factor that can play a significant role in cost is whether the payment processor requires you to have a merchant account. These usually involve separate charges for your bank, though sometimes they may be bundled into the payment processor's charges. Automatic transfers into your merchant account, instead of regular manual interventions to get money out of your account at your payment processor, can prove useful and worthwhile for higher volume organizations.

Here are some of the charges you should ask about when comparing the cost of different options, even though they may be minimal for some processors and/or merchant accounts:

  • Initial payment processor account setup charge
  • Initial merchant account setup charge
  • Consulting or staff time to deal with payment processor and merchant account for setup and approval
  • Fixed monthly and/or annual costs for payment processor and merchant account
  • Commissions as a percentage of charges for payment processor and merchant account, sometimes with discounts for higher volumes
  • Per transaction charges for payment processors and merchant accounts
  • SSL certificate cost for the first year and annual renewal costs
  • SSL installation cost for new and renewed certificates

Use an estimate of the number of transactions and their value per month to compare the processors. Higher fixed monthly costs paired with lower commissions and per transaction charges favor organizations with stronger online fundraising, while ones with small or nascent online fundraising tend to benefit from paying lower fixed charges and the accompanying higher percentages.
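The comparison described above can be worked through in a few lines of Python. This is an added example, not part of the original chapter or of CiviCRM; the two fee schedules and every figure in them are constructed sample values, and the names `FeeSchedule`, `first_year_cost` and `break_even_volume` are hypothetical.

```python
from typing import NamedTuple, Optional


class FeeSchedule(NamedTuple):
    """One processor/merchant-account option. All values are constructed samples."""
    name: str
    setup: float             # one-time processor + merchant account setup charges
    monthly_fixed: float     # fixed monthly processor + merchant account costs
    commission: float        # fraction of each charge, e.g. 0.035 for 3.5%
    per_transaction: float   # flat charge per transaction
    ssl_annual: float = 0.0  # certificate + installation (internal hosting only)

    def first_year_cost(self, tx_per_month: int, avg_amount: float) -> float:
        # Variable cost of one month: commission on the value plus the flat fee.
        variable = tx_per_month * (avg_amount * self.commission + self.per_transaction)
        total = self.setup + self.ssl_annual + 12 * (self.monthly_fixed + variable)
        return round(total, 2)


def break_even_volume(a: FeeSchedule, b: FeeSchedule, avg_amount: float,
                      max_tx: int = 100_000) -> Optional[int]:
    """Smallest monthly transaction count at which b costs no more than a
    over the first year, or None if b never catches up within max_tx."""
    for n in range(max_tx + 1):
        if b.first_year_cost(n, avg_amount) <= a.first_year_cost(n, avg_amount):
            return n
    return None


# Constructed schedules: an externally hosted option with no fixed costs,
# and an internally hosted one with setup, monthly and SSL charges.
LOW_FIXED = FeeSchedule("low fixed, high commission", setup=0.0, monthly_fixed=0.0,
                        commission=0.035, per_transaction=0.30)
HIGH_FIXED = FeeSchedule("high fixed, low commission", setup=100.0, monthly_fixed=30.0,
                         commission=0.022, per_transaction=0.25, ssl_annual=40.0)

if __name__ == "__main__":
    avg = 50.0  # constructed average donation
    n = break_even_volume(LOW_FIXED, HIGH_FIXED, avg)
    print(f"High-fixed option becomes cheaper at {n} transactions/month")
    for volume in (10, n, 200):
        print(volume, LOW_FIXED.first_year_cost(volume, avg),
              HIGH_FIXED.first_year_cost(volume, avg))
```

Replace the sample figures with the quotes you receive for each charge in the list above, and rerun with your own estimate of monthly volume and average donation.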

Organizations without deep experience in fundraising tend to overlook the importance of a steady stream of income from monthly pre-authorized payments and the higher amounts of total donations they engender from donors. We strongly encourage making recurring payments a priority in fundraising plans, and as a result believe that you should select a payment processor with a plugin that supports them, or consider funding the enhancement of a plugin that has yet to implement that functionality for a processor. For organizations with a good prospect list for pre-authorized payments, any extra charges for this functionality will be a good investment.

PayPal Standard and PayPal Pro are two of the most widely available payment processors, and the ones that receive the best core CiviCRM team support. While PayPal Standard is a widely available, inexpensive, and easy-to-implement option, you should be aware of several caveats before you select it. As an external payment processor, it suffers from poorer usability that results in a higher rate of abandonment, as users are confused by the redirection to an external site for the processing step. This is more than just lost revenue, as users often hit the "back" button when confronted with payment processor usability problems, which may cause unexpected results in CiviCRM (or other e-commerce applications), especially for event registrations. These problems may require staff time to sort out.

In fact, the poor usability of PayPal Standard goes well beyond the poor usability of other external processors. Some of this appears to be due to deliberate decisions by PayPal to discourage direct payment with credit cards and encourage people to set up and always use a PayPal account. Users who try to pay with credit cards rather than a PayPal account get security warnings that are debatable. If people have, at any point, set up a PayPal account, it prevents them from paying directly with a credit card. This can make it difficult for users to understand how to pay. In addition, users with PayPal cookies in their browser for any reason may also experience problems completing their transactions.

Be aware that PayPal places a three to five-day delay on transferring funds into your bank account. While some delay will always be expected, PayPal's tends to be longer than many other solutions. Since PayPal is often targeted by fraudsters, their increased aggressiveness in combating fraud results in "false positives", meaning that your account may be suddenly frozen for a variety of reasons without warning.

Organizations claiming non-profit or charitable status seem to receive additional security scrutiny. Further, if your bank account name does not exactly match your PayPal account name, you may have difficulty getting your money out, as PayPal will not release funds from a PayPal account in the name of John Smith to a bank account under Judy and John Smith's name. Obviously, having your funds frozen or unavailable for undetermined periods can cause significant issues in your normal operations.

We recommend getting started early on setting up a payment processor account and a merchant account, if necessary. This can take days or weeks to complete, and may involve providing the founding documents of your organization, which may be in a safety deposit box, and official certification of non-profit status.
