Redirect user for payment or let them stay on your site?


I am using Paypal subscription for charging the customers monthly. When they sign up, I have an option of either redirecting them to the Paypal site to enter the credit card details or gather this information on my site. I am not sure which one to use for development.

Pros of redirecting user to Paypal

  • Users trust paypal

Cons of redirecting user to Paypal

  • Choppy user experience. They are redirected back and forth.

Pros of gathering credit card information on site

  • Need to purchase a certificate as the page needs to be secure (https)

Cons of gathering credit card information on site

  • Users may not trust your site and would not like to provide CC info.
Did I miss anything? Any thoughts? Thanks.

EDIT: Based on the responses, it appears that people are torn between these two choices.


asked Feb 22 '11 at 05:12
345 points

3 Answers


My employer did some testing of their own on different payment scenarios and, surprisingly, a large percentage of users (88%) felt safer being redirected to Paypal / other payment gateways than they did entering their own details on a website.

The group made various comments, but all were mostly along the lines of, "I use Paypal when buying on eBay" and "Paypal has payment protection" and "My card details aren't shared with a potentially bad website."

Stick with the redirection; more people trust it than most know.

answered Feb 22 '11 at 12:25
Digital Sea
1,613 points
  • Great answer. Users trust something as prolific as Paypal or Amazon more than your site. – Kim Jong Woo 13 years ago
  • I agree with this. I trust an established payment gateway rather than every website storing my credit card details. – 108ium 13 years ago
  • @Investigator, not to mention if your money is stolen, third party payment providers like Paypal have some kind of protection up to a specific amount of which they will refund in suspicious circumstances, but so too will banks. – Digital Sea 13 years ago


Pros of redirecting to PayPal

  1. None
Cons of redirecting to PayPal
  1. User is redirected from the place they were trying to buy something from. This sets off red flags in many users' minds
  2. The site the user is redirected to doesn't match the design of your site, another red flag
  3. You don't control the information collected from the customer
  4. Many people don't trust PayPal. (Many do- but the negative and the positive balance out unless you are selling to businesses- and here the negatives outweigh the positives.)
  5. Delivery- how is it made once PayPal completes the sale?
  6. You can't even pull a graphic image from your own web site to show on PayPal- unless you have an SSL certificate- otherwise you get security warnings.
Pros of using your own SSL certificate
  1. User remains on your site
  2. Your order page matches the rest of your web site
  3. You control exactly what information is collected
  4. Your SSL certificate should inspire all the trust you need to complete the sale
  5. Once a sale is complete- your web site delivers the product
Cons of using your own SSL certificate
  1. It costs $50 or so a year
  2. Your web host has to be able to support SSL
answered Feb 22 '11 at 07:06
Gary E
12,510 points
  • I've heard the same about consumer perceptions of Paypal and off-site payment gateways and certainly agree from my end-user perspective. But where's the evidence/data on this? – Henry The Hengineer 13 years ago
  • We did A/B tests years ago. We aren't going to **ever** repeat them. Why lose money? – Gary E 13 years ago
  • +1 Great advice. The only pro I would add is that it's cheaper and simpler to implement: a good temporary solution, or an alternative payment for those who feel a bit cozier if they were on Paypal's site. – Frank 13 years ago


Storing credit cards is not just a case of "owning" an SSL certificate; that is the least of your issues. You are holding people's financial credentials. If your site is compromised you might be financially liable for any damages, but your reputation would certainly be in tatters.

Most merchant gateways and banks, and probably more importantly insurance companies, expect you to be "compliant" with PCI-DSS. This is a standard with levels 1-4 based on transaction amount and volume, which is expected to be adhered to. At the basic level it's a load of paperwork as well as a requirement to have a "secure network"; that's not just an SSL certificate, and unless you are running in suitable hosting it's something you will be unlikely to achieve.

Practically none of this is hard if you have a good infrastructure and a system admin who knows what they are doing, but before even pondering going down this route you need to understand there is a risk and cost associated with direct card processing.

Often, when you look at the actual costs of direct card processing via a merchant gateway alongside the PCI-DSS work/paperwork/scans (and yes, the shiny SSL certificate), not to mention the indemnity insurance, suddenly the loss of the occasional person doesn't always seem to be so bad.

I'm not trying to scare you, and if you are a mid-sized business with a relatively healthy turnover (or expect to be) then looking at non-hosted solutions may be a wise idea. Many merchant gateways offer PayPal as well as part of their offerings, and PayPal also offers a range of products other than their standard and Pro services (you may wish to look at PreApprovals via the Adaptive Payments API).

answered Feb 24 '11 at 05:59
Tim Nash
1,107 points
  • My understanding is that if I use the Paypal API, although users are entering the credit card details on my site, I don't store any of them. CC info is stored on the Paypal site and I will be PCI compliant. Correct me if I am wrong. – User3462 13 years ago
  • If the form is on your site (i.e. you are using PayPal Pro) then you are still required to undergo PCI-DSS. The amount of work is reduced compared to using a full gateway, but you still have to go through it. Normally with PayPal Pro you use either NVP or SOAP to process the payment, often using cURL. While you may not be intentionally storing data, if cURL errors it dumps its post fields in the log (just one example; there are dozens of others). The point: just because you believe you're not storing the data does not mean you're not :) – Tim Nash 13 years ago
  • To follow up: basically, for the "hosted" option (i.e. the user goes to PayPal) the compliance is covered by PayPal; for the non-hosted option, i.e. Pro (where it's on your site), the compliance is both you and PayPal. – Tim Nash 13 years ago
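The comment above about a failed cURL call dumping its POST fields into a log is the classic way card data ends up "stored" without anyone intending it. As an added example (not code from the answer, from PayPal, or from any library), here is a small log sanitizer that a site taking card details on its own pages could route every gateway-error log line through. The field names (ACCT, CVV2, EXPDATE) and the sample request are constructed to resemble an NVP-style direct-payment call and are assumptions for illustration only; the PAN used is the well-known Visa test number, not a real card. Known card fields are blanked outright, and any other value is scanned for digit runs that pass the Luhn check, so a card number pasted into a free-text "note" field is masked too while an order number that merely looks numeric is left readable.

```python
import json
import logging
import re

# Constructed sample of what a naive "log the request on failure" handler
# would write. Field names imitate an NVP-style direct-payment request but
# are assumptions for this example, not any gateway's documented API.
SAMPLE_POST_FIELDS = {
    "METHOD": "DoDirectPayment",
    "ACCT": "4111 1111 1111 1111",      # standard Visa test PAN, not a real card
    "CVV2": "123",
    "EXPDATE": "122028",
    "FIRSTNAME": "Ada",
    "AMT": "9.99",
    "NOTE": "retry of 4111-1111-1111-1111",   # PAN leaked into free text
}

# Field names we never want in a log, whatever their value (hypothetical set).
SENSITIVE_KEYS = {"ACCT", "CVV2", "CVV", "CARDNUMBER", "CREDITCARDNUMBER"}

# 13-19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used so only values that really look like PANs are masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(match: re.Match) -> str:
    """Replace a Luhn-valid digit run with asterisks, keeping the last four."""
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw              # e.g. an order or tracking number: leave it
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_fields(fields: dict) -> dict:
    """Return a copy of the POST fields that is safe to write to a log."""
    out = {}
    for key, value in fields.items():
        if key.upper() in SENSITIVE_KEYS:
            out[key] = "[REDACTED]"
        else:
            out[key] = PAN_RE.sub(mask_pan, str(value))
    return out


def safe_log_line(fields: dict) -> str:
    """Serialise the redacted fields as one JSON log line."""
    return json.dumps(redact_fields(fields), sort_keys=True)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Only ever log the sanitised form, never the raw request dict.
    logging.info("gateway call failed: %s", safe_log_line(SAMPLE_POST_FIELDS))
```

The Luhn check matters for the free-text scan: without it, every 13-19 digit identifier in a log would be masked and the logs would become useless for support, which is usually how such filters get switched off again. It also does not make the application PCI-DSS compliant on its own; it only closes the one leak the comment names, and the same discipline has to be applied to exception traces, web-server access logs and debug dumps.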
