Integrating payments into a web application

If you ever make a web application and you want it to make money, sooner or later you have to deal with integrating a payment system. Here at BitTorrent Bundles, I've been tasked with integrating a payment system with our product, and it's been hell to deal with.
Once you deal with payments, you also have to deal with legal issues, with PCI compliance, with SSL and security, with international currencies and conversions, and with all the baggage that comes along with them.

What kind of third party payment systems are out there?
Well, building our own payment system would be a major hassle, since we would have to deal with PCI compliance ourselves, so a third party system is definitely the way to go: we wouldn't have to store any credit card information or take on the legal ramifications that come with it. Who do we have?

1) PayPal – the oldest, with the most 'legacy' API if you will, but generally the most accepted among consumers, especially consumers without a credit card.
2) Balanced Payments – I haven't vetted this one enough yet, but the API docs leave a lot to be desired.
3) Stripe – generally pretty good, has excellent API docs and examples, and makes it easy to integrate, but is not a 'white label' solution.
4) BrainTree – similar to Balanced Payments in that they let you have a white label solution, but with more thorough API documentation.

The one I've started with is Stripe, mainly because of their ease of integration: just embed Stripe's JS scripts in your page, make the API call to Stripe, get the token and send it to your database, that's it. In addition, they have some of the most excellent documentation I've seen from any service.

There are still a lot of challenges to go through when implementing this, however, in particular these questions:

  • How do Publishers sign up? How do we get their bank account information?
  • How do we take a cut of the payment and still distribute funds to them?
  • How do we deal with currency conversion and international customers?
  • How do users redownload torrents?
  • How do we deal with SSL issues since is not SSL certed?

These challenges are new to me, and people are still uncomfortable with the idea of paying for something on BitTorrent, which people have used for years to pirate content for free. But trust me, this is the first step to getting BitTorrent more validation as a legitimate platform for user-created content, on par with the likes of YouTube or iTunes. First, I can address these problems as follows:

How do Publishers sign up? Stripe Connect has a surprisingly robust implementation that lets us have the publisher enter their information through Stripe, which then posts back to us with a token that gives us their Stripe access token to create their bundle. This means we can bypass bank account information entirely, something we can't do if we integrate with BrainTree or Balanced Payments.

How do we take a cut of the payment and still distribute funds to them? This is tricky. You can either create a "master" Stripe account, akin to a BrainTree marketplace merchant account, and use that publishable key and secret key to create charges and customers on behalf of the publisher, passing in the application fee at charge time and using the Transfer API to distribute the funds to publishers; or use each publisher's publishable and secret key, so the payments go directly to each publisher, which is the intent of Stripe Connect.

International payments: This is also very tricky. According to Stripe, they support 130 currencies, but a Stripe account has to be settled in one currency. The same is true of the other payment services. The only way to get multiple sub-accounts settled in multiple currencies is to use Stripe Connect for each publisher separately, or the BrainTree equivalent, the Partners API. But if we have a master account, then it has to be that one currency.

How do users redownload torrents? We were thinking of storing the user's email and authenticating against that. Instead, I figured we can use the confirmation email to validate the email itself, and provide a download link with a confirmation token attached to validate the torrent download. The download link and the token can either expire or not.

SSL issues: We are looking to SSL cert the entire Bundles site, including localhost, which uTorrent needs in order to download torrents from the web, especially over SSL. This also avoids having to open a popup window from the page to prevent man-in-the-middle attacks, and then needing a way of communicating with the parent window.

Here's something cool I learned while researching this: we normally want to use HTML5 postMessage to communicate between windows, but IE8-10 doesn't support postMessage between popup windows. The child window does, however, have direct access to the parent window through window.opener, even in IE8!! We have to attach a global window method for this to work, so outside of IE using postMessage is still preferable, like so:

//In your parent window
$(window).on('message', _.bind(this.postMessageReceiver, this));
if (isIE) {
   // IE8-10: expose the receiver globally so the child can reach it via window.opener
   window.postMessageReceiver = _.bind(function () {
       //do redirect stuff here
   }, this);
}

//in your child window
function postMessageToParent () {
    var o = window.opener;
    if (isIE) {
        // no postMessage between popups in IE8-10: call the parent's global method directly
        o.postMessageReceiver();
    } else {
        // '*' lets any window that is now the opener read this; pin it to the site's origin in production
        o.postMessage('Event has happened', '*');
    }
}
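The same bridge with the checks a production version needs, as an added example that is not the post's code: the parent acts only on messages from the popup's own origin, the child pins the target origin instead of '*', and the IE path stays a direct call through window.opener. The function names and the fake window object are assumptions so the code runs outside a browser.

```javascript
// Added example (not from the post); function names and fake windows are assumed.

// Parent side. onMessage handles postMessage events and accepts only the popup's
// own origin and the expected payload. direct is the global method the IE fallback
// reaches through window.opener; that call only works when popup and parent share
// an origin, so the same-origin policy is the check there.
function createParentReceiver(allowedOrigin, onEvent) {
  const stats = { accepted: 0, rejected: 0 };
  function onMessage(event) {
    // event.origin is filled in by the browser; the sender cannot forge it.
    if (event.origin !== allowedOrigin || event.data !== 'Event has happened') {
      stats.rejected += 1;
      return false;
    }
    stats.accepted += 1;
    onEvent();
    return true;
  }
  function direct() { stats.accepted += 1; onEvent(); return true; }
  return { onMessage, direct, stats };
}

// Child side.
function sendToParent(opener, parentOrigin, isIE) {
  if (!opener) return 'no-opener';
  if (isIE) {
    // IE8-10: no postMessage between popups, so call the parent's global method.
    if (typeof opener.postMessageReceiver !== 'function') return 'no-receiver';
    opener.postMessageReceiver();
    return 'direct';
  }
  // Pin the target origin instead of '*': the browser then drops the message if
  // the opener has navigated to another site in the meantime.
  opener.postMessage('Event has happened', parentOrigin);
  return 'postMessage';
}

// Constructed stand-in for a parent window: emulates the browser by dropping
// messages whose targetOrigin does not match its own origin and by tagging the
// delivered event with the sender's origin.
function fakeParentWindow(parentOrigin, senderOrigin, receiver) {
  return {
    postMessageReceiver: receiver.direct,
    postMessage(data, targetOrigin) {
      if (targetOrigin !== '*' && targetOrigin !== parentOrigin) return;
      receiver.onMessage({ origin: senderOrigin, data });
    },
  };
}
```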