Setting up the HNB IPG for a Non-Profit Organization
I worked for a well-known non-profit in Colombo for seven years before retiring early due to personal reasons. One of my key accomplishments during that time was helping the organization set up an Internet Payment Gateway in partnership with Hatton National Bank, a project I continue to maintain to this day. This blog post is based on my firsthand experience with that implementation. I decided to publish it as more non-profits and businesses have approached me for guidance on setting up their own IPGs, often unsure of where to start. Please note that this is not a step-by-step guide, but the insights shared here should provide a solid foundation for getting started. If you need further assistance with setting up an HNB IPG or any other bank’s payment gateway, I am available for hire to guide you through the process and ensure a seamless, secure integration. Feel free to reach out for expert support.
Note: This information is relevant to all organizations, not just non-profits. The setup process remains the same, though the costs may vary.
My Reasons for choosing Hatton National Bank
Several banks and Fintech services in Sri Lanka provide Internet Payment Gateway (IPG) services. Leading entities in this domain include Hatton National Bank, Commercial Bank of Ceylon PLC, Seylan Bank, and Sampath Bank. Among Fintech services, PayHere appears to be the sole provider currently available in Sri Lanka. Hatton National Bank was selected as the IPG provider for the non-profit organization I previously worked for because it is the only bank that permits accepting donations through its IPG. Although other banks such as Commercial Bank, Seylan Bank, and Sampath Bank offer reliable IPG services, they do not facilitate the acceptance of donations. Similarly, the Fintech service PayHere does not support acceptance of donations. Therefore, while there are multiple options for selling goods and services online, Hatton National Bank is the only viable option for non-profit organizations in Sri Lanka seeking to accept online donations.
Hatton National Bank (HNB) partners with CyberSource, a global payment management platform, to offer secure online payment solutions to its clients. This collaboration enables HNB to provide advanced features such as the Zero Integration IPG-Link Service, which allows businesses to accept online payments without complex integration, although Hatton National Bank itself does not support Zero Integration. The service also includes a Merchant Portal for improved transaction management and visibility. While CyberSource supports secure recurring transactions, HNB itself does not facilitate recurring payments. By leveraging CyberSource’s technology, HNB helps businesses of all sizes streamline payment processes, enhance security, and deliver a seamless payment experience, supporting multiple payment methods for efficient and secure online transactions.
Prerequisites for setting up the HNB IPG
The Hatton National Bank (HNB) Internet Payment Gateway service is offered through the HNB Card Centre. To qualify, businesses and non-profits must already be accepting physical card payments. If not, they must first establish physical card payment acceptance before applying. Non-profits must provide documentary proof of their status, while businesses must submit a copy of their business registration. If you are a place of worship, you must submit the necessary documents, such as an Act of Parliament or other official certification. Additionally, a functional website with a valid SSL certificate is required, as online payments cannot be accepted without one. It is also essential to hire a reliable developer to implement the Payment Gateway Bridge, which links your website to the HNB IPG. I will elaborate on this requirement in the next section.
The cost of the HNB Payment Gateway
The IPG I helped set up was originally implemented in 2019, so costs may have increased since then. However, back then, HNB offered us the most cost-effective package. They waived the initial setup fee, and we agreed to pay LKR 35,000 per year plus 3% of every successful transaction. I believe these charges were tailored for the non-profit, and if you are a business, the costs will likely be higher. As for the Payment Gateway Bridge, our website was powered by WordPress. Although a plugin is available for setting up the Payment Gateway Bridge with WordPress (WooCommerce – Hatton National Bank Payment Gateway), it is designed for WooCommerce, meaning it requires selling something to use the plugin. As a result, we had to hire a developer to create a custom integration. Initially, we hired a freelance developer, who developed a custom WordPress plugin for LKR 25,000.
The initial setup worked for several years, but we eventually decided to move away from WordPress and switch to a different Content Management System (CMS). Since the WordPress plugin was not compatible with the new CMS, we hired a well-known Software Development & Cloud Solutions Provider in Sri Lanka to help. Since the new CMS couldn’t support the Payment Gateway Bridge out of the box, we hosted the new Laravel-based solution on a VPS for better security and performance (the previous setup was on a shared server), under a different domain name, and seamlessly integrated it with our parent website. The Software Development firm charged us LKR 300,000 (exclusive of tax). While this may seem like a significant cost, reliable developers are not cheap. After all, ensuring fundamental security practices is a top priority: while the bank or payment gateway processes the card payment details, fraud risk can never be fully eliminated.
Potential Challenges and Workarounds
The Hatton National Bank Internet Payment Gateway, supported by CyberSource, only accepts Visa and MasterCard by default despite CyberSource itself supporting other cards. Therefore, if you intend to accept cards other than Visa or MasterCard, you should verify with HNB to ensure compatibility and determine if any additional setup is required. One of the main challenges we encountered, however, is updating encryption keys. CyberSource generates new encryption keys annually, and these must be added to the bridge for it to continue functioning. Since the encryption keys are embedded and encrypted in the code, we have to wait for the developer to replace the expired keys in the source code. This process is inconvenient and not practical, so I’ve asked the developers to modify the UI to allow the accountant to simply copy and paste the new encryption keys into a text box and press save. Although it’s still a work in progress, this change will save us time in the long run.
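One way to address the key-rotation problem described above, as an added example that is not the organization's or its developers' code: the keys live in a file outside the source tree, so new values can be saved without a code change, and the expiry date is tracked so renewal is flagged before payments stop. The field names `key_id`, `secret` and `expires`, the 30-day warning window, and a POSIX host are assumptions.

```python
import json, os, stat, tempfile
from datetime import date, timedelta

WARN_DAYS = 30  # assumption: start alerting a month before the annual expiry

def save_keys(path, key_id, secret, expires):
    """Validate pasted values, then atomically replace the key file."""
    key_id, secret = key_id.strip(), secret.strip()
    if not key_id or not secret:
        raise ValueError("both values are required")
    if any(c.isspace() for c in key_id + secret):
        raise ValueError("embedded whitespace: probably a broken paste")
    if expires <= date.today():
        raise ValueError("expiry date must be in the future")
    record = {"key_id": key_id, "secret": secret, "expires": expires.isoformat()}
    # mkstemp creates the file with mode 0600; os.replace swaps it in atomically,
    # so the bridge never reads a half-written file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(record, fh)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise

def load_keys(path, today=None):
    """Return (record, status); status is 'ok', 'expiring' or 'expired'."""
    # Refuse a key file that group or other users on the server can read.
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        raise PermissionError(f"{path} is accessible by group/others")
    with open(path) as fh:
        record = json.load(fh)
    today = today or date.today()
    expires = date.fromisoformat(record["expires"])
    if today >= expires:
        return record, "expired"
    if expires - today <= timedelta(days=WARN_DAYS):
        return record, "expiring"
    return record, "ok"

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    path = os.path.join(tempfile.mkdtemp(), "ipg_keys.json")
    save_keys(path, "EXAMPLE-KEY-ID", "ZXhhbXBsZS1zZWNyZXQ=",
              date.today() + timedelta(days=365))
    print(load_keys(path)[1])
```

The save handler behind the accountant's text box would call `save_keys`, and a daily job can call `load_keys` and send an alert on any status other than `ok`.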
Accepting payments from foreign donors presents another challenge if the payments page is not behind a protected area. When the payments page is publicly accessible without authentication and the IPG is linked to a LKR account, it increases the risk of fraud, according to HNB. The bank has provided two options: set up a Web Application Firewall (WAF) or set up a separate IPG for foreign donors, linking it to a Foreign Currency Account. Discussions are ongoing to determine the most cost-effective and efficient option. The second challenge arose with Google Workspace when we set up the IPG and used Gmail’s SMTP servers for SMTP authentication with Basic Authentication to send receipts. After switching to Microsoft 365 Business Standard, we had to update the code to use OAuth, which incurred an additional cost of LKR 80,000.
Wrap Up
In conclusion, always ensure that Two-Factor Authentication (2FA) is enabled and required for logging into the Merchant Portal. This extra layer of security helps prevent unauthorized access, safeguarding both your organization and potential donors from fraudulent activities. Additionally, it is important to limit the number of devices authorized to access the Merchant Portal. Restricting access to only essential devices reduces security risks. Moreover, all authorized devices should have reliable and up-to-date antivirus software installed to protect against malware, phishing attempts, and other cyber threats. Lastly, when hiring a developer, make sure to secure a reliable maintenance agreement. This ensures that any future modifications or updates to the Payment Gateway Bridge can be implemented at the lowest possible cost, helping you maintain a seamless and secure payment system in the long run.