Sage Pay Options Comparison
The most professional option is Ceon Sage Pay Direct, as it integrates transparently with the store, giving the best overall customer experience. However, it requires a greater amount of PCI compliance, as the store is handling the card details, which can add costs that the store might want to avoid.
Ceon Sage Pay Server and Ceon Sage Pay Form offer easier PCI compliance with lower costs for the store, as these solutions mean the store never handles card details. They are both fully capable payment solutions; however, they can't be customised/integrated to the same degree as Ceon Sage Pay Direct, and both suffer from poor error handling by Sage Pay.
The feature comparison tables below should make it easy to pick the option most suitable for the store.
Please Note: Anyone who has bought the Ceon Sage Pay Direct distribution and wishes to move to Ceon Sage Pay Server is entitled to a reduction on the price of the Ceon Sage Pay Server distribution! More information can be found here.
PCI Compliance? What is that?!
As of 30th September 2009, every internet merchant has to meet certain Payment Card Industry Data Security Standards (PCI DSS). Our personal opinion at Ceon is that the whole situation is a bit silly; we don't see any technical/logistical benefit in the compliance system. Nevertheless, the card companies have indicated that they intend to enforce the standards, so every store must be aware of the implications.
More information can be found in the PCI DSS section on Sage Pay's website but the simple summary is:
- If the store uses Ceon Sage Pay Direct it will have to have an audit and fill in a Self-Assessment Questionnaire of a "Validation Type" 4 or 5. There is a charge for submitting the questionnaire/receiving compliance status. It will also have to undergo monthly or quarterly vulnerability scanning, and possibly even more invasive validation tests, depending on how many transactions the store processes a year.
- If the store uses Ceon Sage Pay Server or Ceon Sage Pay Form, it will not have to have an audit but will have to fill in a Self-Assessment Questionnaire of a "Validation Type" 1. There is a charge for submitting the questionnaire/receiving compliance status. With Ceon Sage Pay Server, the store will also have to undergo monthly or quarterly vulnerability scanning.
Options Feature Comparisons
Integration with Zen Cart
| | Ceon Sage Pay Direct | Ceon Sage Pay Server | Ceon Sage Pay Form |
|---|---|---|---|
| Customer stays on store's website: | Yes - The customer enters their card details within the Zen Cart checkout process. | No - Sage Pay's payment page is displayed in an IFrame after the customer has clicked "Confirm". This gives the appearance of remaining on the site to a certain degree. The customer may have to use scrollbars to see the whole payment form on narrow websites. When they complete the card payment the success page will be displayed as normal; the IFrame is only used for the card payment form. | No - The customer is redirected to Sage Pay's payment page. This takes over the entire browser window. This means the URI will change in the address bar (to sagepay.com) and any sideboxes etc. will not be displayed, as the customer has left the site. They will be returned to the site when they complete their card payment. |
| Payment page can be styled: | Yes - As the card details form is part of the ZC Checkout Payment page, any amount of styling/customisation is possible. | Yes - Custom templates can be built using XSLT and e-mailed to Sage Pay. | Yes - Custom templates can be built using XSLT and e-mailed to Sage Pay. |
| 3D-Secure pages can be styled: | The very nature of the 3D-Secure pages means that they can't be styled. Each Card Issuer has its own unique look for its 3D-Secure page. If the page doesn't match the Card Issuer's exact format/look the customer is told to be wary of fraud! | | |
Customer Experience
| | Ceon Sage Pay Direct | Ceon Sage Pay Server | Ceon Sage Pay Form |
|---|---|---|---|
| Smart error handling: | Yes - If the customer makes a mistake when entering their card details they simply have to correct the details already entered. | No - If a customer makes a mistake when entering their card details they have to re-enter all of their card details again! | No - If a customer makes a mistake when entering their card details they have to re-enter all of their card details again! |
Security/PCI Compliance
| | Ceon Sage Pay Direct | Ceon Sage Pay Server | Ceon Sage Pay Form |
|---|---|---|---|
| SSL certificate required for store: | Yes | Yes | No - Payment page fully secure as it uses Sage Pay's SSL certificate. (We still recommend stores have an SSL certificate to protect customers' details when they are logging in). |
| PCI compliant: | Audit required (provided by a third party). Self Assessment questionnaire required for "Level 1-4" merchants. Further procedures required for "Level 1-3" merchants. | No Audit required - Full "Level 1" compliance through use of Sage Pay's server. Self Assessment questionnaire required for "Level 1-4" merchants. Further procedures required for "Level 1-3" merchants. | No Audit required - Full "Level 1" compliance through use of Sage Pay's server. Self Assessment questionnaire required for "Level 1-4" merchants. No further procedures required for "Level 1-3" merchants. |

