Shopping on a Drupal-based eCommerce website

Accepting payments on a Drupal website

Drupal is a very good and secure content management system that the website admin uses to upload text and images. However, to make the website more than a blogging platform, you can extend its functionality by integrating additional modules. A module is a set of PHP, CSS, and JavaScript code that interacts with the system core and adds new capabilities. Modules, together with the Commerce, Kickstart, and Ubercart distributions, are what you need to enable your website to work with goods and cash transfers.

Though Commerce itself doesn’t include a payment function, it offers a ready framework and an admin panel into which the function can be integrated. The user should download the Drupal Commerce module that integrates with the selected payment system or gateway and set it up in the admin panel. The list of electronic payment systems (EPSs) and payment gateways compatible with Commerce includes both the well-known PayPal, Stripe, Braintree, and Authorize.net and 100-plus small aggregators listed in the module documentation. If the payment gateway you wish to use on your website is missing from this list, the Drupal Commerce framework allows you to develop the module on your own.

And what will happen if you neglect to integrate with the payment gateway? We were approached by a client whose buyers, when trying to pay for an order, were pushed out to the bank’s website, where the payment was to be carried out. The magic was unveiled and unnecessary steps were added to the payment procedure; as a result, the buyer was not happy. You’ll be lucky if the buyer finalizes the purchase, but the chances of the buyer returning drop, as there are more convenient stores. Based on programmers’ estimates, it may take tens of hours to develop a solution that integrates Drupal Commerce with an unknown payment system. It’s expensive, but look ahead: by saving on development now, you are likely to lose buyers and money later.

We talked about Commerce, Kickstart, and Ubercart in our first post, which also provides the Commerce installation and setup guidelines. So let’s use the remaining space for other aspects. For instance, we’ll describe an exceptional case you may also run into if you accept payments from a foreign bank.

The child health clinic "Under 16 years old" is one of our clients. To enable payment for services, we used the payment gateway of Sberbank (a major Russian bank). Some gaps were found in the bank documentation: nothing was said about the case when a payment made with a foreign bank card fails. This was the case the clinic’s customers faced when they tried to pay with cards issued by Kazakh banks. The problem was resolved only through a personal consultation with Sberbank’s technical support. The moral and recommendation are as follows: developers are not always the ones to blame for acquiring issues, so contact the support teams of all services involved in the process if you are going to have international transactions.

Data security

Who is responsible for data security? What is the site owner to do to protect the buyers’ payment data from leaking anywhere?

Usually, if you need to keep card details, you should select a payment system that stores them on its side (for example, Stripe). In this case, the online store website operates only with the identifiers needed to request data from the payment system. However, a data leak is still possible: an attacker might find security gaps in the web server setup or in the application itself and use them to embed code that collects personal data, or might steal the private keys used for the aggregator integration.

To be on the safe side, it makes sense to keep up with security updates for the CMS and the modules, configure the web server and access rights correctly, and include access rights in the system’s functional testing to ensure that anonymous users cannot access orders and that buyers cannot view each other’s orders.
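One way to run the access-rights check described above is as an access matrix: request every order page as every test account and as an anonymous visitor, and report any answer that is wrong. This is an added example, not code from the original post or from Drupal Commerce; the URL shape, the account names, the cookies and the `make_fake_shop` stand-in are assumptions constructed so that it runs offline.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Assumed URL shape for a buyer's order page; adjust to the site's real routes.
ORDER_PATH = "/user/{uid}/orders/{order_id}"
DENIED = {401, 403, 404}  # statuses that count as "access refused"
Fetch = Callable[[str, Optional[str]], int]  # (path, session cookie) -> status


def audit_order_access(fetch: Fetch, orders: Dict[str, str],
                       sessions: Dict[str, str]) -> List[Tuple[str, str, int, str]]:
    """Fetch each order as each account plus anonymous; return wrong results."""
    viewers: Dict[str, Optional[str]] = {**sessions, "anonymous": None}
    findings = []
    for order_id, owner in orders.items():
        path = ORDER_PATH.format(uid=owner, order_id=order_id)
        for viewer, session in viewers.items():
            status = fetch(path, session)
            if viewer == owner and status != 200:
                findings.append((viewer, order_id, status, "owner-blocked"))
            elif viewer != owner and status not in DENIED:
                findings.append((viewer, order_id, status, "leak"))
    return findings


def make_fake_shop(orders: Dict[str, str], sessions: Dict[str, str],
                   check_owner: bool) -> Fetch:
    """Constructed stand-in for the site; ownership is checked only if asked."""
    by_cookie = {cookie: account for account, cookie in sessions.items()}

    def fetch(path: str, session: Optional[str]) -> int:
        order_id = path.rstrip("/").split("/")[-1]
        if order_id not in orders:
            return 404
        account = by_cookie.get(session)
        if account is None:  # anonymous or unknown cookie
            return 403
        if check_owner and account != orders[order_id]:
            return 403
        return 200
    return fetch


# Constructed sample data: two test buyers with one order each.
ORDERS = {"101": "alice", "102": "bob"}
SESSIONS = {"alice": "cookie-a", "bob": "cookie-b"}

if __name__ == "__main__":
    print(audit_order_access(make_fake_shop(ORDERS, SESSIONS, False), ORDERS, SESSIONS))
```

Against a real test site, replace `make_fake_shop` with a function that sends the request with the given session cookie and does not follow redirects. If the site redirects anonymous visitors to a login page, add that redirect status to `DENIED`.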


Surely, a third-party service also wants to earn money and charges internet business professionals a fee for some of its services. All providers of internet acquiring services are similar in that they charge a commission for each remittance. For instance, Stripe charges 2.9% of the payment plus 30 cents and promises ‘no setup fees, monthly fees, or hidden fees’. Good client-oriented services are ready to offer you a special percentage rate based on your region, business type, and monthly revenue.

In addition to the remittance fee, payment services can charge fees for:

  • Monthly usage
  • Service setup
  • Chargebacks
  • International fund transfers

Read the tariff information of each payment service provider carefully.

An online shop offering product search, filters, a payment page, a personal account, etc. will require a higher-performance server than an online business card or a media outlet, which is why hosting the online shop will involve additional expenses.


Judging from experience, website owners can go very deep into the differences between payment systems, data security, and so on, but they are not always able to put this knowledge readily into practice. Remember the story about in-house development of the module that enables interaction with the payment gateway. As you might guess, this task requires some programming skills. We are writing this post because we want to speak the same language as entrepreneurs, but we suggest that you delegate the tasks of payment system implementation and setup to your contractor.
