Breaking down the cost of building payments in-house for vertical SaaS companies

Building your own payments system? This guide covers key factors and costs to help you pick the best in-house approach.

Gary Ludorf

Key takeaways

  • Bringing payments in-house offers vertical SaaS companies several benefits.
  • However, the process is time-consuming and complex. From establishing partnerships to diverting resources, you might discover that the negatives outweigh the positives.
  • Modern companies can adopt a modular approach to payments — bringing critical functions in-house while relying on a partner to execute heavy lifts.
  • A plug-and-play solution like Astra helps vertical SaaS companies of all sizes transform payments into a growth driver.

Embedding financial solutions into their platforms has long presented vertical SaaS companies with a way to grow revenue. a16z noted in 2020 that vertical SaaS companies can 2-5X their revenue per customer by embedding fintech into their platform.

But how should you go about embedding payments on your platform? Building infrastructure in-house is one option you may have considered, but how viable is it?

In this article, we look at:

  • Key considerations before you begin building payments infrastructure
  • The financial costs of setting up payments in-house
  • How you can own the payments workflow while avoiding excessive costs

Key considerations before you begin building payments infrastructure

Building payments infrastructure is a complex task. The payments landscape is highly regulated, and you must plan your implementation roadmap before diving in.

Gil Akos, CEO of Astra, explains why a roadmap is critical. “Implementing payments is a very long journey,” he says. “It can take a year to build a payment stack in-house, and that’s a huge drag on all the other things you’re trying to accomplish that are also business critical.”

Gil says that hidden costs like paying for overlapping processors as you migrate are common. “There’s all these pieces you didn’t know you needed that you have to build or add procedure around,” he says. 

A roadmap helps you understand timelines and verify whether the effort to build payments in-house is worth the benefits. 

Here are some key considerations to help you develop a roadmap:

  1. Does the math check out? 
  2. How will users behave on your system?
  3. Do you understand data handling needs?
  4. What partnerships do you need?
  5. How will you scale your infrastructure?
  6. How soon should you go to market?

Let’s look at these considerations in more detail.

What approach will you take? 

Building payments in-house is complex, but companies have successfully executed this project. However, companies like Toast that have in-house payment functions were forced to build them due to a lack of options when they were growing.

For instance, Stripe was not catering to the acquirer side of the payments ecosystem when Toast was scaling.

These days, companies that build payments in-house do so to varying degrees. For instance, modern companies like Lightspeed POS do not bring payments in-house to the extent Toast does. Instead, they work with payment partners to handle tasks that require specialized payments expertise while building other portions of the infrastructure in-house.

This approach helps vertical SaaS platforms handle the complexity that comes with payments. Gil likens this to turning a huge ship around while simultaneously making sure everything else you’re doing doesn’t break.

“You have to put a lot of things in motion and be committed to them to move the ship significantly and go in a different direction,” he says. “That becomes harder when you have your existing business and then you’re trying to get this other initiative.” 

“But if you choose the right infrastructure partner in that transition [to in-house], it can be faster, with far less overhead.”

A plug-and-play solution (like Astra) can help you integrate instant payments through popular payment rails like Visa Direct, RTP, and FedNow without committing to the huge upfront costs.

How will users behave on your system?

Consider how users will behave on your platform. User behavior gives you an idea of the kind of data you will receive and the legal implications attached to it. This will increase the amount of time and money you must spend on compliance, though it may also increase the potential revenue you bring in. 

For instance, if you have to support multiple currencies, handling currency exchange rate risks becomes important. Your merchants will expect competitive FX rates, and you must implement hedging programs to protect their funds.

However, these hurdles might be worth it if more user data can help you build better products, opening new revenue opportunities.

“If you want to build more products based on payments and user data, bringing payments in-house makes sense,” Gil says. “And obviously, there’s the additional margin you can earn as well.”

Create a list of user expectations and their consequences, and you’ll understand what data you must store, how to enforce data governance and the financial risks associated with it.

Do you understand data handling needs?

Making a list of data you will store is one thing. Figuring out how to store that data while remaining compliant with payment industry regulations is another task.

At a minimum, you must comply with the Second Payment Services Directive (PSD2) and the Payment Card Industry Data Security Standard (PCI-DSS). These frameworks define everything from data storage standards to employee training that ensures consumer data protection.

Each of these frameworks has different requirements depending on the number of transactions you process annually.

PCI-DSS compliance levels:

  • Level 1: companies processing more than 6 million transactions per year
  • Level 2: companies processing between 1 million and 6 million transactions per year
  • Level 3: companies processing between 20,000 and 1 million transactions per year
  • Level 4: companies processing fewer than 20,000 transactions per year

If you’re enabling non-traditional transactions like cryptocurrency or international transactions, you’ll face a different set of regulations.

Check which standards apply to you and what following each of them entails.

What partnerships do you need?

You must partner with the right entities to plug into the payments ecosystem. The most common partnerships you will need are with a sponsor bank and payment card networks (like Visa and Mastercard).

Establishing these partnerships is easier said than done. Banks and partners have assumptions about how things should work, Gil says. “So if you want to be innovative, it helps to have some volume to begin with.”

Besides, landing a sponsor bank agreement is a lengthy and time-consuming process.

Speaking to Alloy, Paintbrush Founder and CEO Stephen Walter lays out some of the challenges of landing a sponsor bank. “It’s a tiny club of new fintechs who actually get genuine bank sponsorship every year,” he says. “And it’s getting smaller.”

Walter explains that banks want extensive documentation, conduct a rigorous due diligence process and expect companies to have substantial runway before taking them on.

He also notes the compliance obligations that come with the relationship. “[Sponsor banks] need to be really confident that you are going to live up to your compliance obligations,” he says. “They’re very onerous, daily reports, weekly reports, all marketing material has to be approved by them. It’s a really high bar.”

To complicate matters, bank partnerships have hit a rough patch with regulators: agencies like the FDIC and OFAC are serving banks a raft of consent orders, creating turbulence for the banks’ partner programs.

To summarize, figuring out partnerships takes a lot of resources and time — time you could spend building your platform and focusing on your core competency.

Gil notes that this is where an out-of-the-box solution like Astra makes sense if you’re not keen on bringing this relationship in-house or wish to continue working with your current bank.

“We’re bank agnostic,” he says. “So we do not have to be directly integrated with your current sponsor bank. We can just go in and out of any source or destination account through our sponsor.”

How will you scale your infrastructure?

Your plans to scale infrastructure tie to how well you’ll sail through your sponsor bank’s due diligence process. Banks want to see how well your infrastructure will perform under stress and volume.

Building a scaling plan boils down to scaling your compliance controls. At higher volumes, for instance, chargebacks increase and put your fraud detection capabilities under stress. 

You’ll have to invest in more personnel and resources to deal with the increased workload.

How soon should you go to market?

Timelines are a critical part of building payments in-house, particularly for your internal teams. Realistic timelines help you ensure zero customer disruption as you switch transactions from external processors to your internal infrastructure or launch payments as part of your offering.

Make sure you account for the time it takes to get partnerships up and running. For instance, locking in a sponsor banking relationship takes at least four to six months. 

Add ample testing time, too, since any errors your merchants encounter during the payment process will reflect poorly on your brand.

The financial costs of building payments in-house

Now that you understand the key considerations behind building payments in-house, let’s dive into the financial costs. Fixing exact numbers is challenging because of the varying degrees of complexity you can choose with your infrastructure.

Gil notes that, from his experience, processing upward of a billion dollars a year justifies bringing payments in-house without the help of an external partner. This number is based on earning 0.25% on each transaction.

While the costs you will encounter are varied, we can broadly categorize them under the following sections:

  1. Initial setup costs
  2. Development costs
  3. Licensing and registration costs
  4. Risk and compliance costs

Let’s look at them in more detail.

Initial setup costs

Your initial setup costs include building infrastructure and hiring engineers and development resources to build your platform.

The bottom line: Conservatively, expect to spend $1 million in the first year and at least $500,000 per year after that.

Development costs

In addition to the resources we outlined previously, you will need to build infrastructure to orchestrate payments. Here are some of the technical systems you must build:

  1. Customer dashboards
  2. Merchant onboarding KYC systems
  3. Payout infrastructure connected to payment rails
  4. Dispute management dashboards
  5. Compliance reporting systems
  6. Anti-money laundering (AML) protocols for each payment network

The leanest possible team you can hire will still have four employees, earning an average of $150,000 annually. This adds up to $600,000 annually.

Given the scope of this project, you can expect development to take at least a year.

The bottom line: Expect to spend at least $600,000 on development staff for at least one year.

Registration

On the surface, registration doesn’t cost as much as the previous entries. Payment networks, such as Visa and Mastercard, charge a few thousand in initial registration fees and charge commissions on each payment you process with them.

And as Gil mentioned above, access is a major issue since you cannot call Visa or Mastercard and expect to receive an invitation to sign up for their networks.

There’s also the matter of acquiring Money Transmitter Licenses, which is no small feat. Not only does each state have its own definition of what constitutes money transmission, but you’ll need to submit an FBI criminal background check, fingerprints, financial statements and more as part of your application. Then you’ll need to renew that license yearly.

The bottom line: You will incur high costs, likely in the thousands per month, per network. Gaining access is challenging, and the hassle of Money Transmitter Licenses may not be worth the headache.

Risk and compliance costs

Risk and compliance are the most critical parts of a payments program. These activities help you meet regulatory requirements and defend against fraud, hacks and money laundering. PCI compliance is almost standard in the United States, and achieving it takes up to five months.

Pinning a number down for costs is challenging due to differences in payment infrastructure. Here are a few estimates for a Level 1 program (these programs process more than six million card transactions annually):

  • Vulnerability scanning: This must happen once every quarter and costs up to $200 per IP address.
  • Employee training: This costs between $100 and $200 per employee. Creating a training program costs between $5,000 and $10,000.
  • Vulnerability testing: Also called penetration testing or pen testing, this is the most variable component. Costs can range from $15,000 to $100,000 depending on the vulnerabilities you find.
  • Auditing: A PCI audit conducted by a third-party professional costs $40,000, on average. This is the upfront cost. Subsequent audits will run you closer to $100,000 every year.

All of this is before you install a compliance program with employees tasked with monitoring transactions and logging reports. You will need at least one analyst ($100,000 annually) and an associate ($150,000 annually) to execute these tasks.

However, you might find yourself blowing past these numbers quickly. For instance, a company like Toast has a fully built in-house payments team of dozens of payment professionals.

Time and expertise are issues at this step. Your KYC and AML policies must comply with OFAC regulations. You must screen merchants against the Mastercard Alert to Control High-Risk Merchants (MATCH) list to make sure you are not enabling non-compliant transactions.

The bottom line: Expect to spend at least $100,000 upfront and maintenance costs of $300,000 annually.

How to own the payments workflow and avoid excessive costs

The costs we’ve detailed above are substantial. However, they make sense for a company with significantly large processing volumes.

But what if you’re not at those levels and want to leverage payments to boost growth? You could work with a payment gateway or a payment processor.

However, those options are opaque and do not aid your growth. They lack customizability and do not proactively protect you from fraud.

“You ideally want a solution that covers the parts of the payment infrastructure you know you need and the ones you don’t know you need,” Gil says. “Because that’s the part where you can really lose your shirt.”

In contrast, a plug-and-play solution like Astra solves the most common, yet less-talked-about, hurdles that vertical SaaS companies encounter when building payments.

Astra helps vertical SaaS companies grow by:

  • Helping you quickly offer instant payments through popular rails
  • Offering out-of-the-box sponsor banking relationships
  • Automating fraud controls
  • Scaling with your program
  • Offering a sandbox to test your product

Curious about how Astra has helped companies like Cloudtrucks, Fold and Till grow while controlling the payments workflow? Get in touch with us.