Magento is a great product but out-of-the-box it really lacks recurring billing support. I've come to a crossroads with my current project and need some direction.
We have exhausted every Google search and module that is under the sun for Magento to support recurring billing the way we need it to. So far, all we have come across is one module that costs $300 by aHeadWorks in the UK. We've tried the module and are extremely disappointed so far, mainly just due to total lack of support and documentation; Nobody seems to have the knowledge to answer our questions, or even attempt to.
Our goals are simple and we cannot figure out why there aren't more solutions out there to do this, so the question becomes, what is everyone else doing?
All we need to do is the following:
Skrill Moneybookers & their module isn't compatible with what we need to do (at least in the US). PayPal sucks and wants to hold our money back and also wants to redirect customers to their site to setup a billing agreement. iTransact services are fantastic but there is one module that is 2 years+ old and has no support.
The answer is recurring billing is quite a taboo in the e-commerce industry. This is mostly because the big boys, i.e. Mastercard and Visa have very strict rules governing recurring billing transactions.
Recurring billing means storing a customer's credit/debit card data, long number, expiry, and cvv2, for future processing. However, this opens up a huge can of worms in terms of security. This is why Visa/Mastercard impose rules on merchants in becoming PCIDSS compliant. Practically this means your server/website have to be certified to be secure, using a service like McAfee PCIDSS, which basically scans your server/website remotely and attempts to break it. It looks for open ports, badly configured firewall (or lack of), xss scripting flaws, mysql injection breaches, operating system security breaches, and many more. One of the most important elements with PCIDSS is having all card data encrypted.
It is a laborious process, since once you are given a report, you are also expected to repair all flagged critical issues and pass the scan. There are other steps to complete, but I shan't enumerate them all here. See the pci dss website for reference. You are also expected to keep the certification up-to-date on a quarterly basis.
Basically what this means is that Visa/Mastercard don't particularly like the smaller merchants to have this feature, as they can be of major risk to clients. If their system is breached, hackers could use the card data for criminal enterprises.
This in turn means Visa/Mastercard favor the big players in the industry to handle recurring billing, such as PayPal, Worldpay, authorize.net, etc. One port of call, one entity to fine and recover losses if there's a problem.
And now we return to Magento. Whilst it is relatively easy to create a normal payment method in Magento, since most PSPs work in the same manner [mostly], recurring billing is handled differently from provider to provider. Furthermore, some are more restrictive than others.
I can't and won't recommend PayPal as I have had extremely bad experiences with them, I can definitely recommend Worldpay + Futurepay + Invisible XML method. You would need to hire a Magento developer to write a custom module for you, but it's doable. I am currently writing a module for a client in Norway using a norwegian payment method and recurring billing.
If you still need help, get in touch, I can write a module for your store.
Hope this helps.
Cheers, Michael.