Web Hosting Talk

payments without collecting CC numbers


cws_mm
01-25-2007, 03:50 PM
I know of two ways to collect recurring payments without taking credit card numbers from your website:

1. Paypal
2. 2Checkout

Does anyone know of any others?

Thanks.

karlkatzke
01-25-2007, 05:30 PM
Yes. If you want to do them on a timed basis, many many payment providers will allow you to do it.

If you'd like to trigger the payments automatically from within your own system (i.e. you're a hosting provider and people can alter the amount they pay you monthly by adding and subtracting services through a remote interface), that's possible too. Actually, there's an entire standard for this called CISP. You just need to find a payment provider that will allow you to process transactions in CISP-mode, and write the custom code for your application to interface with their CISP mode ... the best one I know of is FastTransact (http://www.fasttransact.com). (They'll also let you set up timed transactions through their web interface without any coding, just like PayPal will.)

cws_mm
01-26-2007, 01:48 AM
Who is good at finding the most cost effective and appropriate payment system and possibly implementing it as well?

I'm asking about companies or individuals.

Thanks.

karlkatzke
01-26-2007, 09:59 PM
I personally like FastTransact for all payment-related services ... I've worked with them over a period of a few years, and I had my account rep's cell phone number and permission to wake her up at 2 am if something blew up.

The way CISP functions with FastTransact is that you authorize for a particular amount, and get a transaction ID back. Using that transaction ID, the expiration date, and the last 5 digits of the card, you can then run a sale against their credit card through the merchant gateway without knowing the full card number or having authorized the amount you will eventually charge. This service exists because 99.9% of contracts specifically prohibit keeping full credit card numbers on your business site in digital or electronic form. Having credit card #'s get leaked from your business would be a world-ending event for your business, hence CISP. (Note that you specifically also want to work with POST variables at all points here, as GETs may show up in your server logs even on SSL connections, which can then be hacked...) CISP is Visa's name for the program, but they were first with it and now all cards have something close enough to work through the same kind of commands.

Chargebacks are a HUGE risk in this kind of service, so be aware that you need to have some sort of proof that you're permitted to charge their card... the business I worked for had faxed, signed contracts, but it was a b2b op. I wouldn't use CISP mode with B2C unless your transaction volume is huge, that's too much risk for me ... if your transaction volume is low, you could end up hitting your processor's chargeback limit for your business category with one or two chargebacks a month, which WILL happen as people forget that they bought your service.

I couldn't really recommend any web dev firms that specialize in payment processing, sorry. I really only know about this because I had to implement it for a client of mine. I'm sure that you could get any salesperson or firm owner to tout their expertise in the area, just make sure they know what CISP is ... and don't accept "Don't know, but I'll get back to you later..." I know that many of the big providers don't offer a direct-CISP mode due to the chargeback risk.
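The post above notes that GET parameters end up in web server logs even over SSL. As an added example (not part of the thread), this Python check scans access-log request lines for query-string values that pass the Luhn check, so leaked card numbers can be found and purged; the log lines are constructed, the card number is the standard Visa test number, and the function names are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format). The card number
# is the well-known Visa test number, not a real account.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jan/2007:15:50:01 +0000] "GET /billing/pay?cc=4111111111111111&exp=0109 HTTP/1.1" 200 512
203.0.113.7 - - [25/Jan/2007:15:50:09 +0000] "POST /billing/pay HTTP/1.1" 200 498
198.51.100.4 - - [25/Jan/2007:15:52:30 +0000] "GET /order?id=1234567890123456&card=4111-1111-1111-1111 HTTP/1.1" 200 731
198.51.100.4 - - [25/Jan/2007:15:53:02 +0000] "GET /invoice?txn=8675309&last5=11111 HTTP/1.1" 200 220
"""

REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST|PUT|DELETE) (\S+) HTTP/[\d.]+"')
# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    # Luhn checksum: double every second digit from the right, sum the digits.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(digits):
    # Keep only the first six and last four digits in the report itself.
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans_in_log(log_text):
    """Return (line number, parameter name, masked number) for each hit."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            for cand in PAN_RE.findall(value):
                digits = re.sub(r"\D", "", cand)
                if luhn_ok(digits):  # drops order ids and other long numbers
                    findings.append((lineno, name, mask(digits)))
    return findings

if __name__ == "__main__":
    for lineno, name, masked in find_pans_in_log(SAMPLE_LOG):
        print(f"line {lineno}: parameter {name!r} carries card number {masked}")
```

The POST request on the second sample line produces no finding because its body never reaches the access log, and the 16-digit order id on the third line is ignored because it fails the Luhn check.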

identifydns
02-10-2007, 04:11 PM
WorldPay under FuturePay also has this feature.

Corey Bryant
02-10-2007, 08:13 PM
It depends on what country you are in and your volume, etc. You can have a merchant account and an electronic payment gateway (LinkPoint, Payflow, Authorize.net, etc.), all of which are CISP compliant. They will allow you to process transactions on your secure website or you can direct the consumer over to their secure website.

CISP is Visa's program for PCI Security Standards and really does not have anything to do with chargebacks - VBV / MSC do though. The PCI standards program is broken down into four merchant levels - usually requiring the merchant to complete a questionnaire annually and a scan quarterly.

cdgcommerce
02-12-2007, 05:09 PM
As Corey mentions, CISP is Visa's security program - the Cardholder Information Security Program. CISP has been incorporated into the PCI (Payment Card Industry) security standards that all payment gateways and merchants must be compliant with.

If your goal is to collect payments and automatically rebill customers, you can do this without any storage of card data. Just use a payment gateway that has either a recurring billing system that can be set to automatically re-bill customers or a gateway with what I call a "vault mode" whereby you can request a given customer (whose CC data is on file with the gateway) to be re-billed for a specified amount.

The other option is that you can use a billing software package like ClientExec, Lpanel, ModernBill, WHMAutoPilot, etc. to encrypt, store and re-bill customers as well. Just keep in mind that you will have to be very careful to ensure that you are hosting this data on a segregated server in a PCI compliant setup.