Payment Service Providers (PSP) that work in Switzerland

The following is a list of payment service providers (PSP) that work in Switzerland. This is work in progress and the content will change frequently.

Datatrans ( – it’s an independent Payment Gateway Provider based in Switzerland. Datatrans is a bit special in that it doesn’t offer acquiring. This means that you still have to set up a business relationship with a third-party acquirer such as PostFinance or a credit card acquiring bank. Datatrans then integrates all of them. Datatrans is a powerful online payment solution, but expect some additional effort to set up a separate business relationship with an acquirer.

Beyond the standard credit cards and wallets (such as Apple Pay), it also supports PostFinance, PostFinance Card and Twint, a huge advantage in the Swiss market. It features an intuitive user interface for payment; there is a publicly accessible demo available in the documentation (Lightbox Mode). It offers a good user experience via an easy-to-integrate frontend interface. It is developer friendly, featuring a clean programmable interface (API), good documentation and technical support. The state of the admin interface is unknown at the time of writing, will update soon.

Stripe ( – Stripe is an international acquirer that supports the major credit cards. It has good support for subscription payments. It features an intuitive user interface for payment; there is a publicly accessible demo available in the documentation. It is developer friendly, featuring a clean programmable interface (API) and good documentation. The admin interface is extensive and offers a lot of control, such as refunds.

PayPal ( – PayPal is an international online bank that supports the major credit cards. It features a good user interface and has a publicly accessible demo online here. It’s recommended to use the smart payment button and not the standard payment button, as the standard one provides a sub-standard user experience. Other than that, PayPal is developer friendly, featuring a clean programmable interface (API) and good documentation. The admin interface is extensive and offers a lot of control, such as refunds.

BrainTree – – BrainTree is a subsidiary of PayPal and is positioned in the area of customized, integrated payment solutions (similar to Stripe or checkout). Its technical interface is more developer-friendly than PayPal’s and the focus of the solution is not PayPal as a brand but providing a good checkout and payment experience for the user. Check out their support here.

Checkout ( – is a UK-based international acquirer that supports the major credit cards. Last time I checked (2020) they only accepted merchants with an existing history and more than 50k in online payments per month. Also, the service didn’t offer a lot of payment options for Switzerland, but this might evolve rapidly. It also supports Apple Pay in Switzerland. It features an intuitive user interface for payment; there is a publicly accessible demo available in the documentation (checkout.js). It is developer friendly, featuring a clean programmable interface (API) and good documentation. The admin interface is simple but clean and easy to use.

SIX Payment Services ( – Formerly Saferpay, SIX Payment Services is the payment solution by the Swiss payment provider SIX. It is owned by Swiss banks. SIX also offers offline payment services via phone. SIX supports all major credit cards and wallets such as Apple Pay. The user interface for payment requires a custom setup by the developer, there is no publicly accessible demo available. It is not very developer friendly. Last time I checked (2019) the admin interface was outdated and didn’t offer a good User Experience.

PostFinance Checkout ( – PostFinance Checkout supports the major credit cards plus TWINT and PostFinance Card, which is a major advantage in the Swiss market. The user interface for payment requires a custom setup by the developer, there is no publicly accessible demo available. While it offers out-of-the-box integration with some eCommerce Systems like WooCommerce (for WordPress) via plugins it is not very developer friendly and has only basic documentation.

PayRexx – A Swiss up and coming Payment Service Provider which includes acquiring via PayRexx Direct. It supports all Swiss means of payments. It has a great admin interface and allows to integrate with the different third party payment means (like PostFinance and Twint) in a simple way. PayRexx has different ways of frontend integration, they show an easy one here: but at this point it doesn’t appear perfect yet (i.e. PostFinance Checkout on the web is not responsive)

freeze requirements with pip-compile as a best practice

Have you ever been in a situation where you wanted to set up a project you haven’t been working on for a while and it failed with a cryptic error for no apparent reason?

Chances are that you didn’t freeze your requirements: one of the packages you just installed came in at a newer version than the one you developed against, the new code is incompatible with your codebase, and that causes a seemingly random error.

This could be avoided by freezing requirements.txt after the initial development phase of a project. This solution however prevents an efficient upgrade process later on. What would an efficient dependency upgrade process look like?

  • Unfreeze all dependencies
  • run pip install --upgrade on all dependencies
  • test the project, if there are problems, find and downgrade the problematic package or upgrade the project’s code. If everything is ok, go to next step
  • freeze all dependencies again, check changes into source control and deploy.

Enter pip-tools with pip-compile!

pip-compile does exactly that. In order to be able to easily upgrade all packages, pip-compile works with two separate files.

  1. It contains only the packages added by the developer. Typically, this is also the place where the developer adds comments next to a package, explaining why it is needed and describing any quirks or special information. The developer does NOT add any version numbers here, unless it’s required to make the project run (example: package-name>3.5 # doesn't work with a lower version)
  2. requirements.txt This file contains the compiled output from pip-compile including any dependent packages. No manual edits should be done here, they would be overwritten upon subsequent compilation. All packages are frozen in this file (= have a version number assigned). The project uses this file to install dependencies. It’s important that this file is included in source control (git).

⚠️ Warning! PyPI packages can have specific versions marked as prereleases. By default those are ignored by pip-compile. If you want a prerelease, either pass the --pre flag to pip-compile (it then considers prerelease versions during resolution) or update the corresponding version manually in requirements.txt after compilation, keeping in mind that the manual edit is lost on the next compile.

Pip Compile Workflow

  • the developer manages packages in – generally **without** versions
  • then create a new requirements.txt with docker-compose run --rm web pip-compile > requirements.txt
  • docker-compose exec web pip install -r requirements.txt or just simply docker-compose build web
  • Testing, QA & fixes, checking changes into source control, finally deployment

Pip Compile Setup

  1. Add pip-tools to requirements.txt
  2. Copy requirements.txt to
  3. Run pip-compile > requirements.txt (overwrite, not append: an appended copy would leave duplicate entries in the file)
  4. Rebuild the project to ensure everything works
  5. You can now remove all or some of the version pinning from your
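One thing the workflow above leaves open is verifying that the file you commit is actually frozen. pip-compile also takes a --generate-hashes flag, which adds the sha256 digests of every distribution to requirements.txt; pip then refuses anything that doesn't match when you install with pip install --require-hashes -r requirements.txt, which protects against a tampered or substituted package on the index. The following is an added example (not part of pip-tools and not from the original post) of a CI gate that parses a compiled requirements.txt and fails if any entry is unpinned, unhashed or hand-edited. It assumes the conventional input file name requirements.in and the line format pip-compile emits with --generate-hashes; the sample file is constructed and its digests are placeholders of the right shape.

```python
"""Gate a pip-compile'd requirements.txt before it is committed: every entry
must be pinned with == and carry a --hash, so that
`pip install --require-hashes -r requirements.txt` verifies each download.
Added example, not part of pip-tools; the requirements text below is
constructed, and its digests are placeholders of the right shape."""
import re
from typing import Dict, List, Tuple

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?==([^\s;]+)")
HASH_RE = re.compile(r"^--hash=sha256:[0-9a-f]{64}$")

_H1, _H2 = "a" * 64, "b" * 64  # placeholder digests, not real package hashes
SAMPLE_REQUIREMENTS_TXT = f"""\
#
# This file is autogenerated by pip-compile with Python 3.11
# by the following command:
#
#    pip-compile --generate-hashes requirements.in
#
--index-url https://pypi.org/simple
django==4.2.11 \\
    --hash=sha256:{_H1} \\
    --hash=sha256:{_H2}
    # via -r requirements.in
gunicorn==21.2.0
    # via -r requirements.in (hand-edited: hash removed)
requests>=2.31
    # via -r requirements.in (hand-edited: pin loosened)
"""


def logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines; drop blanks and comments."""
    out: List[str] = []
    buf: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        out.append(" ".join(buf))
        buf = []
    if buf:  # dangling continuation at end of file
        out.append(" ".join(buf))
    return out


def audit(text: str) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Return ({name: version} for well-formed entries, {name: [problems]})."""
    pinned: Dict[str, str] = {}
    findings: Dict[str, List[str]] = {}

    def problem(name: str, msg: str) -> None:
        findings.setdefault(name, []).append(msg)

    for entry in logical_lines(text):
        if entry.startswith(("-e ", "--editable")):
            problem(entry, "editable install cannot be hash-verified")
            continue
        if entry.startswith("-"):
            continue  # pip option such as --index-url; not a requirement
        tokens = entry.split()
        spec = tokens[0].split(";", 1)[0]  # drop an environment marker
        hashes = [t for t in tokens[1:] if t.startswith("--hash=")]
        m = PIN_RE.match(spec)
        if not m:
            name = re.split(r"[<>=!~@]", spec, maxsplit=1)[0]
            problem(name, f"not pinned with == ({spec})")
            continue
        # PEP 503 style normalisation so "Django" and "django" are the same entry
        name, version = m.group(1).lower().replace("_", "-"), m.group(2)
        if name in pinned:
            problem(name, "listed more than once")
        pinned[name] = version
        if not hashes:
            problem(name, "no --hash; pip --require-hashes would refuse it")
        elif not all(HASH_RE.match(h) for h in hashes):
            problem(name, "malformed --hash value")
    return pinned, findings


def is_reproducible(text: str) -> bool:
    """True when every requirement is pinned and hashed."""
    return not audit(text)[1]


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_REQUIREMENTS_TXT)[1].items():
        print(f"{name}: {'; '.join(problems)}")
    raise SystemExit(0 if is_reproducible(SAMPLE_REQUIREMENTS_TXT) else 1)
```

Run it against the committed requirements.txt in CI; the two hand-edited entries in the sample are exactly the kind of drift the "no manual edits" rule above is meant to prevent, and they are what makes the gate fail.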

django doesn’t work out of the box with multiple gunicorn/uwsgi workers 🤯

This is really incredible, but django has an extremely unfortunate default CACHES setting that is not ok for production environments: it defaults to a local-memory cache (LocMemCache) that lives inside one process and is not shared between different gunicorn or uwsgi workers. As a result, each worker can have a different cached state, so two requests can see different values depending on which worker serves them; a django form that caches its choices, for example, can show different database values from one request to the next.

Read here and here

Solution: Set up memcached (apt install memcached; if you want to use a unix socket, enable it in the memcached configuration, i.e. the -s socket path and -a file mode options, and make sure the socket is writable by the user the workers run as; otherwise change the config below to use tcp instead) and configure django to use that cache backend in production environments:

CACHES = {
    'default': {
        # MemcachedCache (python-memcached) was deprecated in Django 3.2 and removed in 4.1;
        # on newer versions use 'django.core.cache.backends.memcached.PyMemcacheCache' (pip install pymemcache)
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
        'LOCATION': 'unix:/var/run/memcached/memcached.sock',
    }
}

Note that memcached has no authentication: anyone who can reach its port can read and overwrite every cached value, including cache-backed sessions. Keep it on a unix socket or bound to 127.0.0.1, never on an interface reachable from other hosts.

django CMS PageField

In the (it’s an extended ForeignKey field:

from django.db import models
from cms.models.fields import PageField

class FaqTeaser(models.Model):  # hypothetical model; PageField is a ForeignKey to cms.Page
    # on_delete is mandatory since Django 2.0; null/blank make the link optional
    faq_page_link = PageField(on_delete=models.SET_NULL, null=True, blank=True)

How to use it in a template?

{% if instance.faq_page_link %}<a href="{{ instance.faq_page_link.get_absolute_url }}">Demo Link to the FAQ Page</a>{% endif %}

Todo: What form widgets are available and how can they be configured on a PageField model field?

5 things you wish you’d known before founding and scaling a business in Switzerland

Nobody told you in business school, I bet.

1. Who needs a GmbH or AG?

You can start your business as an Einfache Gesellschaft. No need to spend money on a GmbH or AG. An Einfache Gesellschaft allows you to use any business name you like, open a Swiss bank account in the company name (just sign a simple shareholder agreement, Gesellschafter-Vertrag) and use the company name for your postal address.

If the financial risk of your business is going beyond 20k CHF you should consider founding a GmbH as the Einfache Gesellschaft doesn’t protect you as an individual from claims against the company.

2. Contracting individuals in Switzerland

Switzerland is a liberal country and contracting somebody for a job or a project is a breeze, right? I am sure everybody would agree, except the SVA. When it comes to social security, the self-employed must prove their independence, because the SVA wants to protect regular employees from being forced into self-employment by their employer to save social security contributions. Before you sign an agreement with a self-employed individual, you should ask him/her for a written confirmation letter from the SVA that proves his/her self-employed status.

Here is what can happen if you don’t: If you contract someone who is not recognized as self-employed and the SVA notices – and they eventually will because SVA have access to tax statements – your company will be subject to fines and back payment. The biggest cost (and pain) for your company however will be the administrative effort involved in figuring out all those contracting engagements years back.

Note that this only applies to contractors based in Switzerland because only those are subject to social security contributions to SVA.

3. VAT – register early

The ESTV (Swiss federal tax office) requires you to sign up for paying VAT for the year in which you surpass CHF 100k in revenue. Beware, don’t just wait for this to happen in the middle of your business year – you haven’t charged VAT on your invoices from earlier in that year. If later in the year you find out that your business will surpass 100k CHF in revenue, you will be forced to retroactively charge your clients the VAT. Decide on the first day of the year whether your company is likely to do more than 100k of revenue in the next 12 months and if yes charge VAT on your invoices from the very first day on.

4. Bezugssteuer

You might rejoice when you hear that your business doesn’t pay VAT on anything purchased or contracted from outside Switzerland. But nobody has told you about the Bezugssteuer. Make sure you pay Bezugssteuer whenever there is no VAT on an invoice you receive from a company outside of Switzerland. The Bezugssteuer is due even on that cloud subscription of yours.

5. Dividends & Verrechnungssteuer

Congratulations, your company is doing well and you would like to take some money out of the company. Slow down: the ESTV will only accept payments from the company to individuals as dividends if 1) your company declares earnings in its financial statement at the end of the business year and 2) some of these earnings are declared to be paid out on a specific date as dividends in the minutes of the shareholder meeting.

We’re not done yet. Dividends are subject to Verrechnungssteuer. Your company is required to pay 35% of the dividend directly to the ESTV. Yes, that’s right, your shareholders only receive 65% of the dividends. They have to reclaim the rest via their personal tax declaration in the following year. Therefore it is good practice to define 31.12. of the year as the dividend payout date, as the shareholders can then reclaim it in their tax declaration only shortly after. It’s pretty crazy, but even so some time will pass until all the money is where it belongs: year 1: financial statement of the company, year 2: dividend payment, year 3: personal tax declaration of the shareholder, year 4: ESTV pays back the Verrechnungssteuer. Four more years! 🤯

What if you (as a shareholding individual) need the money right away? If your company makes a payment to you the ESTV will classify it as salary and you will pay full SVA social contributions and income taxes on it (after the earnings of your company already got taxed). That sure hurts. It’s therefore better to receive this money as a Gesellschafter Kontokorrent loan. The money technically still belongs to the company (and you have to pay due interest for the loan to your company) but you don’t have to declare it as income in your personal tax statement and can offset the loan later against the dividend payment.

There is no incentive anymore to keep the shareholder’s loans up for longer than needed, so in most cases it’s best to settle them as soon as possible. For dividends, Federal income tax is discounted by 40% while the Staats- und Gemeindesteuer in the Canton of Zurich is discounted by 50% in order to reduce double taxation of company earnings.

Disclaimer: This is not legal advice which means you are discouraged to base your decisions on this article. Consult a lawyer.

A Google Analytics UTM Tag Guide for Marketeers


  • Stick with the values recommended by Google Analytics for source and medium UTM tags
  • Keep the campaign UTM tag in the same format across all different advertising networks / channels. For the same campaign, use the same name across different network / channels.
  • Assign ownership for UTM tagging to one single person to protect your Google Analytics data quality
  • Don’t use UTM tags on internal links as they overwrite the origin of your user sessions and thus destroy your acquisition data.
  • No room for mistakes, as Google Analytics acquisition data is immutable. Your UTM parameter tracking will stay with you for life.

Why marketeers should read this

With great power comes great responsibility. You might not be aware of the fact that anyone with the ability to create a link to your page (or even just to type a URL into a browser) can change the source / medium (Acquisition > Channel Attribution) data in your Google Analytics reports, simply by appending UTM parameters to the end of the URL. Google Analytics trusts whatever the landing URL says; there is no way to authenticate a UTM tag.

Marketeers use UTM parameters to attribute the source and type of user sessions on their websites. For example if a marketeer purchases some advertising on a news website, the marketeer will send not only the URL to his/her own website landing page (to which the ads should link) but he/she will prep the URL with Google Analytics UTM parameters. Like this, the marketeer will know how many users came from that news website.

Marketeers in charge of bigger websites will have many different active traffic sources at any given time. Google ads, bing ads, facebook organic content, facebook paid ads, email marketing, … and many more. For all these online marketing activity the marketeer will want to know how many user sessions they deliver for any given period of time, so he/she can determine the return on advertising investment on any single traffic source.

How you should track user sessions from Facebook in Google Analytics

Let’s take Facebook for example. For many professional marketeers, Facebook is more than just a traffic source, it’s at least three: 1) Users clicking on links in third-party posts on Facebook. These we can’t control and they will just show up as social traffic from Facebook. 2) Users that click on links on our own business posts on Facebook. Since we can control the content of such posts, we want to use UTM tags for those links 3) Users that click on our paid ads on Facebook. These we want to distinguish from the previous two traffic sources by using UTM tags.

Here are the most important UTM parameters that Google Analytics recognizes.

utm_source: In Google Analytics, the source field of a user session is one of the most important pieces of information. Adding utm_source to a link will override the source that is determined by Google Analytics automagically. For example, a user that comes to your website from will create a user session in Google Analytics with the source As this value is used in other parts of Google Analytics we recommend to not alter this behaviour and only use the real domain from where traffic is coming from. So, for Facebook posts or paid ads, you would always use a link like

utm_medium: In Google Analytics, the medium field of a user session is the most important piece of information. Adding utm_medium to a link will override the medium that is determined by Google Analytics. Google Analytics automagically recognizes traffic mediums such as: organic, none (for direct traffic), referral, cpc, social. Medium is heavily relied on by Google Analytics to create the default channel grouping. Read more about recognized values here: – We recommend to stick to these conventions under any circumstance.

utm_campaign: In Google Analytics, the campaign field of a user session is heavily relied upon by the Campaign tab which includes Google Ads. Google Ads Auto-tagging feature will use the campaign names in Google Ads to populate the campaign field in Google Analytics automagically. Beware: Google Analytics will update the campaign field even retroactively if the Google Ads campaign names are changed. We therefore recommend to create guidelines for campaign naming across all paid media networks, including Google Ads, Facebook Ads, and that news website you have booked ads with, too. This essentially means, that you define a global name for your campaigns, and that same campaign name is then used for all media, manually by setting the utm_campaign parameter or automatically via Google Ads campaign names. A good naming convention for campaigns is as follows:


or a bit more machine-readable (this is useful for bigger marketing teams and marketing activities with dozens of different campaigns for filtering and automation):


utm_content: In Google Analytics, the content field is reserved for further information about the ad or text around the link that was clicked upon. This field is normally not set by Google Analytics, so it’s left for you to fill with information for your ad campaigns.

Are there UTM parameters in internal links on your website?

Sometimes a marketeer would like to know whether users have clicked on a specific button, teaser or other element on their journey to a key page. It is best practice to add a query parameter such as to such elements. These query parameters are then registered by Google Analytics as part of the page path of the pages visited by users. A marketeer can then filter user sessions by such a query parameter and determine what share of users have reached a key page via such elements.

Mistakenly, sometimes, UTM tags are used for such objectives. This is wrong and UTM parameters should be removed urgently from internal links when found.

Why is this so bad? The purpose of UTM tagging is to determine where user sessions on your website originate. UTM parameters on internal links overwrite this information, and it is lost forever. Campaign tracking will be wrong, as some of the user sessions that should belong to a campaign of yours will lose that attribution: the UTM source / medium tags on the internal link take precedence as soon as the user clicks it.
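Finding such links by hand is error-prone on a larger site, so here is an added example (not from the original post) of a small audit that parses a page's HTML, reports every internal link that carries utm_ parameters, and rewrites the offending URLs without them while keeping legitimate parameters such as the click-tracking query parameter recommended above. The host name and the HTML snippet are constructed for the example; relative links and absolute links on the site's own host count as internal, everything else is left alone.

```python
"""Find internal links that carry UTM parameters (they restart attribution in
Google Analytics) and rewrite them without the utm_ keys. Added example, not
from the original post; SITE_HOST and the HTML snippet are constructed."""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SITE_HOST = "www.example.com"  # assumed host name of the audited site

SAMPLE_HTML = """
<a href="/pricing?utm_source=homepage&utm_medium=banner">Pricing</a>
<a href="https://www.example.com/signup?via=hero-button">Sign up</a>
<a href="https://WWW.EXAMPLE.COM/blog?utm_campaign=spring">Blog</a>
<a href="https://www.facebook.com/example?utm_source=site">Our Facebook page</a>
<a href="mailto:hello@example.com">Mail</a>
<a href="/faq">FAQ</a>
"""


class LinkCollector(HTMLParser):
    """Collect href values of <a> tags in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_internal(href: str, site_host: str = SITE_HOST) -> bool:
    """Relative URLs and absolute URLs on the site's own host count as internal."""
    parts = urlsplit(href)
    if parts.scheme in ("mailto", "tel", "javascript"):
        return False
    return parts.netloc == "" or parts.netloc.lower() == site_host.lower()


def utm_params(href: str) -> List[str]:
    """Sorted list of utm_* parameter names present on the URL."""
    names = {k.lower() for k, _ in parse_qsl(urlsplit(href).query, keep_blank_values=True)}
    return sorted(n for n in names if n.startswith("utm_"))


def find_internal_utm_links(html: str, site_host: str = SITE_HOST) -> List[Tuple[str, List[str]]]:
    """Return (href, utm parameter names) for every internal link that carries UTM tags."""
    collector = LinkCollector()
    collector.feed(html)
    return [(h, utm_params(h)) for h in collector.hrefs
            if is_internal(h, site_host) and utm_params(h)]


def strip_utm(href: str) -> str:
    """The same URL with every utm_* parameter removed; other parameters keep their order."""
    parts = urlsplit(href)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not k.lower().startswith("utm_")]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    for href, names in find_internal_utm_links(SAMPLE_HTML):
        print(f"{href}  carries {names}  ->  {strip_utm(href)}")
```

The external Facebook link in the sample is deliberately left untouched: UTM tags on outbound links are someone else's attribution problem, not yours.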

Oops I did it all wrong. Can it be fixed?


Most Google Analytics data, including source, medium, campaign and content fields are immutable – this data cannot be deleted or changed in Google Analytics – for the rest of your life.

The only thing you can do is correct the wrong UTM parameters as quickly as possible to at least have correct acquisition data in Google Analytics in the future.


It’s best not to sway too much from the default Google Analytics way of classifying incoming user sessions with the source and medium dimensions.

When more than one person is involved in campaigning and online marketing activities, designate one person to have ownership of the UTM parameter setting process. This person should provide UTM parameters for any campaigning activities. Such central management of UTM tags make sure that Google Analytics doesn’t stop making sense without anyone noticing.

Check many different URLs in jenkins with a simple bash script for uptime monitoring

This is a simple script to check whether URLs are reachable over HTTP(S). This comes in handy, for example, when a project has many different (secondary) domains that redirect to the main domain: curl follows the redirects and the script checks the final response code. Because curl verifies TLS certificates by default, an expired or mismatched certificate on one of the domains shows up as code 000 and is reported as a failure, which is exactly what you want from a monitor. Jenkins marks the build failed on a non-zero exit status.



#!/usr/bin/env bash
# URLs to check. Placeholder values; replace them with the project's own domains.
urls=(
    "https://example.com"
    "https://www.example.com"
)
timeout=10   # seconds to wait before retrying a URL that did not answer 200
failed=0

# Print the final HTTP status code of a URL; -L follows redirects, so a secondary
# domain that redirects to the main site reports the main site's code. A DNS,
# connection or certificate failure yields 000.
check_url() {
    curl -sL --connect-timeout 20 --max-time 30 --max-redirs 5 \
        -w "%{http_code}" "$1" -o /dev/null
}

for i in "${!urls[@]}"; do
    url="${urls[$i]}"
    echo "Checking status of $url"
    code=$(check_url "$url")
    echo "Found code $code for '$url'"

    if [ "$code" = "200" ]; then
        echo "Website '$url' is online."
        continue
    fi

    # One retry, so a single transient error does not fail the whole build.
    echo "Website '$url' seems to be offline. Waiting $timeout seconds and retrying."
    sleep "$timeout"
    code=$(check_url "$url")
    if [ "$code" = "200" ]; then
        echo "Website '$url' is online after retry."
    else
        echo "Website '$url' is still unreachable (code $code)."
        failed=1
    fi
done

if [ "$failed" -ne 0 ]; then
    echo "Monitor finished with failures, at least one website appears to be unreachable."
    exit 1
fi

echo "Monitor finished, all good."
exit 0

Create a Google Account on your existing non-gmail email address

What?? Yes, it’s possible!

You can log into Google services like Google Drive or Google Photos with your existing or email address.

Some context: A Google Account and a gmail address are not the same thing. A Google Account is required to log into Google services such as gmail, google drive, youtube, etc. Login with Google even lets you use your Google Account (instead of a username and password) to log into third-party services that support it.

Note: When you create a gmail address a Google Account is automagically created with it.

Google lets you create a Google Account for any email address, specifically for your work address.

Why does it matter?

Other people might want to add you to Google services. If you don’t have a Google Account on your work address, these people will see this error, here is an example from Google Analytics:

It’s recommended to use your official work address for Google (and other) services you use for work, instead of your private (or secondary) gmail address. This way, system administrators can identify individuals when looking at a list of authorized users which increases security for everybody at your company. Nobody knows who is, but everybody can recognize

How? Here is how to create a Google Account with your non-gmail email address:

  1. Go to
  2. Click on Use my current email address instead
  3. Enter your official work email address
  4. Finalize the registration providing the required information

If Google complains that there is already a Google Account for this email address, then please click on Sign in instead and sign in, use the Forgot password? link to recover your password if necessary.

Now your work email address (respectively the Google Account attached to it) can be used by other people to add you to Google Services, for example Google Analytics.

Django and Security

Many people have asked me: Is django secure?

Luckily, django ships mitigations for the most common web vulnerabilities, so you don’t have to build them yourself. The protection is not unconditional, though: each of the features below can be switched off for a view, bypassed by reaching around the ORM or template engine, or undone by a careless setting, so you still need to know where the edges are. Here is a list of basic security features that django supports right out of the box.

  • Cross site scripting (XSS) protection: template auto-escaping. It does not cover strings you mark as safe (the |safe filter, mark_safe()) or HTML you assemble by string formatting.
  • Cross site request forgery (CSRF) protection: CsrfViewMiddleware and the {% csrf_token %} tag. Views decorated with csrf_exempt lose it.
  • SQL injection protection: the ORM uses parameterised queries. raw(), extra() and cursor.execute() with values interpolated into the SQL string are not protected.
  • Clickjacking protection: XFrameOptionsMiddleware sets the X-Frame-Options header.
  • Host header validation: requests whose Host header does not match ALLOWED_HOSTS are rejected (only enforced when DEBUG is False).
  • Session security: signed, server-side sessions with configurable cookie flags.
  • Note that CORS support is not built in; the usual choice is the third-party django-cors-headers package, and a permissive CORS policy undoes much of the CSRF protection for credentialed requests.

On top of this we lock down production deployments as follows (python manage.py check --deploy reports most of these settings for you):

  • Set SECURE_HSTS_SECONDS. If your entire site is served only over HTTPS, set a value to enable HTTP Strict Transport Security; start with a small value such as 3600 and raise it once you are sure every host is HTTPS-only. Be sure to read the documentation first: browsers cache the HSTS policy, so enabling it carelessly on a site that still needs plain HTTP locks users out until the policy expires.
  • SECURE_CONTENT_TYPE_NOSNIFF set to True, so your pages are served with an ‘X-Content-Type-Options: nosniff’ header. This prevents the browser from guessing (and possibly executing) a content type other than the declared one. It is the default since Django 3.0.
  • SECURE_BROWSER_XSS_FILTER set to True used to add an ‘X-XSS-Protection: 1; mode=block’ header. Modern browsers ignore that header and the setting was deprecated in Django 3.0 and removed in 4.0; rely on output escaping and a Content-Security-Policy instead.
  • SECURE_SSL_REDIRECT set to True. Unless your site should be available over both HTTPS and plain HTTP, either set this to True or configure a load balancer or reverse proxy to redirect all connections to HTTPS. Behind a proxy that terminates TLS you also need SECURE_PROXY_SSL_HEADER, or the redirect loops; only set it if the proxy strips that header from client requests, otherwise a client can claim to be on HTTPS.
  • SESSION_COOKIE_SECURE set to True. A secure-only session cookie is never sent over plain HTTP, so a network sniffer cannot pick it up and hijack the session. Leave SESSION_COOKIE_HTTPONLY at its default of True.
  • Set CSRF_COOKIE_SECURE to True. A secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.
  • DEBUG set to False in deployment, and ALLOWED_HOSTS set to the real host names (never ‘*’). Debug pages reveal settings, source and local variables.
  • X_FRAME_OPTIONS set to ‘DENY’. The default was ‘SAMEORIGIN’ before Django 3.0 and is ‘DENY’ since; set it explicitly, and only use ‘SAMEORIGIN’ if there is a good reason for your site to frame parts of itself.
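A stand-alone version of these checks, added here as an example and not Django's own code: it reimplements a subset of what python manage.py check --deploy reports so the checks can run in CI against a plain settings dict without importing the project, and it adds the per-worker cache check from the gunicorn/uwsgi post earlier on this page (a LocMemCache or DummyCache default with more than one worker, and a memcached LOCATION reachable from other hosts). Both settings dicts are constructed; the weak one is roughly what a fresh project runs with, the hardened one is the target, and its SECRET_KEY and SECURE_PROXY_SSL_HEADER values are placeholders for what you would read from the environment and confirm with your proxy setup.

```python
"""Audit a Django settings dict the way `manage.py check --deploy` does, plus
the multi-worker cache check from the gunicorn/uwsgi post above. Added example,
not Django's own code: it reimplements a subset of Django's deploy checks so
it can run in CI without importing the project. Both settings dicts are
constructed; the SECRET_KEY is a placeholder (read the real one from the
environment)."""
from typing import Any, Dict, List, Tuple

LOCAL_CACHE_BACKENDS = {
    "django.core.cache.backends.locmem.LocMemCache",  # per process, not shared
    "django.core.cache.backends.dummy.DummyCache",    # stores nothing
}
MEMCACHED_PREFIX = "django.core.cache.backends.memcached."
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

DEV_SETTINGS: Dict[str, Any] = {  # roughly what a fresh project runs with
    "DEBUG": True,
    "ALLOWED_HOSTS": [],
    "SECRET_KEY": "changeme",
    "SECURE_BROWSER_XSS_FILTER": True,
    "CACHES": {"default": {"BACKEND": "django.core.cache.backends.locmem.LocMemCache"}},
}

PROD_SETTINGS: Dict[str, Any] = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["www.example.com"],
    "SECRET_KEY": "0123456789abcdef" * 4,  # placeholder only
    "SECURE_SSL_REDIRECT": True,
    # only correct behind a proxy that sets X-Forwarded-Proto itself and strips it from clients
    "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
    "SECURE_HSTS_SECONDS": 3600,  # raise once every host is confirmed HTTPS-only
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "X_FRAME_OPTIONS": "DENY",
    "CACHES": {"default": {
        "BACKEND": "django.core.cache.backends.memcached.PyMemcacheCache",
        "LOCATION": "unix:/var/run/memcached/memcached.sock",
    }},
}


def _locations(value: Any) -> List[str]:
    """LOCATION may be a single string or a list of servers."""
    return [value] if isinstance(value, str) else list(value or [])


def check_production_settings(s: Dict[str, Any], workers: int = 1) -> List[Tuple[str, str]]:
    """Return (setting, problem) pairs; an empty list means the dict passed."""
    findings: List[Tuple[str, str]] = []

    def flag(name: str, msg: str) -> None:
        findings.append((name, msg))

    if s.get("DEBUG", False):
        flag("DEBUG", "must be False; debug pages leak settings and source")
    hosts = s.get("ALLOWED_HOSTS") or []
    if not hosts or "*" in hosts:
        flag("ALLOWED_HOSTS", "list the real host names; '*' disables Host header validation")
    key = s.get("SECRET_KEY", "")
    if len(key) < 50 or len(set(key)) < 5:
        flag("SECRET_KEY", "too short or too uniform (Django wants >= 50 chars, >= 5 distinct)")
    for name in ("SECURE_SSL_REDIRECT", "SESSION_COOKIE_SECURE",
                 "CSRF_COOKIE_SECURE", "SECURE_CONTENT_TYPE_NOSNIFF"):
        if s.get(name) is not True:
            flag(name, "should be True")
    if int(s.get("SECURE_HSTS_SECONDS", 0) or 0) <= 0:
        flag("SECURE_HSTS_SECONDS", "HSTS is off; start with a small value and raise it")
    if s.get("X_FRAME_OPTIONS") != "DENY":
        flag("X_FRAME_OPTIONS", "set explicitly to 'DENY'; the default depends on the Django version")
    if "SECURE_BROWSER_XSS_FILTER" in s:
        flag("SECURE_BROWSER_XSS_FILTER", "obsolete: browsers ignore the header, setting removed in Django 4.0")

    # Cache topology: Django's default backend is LocMemCache, which is private to each worker.
    default = (s.get("CACHES") or {}).get("default", {})
    backend = default.get("BACKEND", "django.core.cache.backends.locmem.LocMemCache")
    if workers > 1 and backend in LOCAL_CACHE_BACKENDS:
        flag("CACHES", f"{backend.rsplit('.', 1)[-1]} is per process; {workers} workers each see their own cache")
    if backend.startswith(MEMCACHED_PREFIX):
        for loc in _locations(default.get("LOCATION")):
            host = loc.rsplit(":", 1)[0].strip("[]")
            if not loc.startswith("unix:") and host not in LOOPBACK:
                flag("CACHES", f"memcached at {loc} has no authentication; use a unix socket or loopback")
    return findings


if __name__ == "__main__":
    for label, cfg in (("dev", DEV_SETTINGS), ("prod", PROD_SETTINGS)):
        print(label, check_production_settings(cfg, workers=4) or "OK")
```

Feed it the dict you get from `vars(settings)` in a deploy job, with `workers` set to the gunicorn or uwsgi worker count; a non-empty result should fail the pipeline.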

Additional Security Features

django features a range of third-party open source modules that improve security, for example access logging and application firewalling: