Excellent post and very informative except that I have personally had a bad experience with PayPal, and the result is that I will never use them again for anything, including purchases from already established sites.
There are others, including 2Pay which I will use.
The whole post is spot on though.
Hey Nancy... no problem with the "rant"!!
I've also dealt with many posts asking how to create this or that type of shopping cart. Will this work or that?
About the only addendum I would like to add to your excellent post is that when choosing a shopping cart... you SHOULD START at your BANK and work backwards to the Web site.. not the other way around!
So in other words... don't just choose a third party shopping cart and expect your bank to accept your choice!!
Most major third party shopping carts require that you first have a "Merchant Account" at your bank. Your bank will NOT allow that shopping cart to directly connect into it (gee... I wonder why). Each bank will have an approved "gateway" that they use as an interim connection between the shopping cart and the bank. For example:
but each "gateway" only approves/works with certain third party shopping carts.
So I'd recommend that clients wanting to create a "Shopping Cart" ALWAYS start at their bank and THEN work backwards to their Web site. If a "Merchant Account" is too much... then go PayPal or some non-direct link to your bank. But if the object is to process credit cards and deposit into your bank account (which means you need a Merchant Account)... then you had better start at your Bank and end up at your Web site... NOT the other way around.
Another good point! It would seem foolish to invest $300 in Cartweaver, learn the PHP or ASP back end of it, set the whole site up, get an SSL certificate, and put everything to the server... only to discover that your business CAN'T do business... with your financial institution that is.
There should be a FULL tutorial out there somewhere that covers all the bases of starting an e-store, not only from a HTML standpoint, but commercial, legal and financial as well.
The idea that someone can go buy Dreamweaver (or worse yet, only download a 30 day trial) and "voila!" they're an instant webmaster, is as foolish as thinking that buying a ticket on a cross-country flight will make someone a pilot.
Thanks Curtis, Adninjastrator and PZ for your constructive input. All excellent points.
<Start with the bank>
Absolutely. Especially if the Merchant already has POS (Point of Service) -- a brick & mortar shop where the credit card user is standing in front of him.
On-line Merchants need a CNP (Card Not Present) account. Fees for CNPs are somewhat higher owing to greater risk of fraud & charge backs on the internet.
POS Merchants have a Gateway to process credit cards. A physical terminal or box is connected to a phone line or internet cable and used at checkout to approve or decline purchases on the spot. Similarly, on-line Merchants need an internet Gateway to approve or decline purchases. Often the same Gateway company can provide both services.
Finally, On-line Merchants need a Shopping Cart that is compatible with their internet Gateway's protocol.
As PZ said, any shopping cart can collect order details. But only a PCI compliant cart can collect customer data (card holder's name, address, credit card # & expiration date). The level of encryption required for this standard is very high to safeguard customer data as it's being collected, stored and transmitted to the Gateway.
I prefer to hand off customers to a secure payment processing agent like https://PayPal or https://Authorize.net for order completion. It costs a little more but it's much safer for me as a web developer and the site owner who is ultimately responsible for protecting his customer's data. Unless you really know what you're doing, it's much better to let the experts handle this step.
@Curtis, I've had good experiences with PayPal. But other options are good to know about. Especially for non-profits who may not be able to use PayPal. Please post any others you've had good experiences with.
I like to work with 800cart.com
They have a really user friendly setup, and 24/7 live phone or chat support for integration or billing questions/problems.
I have done several stores and they're all mounted on Secure servers. I have had several clients of mine request that they receive an email of the credit card number being used in payment. No Thank You! I won't do that. "But what if their card doesn't go through?" Then they'll telephone you if there is a problem. And you can use your terminal or wait for a check to clear.
I do not store any credit card data on my servers. Period. Credit card numbers are destroyed after the session, as well as all other information pertaining to the session. If their own web browser is set up to autofill stuff, that is their own issue.
All servers doing financial transactions have security certificates. All information that might have something to do with a financial transaction, password, etc. is encrypted.
Unfortunately, it's not enough just to have a security certificate on your servers. If customers enter cc data on your domain, then it has to be PCI compliant.
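To make the two points above concrete (the merchant site should only ever hold the processor's reference and last four digits, and card numbers must never end up in an e-mail or log), here is an added example that is not code from the thread or from any product mentioned in it. The order fields, transaction reference and sample note are constructed for the demo.

```python
import re

# 13-19 digits, optionally separated by spaces or dashes (constructed pattern).
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_valid(digits: str) -> bool:
    """Luhn check: true for strings that are structurally valid card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def redact_pans(text: str) -> str:
    """Mask anything that looks like a card number, keeping only the last four."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)               # order ids etc. that fail Luhn are left alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(mask, text)

# Fields that must never reach the merchant site when checkout is handed off.
FORBIDDEN_FIELDS = {"card_number", "cvv", "expiry"}

def merchant_notification(order: dict) -> str:
    """Build the e-mail the site owner receives after a hosted-checkout payment.
    The order carries only the processor's transaction reference and the last four
    digits; if raw card data somehow reached the server, refuse to build the message."""
    leaked = FORBIDDEN_FIELDS & set(order)
    if leaked:
        raise ValueError(f"card data must not reach the merchant site: {sorted(leaked)}")
    body = (f"Order {order['order_id']}: {order['amount']} {order['currency']}\n"
            f"Processor ref: {order['txn_ref']} (card ending {order['last4']})\n"
            f"Customer note: {order.get('note', '')}")
    # Defence in depth: a card number typed into a free-text field is still masked.
    return redact_pans(body)

if __name__ == "__main__":
    # Constructed sample order, as a hosted checkout would return it.
    sample = {"order_id": "A1001", "amount": "49.00", "currency": "USD",
              "txn_ref": "TXN-DEMO-001", "last4": "1111",
              "note": "please retry my card 4111 1111 1111 1111 if it fails"}
    print(merchant_notification(sample))
```

The Luhn test keeps ordinary 16-digit order or tracking numbers from being masked by accident; a real deployment would run the same redaction over every log line and outbound message, not just this notification.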
Handing off all the transaction to a payment provider doesn't have to interrupt the flow of the checkout, nor introduce the payment provider's branding. For a seamless transaction for the customer (read... better completion rate), check out mijireh.com. It looks as though they are initially a WordPress only solution, but they have an API for integrating with other solutions.
Your design, Our security
If you decide to use Shopify I recommend you set up an affiliate program to get more sales. I use OSI Affiliate Software http://www.osiaffiliate.com it is called, but there are other solutions out there.
I'm not sure if this is the right thread to post on. I am trying to add secure forms to my website; they are opting into a company donation so it will have personal information on the form (i.e. social security #). I have a fillable form but I want their personal information to be protected!!!
Don't do it. It's too risky. Set up a PayPal account to accept donations. And I fail to see why anybody would want to give out their Social Security #. The potential for identity theft makes my skin crawl.
When major companies are breached like my health insurance provider was recently, they pay for it. In my case, they have to pay a service like LifeLock for 2 years x each member who's info was compromised. Can you afford that?
We have a PayPal but this is different. I think the best way is for them to print off the form and submit it through paper. Thank you!