Question for the e-commerce pros

Hi all,
Im a webmaster venturing into my first e-commerce site (outside of PayPal). The customer I'm going to do this for is most likely not going to be doing over $1000.00 a month for some time so I think that 2CO, PayQuake or similiar will do just fine (unless I hear otherwise...hint hint) . I have two questions though:

1. The customer sells food items of various weights. How do I calculate their shipping costs for various products? Do you calculate an average? Or is it based on the cost of the item? This is for domestic shipping only (US).

2. The customer already has a POS system with a keyed entry pad for CC processing. Technically it would seem feasible that I could write a PHP script to email the data to them, thereby eliminating gateway/merchant fees. I'm concerned obviously about the security of this. What are the security holes in this method? Is it a viable method or is this looked at as bad business practice?


Thanks Prior for your advice. Thank heavens for this forumn or I'd be lost in a sea of mis-information.

LiquidD

I would be very wary of sending CC information "in the clear." That is, in plaintext format (a.k.a. not encrypted). The only way I would consider doing this is if the email is sent over SSL or encrypted in some way. Sure, chances are still relatively slim that the information will be stolen, but it's definitely better to be safe than sorry when it comes to sensitive information. I know that I would be mad as hell if this happened to me in this way--I would think it was because of irresponsible and incompetent "computer experts!"

But generally, you should be aware that most email is sent as plaintext.

Hello LiquidD,

If you are only interested in domestic shipping for products of a certain weight, an average charge may be an option. You would want to figure out the most it would cost to ship your largest item the farthest distance, as well as the cost of shipping that item to the nearest distance. Averaging these two will likely give you a good esitmate, and make sure that you recieve enough to cover your shipping
on the whole. As the business progresses, you (or your customer) will soon see if any trends arise, like if you ship to one location frequently, that would alter your average shipping cost. Another alternative might be to find a service like our own that can communicate with UPS, or USPS to return an actual calculated value based on weight and location/destination ZIP codes.

I would definately also agree that an application sending credit information over any type of unsecured link would be frowned upon. Not only can this look unprofessional, but as you probably understand, can definately leave the information open to be stolen. Some form of Secure Socket Layer encryption is a must when it comes to hosting, and retrieving credit information over the net.

There are definately some expensive options on the internet these days that take care of all of this, however, you might be surprised to find that some options may not be as expensive as you think. Give me a shout at [email protected] if you would like to discuss some of the possibilities that I have encountered in terms of merchant accounting solutions, and e-commerce solutions :)

You can use something like the tools UPS uses to let web applications get shipping prices real time from them for the shipping. The website UPS has for putting this together is here and you might also have your client read this.

If you want to e-mail credit card data I would suggest finding a way to send it securely. I know a site that does this for its customers contact the folks at GMA Games and ask them if they can suggest how to do it, or maybe you could see the program they use.

HTH,

Stick with the offline POS. It will save you time, sales, money and headaches. One of my biggest clients has been doing it this way for years, and it's a dream to do it this way. There is actually less fraud, less failures, less customer complaints this way than using a online gateway.

I know this goes against the conventional wisdom, but I've tried both and this way works 100 times better.

Obviously you need to encrypt and secure the process, so use a developer and programmer who knows what they are doing.

If you get an SSL cert for your client you should be able to use this script to securely store the CC info in a data file inside the
cgi-bin. Then your client can just download the file and process the orders offline using the POS.

The program is called Master Form v3 and is sold at WillMaster.com.

Wow. Lots of options. Thanks for all your help. I will be researching all of your recommendations and asking more questions when I'm more prepared. Thanks again!
LiquidD

My advice would be to find a solution that connects directly to USPS or UPS to capture the actual shipping rates. People that get stung on shipping rates typically won't return to shop with you again.

CC processing is handled in various ways, however, according to MasterCard and Visa Internet orders should be handled online. Additionally, it is a security violation to store the CVV2 codes on any computer system. Those codes are security codes to protect the cardholder and the merchant. By taking the credit card information online and processing offline, you break the security you could have by handling cc processing online.

There are many merchant account sales people, but rarely do you find someone that actually has a direct connection to the processor. There are a few processors and one of those is First Data. Due to a unique situation, I've found a connection to First Data through an organization I associate with. That organization is http://www.emerchantsgroup.com. The rates are really good. If it is not an imposition and just for tracking of where the referral came from (I don't get paid) please say that Apple Pie Shopping Cart referred you.

I worked with a customer who had weight-based food products, and they were set up with MIVA merchant, which has a weight/postage feature built in. I can't say I liked MIVA overall (too difficult to customize), but it might offer a quick solution to a complex problem.

The thing to remember about many shopping cart systems is that many search engines can't index all the pages within a site. I've studied this issue for many years while doing research and development for my shopping cart. Until ALL search engines are able to go inside cgi directories, traverse sites with ? and & in the URLs and any other garbage it is highly recommended that you find a system that works properly from the word "go".

Apple Pie is absolutely right about the search engine problems. There are ways around the ? and & url problems, such as scripts and programs to rewrite the urls, but again if you can avoid these and get it right from the start you'll have greater success.

Avoiding those problems was a goal of mine when developing Apple Pie (search engine friendly) Shopping Cart. I succeeded in reaching this goal and the apple pie shopping cart is now presenting a data base driven website as if all pages are static pages.

There are no duplicate pages and all the other problems of site administration has been made extremely easy. Basically, if you can use Windows you can use my Apple Pie. It is truly as easy as apple pie.

If you have questions feel free to contact me.

Hey all,
Thanks for the info. I've dove in to all the suggestions and come up with the plan of action.

1. Well, as much as I'd like to save the customer money I think that isolating them from the CC information may be the wisest idea (email or otherwise). They are not terribly tech-savvy and I can just imagine the headaches. So, I'm going to use a gateway/merchant service for now. Regardless of their POS system (which is now infected with viruses since they weren't protected..ugh..)

2. The Shipping was a big concern for me. Thanks rdlynch for the info on that. I'm glad that UPS incorporates such features for e-commerce. So I'll have them (the end user) register with UPS and I'll get to play with some new toys...errrr tools.

3. I host the sites on my own server (PHP, MySQL) so I'll be using those technologies to dynamically serve up the content. Apple Pie you have a very valid point about search engine placement. I'm going to use several non-php pages to bump up their rankings for now (I use WebPosition Gold to aid in that dept.)

Now one last question on the gateway/merchant accounts. Are most of them fairly easy to POST the data to? When I used PayPal I simply sent several variables (ID, cost, description) to a cgi/bin which took care of the tallied costs, cart etc. Will it be pretty much the same for 2CO or PayQuake? Or do they receive their information differently?

Again, Thanks to all you e-commerce pros. You have been such a great help. I owe you all a beer.

LiquidD

Hello,

Actually most of the gateways like 2co, paysystems, authorize.net, etc. all let you pass values from your site to their applications.

With someone like 2co the client could enter their details and choose the products they want from your application and then they would enter their cc info on the 2co website.

You would pass all the values in of course.

I actually found paysystems http://www.mypaysystems.com/ to be the easiest for doing this.

With a real-time gateway like authorize.net the customer stays on the company site they are buying from. You would just need an SSL cert, and be able to use php to program into the authnet gateway.

I forget what authnet calls the system they use.

HTH,