check their status – that “View Your Cart” button is all important. They should be able to review what they’ve selected at any time. Sub-totals w/o shipping are important as well. And don’t forget the ‘Check Out’ button so they can finish the purchase. And always, always, always, make sure they can finish the purchase whenever they want to. In other words, put a “Check Out” button on every page!
In addition, make sure that when they do check out they can select the shipping method and tell them clearly what it will cost. The three top shipping companies (in the US) have a variety of on-line tools to help you:
For UPS: http://www.ec.ups.com/
For FedEx: https://www.fedex.com/solutions/go/Overview?link=4#shipping
For USPS: http://www.usps.com/shipping/welcome.htm
It may sound overwhelming but with a little planning you can design a shopping cart that’s functional, quick, efficient, secure, and leaves your customer happy because they got in, found what they were after, bought it, and felt it was secure, fair and fast.
A Secure Server Certificate (SSC)
These prove you are who you say you are for the customer’s peace of mind. It isn’t really a certificate. What you actually get is a digital key that you install on your webserver for your domain. When someone views your ‘certificate’ they’re viewing the digital key that you installed. That key identifies whom the key is for (had better be you), the domain it was intended for (had better match your domain), who issued the key, when it was issued, and when it expires.
Companies I’ve worked with and found to be good: Verisign http://www.verisign.com & Thawte http://www.thawte.com. This is not an endorsement of them. I’m sure there are others.
You will need to generate a key to send to the Certificate vendor and they will in turn send you the matching key. Once you receive your Key, it needs to be installed on your webserver - your webhost may do this for you unless you have an Admin interface in which case you may (operative word) find you can do it yourself. If in doubt, ask your webhost to do it.
Some hosting firms offer a generic SSL Certificate but be careful of these. The CC statement the customer gets may have the webhost’s name on it for the transaction instead of yours. Number 1: that may confuse the customer; Number 2: it's bad for name recognition; Number 3: it looks cheesy. Spring the dough and get your own.
Learn more: http://www.thawte.com/html/RETAIL/ssl/index.html
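The key-generation step and the fields the article lists (who the key is for, the domain, the issuer, the dates) can be checked from a script rather than by eye. What follows is an added example for this article, not the author's code or any vendor's tooling: it drives the openssl command-line tool (assumed to be installed and on PATH) to create the private key and the CSR you send to the certificate vendor, reads the CN back to confirm it names your domain, and computes how many days a certificate has left so an expired certificate is caught by you rather than by your customers. The domain shop.example.com, the organisation name and the 90-day self-signed certificate are constructed for illustration; the self-signed certificate only exercises the checker, a real store needs a vendor-issued one.

```python
"""Key/CSR generation and certificate inspection via the openssl command-line
tool. Added illustration for this article; it is not the author's or any
vendor's code and assumes the `openssl` binary is on PATH."""
import datetime
import subprocess
import tempfile
from pathlib import Path

SHOP_DOMAIN = "shop.example.com"  # constructed sample domain


def run_openssl(*args: str) -> str:
    """Run one openssl subcommand and return its standard output."""
    proc = subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True)
    return proc.stdout


def cn_from_subject(subject_line: str) -> str:
    """Pull the CN out of a 'subject=O=...,CN=...' line (RFC 2253 form)."""
    _, _, subject = subject_line.partition("=")
    for part in subject.strip().split(","):
        if part.startswith("CN="):
            return part[len("CN="):]
    raise ValueError(f"no CN in subject: {subject_line!r}")


def make_key_and_csr(domain: str, workdir: Path, org: str) -> tuple:
    """Create the private key (stays on your server, never sent anywhere) and
    the CSR that goes to the certificate vendor. Returns (key_path, csr_path)."""
    key_path, csr_path = workdir / f"{domain}.key", workdir / f"{domain}.csr"
    run_openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
                "-keyout", str(key_path), "-out", str(csr_path),
                "-subj", f"/CN={domain}/O={org}")
    key_path.chmod(0o600)  # only the account running the web server may read it
    return key_path, csr_path


def csr_common_name(csr_path: Path) -> str:
    """Check the CSR names your domain before you pay for the certificate."""
    out = run_openssl("req", "-noout", "-subject", "-nameopt", "RFC2253",
                      "-in", str(csr_path))
    return cn_from_subject(out)


def cert_common_name(cert_path: Path) -> str:
    """The domain the issued certificate is for; it had better match yours."""
    out = run_openssl("x509", "-noout", "-subject", "-nameopt", "RFC2253",
                      "-in", str(cert_path))
    return cn_from_subject(out)


def cert_days_remaining(cert_path: Path) -> int:
    """Days until 'notAfter'; negative once the certificate has lapsed.
    Run this from a daily job and alert well before it reaches zero."""
    out = run_openssl("x509", "-noout", "-enddate", "-in", str(cert_path))
    # openssl prints e.g. "notAfter=Aug 10 11:38:00 2007 GMT"
    stamp = out.partition("=")[2].strip()
    not_after = datetime.datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z")
    not_after = not_after.replace(tzinfo=datetime.timezone.utc)
    return (not_after - datetime.datetime.now(datetime.timezone.utc)).days


def make_self_signed(domain: str, workdir: Path, days: int) -> Path:
    """A self-signed certificate is fine for testing your own tooling; the
    live store needs one issued by a vendor the browsers trust."""
    cert_path = workdir / f"{domain}.selfsigned.crt"
    run_openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes",
                "-keyout", str(workdir / "selfsigned.key"),
                "-out", str(cert_path), "-days", str(days),
                "-subj", f"/CN={domain}")
    return cert_path


def demo(domain: str = SHOP_DOMAIN, days: int = 90) -> dict:
    """Whole round trip in a scratch directory; returns what a checker would log."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        _, csr = make_key_and_csr(domain, workdir, org="Example Shop")
        cert = make_self_signed(domain, workdir, days)
        return {
            "csr_cn": csr_common_name(csr),
            "cert_cn": cert_common_name(cert),
            "cn_matches_domain": cert_common_name(cert) == domain,
            "days_remaining": cert_days_remaining(cert),
        }


if __name__ == "__main__":
    print(demo())
```

The private key never leaves the server: only the CSR is sent to the vendor, and what comes back is installed next to the key you kept. The days-remaining check is the piece worth scheduling; point it at the installed certificate and have it mail you when the figure drops below a few weeks.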
A Secure Socket Layer (SSL)
SSL is a protocol that provides privacy and reliability between two communicating applications. Privacy is achieved using encryption after the initial handshake, which establishes the private (secret) key used for the session.
Learn more: http://wp.netscape.com/eng/ssl3/draft302.txt
And: http://developer.netscape.com/docs/manuals/security/sslin/contents.htm
A Secure Protocol (HTTPS)
After the servers have agreed on what secret code to use, the rest of the conversation between them occurs naturally but is encrypted. You invoke SSL by calling a URL with HTTPS instead of HTTP. Test and retest this before you publish your cart.
Make sure each and every page the customer goes to, from the time you ask them to supply their info right up to and including the page that provides the confirmation and a printable receipt, is secured. Make sure any data you keep on your server is encrypted as well. Some data is necessary for sales reporting but secure it!
Security isn't necessary, however, until the customer is giving you their private information. The form(s) where they tell you who they are, where they live, their shipping address, contact info and CC# should all be protected by an SSL transaction.
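One way to guarantee that every page of the checkout flow is served under HTTPS, instead of relying on each link being typed correctly, is to enforce it in the application. The following is an added example for this article, not the author's code: a small WSGI middleware (Python's standard web-server interface) that redirects plain-HTTP GET requests for protected paths to the HTTPS URL and refuses non-GET requests outright, so a card-number form can never be accepted over a clear-text connection. The path prefixes, the host name shop.example.com and the stand-in shop_app are constructed for illustration; the make_environ and call helpers exist so you can test and retest the rules before the cart goes live.

```python
"""WSGI middleware that keeps the checkout flow off plain HTTP.
Added example for this article, not the author's code; the path prefixes
and host name are constructed for illustration."""
from urllib.parse import quote

SHOP_HOST = "shop.example.com"   # your own canonical host name (constructed)
# Every page from the customer-details form through the printable receipt,
# plus the admin interface, must only ever be served over HTTPS.
PROTECTED_PREFIXES = ("/checkout", "/account", "/receipt", "/admin")


def is_protected(path: str) -> bool:
    """Exact match or a sub-path of a protected prefix ("/checkoutx" is not)."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def request_is_https(environ: dict) -> bool:
    """Use the server's own idea of the scheme; a client-supplied header such as
    X-Forwarded-Proto is only trustworthy behind a proxy you control."""
    return environ.get("wsgi.url_scheme") == "https"


def https_url(environ: dict) -> str:
    """Rebuild the request URL on HTTPS, always on our own host, so the redirect
    cannot be steered elsewhere by whatever Host header the request carried."""
    url = f"https://{SHOP_HOST}{quote(environ.get('PATH_INFO', '/'))}"
    query = environ.get("QUERY_STRING", "")
    return f"{url}?{query}" if query else url


def require_https(app):
    """Wrap a WSGI app: protected paths over HTTP are redirected (GET/HEAD) or
    refused (anything else, so submitted form data is never accepted in the clear)."""
    def middleware(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if is_protected(path) and not request_is_https(environ):
            if environ.get("REQUEST_METHOD", "GET") in ("GET", "HEAD"):
                start_response("301 Moved Permanently",
                               [("Location", https_url(environ)),
                                ("Content-Type", "text/plain")])
                return [b"Redirecting to the secure checkout.\n"]
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Checkout pages are only served over HTTPS.\n"]
        return app(environ, start_response)
    return middleware


def shop_app(environ, start_response):
    """Stand-in for the real cart: just echoes the page requested."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"page {environ['PATH_INFO']}".encode()]


def make_environ(scheme: str, method: str, path: str, query: str = "") -> dict:
    """Minimal WSGI environ for testing the rules before the cart goes live."""
    return {"wsgi.url_scheme": scheme, "REQUEST_METHOD": method,
            "PATH_INFO": path, "QUERY_STRING": query,
            # a stray Host header must never be echoed into the redirect
            "HTTP_HOST": "some-other-host.example"}


def call(app, environ: dict) -> tuple:
    """Invoke a WSGI app and collect (status, headers dict, body bytes)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


secure_app = require_https(shop_app)

if __name__ == "__main__":
    for scheme, method, path in [("http", "GET", "/catalog"),
                                 ("http", "GET", "/checkout/address"),
                                 ("http", "POST", "/checkout/payment"),
                                 ("https", "POST", "/checkout/payment")]:
        status, headers, _ = call(secure_app, make_environ(scheme, method, path))
        print(scheme, method, path, "->", status, headers.get("Location", ""))
```

The catalogue stays reachable over plain HTTP, matching the article's point that security is only needed once private information is in play; everything from the address form to the receipt, and the admin interface, is forced onto HTTPS.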
A Merchant Account
You’ll need one of these to accept Credit Card payments. Merchant accounts are accounts that accept and hold credit card transaction monies. These accounts can be established through merchant service providers (MSPs) such as banks or via independent service organizations (ISOs).
Learn more here: http://ecommerce.internet.com/news/insights/econsultant/article/0,,9571_208591,00.html
A Transaction Processor (Payment Gateway)
The transaction processor is the one who actually processes the Credit Card transaction on your behalf. Some are better than others and prices are all over the place.
It's not unusual that there are a handful of fees. Be sure you're clear on what they are before you purchase. The typical fees include some sort of set up fee. This is usually a one-time fee. The next fee will be your monthly fee. Now it's not uncommon for the fees to be based upon services you've asked for - à la carte. You pick and choose what you want and the fee is the sum of the services you chose. Look for and be sure you understand if the monthly service fee is a flat fee or a percentage of sales or some combination of both. Make sure you learn where the break points are for the price changes which are often based upon either $$ sold or quantities sold. DO YOUR HOMEWORK! I can't stress this enough. Check out a bunch of these folks and compare them apples to apples.
I’m not going to name names for you but if you do a search on terms like “credit card transactions” or “accept credit cards” you will get more than enough to sift through.
In some cases, you can get both a merchant account and transaction processing services from the same organization. Be careful of pricing! Make sure you understand what you’re agreeing to before you sign.
A Secure Database
This is essential for tracking customer information. Encrypt the data. Keep the database out of the website folder(s). There are many tricks to writing code to interact with the database so that it is darn near impossible for a hacker to get at the database. This is THE NUMBER ONE SECURITY RISK. Protect your clients' data and yourself (from lawsuit and financial ruin).
Learn more: http://www.webmasterworld.com/forum10/1406.htm
If using MySQL: http://www.mysql.com/doc/en/Security.html
And: http://www.mysql.com/doc/en/Miscellaneous_functions.html
A Financial Tracking Tool
You need something at home/office to track all of the sales you’re making. I’m not going to say much other than make it easy on yourself and use one that will import data in a standard file format like ASCII comma delimited text or some such. Then use your programming skills to write code to export financial data from your web database. These tools are invaluable if you know how to use them.
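The two sections above, the secure database and the export to your financial tool, fit in one small module, so the following added example serves both. It is not the author's code; the table layout, the sample orders and the sqlite3 in-memory database are constructed for illustration, and the real file would live outside the web root. It shows the single most important trick for keeping a hacker out of the database through the website, parameterised queries, by putting the vulnerable string-pasting lookup next to the corrected one, and it writes the comma-delimited export the article recommends. As a design choice of this example rather than a recommendation from the article, the full card number is never stored at all: only the last four digits and the transaction processor's reference go into the database, which sidesteps the question of encrypting it.

```python
"""Order store for the cart: parameterised queries, card data kept out of the
database, and a comma-delimited export for the accounting package.
Added example for this article, not the author's code; table layout and the
sample orders are constructed for illustration."""
import csv
import io
import sqlite3

# Keep the live file outside the web root, e.g. /var/shopdata/orders.db rather
# than anywhere under the document root, so the web server can never serve it.
DEFAULT_DB = ":memory:"  # in-memory here so the example runs stand-alone


def open_store(path: str = DEFAULT_DB) -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS orders (
        id INTEGER PRIMARY KEY,
        email TEXT NOT NULL,
        order_date TEXT NOT NULL,
        amount_cents INTEGER NOT NULL,
        card_last4 TEXT NOT NULL,
        gateway_ref TEXT NOT NULL)""")
    return conn


def record_order(conn, email, order_date, amount_cents, card_number, gateway_ref):
    """Store what reporting needs and nothing a customer would regret losing:
    the full card number never reaches the database, only its last four digits
    and the transaction processor's reference for the charge."""
    cur = conn.execute(
        "INSERT INTO orders (email, order_date, amount_cents, card_last4, gateway_ref)"
        " VALUES (?, ?, ?, ?, ?)",
        (email, order_date, amount_cents, card_number[-4:], gateway_ref))
    conn.commit()
    return cur.lastrowid


def orders_for_customer_unsafe(conn, email):
    """The 'before': pasting input into SQL lets the input rewrite the query,
    so a crafted e-mail address pulls back every customer's orders."""
    sql = "SELECT id, amount_cents FROM orders WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def orders_for_customer(conn, email):
    """The fix: bind parameters; the driver passes the value, never SQL."""
    return conn.execute(
        "SELECT id, amount_cents FROM orders WHERE email = ?", (email,)).fetchall()


def export_orders_csv(conn) -> str:
    """Comma-delimited text the finance tool can import; amounts in dollars."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["id", "email", "order_date", "amount", "card_last4", "gateway_ref"])
    rows = conn.execute("SELECT id, email, order_date, amount_cents, card_last4, "
                        "gateway_ref FROM orders ORDER BY id")
    for oid, email, day, cents, last4, ref in rows:
        writer.writerow([oid, email, day, f"{cents / 100:.2f}", last4, ref])
    return buf.getvalue()


def demo() -> dict:
    """Seed constructed orders, contrast the two lookups, and export."""
    conn = open_store()
    # constructed sample data; 4111... is the usual test card number
    record_order(conn, "ann@example.net", "2006-08-10", 1999, "4111111111111111", "TX-1001")
    record_order(conn, "bob@example.org", "2006-08-10", 4550, "4111111111111234", "TX-1002")
    record_order(conn, "ann@example.net", "2006-08-11", 750, "4111111111111111", "TX-1003")
    crafted = "nobody@example.com' OR '1'='1"   # the classic injected value
    return {
        "ann_orders": len(orders_for_customer(conn, "ann@example.net")),
        "unsafe_leaks": len(orders_for_customer_unsafe(conn, crafted)),
        "safe_matches": len(orders_for_customer(conn, crafted)),
        "csv": export_orders_csv(conn),
    }


if __name__ == "__main__":
    result = demo()
    print("unsafe lookup returned", result["unsafe_leaks"], "rows;",
          "parameterised lookup returned", result["safe_matches"])
    print(result["csv"])
```

The export contains nothing that would hurt a customer if the spreadsheet were lost, which is the same standard the article sets for the confirmation e-mail later on. Apply the parameterised form to every query the website runs, not only the lookup shown here.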
Privacy & Security Policies
Make sure you have published policies for both of these. The Privacy Policy tells the customer what information you gather and what you do with it. DO NOT LIE NOR FIB NOR MISLEAD or thou shalt be struck down by lightning - or the IRS.
Tell them the truth. If you sell their name to other vendors say so. Give them the chance to Opt out – in fact – make it the default. Your customers are smart people and will find out if you’ve been dishonest (not that you would). If you’re honest with them, they will appreciate it. Make this Policy available on every page – many websites have it in the footer.
Learn more: http://www.privacyalliance.org/resources/ppguidelines.shtml
The Security Policy should tell the customer exactly how you protect their private information. You don’t need to tell them about how SSL works but you should tell them that their Credit Card transaction with you is protected by “enter SSC issuer here” and their private information is encrypted and kept safely and securely for their safety (and yours). Make this policy available on any page you secure and any page that leads to a secured page.
Learn more: http://www.sans.org/newlook/resources/policies/policies.htm
And most important – A Satisfied Customer
It’s all about customer satisfaction. People shop on the Internet to cut costs, save time and to track down hard to find specialist goods or services. They use the Internet to do research on goods and services too. Hmmm… what do you think would make a store successful? How about providing excellent product/service information with a quick, efficient, and secure way to purchase it?!
How the Cart actually works and the process for checkout is what makes the customer's experience positive or negative. The most successful on-line transactions are those that allow the customer to choose what they want, pay for it in a quick and efficient manner, take great pains to make sure the customer knows the transaction is secure - and is, and makes sure the customer feels good about the transaction.
The Transaction: You have control over what the customer experiences on-line. But after the sale is done make sure the customer remembers you in a good light. Make sure you inform the customer what to look for on their monthly CC report when you give them their order confirmation - i.e., what company name will appear on the statement.
Follow up with the customer
Follow-ups are a nice way to say "I value your input." Give your customers the opportunity to critique you. If they don’t, don’t worry. The simple fact that you asked lets them know you’re serious about ensuring their satisfaction – they will appreciate it even if they don’t show it. If they do, you'll most often get some good insight.
Some customers may vent or you may get some wisecrackers - but always try to see through the emotional crap and find the message they're trying to deliver. Put on your "solutions provider" hat and put yourself in their shoes. Determine what went wrong, what you can and will do about it, and then do it. When it's done, let them know about it. This doesn't mean you have to make changes every time someone complains. You have the final decision - all I'm saying is consider their point and then be fair.
Make sure the customer receives an email verification that acknowledges that they purchased X,Y,Z from You on This Date, for This Amount. NO mention of CC numbers, account numbers. Keep the personal information to a minimum – name and address.
And while it may be obvious – make sure you deliver the product/service when you said you would for the price you told them. Hidden costs and delayed deliveries can kill a business. It is better to tell the customer it will take 2 weeks to deliver and have it there in 1 than it is to say 1 week and be even a day late!
Also, be sure to have an established policy and mechanism for handling returns, rejects, and disasters. Successful companies have been brought to ruin because they had no plan to handle disaster. What is a disaster? Take for example, your SSL Certificate becomes outdated and no one noticed until customers called and complained; or someone DOES hack into your database and steals your customers’ private info. Your preparedness (or lack of it) for the worst-case scenario could be your failure – or your path to success.
BTW - for more information on Credit Card Fraud: http://www.scambusters.org
And: http://www.fraud.org/welcome.htm
Final Thoughts:
Do NOT use email to transmit a customer’s personal information – EVER! Perform all verification and approvals on your website under the SSL’s protection. If you must send email – send only the bare minimum of information.
If you write an Administrative interface – use SSL to secure it. Whatever financial information you see can be nabbed while you're working so wrap it up in SSL.
Additional Resources:
http://www.webmasterworld.com/forum23/1015.htm
http://www.fidelityatwork.com/servlet/HelpServlet?site=netbenfidelity&page=links
Feel free to add to or disagree with what I've written but let's make the web a secure place to shop and do our business.
[edited by: lorax at 11:38 am (utc) on Aug. 10, 2006]