|Hosting and accepting credit cards|
Accepting that is...
I'm setting up a site for a customer which includes accepting credit cards. We started down the PayPal route, but the customer was not happy with the PayPal redirect; the Pro version also requires that a PayPal checkout button is placed, so there is no difference between Pro and free from his perspective.
I've set up a pretty solid checkout. I'm not storing CC #'s in the database, only shipping addresses if the customer chooses, and I might even drop that option as well after doing some digging on PCI compliance.
My question is with hosting. The customer is hosted at GoDaddy. When I look at the PCI compliance document, most of the certification areas are related to things I have no control over, and are in GoDaddy's court. I have tight code, will be using SSL, etc. How do I certify the things that are in the host's control? This isn't a large business venture, so anything more expensive than shared hosting is out. The price for a merchant account and gateway is pushing the cost threshold as it is.
GoDaddy offers turnkey shopping carts for shared hosting, so they must be PCI certifiable, right?
No, I'm pretty sure shared plans can't be made PCI compliant, by nature of having control over the environment, which you don't on shared servers.
The sure-fire answer: ask them; they actually pick up the phone when you call.
You can make their dedicated servers PCI compliant, and need the assistance of an awesome system admin to address system issues, but it can be done. The Virtual Dedicated (Virtual Private, they call it) I doubt you'd be able to make PCI compliant as you don't have root, but maybe you can.
This seems to leave me and my client with a huge, expensive problem. More expensive than the revenue generated for the first year would probably cover. So what, is PCI compliance set up to knock all the little guys out of the market?
PCI compliant shared hosting exists. I know of at least one host with a good reputation which is offering PCI compliant business-class shared hosting, albeit at a price 3-5 times standard shared hosting but still cheaper than a VPS.
I spent 6 hours last evening looking for a host. Not a one. Well, there were some: specialized business services for level 1 merchants starting at $400-600 a month. But realistically, he's using GoDaddy for under $10 a month. If I can get $30-40 out of him a month I'd be lucky. I guess we'll just have to see how long we can fly under the radar.
Contrasted with your other thread (which I don't have a good answer for ATM), are you being paid for this research?
If a client is too tight to shell out more than $10/month for a PCI compliant host, why the h*** are you doing all this footwork for him/her?
There comes a point in any developer's career at which you must separate your internal motivations from reality. What I mean is, you want to make this work for them, you want it in your portfolio, you want to build your reputation - these are internal motivations.
The reality is, this client doesn't have the budget to "do it right" and is pressuring you to find a solution for him or her. Why then, does finding a "workaround" become your job?
There may be PCI compliant solutions as suggested (I know of none) but this reveals a little more than you want to know. Say you find one, you get all that set up. For a serious solution, shared hosting will present many other limitations and problems that are going to keep coming back to haunt you.
Then off you go on a goose chase, trying to make it right, when it's not your problem. It's this client's problem, don't work for free or less than your time is worth.
I may be off mark here, sorry if I am, but too many developers assume responsibilities that are not theirs. I have this problem myself . . . and have a wife that kicks my patootie when she catches me at it.
Cart32: look into them. They are 49 a month, and the cart is PCI compliant, so it will be OK. Easy to use - PayPal can be added, Google Checkout can be added, and it fits her budget.
I am not 100% sure, but I believe I remember you need to reach a certain processing amount before you are notified of this requirement to be tested.
I wish I knew how to quote replies here. It became my job when I told him he would receive a solution with CC processing and be up and running for such and such a price. Based on my competition, this is the way I find best if I want to keep getting work.
It's been about 5 years since I've done a credit card processing page, since most folks go with PayPal anymore. If you can code properly, common sense goes a long way to make your page and checkout tight.
But now I have to manage hardware? That would put me out of business, let alone the customer/merchant, for the extra time involved. That's a lot of work and logs and scanning, to still have a good chance of being hacked by some super geek hacker. Hosting companies need to provide some mid-level solution, or we're all going under, with the exception of the large companies that have the cash to play the game.
I can't go with a standard cart. That would be so cheesy and awkward with this particular app I'm working on. If I could embed the payment portion in my page, that would be about as low as I could go with this one.
|I wish I knew how to quote replies here. |
You do it like this: wrap the text you want to quote in these tags [quote*]I wish I knew how to quote replies here.[/quote*] but remove the * from each.
You'll find all the tags and how to apply them here [webmasterworld.com]
|It became my job when told him he would receive a solution with cc processing and be up and running for such and such a price. |
If there was any mistake made, this was it. However, it's never too late to say "I was wrong, and to do what you want we're going to have to go in another direction."
I'm going to go off topic a bit, as I think this leads to something important for you.
|Based on my competition, this is the way I find best if I want to keep getting work. |
Hence, the downfall of most developers and providers. Myself being one, I can tell you, not only is this false, it traps you into a treadmill: always keeping up with the Joneses. Second to "question everything," another good one to live by is never allow your directives to be driven by your competition. Not in what skills you learn, not in the way you operate, and especially, particularly, and absolutely, never in your pricing.
Let me give you a scenario: I am a provider on a particular site that is well known for its global market. Alongside providers from third world countries, to whom $50 is food for their family for an entire week, I manage to collect enough jobs to keep a steady flow of work from that resource, often bidding more than the client's proposed budget.
How do I do this? By understanding it's not always about price, and proposing the best solution to the task at hand. Most providers immediately go into an "about me/us" spiel when writing a proposal. "Pick me, pick me, look at my portfolio, I'm great." This is not how you win a job. You win a job by clearly demonstrating "here is how I would solve your problem, and why it will cost what I'm asking." The "about me" comes out as a product of that. I don't need to, and never do, say I've been doing this for 16 years, or I'm good at this or that; I don't have to. I propose the best solution.
Time and time again, I win proposals in a literal ocean of lowball $50 bids. It's seldom about price, and I am beginning to believe, it's NEVER about price with a serious client. If it is, I (and you) don't need that job.
This little detour has relevance to the task at hand for you too. Briefly, "your budget is too small to do it right at this point, so here is what we can do for that budget." You don't have to manage software and hardware; this is not your job. You don't have to supplement with hours of managerial and administrative tasks without compensation, it's not your job - or, you're not charging enough because you're driven by competitive pricing.
If your client starts to balk at the pricing, then they are likely "one of those" that price is the only thing. You will never get respect, you will never make what it's worth, and will always be at their beck and call for little or nothing. It's hard to let go, but sometimes you just have to. But all the wiser for next time . . .
|. . . since most folks go with paypal anymore. |
If you have this impression, I'd say your business practices are drawing this type of client. The ones who would use PayPal only because they refuse to pay for a merchant account are a big red flag for me. I will work with them, but going in, I know where to draw the line - this client will never fully respect what I have to say because they don't respect their own business enough to take it seriously. Why should they treat me any better? I know they always say "until we see if it works" or "just to get something started to see if it flies," but more often than not, the experiment is at your expense!
|Hosting companies need to provide some mid-level solution |
They do. They're out there, but they understand everything I've described above. If your client wants to play, they have to pay - and I suggest you take a large step back and stop paying for them with your time and sweat.
Overall, I'd re-assess the relationship with this client, set some new ground rules, if they fly away, let them. You may be surprised, once you begin demanding respect, you might get it!
Second, after reading some more, I doubt PCI compliance is going to be an issue, and here is why. If this client simply refuses to invest in their own business, you are left with implementing an economy solution. That solution is likely to be something that redirects to a payment page in "PayPal fashion," if not PayPal.
All you need your site to do is keep some handle on the transaction for any internal stock control or order notations. You don't need to store any sensitive info. Let your processor manage that. So one big concern just falls away, and it's all on the client and their budget. Perfect.
Golden post, rocknbil. My respects. M
|Time and time again, I win proposals in a literal ocean of lowball $50 bids. It's seldom about price, and I am beginning to believe, it's NEVER about price with a serious client. If it is, I (and you) don't need that job. |
I agree, especially with a cart type site. I do mostly work on my own things, with occasional work for other people. On one of my own projects this past year I have spent $thousands on wages for a person to upload product into the cart. You might think this is insane, but the effort required to organize and optimize data that you get from many manufacturers is a real nightmare. Each one codes their widgets differently, needs to have html coded into the descriptions, cross linked intelligently (not automated), with the correct keyword, descriptions etc.
If your client is too cheap for real hosting and PCI compliance, they are never going to be able to afford everything else they will need to do. As rocknbil says, they are not a serious customer.
Ya, thanks rocknbil. Great post. Now I need to figure out how to draw customers at a wage I could live on.
Funniest of all, my customer wrote me this morning and said: "I don't know why we just can't use PayPal" - then proceeded to quote their fees. It was his dislike for being redirected away from his page during payment in the first place that sent me in circles. At least 20 hours shot in research and modifying for different gateways. Grrr...