1) Security
My inclination is to go with a dedicated server so I can lock it down to protect customer contact information, credit card numbers, etc.
But is the extra expense for dedicated hosting really necessary? Are the ecommerce package deals I keep seeing advertised with shared hosting accounts secure enough?
How do packages like Miva or SoftCart offered with shared hosting keep the customer data secure? How is it typically sent to the merchant?
2) Online or offline CC processing
Is it better to charge the card when the customer submits the order or manually by the merchant at a later time, for example, after the order has shipped?
Or can't you do a "hold" or "authorization" when the order is placed and then a commit later?
3) Build or buy
I have enough confidence and programming experience to build my own shopping cart, but also enough to recognize that buying and integrating something prebuilt is often the best solution. For those who have faced this choice in the past, which route did you take and would you make the same decision again?
Are there any packages you would wholeheartedly recommend or warn against?
Thanks in advance
Are the ecommerce package deals I keep seeing advertised with shared hosting accounts secure enough?
Make sure they offer PGP encryption or similar and you should be OK.
Or can't you do a "hold" or "authorization" when the order is placed and then a commit later?
I have enough confidence and programming experience to build my own shopping cart, but also enough to recognize that buying and integrating something prebuilt is often the best solution.
But if I had to do it over again, I'd consider starting with something like Yahoo! stores (with my own domain name).
One nice thing about pre-fab, hosted solutions is you can usually trust their CC processing and security, and so will your clients. It's a lot less BS, and gives you more time to concentrate on selling and optimization. I would have had my first client online and selling before the Christmas rush, too...
There are a lot of packages out there, and oscommerce was a PHP program that looked interesting. Had it been coded in Java, I probably would have used it instead of rolling my own. Has anyone here had experience with it?
For the buy or build question, unless you have very specific requirements that can't be met and you can't find something to adapt, you probably should not code your own.
Or can't you do a "hold" or "authorization" when the order is placed and then a commit later?
At least with authorize.net (and presumably all of them), you have the option to "authorize" or "authorize and capture."
Authorize checks the credit available on the card and reserves a certain amount without actually charging them. You can then go in later and capture the funds, completing the transaction.
It's my understanding that mail order/ecommerce are generally supposed to authorize first, and then only capture when the item is shipped.
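The authorize-then-capture flow the post describes, as an added example that is not from the original thread and is not Authorize.net's or any gateway's real API: a small generic model of a card hold that can only be captured once, only after shipment, only up to the held amount, and only while the hold is still valid. The seven-day validity window, the card numbers and the amounts are constructed for the example.

```python
"""Generic model of the authorize / capture split used in mail order.

Added example, not any gateway's API. Amounts are in cents so that
no float rounding can creep into the comparison against the hold.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption for the example: a hold lapses a week after it was placed.
AUTH_VALIDITY = timedelta(days=7)
# Constructed reference time so the walk-through is deterministic.
T0 = datetime(2003, 1, 15, 9, 0, 0)


class PaymentError(Exception):
    """Raised when a capture or void is not allowed in the current state."""


@dataclass
class Authorization:
    card_last4: str          # never store more of the PAN than this
    amount_cents: int        # amount reserved on the card
    created_at: datetime
    captured_cents: int = 0  # 0 until the merchant captures
    voided: bool = False

    def expires_at(self) -> datetime:
        return self.created_at + AUTH_VALIDITY


def authorize(card_last4: str, amount_cents: int, now: datetime) -> Authorization:
    """Reserve funds at checkout without charging the customer."""
    if amount_cents <= 0:
        raise PaymentError("authorization amount must be positive")
    return Authorization(card_last4, amount_cents, now)


def capture(auth: Authorization, amount_cents: int, now: datetime, shipped: bool) -> int:
    """Complete the sale; allowed once, after shipment, up to the held amount."""
    if auth.voided:
        raise PaymentError("authorization was voided")
    if auth.captured_cents:
        raise PaymentError("already captured")
    if not shipped:
        raise PaymentError("capture only after shipment")
    if now > auth.expires_at():
        raise PaymentError("authorization expired; re-authorize")
    if amount_cents > auth.amount_cents:
        raise PaymentError("capture exceeds authorized amount")
    auth.captured_cents = amount_cents  # partial capture (short shipment) is fine
    return amount_cents


def void(auth: Authorization) -> None:
    """Release the hold for a cancelled order; nothing is ever charged."""
    if auth.captured_cents:
        raise PaymentError("cannot void after capture; refund instead")
    auth.voided = True


def _error_of(fn):
    """Return the PaymentError message a call raises, or None if it succeeds."""
    try:
        fn()
    except PaymentError as exc:
        return str(exc)
    return None


def demo() -> dict:
    """Walk through the scenarios from the thread and return the outcomes."""
    results = {}
    # Normal flow: hold at checkout, capture two days later when the box ships.
    a = authorize("4242", 4999, T0)
    results["captured"] = capture(a, 4999, T0 + timedelta(days=2), shipped=True)
    # Capturing before anything has shipped is refused.
    b = authorize("4242", 2500, T0)
    results["pre_ship_error"] = _error_of(lambda: capture(b, 2500, T0, shipped=False))
    # Capturing more than was held is refused.
    results["over_error"] = _error_of(
        lambda: capture(b, 2600, T0 + timedelta(days=1), shipped=True))
    # A hold that sat too long must be re-authorized, not captured.
    c = authorize("4242", 1000, T0)
    results["expired_error"] = _error_of(
        lambda: capture(c, 1000, T0 + AUTH_VALIDITY + timedelta(days=1), shipped=True))
    # Order cancelled before shipping: void the hold, customer is never charged.
    d = authorize("4242", 1500, T0)
    void(d)
    results["voided_charge"] = d.captured_cents
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of keeping `capture` strict is that the merchant-side code, not the gateway, is what enforces "ship first, then take the money"; the gateway will happily capture whatever you send it within the hold.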
After all, our business took more than $250,000 in transactions last year using $5.00 a month hosting accounts, non-secure servers, and Mal's eCommerce cart. Looking at our conversion rates, they are not lower than industry averages in spite of this.
our business took more than $250,000 in transactions last year using $5.00 a month hosting accounts, non-secure servers
Egad! What do you mean, non-secure?
And I was all worried that my customers were going to be audited: making sure all information is transmitted in SSL rather than in clear, only allowing information on a "need-to-know" basis, giving everyone separate user/pass combinations and tracking information browsing...
I'm not 100% there yet, but if non-secure means what I *think* it means, hackers and VISA will not be going after me first: I have nothing to worry about!
It's my understanding that mail order/ecommerce are generally supposed to authorize first, and then only capture when the item is shipped.
That very well may be true.
Our belief has always been: Why pay extra for immediate processing when you don't really need it? If you're selling a tangible product that will not ship for hours or days after the online order is placed, process the card manually offline if it saves some money.
The only situations where immediate processing (i.e. getting the customer's money) is necessary are 1) if you're selling something the customer will get immediately, such as downloaded software, music, etc., and 2) if you do such a large volume that manual processing isn't realistic and more cost-effective.
There's my 2 cents....and you can capture that immediately. :)
My point is that customers do not seem to mind that much even if they do not see a secure certificate on our site, or an https prefix when they enter our cart system.
You will be surprised at how many well-known companies use a free OS commerce cart on a $7.95 account with ipowerweb, or other low cost web hosters.