
Forum Moderators: buckworks


Selling downloadable products / selecting shopping cart software

I'm looking for secure ways to sell downloadable products.



12:12 am on Aug 7, 2002 (gmt 0)

Inactive Member
Account Expired


I'm looking for a shopping cart system that can securely sell downloadable products as well as basic physical goods. By secure, I mean:

-Customer is provided with a link, either after checkout on a page or via email, that is only valid for a controlled amount of time
-Customer cannot guess and find other products for sale by manipulating a product URL
-Best case scenario: product link is randomly generated to be unique to each customer's purchase of each product

I looked through all 157 shopping carts (phew!) on Authorize.net's supported list, and I'm still not excited about my options. The two solutions that floated to the top were StoreFront 5.0 SE (www.storefront.net) and SalesCart (www.salescart.com). You need to add a third-party module to sell in the manner described above for StoreFront, and SalesCart seems to require expensive Authentix integration. I actually purchased StoreFront, but configuring it has been a nightmare with my host and I'm still experiencing weird little quirks that make me nervous. I'm probably going to take advantage of the 30 day money back guarantee. :-/

I've also toyed around with OScommerce and Comersus, open-source solutions that have been disappointing re: installation, modification, and especially documentation. I'm a fairly savvy web developer, I know enough JavaScript and ASP to be dangerous, but I'm by no means an expert. I don't know PHP, but I'm trying to get it running on Apache and it looks like the learning curve is a little steep. The overall opinion on these boards about X-Cart and other PHP carts seems to be rather negative anyway.

I'd rather not spend more than US $500 for a shopping cart that can sell downloads, and it's hard to believe one doesn't exist. Can someone help me out on this? Thanks in advance...

2:36 am on Aug 7, 2002 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 28, 2001
votes: 0

I use Yahoo Store. Works great.

It does cost $50 a month plus a small percentage, but it's well worth it for me. The sales alone I get every month from my free Yahoo Shopping listing pay for all the fees. So, as far as I am concerned, it's FREE.

10:57 pm on Aug 8, 2002 (gmt 0)

Junior Member

10+ Year Member

joined:May 2, 2002
votes: 0

Well, Natronic, that's true. I made my own system, from storage (uploading) and shopping cart to delivery (downloading).
And we are using Payworks, so payment integration is a breeze (I'm on it right now).
I will begin selling downloadable music in a few days now :)

1:16 pm on Aug 9, 2002 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Aug 26, 2001
votes: 0

Time to post a warning about selling downloadable (intangible) goods .....

It's tempting to sell downloadable goods because it's so easy and very cheap - no need to print documents and send them through the post, no need to burn CDs for music or games. People just need to make a payment and download their goods. The retailer does nothing but count their income.

But, it's also easy for fraudsters to rip people off, and the retailer will end up carrying the costs. The retailer doesn't just lose the income from a sale, they have to pay chargeback fees as well. I've seen retailers lose a lot of money by selling intangible goods, one even making a loss.

If you sell tangible goods, i.e., goods that have to be delivered through the post, you can insist on only delivering to the cardholder's address (you can verify that the address given is the cardholder's address by using a card processing company that provides AVS). By delivering only to the cardholder's address, only the cardholder receives the goods. This prevents fraudsters from using stolen credit card details and getting the goods delivered to their collection address. It also gives you the cardholder's signature which can prevent a user charging back through their credit card.

If the cardholder receives a delivery that they haven't ordered, your details will be on the delivery and the cardholder can contact you to query it. You can then arrange for the goods to be returned and for the money to be refunded to the cardholder. The cardholder will know their card number has been stolen and is being used fraudulently, and can cancel their credit card. This can then prevent a lot more fraud taking place as fraudsters may use stolen details again and again. (Remember that you too may be a cardholder and may be a victim of fraud one day, so if all retailers take positive action, it helps everyone except the fraudsters).

If a purchaser has to give a physical address for delivery of goods, they are traceable, as are your goods. If you insist that the delivery address is the cardholder's address, then fraudsters cannot order goods with a fake address. You cut the levels of fraud that you suffer and cut your levels of chargebacks.

But if you sell downloads, it doesn't matter whether the address given is genuine or not, whether the purchaser is using their own card or a stolen card number or whatever. They can come to your site, place an order using any fake or stolen credit card number, any address they think up, and instantly download whatever they want. They are virtually untraceable.

If they have used a stolen card number, the cardholder can then charge back against the retailer. The retailer then loses the sale but still has to pay the transaction charges and chargeback fees. Even genuine people with genuine credit cards can fraudulently charge back knowing that the retailer does not have a signature and cannot prevent the chargeback going through.

The retailer has no hope of tracing anyone that has fraudulently ordered intangibles. The only chance would be through the IP address, but tracing it back to a particular user is virtually impossible. Apart from the problem of fraudsters using spoofed IPs and proxy servers, ISPs simply aren't interested that you lost $20 because of someone using their dial up - as far as ISPs are concerned, it's your problem, not theirs. Police aren't interested as tracing via IPs takes a lot of time and a lot of money - they'll do it for big time fraud, but not for a small retailer that sells intangibles.

So what can you do to prevent fraud? One thing you can do is switch to providing tangible goods instead. Print documents to send through the post. Burn CDs to send through the post. It doesn't cost that much to do either, and the cost can be passed on to the customer. Blank CDs cost a few pence each and with the cost of burning them and postage, it can still be less than $1 to burn and send a CD to the cardholder.

OK, so you might lose some sales by charging slightly higher prices, but you will also prevent a lot of fraudulent transactions. A fraudster generally won't bother ordering from you if he cannot obtain the goods (remember that you will be verifying the cardholder's address and only sending to that address). Sure, they'll try it on and ask you to deliver elsewhere, but you're going to be sensible and stick to your company policy of only delivering to the cardholder's address, right?

Selling the CDs or printed documents can also make your business look more professional and could generate more sales - maybe more than you lose through the slightly higher pricing. If you're not convinced, why not offer tangible versions alongside the intangibles? Offer a choice of getting a CD through the post or downloading online, both at the same price. See what happens. Offering tangible versions might work well for your products, it might not - the only way to find out is to try.

One argument against providing tangibles instead of intangibles was that "customers want the goods right now, this minute, not later". The overwhelming majority of people will normally be quite happy to wait until the morning for delivery by post. If anyone does ask for the products immediately, verify their details as soon as you get the order, call them and give them download instructions - at least you know that you have verified the order as genuine before they download. It helps if you can get a fax from them with the order number and their signature so that you have a chance of preventing a chargeback.

If you don't want to burn CDs or print documents, you could send a payment receipt by post with download instructions, preferably for a password protected area of your website. This should be sent by post rather than email as again, it's a case of only sending it to the cardholder's address (which you have verified with AVS etc) and getting the cardholder's signature. You have no way to verify that the email address given belongs to the cardholder. Sending a payment receipt by post is cheaper than burning CDs or printing documents and only the cardholder can download your products. Again, fraudsters will be unable to download anything and you can prevent a lot of chargebacks.

Anyway, have a good think about whether it is worth offering goods by download or whether it is better to offer them by post. A lot will depend on your type of business, the products you offer, and whether you can afford a high percentage of chargebacks.

7:48 pm on Aug 9, 2002 (gmt 0)


WebmasterWorld Administrator rogerd is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 2, 2000
votes: 1

Crazy_Fool, you make some excellent points about the ease of ripping off a merchant selling intangibles.

The only counter-argument, I guess, is that your cost is near zero. Unlike a physical product, a program or set of images is still there after you sell it. Your main losses are the transaction costs and, perhaps, the opportunity cost (although chances are the thief would never have paid for it anyway).

I'm working with a site interested in selling some PDF content, and I'm worried about this issue, too. Actually, a bigger threat, IMO, is the possibility of free distribution of the files by unscrupulous customers.

Back to the original question - is there a shopping cart/order processing system that is preconfigured to handle downloads? What's the preferred way to handle something like that - a readily available download and an unlock key issued when the card is processed? Access to a download page? E-mailing a file to the customer?

4:51 pm on Aug 12, 2002 (gmt 0)

Junior Member

10+ Year Member

joined:July 25, 2002
votes: 0

Try aceflex.com - it's a pre-built ASP/SQL system.

It comes equipped to handle software/files sales.

The customer orders the goods; once their funds have cleared, the customer logs in to the site and downloads the file.

It's all automated too - so you don't need to track each download - it does it for you. Automated invoicing, emails etc etc.

The back office handles every aspect of an e-business too.

Great product - got one myself!


5:06 pm on Aug 12, 2002 (gmt 0)

Junior Member

10+ Year Member

joined:May 2, 2002
votes: 0

Excellent post Crazy_Fool, it's a big risk selling downloads.
I like the idea of the payment receipt by post with download instructions, thanks!

And Rogerd, trying to answer your question:
PDF content can be password protected. Of course, nothing prevents the user from distributing the password along with the document, but at least it is no MP3 file, if you know what I mean.
About delivery, what I do is place content way out of the server's scope, in this case on a different hard drive. The download script is first validated for valid user login and valid referrer (I don't use HTTP_REFERER, but a session variable), and it is encrypted (SSL).
I create a variable with the content bought by the user (file1=0, file2=2, etc.) and present a list to him/her.
When the user selects a file for download, he/she never gets to see where the download is coming from (well, download.php?x=1&y=2, but you can't crack that because the values are relative and temporal to each user).
I do this because MP3 files are usually large in size and people might need several tries to download them successfully, but if your files are not very heavy (to me 250KB in my mail is ok) you could send them by email.
I haven't seen ready-made solutions for this kind of commerce.
I wrote mine, so if I could be of any assistance, let me know in my Sticky Mail.
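
Added example, not part of the original thread and not any poster's code: a Python sketch of the download link the first post asks for (time-limited, unguessable, unique per purchase) combined with the delivery approach described in the post above (files stored outside the web root, URL reveals no path). The names `SECRET_KEY`, `PRODUCT_FILES`, `issue_link`, `resolve_download`, the query field names and the file paths are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re
import secrets
import time

# Assumption: a server-side secret, stored outside the web root and never sent to clients.
SECRET_KEY = secrets.token_bytes(32)
# Constructed sample catalogue: private paths the customer never sees.
PRODUCT_FILES = {"album-01": "/srv/private/album-01.zip",
                 "album-02": "/srv/private/album-02.zip"}
ID_RE = re.compile(r"[A-Za-z0-9-]+")  # ids may not contain the '|' or '&' separators


def _sign(payload: bytes) -> str:
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_link(order_id, product_id, ttl_seconds, now=None):
    """Return a query string unique to this purchase, valid for ttl_seconds."""
    if not (ID_RE.fullmatch(order_id) and ID_RE.fullmatch(product_id)):
        raise ValueError("ids must be alphanumeric or '-'")
    expires = int(now if now is not None else time.time()) + ttl_seconds
    nonce = secrets.token_urlsafe(8)  # random part: every issued link differs
    payload = f"{order_id}|{product_id}|{expires}|{nonce}"
    return f"o={order_id}&p={product_id}&e={expires}&n={nonce}&s={_sign(payload.encode())}"


def resolve_download(query, now=None):
    """Return the private file path for a valid, unexpired link, else None."""
    try:
        fields = dict(part.split("=", 1) for part in query.split("&"))
        payload = f"{fields['o']}|{fields['p']}|{fields['e']}|{fields['n']}"
        expires = int(fields["e"])
        signature = fields["s"]
    except (KeyError, ValueError):
        return None
    if not (ID_RE.fullmatch(fields["o"]) and ID_RE.fullmatch(fields["p"])):
        return None
    # Constant-time comparison: changing the product id or expiry breaks the signature.
    if not hmac.compare_digest(_sign(payload.encode()).encode(), signature.encode()):
        return None
    if (now if now is not None else time.time()) > expires:
        return None
    return PRODUCT_FILES.get(fields["p"])
```

The download handler would still check the customer's login session before calling `resolve_download`, as the post above describes, and then stream the returned file itself so its location is never exposed.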

1:22 pm on Aug 27, 2002 (gmt 0)

New User

10+ Year Member

joined:Aug 26, 2002
votes: 0

Another cart which offers a downloadable product plugin is Actinic - www.actinic.com

You can download a 30 day trial on their site, but you will need to contact sales to trial the plugin at the moment (it's pretty new).




11:45 pm on Aug 27, 2002 (gmt 0)

Inactive Member
Account Expired


You could try Clickbank or Sharit.
I am actually thinking of selling downloadable products myself, should I use a shopping cart solution (like aceflex) or should I use a payment gateway service (like clickbank)?

2:28 am on Nov 12, 2002 (gmt 0)

New User

10+ Year Member

joined:Nov 12, 2002
votes: 0

X-Cart (from x-cart.com) is another good product for this.

2:50 pm on Nov 18, 2002 (gmt 0)

Junior Member

joined:July 31, 2002
votes: 0

Another thing to consider is, if your chargebacks reach a certain level, your merchant provider is gonna cancel your merchant account. Although online sales are tiny in dollar terms, online fraud is a booming business and since in "card not present" transactions the merchant is 100% liable, I would urge caution.

3:01 pm on Nov 20, 2002 (gmt 0)

New User

10+ Year Member

joined:Nov 19, 2002
votes: 0

The other thing that scares me about downloadable sales, of the sort of things we produce at least, is the fear that next thing I know it will be posted on a dozen or so websites free for the taking.

That's a concern even with CDs. People keep asking why we don't sell our books on CD. I tell them that if we did ever sell it on CD that one CD would probably be the last one we'd ever sell.


1:25 am on Dec 31, 2002 (gmt 0)

Inactive Member
Account Expired


One that I have been using with excellent results is Quikstore. Too many features to mention here so just go to their web site and check em out. The support from these guys is the best. I am not a reseller of their products, just a very satisfied customer.


Good Luck

7:24 am on Jan 1, 2003 (gmt 0)

Full Member

10+ Year Member

joined:Dec 11, 2002
votes: 0

natronic, I know PHP and have been working on a shopping site in PHP, do gimme a sticky mail for details