As you would expect there are a handful of pieces that must all work in concert to form a functional shopping experience. Focus on the experience rather than solely on the mechanics of the cart because the customer’s experience with your service is what will make or break you.
The pieces are:
A shopping cart located at some domain (www.yourstore.com)
A web server to host www.yourstore.com
A Secure Server Certificate – proves you are who you say you are
A Secure Socket Layer (SSL) – provides privacy and reliability between two communicating applications.
A Secure Protocol (HTTPS)
A Merchant Account
A Transaction Processor (aka Payment Gateway)
A Secure Database
A Financial-Tracking Tool
A Privacy & Security Policy
And most important – A Satisfied Customer
The Process In General
I say in general because there are a lot of variables and each shopping cart/ecommerce set up is slightly different from the next. But in general this is how it all works together.
You need to build/buy/download a shopping cart.
You need to secure everything from when the customer enters their personal information right up through and including when you say “Thank you for your order” and provide the customer a printable receipt of their order.
You need someone to handle Credit Card transactions for you (not just anyone is allowed to do this).
You need a way to accept payments from a Credit Card.
You need to ensure the customer has a pleasant and efficient shopping experience.
You need to know what you sold, when you sold it, to whom you sold it, and what you have left in stock.
You need to have a reliable and efficient mechanism for handling returns and customer complaints.
You should always declare what information you gather and what you do with it as well as how you protect it.
And you need to have a way to ensure and measure customer satisfaction with your service and product. Believe it or not – the service is THE MOST IMPORTANT aspect to a successful on-line business. The actual product is secondary.
Ok, let’s look at the pieces in detail.
The Cart
The cart has to have 4 pieces:
There are many free carts out there. One I’ve used and found to be good is OSCommerce: [oscommerce.com...]
You can also check out the other free carts and code snippets necessary for building your own cart at Hotscripts.com: [hotscripts.com...]
I’ll say this again, the customer’s experience is critical to your success or failure. That being said, do everything you can to make sure they have the means to:
And always, always, always, make sure they can finish the purchase whenever they want to. In other words, put a “Check Out” button on every page!
In addition, make sure that when they do check out they can select the shipping method and tell them clearly what it will cost. The three top shipping companies (in the US) have a variety of on-line tools to help you:
For UPS: [ec.ups.com...]
For FedEx: [fedex.com...]
For USPS: [usps.com...]
It may sound overwhelming but with a little planning you can design a shopping cart that’s functional, quick, efficient, secure, and leaves your customer happy because they got in, found what they were after, bought it, felt it was secure, fair and fast.
A Secure Server Certificate (SSC)
These prove you are who you say you are for the customer’s peace of mind. It isn’t really a certificate. What you actually get is a digital key that you install on your webserver for your domain. When someone views your ‘certificate’ they’re viewing the digital key that you installed. That key identifies whom the key is for (had better be you), the domain it was intended for (had better match your domain), who issued the key, when it was issued, and when it expires.
Companies I’ve worked with and found to be good: Verisign [verisign.com...] & Thawte [thawte.com...]. This is not an endorsement of them. I’m sure there are others.
You will need to generate a key to send to the Certificate vendor and they will in turn send you the matching key. Once you receive your Key, it needs to be installed on your webserver - your webhost may do this for you unless you have an Admin interface in which case you may (operative word) find you can do it yourself. If in doubt, ask your webhost to do it.
Some hosting firms offer a generic SSL Certificate but be careful of these. The CC statement the customer gets may have the webhost’s name on it for the transaction instead of yours. Number 1: that may confuse the customer; Number 2: it's bad for name recognition; Number 3 it looks cheesy. Spring the dough and get your own.
Learn more: [thawte.com...]
A Secure Socket Layer (SSL)
SSL is a protocol that provides privacy and reliability between two communicating applications. Privacy is achieved using encryption after the initial handshake to define the private key.
Learn more: [wp.netscape.com...]
And: [developer.netscape.com...]
A Secure Protocol (HTTPS)
After the servers have agreed on what secret code to use, the rest of the conversation between them occurs naturally but is encrypted. You invoke SSL by calling a URL with HTTPS instead of HTTP. Test and retest this before you publish your cart.
Make sure each and every page the customer goes to, from the time you ask them to supply their info right up to and including the page that provides the confirmation and a printable receipt, is secured. Make sure any data you keep on your server is encrypted as well. Some data is necessary for sales reporting but secure it!
Security isn't necessary, however, until the customer is giving you their private information. The form(s) where they tell you who they are, where they live, their shipping address, contact info and CC# should all be protected by an SSL transaction.
A Merchant Account
You’ll need one of these to accept Credit Card payments. Merchant accounts are accounts that accept and hold credit card transaction monies. These accounts can be established through merchant service providers (MSPs) such as banks or via independent service organizations (ISOs).
Learn more here: [ecommerce.internet.com...]
A Transaction Processor (Payment Gateway)
The transaction processor is the one who actually processes the Credit Card transaction on your behalf. Some are better than others and prices are all over the place.
It's not unusual that there are a handful of fees. Be sure you're clear on what they are before you purchase. The typical fees include some sort of set up fee. This is usually a one-time fee. The next fee will be your monthly fee. Now it's not uncommon for the fees to be based upon services you've asked for - à la carte. You pick and choose what you want and the fee is the sum of the services you chose. Look for and be sure you understand if the monthly service fee is a flat fee or a percentage of sales or some combination of both. Make sure you learn where the break points are for the price changes which are often based upon either $$ sold or quantities sold. DO YOUR HOMEWORK! I can't stress this enough. Check out a bunch of these folks and compare them apples to apples.
I’m not going to name names for you but if you do a search on terms like “credit card transactions” or “accept credit cards” you will get more than enough to sift through.
In some cases, you can get both a merchant account and transaction processing services from the same organization. Be careful of pricing! Make sure you understand what you’re agreeing to before you sign.
A Secure Database
This is essential for tracking customer information. Encrypt the data. Keep the database out of the website folder(s). There are many tricks to writing code to interact with the database so that it is darn near impossible for a hack to get at the database. This is THE NUMBER ONE SECURITY RISK. Protect your clients data and yourself (from lawsuit and financial ruin).
Learn more: [webmasterworld.com...]
If using MySQL: [mysql.com...]
And: [mysql.com...]
A Financial Tracking Tool
You need something at home/office to track all of the sales you’re making. I’m not going to say much other than make it easy on yourself and use one that will import data in a standard file format like ASCII comma delimited text or some such. Then use your programming skills to write code to export financial data from your web database. These tools are invaluable if you know how to use them.
Privacy & Security Policies
Make sure you have published policies for both of these. The Privacy Policy tells the customer what information you gather and what you do with it. DO NOT LIE NOR FIB NOR MISLEAD or thou shalt be struck down by lightning - or the IRS.
Tell them the truth. If you sell their name to other vendors say so. Give them the chance to Opt out – in fact – make it the default. Your customers are smart people and will find out if you’ve been dishonest (not that you would). If you’re honest with them, they will appreciate it. Make this Policy available on every page – many websites have it in the footer.
Learn more: [privacyalliance.org...]
The Security Policy should tell the customer exactly how you protect their private information. You don’t need to tell them about how SSL works but you should tell them that their Credit Card transaction with you is protected by “enter SSC issuer here” and their private information is encrypted and kept safely and securely for their safety (and yours). Make this policy available on any page you secure and any page that leads to a secured page.
Learn more: [sans.org...]
And most important – A Satisfied Customer
It’s all about customer satisfaction. People shop on the Internet to cut costs, save time and to track down hard to find specialist goods or services. They use the Internet to do research on goods and services too. Hmmm… what do you think would make a store successful? How about providing excellent product/service information with a quick, efficient, and secure way to purchase it?!
How the Cart actually works and the process for checkout is what makes the customer's experience positive or negative. The most successful on-line transactions are those that allow the customer to choose what they want, pay for it in a quick and efficient manner, take great pains to make sure the customer knows the transaction is secure - and is, and makes sure the customer feels good about the transaction.
The Transaction: You have control over what the customer experiences on-line. But after the sale is done make sure the customer remembers you in a good light. Make sure you inform the customer what to look for on their monthly CC report when you give them their order confirmation - i.e., what company name will appear on the statement.
Follow up with the customer
Follow ups are a nice way to say "I value your input." Give your customers the opportunity to critique you. If they don’t, don’t worry. The simple fact that you asked lets them know you’re serious about ensuring their satisfaction – they will appreciate it even if they don’t show it. If they do, you'll most often get some good insight.
Some customers may vent or you may get some wisecrackers - but always try to see through the emotional crap and find the message they're trying to deliver. Put on your "solutions provider" hat and put yourself in their shoes. Determine what went wrong, what you can and will do about it, and then do it. When it's done, let them know about it. This doesn't mean you have to make changes every time someone complains. You have the final decision - all I'm saying is consider their point and then be fair.
Make sure the customer receives an email verification that acknowledges that they purchased X,Y,Z from You on This Date, for This Amount. NO mention of CC numbers, account numbers. Keep the personal information to a minimum – name and address.
And while it may be obvious – make sure you deliver the product/service when you said you would for the price you told them. Hidden costs and delayed deliveries can kill a business. It is better to tell the customer it will take 2 weeks to deliver and have it there in 1 than it is to say 1 week and be even a day late!
Also, be sure to have an established policy and mechanism for handling returns, rejects, and disasters. Successful companies have been brought to ruin because they had no plan to handle disaster. What is a disaster? Take for example, your SSL Certificate becomes outdated and no one noticed until customers called and complained; or someone DOES hack into your database and steals your customer’s private info. Your preparedness to handle the worst-case scenario could be your failure – or your path to success.
BTW - for more information on Credit Card Fraud: [scambusters.org...]
And: [fraud.org...]
Final Thoughts:
Do NOT use email to transmit a customer’s personal information – EVER! Perform all verification and approvals on your website under the SSL’s protection. If you must send email – send only the bare minimum of information.
If you write an Administrative interface – use SSL to secure it. Whatever financial information you see can be nabbed while you're working so wrap it up in SSL.
Additional Resources:
[webmasterworld.com...]
[fidelityatwork.com...]
Feel free to add to or disagree with what I've written but let's make the web a secure place to shop and do our business.
[edited by: lorax at 11:38 am (utc) on Aug. 10, 2006]
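As an added example that is not part of lorax's post or this thread: the kind of code the "Secure Database" section alludes to. The customers table, its two rows and the hostile input are constructed for the demo; the point is the difference between pasting the customer's input into the SQL string and handing it to the driver as a parameter.

```python
"""Added example, not from the original thread: parameterized queries are the
"trick" that keeps a hack from using your own forms to read the customer
database. Everything below runs against an in-memory SQLite table built here
for the demo; nothing is read from a real store."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway customers table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, name) VALUES (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "Bob")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """String concatenation: whatever the customer typed becomes SQL.
    An input such as  x' OR '1'='1  turns a one-row lookup into a full dump."""
    sql = "SELECT name FROM customers WHERE email = '" + email + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterized query: the value travels separately from the SQL text,
    so quotes or keywords in it are just characters to compare against."""
    rows = conn.execute(
        "SELECT name FROM customers WHERE email = ? ORDER BY id", (email,)
    )
    return [row[0] for row in rows]


def demo() -> dict:
    """Run both lookups with a normal address and a constructed hostile one."""
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed injection payload
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice@example.com"),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_normal": lookup_safe(conn, "alice@example.com"),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The vulnerable version returns every customer for the hostile input; the safe one returns nothing, because no customer has that literal string as an email address. The same rule applies whatever the database: never build the WHERE clause from form fields, always bind them.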
just like to add...
Be VERY mindful of your physical trash. Shred it, burn it, whatever. I had a customer get a visit from the Feds due to a dumpster diver getting some 400 credit card #s.
Also, be careful which countries you accept CCs from. Personally, I will not accept charges from Turkey (and a couple others). Turkey will not prosecute for CC fraud and it runs rampant over there. No offence meant to anyone who lives there, just had many orders and all fraudulent, never a good one.
One more...
When you generate your web pages for the secure side (https://), make sure everything on the page is also pulled from a secure url. Otherwise your visitors get a warning that some content may not be secure and this scares away some visitors. Means nothing really, usually just an image tag with an http:// or something like that.
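As an added example, not code from the thread: a small scanner that finds the tags on an https:// page that still pull from a plain http:// URL and so trigger the "some content may not be secure" warning. The sample page is constructed for the demo; www.yourstore.com is the placeholder domain used earlier in the thread.

```python
"""Added example, not from the original thread: report sub-resources on a
secure page that are fetched over http:// (mixed content). The HTML below is
constructed for the demo."""
from html.parser import HTMLParser

# Tags and attributes that make the browser fetch something. Plain <a href>
# links are navigation, not a fetch, so they do not cause the warning.
URL_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "frame": ("src",),
    "form": ("action",),
    "object": ("data",),
    "embed": ("src",),
}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheets and icons are fetched; rel=canonical etc. are not.
            rel = (attrs.get("rel") or "").lower()
            if "stylesheet" not in rel and "icon" not in rel:
                return
        for name in URL_ATTRS.get(tag, ()):
            value = (attrs.get(name) or "").strip()
            # Relative and protocol-relative (//host/...) URLs inherit https,
            # so only an explicit http:// scheme is a problem.
            if value.lower().startswith("http://"):
                self.findings.append((tag, name, value))


def find_mixed_content(html: str) -> list:
    """Return every (tag, attribute, url) fetched over plain http."""
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page, as it might be served from https://www.yourstore.com/
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="https://www.yourstore.com/css/site.css">
<script src="http://www.yourstore.com/js/cart.js"></script>
</head><body>
<img src="/images/logo.gif">
<img src="http://www.yourstore.com/images/paypal.gif">
<a href="http://www.yourstore.com/help.html">Help</a>
<form action="https://www.yourstore.com/checkout.php" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE):
        print(f"insecure {tag} {attr}: {url}")
```

Run it over each page of the secure side before you publish; the two hits in the sample (the script and the PayPal image) are exactly the "image tag with an http://" case described above, and the fix is to make those URLs relative or https.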
Maybe some people would agree with you on that one, but one company that doesn't is Amazon. They email your email address, name, physical address and telephone number back to you.
Of course, emailing credit card details would be a bit silly (or even very stupid).
Amazon was in the news not too long ago for poor privacy practices: [itworld.com...] The article doesn't mention email but it does point to the fact that Amazon has been in the news because people have the perception of poor security where Amazon's customer's personal information is concerned.
It's posts like these that put whole subject areas into context for newbies that make WW worthwhile!
I'm going to be doing very little work this week while I study all this! ;)
JOAT
(not that I do much work anyway...)
Buy X, get Y at Z% off (where Y can be more than 1 item and Z can be 100% for free items)
Buy X, get Z% off the order.
$/% off shipping. This one is especially tricky as typically you want to offer free standard shipping and then discount that value off upgraded shipping.
Coupons ($X off the whole cart)
Make sure you think the process through and get the input of every department or group you are working with (even if that is just yourself, put on your marketing hat, your merchant hat, your CFO hat, etc...). Trust me, when you are taking 1000's of orders a day (with any luck), you don't want to have to go back and rewrite your code for anything.
--Chris
We ask for the customer's name and address on an http form before going to a shipping server to get the shipping amount. We then go to the secure https form to get the credit card info and phone number.
Considering a person's address as private information is a bit of overkill. I consider name and address as part of the public domain. Telephone numbers can be unlisted, so we keep this information secure.
I have never received any complaints either.
According to the General Principles of Fair Information Practices [cdt.org] a person's name and address are considered "identifiable information" and therefore should be protected.
Other resources that concur with this are:
[privacyalliance.org...]
[research.att.com...]
To me this means, secure the customer's personal information as well as their financial information.
I personally won't buy from a vendor that doesn't protect my name and address with an SSL wrapper and I know that many of my clients feel the same way about their customers.
Why your customers have never complained is unknown. I know that many folks are so baffled by the web they have no clue as to how to protect themselves as they surf, buy, and download stuff. This could be the reason, it could be equally true that your customers truly don't care.
I thoroughly believe in the route of "overkill" and will go out of my way to explain to the customer why. I sleep better at night knowing their info is protected.
... who take it securely, but then email it back to you as an order confirmation at your non-secure email address. Even lorax recommends that:
"Make sure the customer receives an email verification that acknowledges that they purchased X,Y,Z from You on This Date, for This Amount. NO mention of CC numbers, account numbers. Keep the personal information to a minimum – name and address."
Strange how you think it will be secure if taken via SSL, but what you do with afterward must also be secure. If you would not buy from anyone who does not take your details through SSL, how do you know that they won't email it to you?
My only defense is if someone is going to try and capture personal information, they're more likely to try and capture web form post/get calls than they would be to try and capture an email. The forms are located on one webserver and handle many requests - and therefore would provide a higher return for their effort. Though in rethinking this through - they might just as easily hack the mail server.
The bottom line is that it is best to forego emailing anything other than a thank you with the information about the purchase. Greet the email recipient with their first name only and give them the "what they bought, when they bought it etc." but keep everything else out of it. The simpler the better - but just enough to remind them. Ideally, you will provide them a printable receipt wrapped in SSL and use the email to simply acknowledge receipt of the order and tell them when it's shipped.
With the amount of spam out there, I protect my personal email accounts as much as my credit cards.
The web is still new and the consumer hears horror stories about how they can be ripped off. Some of it's true but far more can be avoided by following simple guidelines. The problem for those of us who build and sell through shopping carts is there are far too few authoritative web sites that people can turn to to get those guidelines - someone they trust. Something akin to "Consumer Reports" here in the US where consumers go to get the skinny on the best camcorder or what to look for when buying a baby seat. Until the web becomes more mature, and more readily accepted, I think that perception will be around.
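As an added example, not code from the thread: a builder for the "thank you only" confirmation described above, plus an outgoing-mail check that refuses to send anything card-number-shaped. The message texts are constructed for the demo, and the statement name YOURSTORE.COM is an assumed placeholder for whatever your processor prints on the customer's card statement.

```python
"""Added example, not from the original thread: keep card numbers out of
confirmation email. build_confirmation() produces the minimal message the
thread recommends; find_card_numbers() is the safety net that scans any
outgoing body for digit runs that pass the Luhn check. Sample texts are
constructed for the demo."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, as people
# type card numbers. A longer run is only reported if a 13-19 digit slice of
# it passes Luhn, so ordinary order numbers and dates are not flagged.
DIGIT_RUN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which every major card brand's numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the digit strings in text that look like card numbers."""
    hits = []
    for match in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def build_confirmation(first_name, order_date, items, total, statement_name):
    """First name, what, when, how much, and what the CC statement will say.
    No card number, no account number, no street address."""
    lines = [f"Thank you, {first_name}!", f"Order placed: {order_date}", "Items:"]
    lines += [f"  {qty} x {desc}" for desc, qty in items]
    lines.append(f"Total charged: ${total:.2f}")
    lines.append(f"This charge will appear on your card statement as {statement_name}.")
    return "\n".join(lines)


def safe_to_send(body: str) -> bool:
    """Gate for the mail queue: True only if no card number is present."""
    return not find_card_numbers(body)


if __name__ == "__main__":
    # Constructed order; YOURSTORE.COM is an assumed statement name.
    body = build_confirmation("Alice", "Aug. 10, 2006", [("Blue widget", 2)],
                              49.90, "YOURSTORE.COM")
    print(body)
    print("safe to send:", safe_to_send(body))
    leaked = body + "\nCard: 4111 1111 1111 1111"  # constructed mistake
    print("safe to send with card:", safe_to_send(leaked))
```

The number in the demo is the well-known Visa test number, so it passes Luhn and is caught; a 16-digit order number that fails the checksum is left alone. Wire `safe_to_send` in front of whatever actually hands messages to the mail server.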
>> I protect my personal email accounts as much as my credit cards.
I should be more careful with my email address. I have a good working method for incoming spam - it is routinely deleted and occasionally pursued (much to the chagrin of the spammer in most cases). But I don't follow your example as much as I feel I should.
1) Only ask for "personal" information when it's time to checkout
2) Capture ALL identifiable information using SSL
3) Show all charges, including shipping prior to entering your personal information.
4) Entering your zipcode only will show shipping charges.
I have found these practices allow my customers to shop the final price without having to provide any information and come back after comparing other sites. (I guess since we are one of the lowest in price, this is effective)
I find it quite irritating when shopping and someone wants my information before adding an item to my cart or before I see the final price which includes shipping. I usually leave the site when this happens.
20% of people who start an order finish one. You have to probably increase that number a bit for the shoppers that look today and buy tomorrow. That looks like two people, one that finished and one didn't.
Now another interesting bit. People that land on our site searching for a particular product convert at a higher rate (30%) than those searching for the generic widget. In other words, people searching the web for blue widgets are more likely to buy a widget than people searching for just widgets.
I like to think that our conversion rates are pretty high. How's everyone else?
You have to probably increase that number a bit for the shoppers that look today and buy tomorrow. That looks like two people, one that finished and one didn't.
Which is one of the reasons for having them create a user account - so they can pick up where they left off and so you can track their purchases. I'm still on the fence regarding user accounts. In some cases they make perfect sense but in others they're more of a pain in the arse.
Thanks for sharing your numbers duckhunter.
then quit in disgust when they find that it will cost the $15 to get a single memory DIMM
Slindo,
Which is why I always try to make sure they can get the true total cost as quickly as possible. If you calculate shipping then you should add it to the cart. In my opening post I said that you should always provide the client the ability to see their current sub-total without shipping - which you should. But you should also indicate the shipping cost and the final total based on their current selections.
If you charge a flat-rate for shipping, then a simple chart that can be accessed from anywhere can be made available.
create user accounts
The account I intend on writing will be optional for the site user (no change to the current process), mainly for pre-pop at checkout as we have plenty of repeat business.
The other option for keeping a shopping cart is cookies, but they can be disabled, and then your site wouldn't work. If I can't make it work for 100% of the people, then I tend to be skeptical.
On the shipping calculations, I couldn't agree more. Be up front and honest. Everyone knows these days to watch for it so if you tell them upfront what the deal is they might just trust you a little more.
To me this means, secure the customer's personal information as well as their financial information.
Not sure about international and local laws here, but in the UK the Data Protection Act [hmso.gov.uk] means to cover this to protect the consumer.
The bottom line with this law is you need explicit permission from a person to have their details available for public usage, so if anyone does find your "user" table of details then you would be breaking the law here.
Hopefully it is lawful to protect this information "with reasonable effort" as I try to build my own basic cart :)
First you need the zipcode or state to determine the shipping cost.
How much more work is it for the customer to enter their name and street address?
Besides, if the customer has gone to the trouble of entering this information, and gets a reasonable shipping cost, they are less likely to bail just because the competition is a buck or two cheaper on shipping, given that everything else is equal.
The customer will most likely say, while I entered this information, and it's not worth the hassle to go somewhere else to save a buck or two.
If the customer only needs to enter a zipcode, they have less effort committed to the order process and are more likely to bail to save a few dollars.
I think in the long run, this will balance out between laziness and being cheap.
Playing the Devil's Advocate here: what if your competition makes it easy for them to get that full price without having to enter anything but a zip code? And on the other hand, how can you be sure they even know about your competition?
I suggest it really comes down to knowing your customer and targeting the buying habit that will net you the highest yield. This is where the gold is. Consistently 'speak' to your targeted market segment. Understand them. Learn who they are. Learn what they buy, where, when, and why.
Take for example: Land's End, L.L. Bean and Patagonia. I've never seen advertisements for these companies on TV. Why? Because of several reasons most likely.
One reason is that their targeted market doesn't like to be pitched to via TV. It's too "low class". Their target market likes to think of themselves as members of a more earthy/natural group. A group that shuns TV in favor of being outside and being active. It's all about image.
They have name recognition and all three of them ask for your personal information before they give you a total. Patagonia and Land's End both supply you with shipping costs (one in chart form, the other using a standard fee based on $) while LL Bean expects you to wait. This is primarily based upon their business models. LL Bean calculates shipping while the others use flat fees.
And these companies know that their products have mass appeal. This allows them some freedom to expect a bit more from their customers. There are a lot of other nuances that go into why their websites exist and how they're set up. One can learn an awful lot by analysing the success stories out there.