[Techtalk] e-commerce

James jas at spamcop.net
Fri Sep 6 14:00:24 EST 2002


On Fri, 6 Sep 2002, Dan Richter wrote:

> I work for a small company that's looking to add online payments to 
> traditional payment methods. We're looking at a handful of online payments 
> a month; no more. (But they're big payments from far away, so it's worth it.)
> 
> This area is completely new to me. Is there anyone out there who has 
> experience with e-commerce and can tell me what I need to know?
> 
> A question in particular: normally you would have an online system to enter 
> the credit card information, and another system that actually performs the 
> transfer of funds - usually through a middle-man. Can we do the transfer 
> part through the mail, so as to avoid going through a middle-man?

There are two key elements: a way to get the credit card details from the 
client to you safely/securely, and a way for you to use them. For the 
latter, you need to talk to a bank. In the UK, you can get a credit card 
terminal which allows you to enter a CC number and amount, just by typing 
the details in (a "Cardholder Not Present" transaction in bank-speak). It 
sounds to me as if you already have credit card support - in which case, 
just check with your bank about this.

For the former, the obvious need is for a secure WWW server - Apache can 
do this bit - and then some secure way to transfer the information. If you 
have a leased line or suitable DSL link, you could run this WWW server on 
a machine in your office, then have transactions logged directly to (for 
example) a dot-matrix printer as they happen. This way, anyone breaking in 
CANNOT retrieve customer credit card information - at worst, they could 
"Trojan" the server to send any subsequent transactions to them.

Be careful to log everything you can - you will almost certainly get 
transactions being queried, and it's much more convincing to tell the 
bank "Yes, that order was received from adsl-235-213.swbell.net at 
11:23:04 on Sept 2nd" and have a secure log to prove it...

Once the order is received, enter the details manually (not viable for an 
Amazon-type operation, but it seems suitable for your situation?) and 
email the results to the customer. Having a human being in this stage 
should also reduce the chances of you processing transactions for 
customers called "H Acker" (email root at localhost, phone 911) or similar ;)


James.
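
The logging advice above, as an added example that is not part of the original post: a hash-chained order log in Python in which each entry's HMAC covers the previous entry's MAC, so later edits and deletions show up on verification. The function names, field names and key handling are assumptions; the host and time reuse the sample from the message, and no card data is stored in the log.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous MAC" value used for the first entry


def _mac(key, record):
    """HMAC-SHA256 over every field except the MAC itself, in canonical JSON."""
    body = {k: v for k, v in record.items() if k != "mac"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(log, key, timestamp, remote_host, order_id, amount):
    """Append order metadata (never the card number) chained to the last entry."""
    record = {
        "ts": timestamp,
        "host": remote_host,
        "order": order_id,
        "amount": amount,
        "prev": log[-1]["mac"] if log else GENESIS,
    }
    record["mac"] = _mac(key, record)
    log.append(record)
    return record


def verify_log(log, key, tail_mac=None):
    """Return the index of the first bad entry, or -1 if the chain is intact.

    tail_mac is the MAC of the newest entry as recorded off-host; without it,
    entries removed from the end of the log cannot be detected.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], _mac(key, rec)):
            return i
        prev = rec["mac"]
    if tail_mac is not None and not hmac.compare_digest(prev, tail_mac):
        return len(log)  # chain is consistent but ends too early
    return -1


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: real key is kept off the web server
    log = []
    append_entry(log, key, "2002-09-02T11:23:04", "adsl-235-213.swbell.net", "A1", "1500.00")
    print(verify_log(log, key, log[-1]["mac"]))
```

Printing each entry's MAC on the office printer as it is written gives the off-host `tail_mac` needed to catch truncation.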



