[Techtalk] e-commerce

Maria Blackmore mariab at cats.meow.at
Fri Sep 6 23:48:00 EST 2002


On Fri, 6 Sep 2002, Glenda R. Snodgrass wrote:

> > I work for a small company that's looking to add online payments to 
> > traditional payment methods. We're looking at a handful of online payments 
> > a month; no more. (But they're big payments from far away, so it's worth
> > it.)

You probably ought to bear in mind that unless you go to the trouble of
doing the whole thing yourself, whichever service you choose is going to
take a percentage of each payment to cover their costs.  This is on top of
the charges from the acquiring bank.

> > This area is completely new to me. Is there anyone out there who has 
> > experience with e-commerce and can tell me what I need to know?

uhm, I work for a PSP, does that count? :)
I won't say which one, because that wouldn't be particularly fair, but I'm
in the UK so that's probably a fair distance away from you

> > A question in particular: normally you would have an online system to enter 
> > the credit card information, and another system that actually performs the 
> > transfer of funds - usually through a middle-man. Can we do the transfer 
> > part through the mail, so as to avoid going through a middle-man?

uhm, can you define through the mail? as in the postal service?

I'm not entirely sure that is possible.

What we usually do is host a very simple single page on an SSL server that
the customers of our clients enter their card details into (this will also
contain some form of unique identification number so that the transaction
can be followed later).  The details pass over the SSL connection into the
secure server, from there they are passed onto the banking network by a
variety of gyrations, the transaction is logged for the customer so that
they can reconcile their accounts, and so that refunds (if any) can be
easily matched up and carried out.

> Normally you set up a merchant account with a bank, and an account with an
> Internet payment gateway which that bank uses (like Authorize.Net or
> CyberCash).

The merchant account is the important part here, you'll need to go through
a credit check and all sorts of other stuff before you get one, however if
you already take credit cards and just want to expand this to online
payments then you will probably have one already.  You will also need to
find a payment gateway, or PSP (payment service provider) to actually
handle the bit between the internet and the bank.  It's possible to do
this bit yourself, but the banks are thoroughly paranoid about what
exactly they will allow.  It's a lot of hassle, basically.
This is why companies like the one I work for exist, so that we get the
hassle.  Every so often I will be called upon to write up how the network
security is arranged (and then asked to type it because my writing is
atrocious :)

> When a payment is made, the Internet payment gateway processes the
> payment, sends you a receipt, sends info to the merchant bank, which
> gets the money from VISA or whomever and deposits it into your
> checking account 2-3 days later.

Pretty much as I said above.  Many payment gateways can clear transactions
through more than one bank, though there are often "pet" payment gateways
under the control of banks themselves.  If you approach your bank (or
indeed any other bank you fancy) they should be able to give you a list of
the payment gateways that they will allow to clear through them.  Once you
have that list then you can go shopping and find out the best deal for
you.

Some of the payment gateways will charge you a monthly fee, some
won't.  Most of them will charge you a percentage of each transaction you
put through them, some will charge you a fixed amount per transaction .. I
get the impression from my colleagues that the charges are negotiable
based on what you project to put through them, but as always YMMV :)

> The big question is whether you save credit card numbers and run charges
> to those numbers each month (in which case you can save the cc numbers on
> an internal server and run a batch file to upload for processing as
> needed, safe and easy to do)

Some of our customers do this, they appear quite happy with it.

> or whether the client logs in and puts in cc number and payment info
> each time they want to put in a payment (in which case you post
> directly to your Internet gateway from a secure server and you don't
> have to save cc info at all yourself, also safe and easy to do),

This is the mechanism that most of our customers use, as far as I can tell
(I run the network).  As I said earlier, this will include the customer's
details as well as a unique ID number.  The ID number can either be
entered by the customer to pay for something from the world outside the
internet (eg a parking fine), or it can be passed from the shopping cart
which resides elsewhere.

Another option is that the credit card details are entered into a form
that resides on the customer's own secure site/server/host/whatever, and
then that is passed across a second secured connection which is encrypted
even when passing over our internal network (once again with the ID number
so the transaction can be matched up).

> or whether the client logs in and puts in only the amount and uses a
> stored cc number (which is the riskiest method and thus the most
> complex to set up).

I may well be wrong, but I do not know of any of our customers who do it
this way.  imho this is complicated by the need to keep the database
safe from the internet, but still have things interact with it.


The common thing through all this is that the credit card numbers MUST be
encrypted at all times when passing over a public network.  Banks are very
insistent on this matter, and will usually specify that they must be
encrypted with a 128 bit SSL cert at the minimum.

If you still want to go through all this then I would recommend that you
contact your bank about it, and at the very least ask them for a list of
the payment gateways that they have approved.  In most circumstances both
the bank and the payment gateway will help you with your merchant account
application if you need one, it's in their interests to help you with this
because they will make money off this when you do :)


Please note that this isn't professional advice, it's from my own
experience, and it definitely is NOT to be associated with my employer,
it's mine alone.  (If you want advice from my employer you will have to
contact them directly, not through me, though I will let you know how in
private)


I hope I've helped a little

Maria
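The hosted-page flow Maria describes (merchant mints a unique reference, the cardholder enters card details on the PSP's SSL page against that reference, the PSP logs the transaction so receipts and refunds can be matched back by that reference) as a small Python model.  This is an added example, not code from the original message or from any PSP; the hostname, order reference format and the refund-cap rule are assumptions made for illustration, the card number is the standard 4111... test PAN rather than a real card, and the SSL transport is simulated by a plain function call.

```python
"""Model of a hosted payment page: the merchant never handles the PAN.

Assumptions (not from the original message): reference format ORD-nnnnnn,
PSP host pay.example-psp.test, and a rule that cumulative refunds against a
reference may not exceed the amount captured under it.
"""
import itertools
from dataclasses import dataclass
from decimal import Decimal


def luhn_ok(pan: str) -> bool:
    """Luhn check on a PAN so that mistyped numbers are declined before
    anything is sent to the banking network."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class PspLogEntry:
    reference: str      # merchant's unique ID, the key for reconciliation
    masked_pan: str     # only first six / last four digits are retained
    amount: Decimal
    kind: str           # "sale" or "refund"


class MerchantSite:
    """Merchant side: knows references and amounts, never card numbers."""

    def __init__(self):
        self._seq = itertools.count(1)
        self.orders = {}

    def new_order(self, amount: str) -> str:
        ref = f"ORD-{next(self._seq):06d}"
        self.orders[ref] = {"amount": Decimal(amount), "paid": False}
        return ref

    def payment_page_url(self, psp_host: str, ref: str) -> str:
        # The cardholder is sent to the PSP's SSL page carrying only the reference.
        return f"https://{psp_host}/pay?ref={ref}"

    def receive_receipt(self, ref: str, amount: Decimal) -> None:
        order = self.orders[ref]
        if order["amount"] != amount:
            raise ValueError("receipt amount does not match the order")
        order["paid"] = True


class PaymentServiceProvider:
    """PSP side: takes card details plus reference, logs every movement."""

    def __init__(self):
        self.log: list[PspLogEntry] = []

    def submit_card(self, ref: str, pan: str, amount: str):
        if not luhn_ok(pan):
            return ("declined", "bad card number")
        masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
        self.log.append(PspLogEntry(ref, masked, Decimal(amount), "sale"))
        return ("approved", masked)

    def refund(self, ref: str, amount: str):
        # Match the refund to the original sale by reference, as the
        # message describes, and refuse anything that cannot be matched.
        sales = sum(e.amount for e in self.log if e.reference == ref and e.kind == "sale")
        refunded = sum(e.amount for e in self.log if e.reference == ref and e.kind == "refund")
        if sales == 0:
            return ("rejected", "no sale logged under that reference")
        if refunded + Decimal(amount) > sales:
            return ("rejected", "refund would exceed the amount captured")
        masked = next(e.masked_pan for e in self.log if e.reference == ref)
        self.log.append(PspLogEntry(ref, masked, Decimal(amount), "refund"))
        return ("approved", masked)


def run_demo() -> dict:
    """One sale, a valid partial refund, an over-refund, an unknown reference
    and a mistyped card, all driven through the two parties above."""
    merchant, psp = MerchantSite(), PaymentServiceProvider()
    ref = merchant.new_order("250.00")
    url = merchant.payment_page_url("pay.example-psp.test", ref)
    status, masked = psp.submit_card(ref, "4111111111111111", "250.00")  # test PAN
    if status == "approved":
        merchant.receive_receipt(ref, Decimal("250.00"))
    return {
        "reference": ref, "url": url, "status": status, "masked": masked,
        "paid": merchant.orders[ref]["paid"],
        "refund_partial": psp.refund(ref, "100.00")[0],
        "refund_excess": psp.refund(ref, "200.00")[0],
        "refund_unknown": psp.refund("ORD-999999", "1.00")[0],
        "typo_card": psp.submit_card(ref, "4111111111111112", "1.00")[0],
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The point of the split is visible in the two classes: the merchant's records hold a reference and an amount, the PSP's log holds the reference and a masked PAN, and reconciliation and refunds work purely off the reference, so neither the merchant's site nor its staff ever need the full card number.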



