Chapter 11: Taking Payment for Orders
Storing card details has one major drawback: security. The security implications of
storing card details on a server are vast; if the website were compromised, we could
leave all of our customers vulnerable, and be liable for the damage. To assist with
this, there are some compulsory guidelines imposed by credit card companies (and
subsequently required and enforced by the gateways) for storing card details. These
guidelines are the Payment Card Industry Data Security Standard (PCI DSS). The
PCI DSS specifies six control objectives, which are:
• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access-control measures
• Regularly monitor and test networks
• Maintain an information security policy
These objectives and their associated requirements are assessed to validate compliance.
Further information on PCI DSS can often be obtained from payment gateways
themselves, and also from the PCI Security Standards Council website
(https://www.pcisecuritystandards.org/index.shtml).
Some web hosts have specialist hosting available, which ensures compliance
from a server and network infrastructure perspective, and also makes it easier
for other aspects to be verified. One example is the A Small Orange business
hosting service: http://asmallorange.com/hosting/business/
Bear in mind that such hosting only covers the infrastructure requirements; the
application code, access control, and logging on our side still have to meet the
standard, and that part remains our responsibility.
Not storing card details
If we don't store card details, we don't get as much flexibility as discussed earlier.
There are generally two ways this works: either we pass the details to the gateway and
charge the card in a single step, or we pass the details to the gateway, obtain a token,
and charge the card later by passing the token and the amount to the gateway.
If we use the token method, we are tied to that gateway, as we can't pass the token
to another gateway to charge the card, because it won't have a card associated with
our token. However, this method does remove a lot of the concern regarding
security, although the stance taken by gateways on whether PCI DSS compliance is
required (and if so, to what level) varies. One point worth checking with the gateway:
if the card number passes through our server on its way to the gateway (rather than
being posted by the customer's browser straight to the gateway), our server still
handles cardholder data and remains within the scope of the standard, even though
nothing is stored.
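The two flows described above, as an added example that is not code from the book. The gateway is simulated in-process; the method names tokenize, charge_card and charge_token, and the token format, are assumptions standing in for whatever the real gateway's API offers. The point it demonstrates is that with the token flow our own records hold only an opaque token plus the last four digits and expiry, and that a token issued by one gateway is useless at another:

```python
"""Charging a card without storing it: one-step charge versus tokenize-then-charge.

Added example; the gateway here is simulated and its API is assumed.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Card:
    number: str   # full PAN: must never be written to our database
    expiry: str   # MM/YY
    cvv: str


class SimulatedGateway:
    """Stand-in for a real payment gateway (tokenize/charge names are assumed)."""

    def __init__(self, name):
        self.name = name
        self._vault = {}      # token -> Card, held by the gateway, not by us
        self.charges = []     # (last4, amount_in_pence) for every successful charge

    def charge_card(self, card, amount):
        """One-step flow: card details and amount in a single request."""
        self.charges.append((card.number[-4:], amount))
        return True

    def tokenize(self, card):
        """Store the card in the gateway's vault and return an opaque token.

        The token is random, so nothing about the PAN can be recovered from it."""
        token = f"{self.name}_tok_{secrets.token_hex(8)}"
        self._vault[token] = card
        return token

    def charge_token(self, token, amount):
        """Token flow: charge a previously vaulted card by token and amount."""
        card = self._vault.get(token)
        if card is None:
            # A token from another gateway ends up here: it has no card behind it.
            raise ValueError(f"{self.name}: unknown token")
        self.charges.append((card.number[-4:], amount))
        return True


@dataclass
class StoredPaymentMethod:
    """The only card-related data our application keeps for later charges."""
    gateway: str
    token: str
    last4: str
    expiry: str


def save_card_as_token(gateway, card):
    """Vault the card at the gateway; return what we are allowed to persist."""
    token = gateway.tokenize(card)
    return StoredPaymentMethod(gateway.name, token, card.number[-4:], card.expiry)


def charge_stored_card(gateway, stored, amount):
    """Charge a stored method, refusing to send a token to the wrong gateway."""
    if stored.gateway != gateway.name:
        raise ValueError("token was issued by a different gateway")
    return gateway.charge_token(stored.token, amount)


if __name__ == "__main__":
    gw_a = SimulatedGateway("gwA")
    gw_b = SimulatedGateway("gwB")
    # Constructed test card (a well-known test PAN), not a real customer's card.
    card = Card("4111111111111111", "12/30", "123")
    stored = save_card_as_token(gw_a, card)
    print("stored record:", stored)
    print("charge at issuing gateway:", charge_stored_card(gw_a, stored, 1999))
    try:
        charge_stored_card(gw_b, stored, 1999)
    except ValueError as exc:
        print("charge at another gateway refused:", exc)
```

Amounts are in minor units (pence) to avoid floating-point rounding in money handling. The mismatch check in charge_stored_card is ours; even without it, the second gateway rejects the token because its vault has never seen it, which is exactly the lock-in the text describes.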
Other payment gateways
There are a number of other payment gateways available, including:
• SagePay
• NoChex
• Authorize.net
• 2Checkout
• Gateway
• WorldPay
Each of these gateways has different costs associated with it, and may have
different advantages and disadvantages (for example, customers may be more
comfortable using one of them, or its dispute procedure may be too favorable to
customers, and so on). More information on them can be found on their respective
websites; however, I'd also recommend searching for reviews and for details of other
merchants' experiences with them too.
Payment gateway tips
When looking into payment gateways, it is important to consider the
following factors:
• Do you also need a special merchant bank account, and what is involved in
setting one up (time, paperwork, costs, application process, and so on)?
• Monthly costs, or a minimum monthly turnover through the gateway to keep
the account active
• Setup costs; some processors have high setup costs, but this may mean a
lower monthly cost
• Transaction costs; that is, how much of each transaction the gateway is
going to keep for itself
• Volume of transactions you are looking to process; some gateways offer
reduced rates for higher transaction volumes
• Value of transactions you are looking to process; some gateways offer
reduced rates for minimum monthly totals processed, while others may not be
cost effective when individual transactions are small
With some gateways, you may be able to negotiate special rates; this is particularly
true with bank-based gateways, especially in the UK.
Taking payment offline
Taking online payment is great; it means we can process orders quickly. However,
not all customers want to pay online. For smaller, less-known e-commerce sites,
customers may not trust supplying their card details. We may also wish to enable
customers without credit cards to make purchases from our store. This is where
offline payment comes in.
When the customer confirms their payment method and confirms the order, we
simply mark the order as "pending payment", and inform the customer of how
they can send payment, be this by check, in person, or perhaps by card over
the phone, along with a reference number. Then, when we receive the payment, we
simply mark the appropriate order as "paid". Note that taking card details over the
phone does not sidestep PCI DSS: whoever takes the call and anything they write
down are handling cardholder data, so the number should be keyed straight into the
gateway or terminal and never noted down or e-mailed.
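The pending-payment bookkeeping described above, as an added example rather than the book's own code. It goes slightly beyond the text by tracking partial payments, and adds the checks a practitioner would want when staff post a received payment against an order: the reference is random rather than the order number, an unknown reference is rejected, and an order that is already paid cannot have a second payment posted against it. The class and method names are assumptions for illustration:

```python
"""Offline payment: mark an order 'pending payment', then reconcile what arrives.

Added example; OrderBook and its method names are assumed, not from the book.
"""
import secrets

PENDING_PAYMENT = "pending payment"
PAID = "paid"


class OrderBook:
    """Minimal in-memory store of offline orders keyed by payment reference."""

    def __init__(self):
        self._orders = {}   # reference -> {"total", "status", "received"}

    def place_offline_order(self, total):
        """Record a confirmed order awaiting offline payment; return its reference.

        The reference is random rather than the sequential order id, so a
        customer cannot guess another order's reference and pay (or later
        dispute) against it. Amounts are in minor units (pence)."""
        if total <= 0:
            raise ValueError("order total must be positive")
        reference = secrets.token_hex(4).upper()
        self._orders[reference] = {
            "total": total,
            "status": PENDING_PAYMENT,
            "received": 0,
        }
        return reference

    def status(self, reference):
        return self._orders[reference]["status"]

    def outstanding(self, reference):
        order = self._orders[reference]
        return max(order["total"] - order["received"], 0)

    def record_payment(self, reference, amount):
        """Post a payment that arrived by cheque, in person or by phone.

        Returns the order's status after posting. Raises KeyError for an
        unknown reference and ValueError for a non-positive amount or for an
        order that is already paid, so the same cheque cannot be posted twice."""
        order = self._orders.get(reference)
        if order is None:
            raise KeyError(f"no order with reference {reference}")
        if order["status"] == PAID:
            raise ValueError("order already paid; refusing to post a second payment")
        if amount <= 0:
            raise ValueError("payment amount must be positive")
        order["received"] += amount
        if order["received"] >= order["total"]:
            order["status"] = PAID
        return order["status"]


if __name__ == "__main__":
    book = OrderBook()
    ref = book.place_offline_order(2500)          # constructed order: GBP 25.00
    print("reference given to customer:", ref)
    print("after GBP 10.00 cheque:", book.record_payment(ref, 1000),
          "outstanding:", book.outstanding(ref))
    print("after GBP 15.00 cheque:", book.record_payment(ref, 1500))
```

Because the reference comes back from place_offline_order, it is what we print on the order confirmation; staff then look the order up by that reference when the payment arrives, not by customer name.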
Summary
In this chapter, we have implemented the final stage of our order process: the
payment. We now:
• Can take payment online using PayPal
• Have an understanding of how other online payment methods work
• Have an understanding of how to take payment directly with a credit or
debit card
• Can take offline payments
• Have our store update orders automatically when payment is received
Now we can look towards developing the administration area for our store,
including managing and fulfilling orders, dealing with customers, creating and
managing products, and other settings, such as payment methods, shipping
methods, voucher codes, and product filters.
User Account Features
Our customers can now view and search our store, place orders, and pay for
them. This leaves us with two primary areas to cover, the user account and the
administration area, before we have a store to use in a live environment. In this
chapter, you will learn:
• How to create a user account area
• How to allow customers to change their details
• How to allow customers to change their password
• How to allow customers to see their orders
• How to allow customers to cancel orders
User account area
A user account area provides a central place for our customers to view and amend
their details, as well as an area to see a history of their orders and their status. This
is important as it allows customers to check on the status of their orders, which
should be updated automatically, so they don't need to keep getting in touch with
us to see if their order has been dispatched yet.
Changing details
Most user account areas allow customers to change their details: maybe they have a
new e-mail address, wish to change their password, or have a new default delivery
address for all future purchases. By allowing the customer to keep these details up
to date, not only are we making this easier for them (they only need to change their
default delivery address once, and it will remain the same for all future purchases),
but we are also ensuring that our contact details for them are up to date. This means
that if we wish to send out e-mail newsletters, discount vouchers, and so on to our
customers, we are more likely to have up-to-date details for them.