Saturday, May 17, 2008
Starting Online Business

Introduction

SuppleHost provides hosting services, directly or indirectly, for many skillful developers who are familiar with the programming technologies of their choice and have the right background, attitude and experience. They have all the necessary knowledge and experience to create a web site of virtually any complexity... but when it becomes necessary to accept credit cards through the web site, the question pops up: how? Surprisingly, given the huge size of the Internet, an answer to that question is very difficult to find, which leads to another problem: how do I know that the ecommerce solution I'm offered is not overpriced? This article is intended to give a brief overview of the relevant technologies and services, and to give the developer (designer, web site owner, etc.) links to relevant resources.

Throughout this article we use the term Credit Card to refer not only to credit cards, but also to debit cards, and even to virtual cards. The particular kind of card is not important; the card just needs an assigned unique number within one of the popular payment systems (Visa, MasterCard, etc.; the exact set available to you depends on the Credit Card Processor you have chosen). There are a few exceptions: for example, Visa Electron cards provided by some banks are seriously restricted in use and have ATM and Internet transactions disallowed; however, banks clearly state this to their clients.

Web Security Model

Probably the main thing that every developer should keep in mind is that credit card information should always be transferred securely. Transferring such sensitive information unencrypted over an insecure public network is neither good practice nor fair to the clients, to say the least. When security issues come in, knowledge of the relevant areas becomes essential. Everyone developing ecommerce-enabled web sites is strongly advised to read a good book on general computer security, as the least thing to do.

In modern Internet practice, backed by the corresponding software, security algorithms are used for two goals:

  • Encrypt information transferred over an insecure (public) network.
  • Authenticate the web site (assure the visitor that he/she is connecting to exactly the web site he/she intended to).

While security algorithms may also be used to authenticate the user (visitor) or to encrypt email, they are used for that extremely rarely.

Let's move to more practical issues. Every online transaction directly involves these three entities:

  • Client (customer, web site visitor)
  • Web Site, or online merchant (program code, hosting facility, and company staff)
  • Credit Card Processor

Client/visitor and Web Site do not require additional comment, but the Credit Card Processor deserves more detail. A Credit Card Processor is an independent business entity that provides web sites with a gateway to the credit card databases of the banks worldwide that issued the credit cards online shoppers submit. Credit card processing companies are backed by complex hierarchical database and network structures, and provide a relatively simple credit card processing interface for web sites.

On the modern market you will find several dozen different credit card processors, with different, incompatible processing interfaces. Also, credit card processing companies often do not provide their services directly but only via numerous resellers. All such resellers provide exactly the same technical service, but provide different levels of support, have different setup and monthly fees, and sometimes have a different target audience (i.e. different rules for accepting/declining merchants). Together these form the competitive market that has made doing online business affordable for anyone.

Credit Card Transaction

Most customers believe that as soon as they have submitted their credit card number and received a receipt, the transaction is complete. It may look like that from the customer's point of view, but the merchant must be familiar with credit card transaction processing in greater detail.

Any credit card transaction starts with authorization. The bank that issued the credit card issues the authorization (merchants do not communicate with banks directly, but via the Credit Card Processor). Authorization guarantees that the credit card has sufficient funds or credit, and locks that amount. The authorized amount stays on the customer's credit card, but for the merchant it is very important that as soon as the transaction authorization is provided, the bank guarantees that the merchant will receive the authorized amount - the credit card holder cannot spend the locked funds on anything else. Even if the credit card expires or is cancelled, the transaction authorization will survive.

At some point in the future (ranging from a few seconds to a month), the authorized transaction may be settled or, alternatively, voided. Settlement transfers funds from the credit card to the merchant; the transaction appears on the credit card holder's bank statement at the moment of settlement (also, at this moment the merchant is charged a small transaction fee; see below for more details). Voided transactions do not appear on the credit card holder's bank statement at all. Transactions that are unsettled for too long will be automatically voided. Usually the timeout is one month, but some credit card processors enforce lower timeouts.

The merchant may refund a settled transaction, if necessary. The refund may be in full, and some credit card processors allow partial refunds, but under no circumstances can the refunded amount exceed the amount of the initial transaction (refunds are usually considered distinct transactions, and the merchant is charged a small transaction fee again).
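The lifecycle described above (authorize, then settle or void, then optionally refund) is worth enforcing in the merchant's own order code so that an out-of-order or oversized operation is rejected before it reaches the processor. The following is an added example, not code from any processor's API; the class and method names and the 30-day timeout are assumptions.

```python
from datetime import datetime, timedelta

class TransactionError(Exception):
    """Raised when an operation is not valid for the transaction's state."""

class CardTransaction:
    # Assumption: one-month timeout; some processors enforce a shorter one.
    AUTH_TIMEOUT = timedelta(days=30)

    def __init__(self, amount_cents, authorized_at):
        self.amount = amount_cents        # amount locked by the authorization
        self.authorized_at = authorized_at
        self.state = "authorized"
        self.refunded = 0                 # running total of refunds, in cents

    def _expire_if_stale(self, now):
        # Authorizations left unsettled for too long are voided automatically.
        if self.state == "authorized" and now - self.authorized_at > self.AUTH_TIMEOUT:
            self.state = "voided"

    def _require(self, state, action):
        if self.state != state:
            raise TransactionError(f"cannot {action} a {self.state} transaction")

    def settle(self, now):
        self._expire_if_stale(now)
        self._require("authorized", "settle")
        self.state = "settled"            # funds move to the merchant here

    def void(self, now):
        self._expire_if_stale(now)
        self._require("authorized", "void")
        self.state = "voided"             # never appears on the statement

    def refund(self, cents):
        self._require("settled", "refund")
        # Partial refunds are allowed, but their sum may not exceed the original.
        if cents <= 0 or self.refunded + cents > self.amount:
            raise TransactionError("refund must be positive and within the original amount")
        self.refunded += cents
        return self.amount - self.refunded   # amount still refundable

if __name__ == "__main__":
    t = CardTransaction(5000, datetime(2008, 5, 1))   # constructed sample: $50.00
    t.settle(datetime(2008, 5, 2))
    print(t.refund(2000), t.refund(3000))
```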

Rarely, credit card holders ask their banks to charge their transactions back - usually when their credit card has been stolen, or when the merchant failed to deliver paid goods or services. Note that a chargeback not only subtracts the transaction amount from the merchant account; the merchant is also charged a relatively large penalty, usually $20. Thus, if your customer has requested a refund, and the request is reasonable, it is in the merchant's best interests to issue the refund immediately rather than wait for the customer to initiate a chargeback. One more note: chargebacks are a business risk that merchants incur. Fortunately, responsible merchants that provide quality goods/services see chargebacks extremely rarely, and always have a chance to dispute the chargeback if they have reasonable proof (in fact, the topic of chargebacks deserves a separate article).

So, when doing business online, you usually follow one of these policies:

  • Transactions are automatically settled (captured) immediately upon authorization. This is suitable if you provide inexpensive services where you do not expect refunds or chargebacks. The disadvantage is that the customer needs to wait for two actions to occur (authorization and settlement), which takes almost twice as long. Usually the delay is still a matter of a few seconds, but consider adopting the following policy instead.
  • Transactions that are authorized during the business day are settled with the evening batch. This is what the majority of retail (physical) stores do. You can usually instruct your credit card processor to do evening settlement batches automatically.
  • Authorized transactions stay unsettled until the goods are shipped, the service is provided, or the refund period ends. Thus, authorization occurs automatically, but the merchant needs to perform certain manual action(s) to capture the money. This is best suited to online merchants where human intervention is required for each transaction (to pack and ship goods, to approve an account order, etc.)

When planning an online business, choose the processing policy that suits your business best; do not forget to check whether the credit card processor of your choice can support the policy; and then code your web site software appropriately.

Basic Communication Model

Now, let's see how to build a working e-commerce web site from the available modules. The most popular model is presented in Fig. 1:


Fig.1

Important things to notice:

  • The secure channel is provided by the credit card processing company, thus you bear no additional expenses - you do not even need an SSL-enabled hosting account.
  • If inter-server communication occurs via the client, be aware that the client may change information in transit. Thus, information passed through the client is usually only good for presenting a 'thank you' or 'the transaction has failed' response. It is not prudent to ship goods or provide services based solely on the information passed through the client. The merchant has access to secure, reliable payment information by logging in to the secure account at the credit card processor's web site.
  • If inter-server communication is protected by a digital signature (hash), or travels directly between servers, it is usually safe to rely upon such information. But make sure to check that the signature protects not only some basic information (thus ensuring that the transaction has occurred successfully), but also the paid amount (thus ensuring that the transaction has occurred successfully for the particular amount, not a lower amount).
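The last two points above, as an added example that is not part of the original article or any processor's documentation: a merchant-side check of a payment notification relayed through the client, where the signature covers the amount and the signed amount is then compared with what the order actually costs. The field names, the HMAC-SHA256 scheme and the shared secret are assumptions; each processor documents its own.

```python
import hashlib
import hmac
from decimal import Decimal

SECRET = b"constructed-shared-secret"  # assumption: issued by the processor
SIGNED_FIELDS = ("order_id", "status", "amount", "currency")  # hypothetical names

def sign(fields, secret=SECRET):
    # Length-prefix every value so adjacent fields cannot be shifted into each other.
    msg = "".join(f"{len(str(fields[k]))}:{fields[k]};" for k in SIGNED_FIELDS)
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()

def verify_notification(fields, orders, secret=SECRET):
    """Check a notification relayed through the client; return (ok, reason)."""
    if any(k not in fields for k in SIGNED_FIELDS + ("sig",)):
        return False, "missing field"
    # Constant-time comparison over bytes; the signature covers the amount too.
    if not hmac.compare_digest(sign(fields, secret).encode(), fields["sig"].encode()):
        return False, "bad signature"
    expected = orders.get(fields["order_id"])
    if expected is None:
        return False, "unknown order"
    if fields["status"] != "approved":
        return False, "not approved"
    # A valid signature only proves what was paid; compare it with what was owed.
    if (Decimal(fields["amount"]), fields["currency"]) != expected:
        return False, "amount mismatch"
    return True, "ok"

# Constructed sample data: one open order and three notifications for it.
ORDERS = {"A1001": (Decimal("49.95"), "USD")}

def make(amount, status="approved"):
    f = {"order_id": "A1001", "status": status, "amount": amount, "currency": "USD"}
    f["sig"] = sign(f)
    return f

GENUINE = make("49.95")
UNDERPAID = make("4.95")                     # validly signed, but for less than owed
REWRITTEN = dict(UNDERPAID, amount="49.95")  # amount field altered, old signature kept

if __name__ == "__main__":
    for name, n in [("genuine", GENUINE), ("underpaid", UNDERPAID), ("rewritten", REWRITTEN)]:
        print(name, verify_notification(n, ORDERS))
```

If `amount` were left out of `SIGNED_FIELDS`, the third notification would pass the signature check, which is the gap the last bullet warns about.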

This model has a few important advantages:

  • Installing such credit card processing is very simple - all the developer needs to do is add a few HTML tags to the checkout form. The form data will be posted directly to the credit card processor, which provides you with a couple of necessary secure pages.
  • The secure channel is provided by the credit card processing company, thus you do not have to bear the expenses associated with installing your own secure channel.
  • Your hosting account does not need ecommerce capabilities, thus you can use a noticeably cheaper hosting plan instead.
  • You can upgrade your service if/when necessary, without service interruption.

The disadvantage is that inter-server communication is usually weak or entirely missing, so one has to check the credit card processor's database to discover payment status; but this may be seen as an advantage: you can simplify your web site programming, because a good chunk of functionality is provided by the credit card processor's software.

The expenses can be laid out approximately like this:

  • Hosting account - if your web site is Java™-based, consider the SupplePlatinum hosting account, $18/month, and no setup fees.
  • Credit card processor - generally, you have two options:
    • Purchase online merchant status. This usually costs $250 to $700 for setup, and $10 to $25/month.
    • Rent (lease-to-own) online merchant status. Usually, you have noticeably reduced or no setup fees, but the monthly fee is increased by $30 to $40 for the first two or three years.
    Also, every card processor will charge you a small per-transaction service fee. Usual rates are $0.30 per transaction (but sometimes up to $1.00), plus 2.2% to 2.3% of the transaction amount (sometimes up to 7.5%). Rates usually depend on the 'risk level' assigned to you by the credit card processor; pure or mostly online businesses get rates close to the ones shown here, while businesses where retail (person-to-person) sales prevail are eligible for noticeably lower per-transaction rates.

Advanced Communication Model

A more advanced model is given in Fig. 2:


Fig.2

Important things to notice:

  • All sensitive information passes through the web site, thus you must ensure that your program code is highly secure and reliable.
  • You have to use your own SSL, and use a hosting account that supports SSL (Supple e-Commerce).
  • Some credit card processors do not provide you with an online database; if you use such a service your program code will become more complex.
  • Developers are expected to have deep enough knowledge of their technology of choice to be able to code the mandatory secure inter-server link.
  • A longer testing phase is required, which delays the web site going live.

Advantages of this model are:

  • You no longer rely on the credit card processor's database, and may use several competing credit card processors if necessary.
  • You have more options regarding payments (for example, recurring payments, or one-click checkout.)

The expenses can be laid out approximately like this:

  • Hosting account - you need SSL capabilities; order the Supple e-Commerce hosting plan ($33/month), no setup fees.
  • SSL certificate signed by a Certificate Authority - $125/year.
  • Credit card processor - same options and fees as for the previous model.

Compared with the previous model, recurring monthly expenses are approximately $25 higher, and development/deployment expenses are approximately $300 to $1500 higher. Whether the additional features justify the extra expenses should be decided on a case-by-case basis. Usually online businesses start with the basic model, and upgrade to the advanced model when/if it becomes reasonable.

Conclusion

Apart from these two models, other models are possible; but the models mentioned here are adopted by over 95% of online businesses. Some credit card processors provide interesting features like reversed inter-server communication that slightly rearrange the data flow and allow you to save on development expenses and time. Refer to the technical documentation of a particular credit card processing service for more details.

Now, relevant links should be given, so that you can start taking practical steps toward launching your online business.

The first element is hosting. If you follow the basic model, you might be able to do successful online business using our SpecialOffer hosting plan, which costs merely $3. This solution usually works well if your credit card processor provides you with a shopping cart facility. If your web site has a server-side backend based on CGI-BIN and/or PHP technologies, consider ordering the SuppleGold hosting plan; it costs just $10/month. For Java-based web sites we have an excellent SupplePlatinum hosting plan that starts at $18/month. If you require SSL capabilities from your hosting account, then your option is the Supple e-Commerce hosting plan, which costs $33/month.

The second element is the credit card processor. We have positive experience with the Authorize.net, PayPal.com and ClickBank.com credit card processing companies. Other popular services are GoEmerchant and EZ-Gateway. Note that Authorize.net does not provide services directly, so you need to choose from offers provided by a few different resellers like 1stAmericanCardService.com or Charge.com (look at the Authorize.net web site for more resellers). When choosing a credit card processor, think about which extras you may need down the road (like a physical terminal for retail sales), check how much time it will take for the funds to be made available in your bank account (this may range from 3 days to 3 months), and check whether they provide options to accept less-popular credit cards like JCB or Diners Club. Another important piece of advice: do not pay money before you have all the technical documentation - if you just pay and wait for a surprise, you may get a good surprise, but you may also get a bad surprise that makes you sad about the wasted money.

The third element is an optional SSL certificate. Creating a keypair/certificate is free, but to sign it for a production environment you will need to use commercial services provided by established Certificate Authorities like Thawte, Verisign, Entrust, or InstantSSL. If you are an existing SuppleHost.com client, you will find step-by-step instructions on how to create the keypair and certificate signing request and submit it to the Certificate Authority of your choice in the "FAQs & Tutorials" section of the control panel.

The fourth element, which many people forget about, is advertising. This is probably the most important, and the most expensive, part of successfully doing business online. Why should you invest a lot of money in software development, hosting services and credit card processing services if you have no clients? If you do not have a robust understanding of how your web site will be advertised and a source of the necessary funds, but nevertheless would like to start and learn in the process - you definitely want to choose the least expensive way to start the business.


This concludes the article. We hope you have learned a few things about ecommerce and the relevant components needed to design, develop, and deploy a successful online business. If you have any questions, do not hesitate to contact us.



 
 
 