Chapter 11 [ 243 ]

Storing card details has one major drawback: security. The security implications of storing card details on a server are vast; if the website were compromised, we could leave all of our customers vulnerable, and be liable for the damage. To assist with this, there are some compulsory guidelines imposed by credit card companies (and subsequently required and enforced by the gateways) for storing card details. These guidelines are the Payment Card Industry Data Security Standards (PCI DSS). The PCI DSS specifies six control objectives, which are:

• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access-control measures
• Regularly monitor and test networks
• Maintain an information security policy

These objectives and their associated requirements are assessed to validate compliance. Further information on PCI DSS can often be obtained from payment gateways themselves, and also from the PCI website (https://www.pcisecuritystandards.org/index.shtml). Some web hosts have specialist hosting available, which ensures compliance from a server and network infrastructure perspective, and also makes it easier for the other aspects to be verified. One example is the A Small Orange business hosting service: http://asmallorange.com/hosting/business/.

Not storing card details

If we don't store card details, we don't get as much flexibility as discussed earlier. There are generally two ways this works: we either pass the card details to the gateway and charge the card in one step, or we pass the details to the gateway, obtain a token, and charge the card later by passing the token and the amount to the gateway. If we use the token method, we are tied to that gateway, as we can't pass the token to another gateway to charge the card; they won't have a card associated with our token.
However, this method does remove a lot of the concern regarding security, although the stance taken by gateways on whether PCI DSS compliance is required (and if so, to what level) varies.

This material is copyright and is licensed for the sole use by jackie tracey on 23rd February 2010 953 Quincy Drive, , Brick, , 08724

Other payment gateways

There are a number of other payment gateways available, including:

• SagePay
• NoChex
• Authorize.net
• 2Checkout Gateway
• WorldPay

Each of these gateways has different costs associated with it, and may have different advantages and disadvantages (for example, customers may be more comfortable using one of them, or its dispute procedure may be too favorable to customers, and so on). More information on them can be found on their respective websites; however, I'd also recommend searching for reviews and accounts of other merchants' experiences with them.

Payment gateway tips

When looking into payment gateways, it is important to consider the following factors:

• Do you also need a special merchant bank account, and what is involved in setting one up (time, paperwork, costs, application process, and so on)?
• Monthly costs, or a minimum monthly turnover through the gateway to keep the account active.
• Setup costs; some processors have high setup costs, but this may mean a lower monthly cost.
• Transaction costs; that is, how much of each transaction the gateway is going to keep for itself.
• Volume of transactions you are looking to process; some gateways offer reduced rates for higher transaction volumes.
• Value of transactions you are looking to process; some gateways offer reduced rates for minimum monthly totals processed, while others may not be cost effective when individual transactions are small.
• With some gateways, you may be able to negotiate special rates; this is particularly true with bank-based gateways, especially in the UK.
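The token-based flow from the "Not storing card details" section above, as an added example (this is not the book's code, and no real gateway API is used): a hypothetical TokenisingGateway interface and an in-memory stand-in show what the store is allowed to keep (an opaque token and a masked card number) and why a token issued by one gateway cannot be charged through another. The class and method names, and the PHP 8.1 syntax, are assumptions; the card number is a constructed test value.

```php
<?php
// Added example (not the book's code): charge by token, store no card details.
// TokenisingGateway, InMemoryGateway and StoredPaymentMethod are assumed names.

interface TokenisingGateway
{
    /** Exchange raw card details for an opaque token; the gateway keeps the card. */
    public function tokenise(string $pan, string $expiry, string $cvv): string;

    /** Charge a previously issued token. Returns a gateway transaction id. */
    public function charge(string $token, int $amountInPence): string;
}

// Stand-in so the example runs offline. A real gateway is an HTTPS API; the
// point here is which data stays inside the gateway and which reaches the store.
final class InMemoryGateway implements TokenisingGateway
{
    private array $vault = [];   // token => card details, held only by the gateway
    private int $counter = 0;

    public function tokenise(string $pan, string $expiry, string $cvv): string
    {
        // The token is random, so it carries no card data and cannot be guessed.
        $token = 'tok_' . bin2hex(random_bytes(16));
        $this->vault[$token] = ['pan' => $pan, 'expiry' => $expiry];
        // The CVV is used for this authorisation only and is never retained.
        return $token;
    }

    public function charge(string $token, int $amountInPence): string
    {
        if (!isset($this->vault[$token])) {
            throw new RuntimeException('Unknown token: issued by another gateway or never issued');
        }
        return 'txn_' . ++$this->counter;
    }
}

// What the store persists: which gateway issued the token, the token itself and
// a masked number for display. No full PAN, expiry or CVV reaches our database.
final class StoredPaymentMethod
{
    public function __construct(
        public readonly string $gatewayName,
        public readonly string $token,
        public readonly string $maskedPan
    ) {}
}

function maskPan(string $pan): string
{
    // Keep at most the last four digits for display; replace everything else.
    return str_repeat('*', max(0, strlen($pan) - 4)) . substr($pan, -4);
}

function saveCard(TokenisingGateway $gateway, string $gatewayName, string $pan, string $expiry, string $cvv): StoredPaymentMethod
{
    $token = $gateway->tokenise($pan, $expiry, $cvv);
    // Only the token and the masked number are handed back for persistence.
    return new StoredPaymentMethod($gatewayName, $token, maskPan($pan));
}

// --- usage with a constructed test card number (not a real card) ---
$gateway = new InMemoryGateway();
$method  = saveCard($gateway, 'example-gateway', '4111111111111111', '12/30', '123');

echo "Stored for display: {$method->maskedPan}\n";
echo "Charged: " . $gateway->charge($method->token, 1999) . "\n";

// The token is tied to the gateway that issued it: a second gateway rejects it.
try {
    (new InMemoryGateway())->charge($method->token, 1999);
} catch (RuntimeException $e) {
    echo "Second gateway: {$e->getMessage()}\n";
}
```

The important design point is that the raw card details exist in the store's process only for the duration of the tokenise() call and are never written anywhere; the StoredPaymentMethod record is all that goes to the database, which is what keeps most of the PCI DSS scope on the gateway's side.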
Taking payment offline

Taking online payment is great; it means we can process orders quickly. However, not all customers want to pay online. For smaller, less-known e-commerce sites, customers may not trust supplying their card details. We may also wish to enable customers without credit cards to make purchases from our store. This is where offline payment comes in. When the customer confirms their payment method, and confirms the order, we simply mark the order as "pending payment", and inform the customer of how they can send payment, be this by check, in person, or perhaps by card over the phone, along with a reference number. Then, when we receive the payment, we simply mark the appropriate order as "paid".

Summary

In this chapter, we have implemented the final stage of our order process: the payment. We now:

• Can take payment online using PayPal
• Have an understanding of how other online payment methods work
• Have an understanding of how to take payment directly with a credit or debit card
• Can take offline payments
• Have our store update orders automatically when payment is received

Now we can look towards developing the administration area for our store, including managing and fulfilling orders, dealing with customers, creating and managing products, and other settings, such as payment methods, shipping methods, voucher codes, and product filters.

User Account Features

Our customers can now view and search our store, place orders, and pay for them.
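A worked example for the "Taking payment offline" section of Chapter 11 above (added here; it is not the book's own code): an order is marked "pending payment" and given a reference number for the customer to quote, and is only marked "paid" when a payment quoting that reference, for at least the order total, is recorded. The Order class, its method names and the status strings are assumptions; the order id and total are constructed values.

```php
<?php
// Added example (not the book's code): offline payment status transitions.
// Class, method and status names are assumptions.

final class Order
{
    public const STATUS_NEW             = 'new';
    public const STATUS_PENDING_PAYMENT = 'pending payment';
    public const STATUS_PAID            = 'paid';

    private string $status = self::STATUS_NEW;
    private ?string $paymentReference = null;

    public function __construct(public readonly int $id, public readonly int $totalInPence) {}

    public function status(): string
    {
        return $this->status;
    }

    /** Called when the customer confirms an offline payment method and the order. */
    public function markPendingPayment(): string
    {
        // Reference the customer quotes with their cheque or phone payment. The random
        // suffix means a reference cannot be derived from a guessed order id.
        $this->paymentReference = sprintf('ORD-%d-%s', $this->id, strtoupper(bin2hex(random_bytes(3))));
        $this->status = self::STATUS_PENDING_PAYMENT;
        return $this->paymentReference;
    }

    /** Called by staff when a payment actually arrives. */
    public function markPaid(string $quotedReference, int $amountReceivedInPence): void
    {
        if ($this->status !== self::STATUS_PENDING_PAYMENT) {
            throw new LogicException("Order {$this->id} is not awaiting payment (status: {$this->status})");
        }
        if ($this->paymentReference === null || !hash_equals($this->paymentReference, $quotedReference)) {
            throw new InvalidArgumentException("Reference does not match order {$this->id}");
        }
        if ($amountReceivedInPence < $this->totalInPence) {
            throw new InvalidArgumentException("Underpayment on order {$this->id}: received {$amountReceivedInPence}, expected {$this->totalInPence}");
        }
        $this->status = self::STATUS_PAID;
    }
}

// --- usage with a constructed order ---
$order = new Order(1042, 4500);
$ref   = $order->markPendingPayment();
echo "Tell the customer to quote reference {$ref}\n";

// A cheque arrives quoting the reference for the full amount.
$order->markPaid($ref, 4500);
echo "Order {$order->id} is now {$order->status()}\n";

// Recording the same payment twice (a duplicated bank statement line, say) is rejected
// rather than silently accepted, because the order is no longer awaiting payment.
try {
    $order->markPaid($ref, 4500);
} catch (LogicException $e) {
    echo $e->getMessage(), "\n";
}
```

Checking the reference and the amount in markPaid() keeps the "paid" status trustworthy: the order history customers see in their account area is only as reliable as the rules that allow a status to change.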
This leaves us with two primary areas to cover, the user account and the administration area, before we have a store to use in a live environment. In this chapter, you will learn:

• How to create a user account area
• How to allow customers to change their details
• How to allow customers to change their password
• How to allow customers to see their orders
• How to allow customers to cancel orders

User account area

A user account area provides a central place for our customers to view and amend their details, as well as an area to see a history of their orders and their status. This is important as it allows customers to check on the status of their orders, which should be updated automatically, so they don't need to keep getting in touch with us to see if their order has been dispatched yet.

Changing details

Most user account areas allow customers to change their details; maybe they have a new e-mail address, wish to change their password, or have a new default delivery address for all future purchases. By allowing the customer to keep these details up to date, not only are we making this easier for them (they only need to change their default delivery address once, and it will remain the same for all future purchases), but we are also ensuring that our contact details for them are up to date. This means that if we wish to send out e-mail newsletters, discount vouchers, and so on to our customers, we are more likely to have up-to-date details for them.
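One of the details a customer can change from the account area is their password. The following is an added example of a password-change handler (not the book's code): the customer must supply their current password before a new one is accepted, the new password is confirmed and checked for a minimum length, and only a salted hash is stored. The CustomerRepository stand-in, its method names and the sample customer are assumptions; password_hash() and password_verify() are PHP's standard functions.

```php
<?php
// Added example (not the book's code): changing a customer's password safely.
// CustomerRepository and changePassword are assumed names.

final class CustomerRepository
{
    // Constructed sample data: customer id => password hash.
    // A real store would read and write this through its database layer.
    private array $hashes;

    public function __construct()
    {
        $this->hashes = [7 => password_hash('old-secret', PASSWORD_DEFAULT)];
    }

    public function passwordHash(int $customerId): ?string
    {
        return $this->hashes[$customerId] ?? null;
    }

    public function storePasswordHash(int $customerId, string $hash): void
    {
        $this->hashes[$customerId] = $hash;
    }
}

/**
 * Returns null on success, or a message suitable for showing to the customer.
 * Requiring the current password means someone who finds a logged-in session
 * (a shared computer, a stolen cookie) cannot lock the real owner out.
 */
function changePassword(CustomerRepository $repo, int $customerId, string $current, string $new, string $confirm): ?string
{
    $hash = $repo->passwordHash($customerId);
    if ($hash === null || !password_verify($current, $hash)) {
        return 'Your current password was not recognised.';
    }
    if ($new !== $confirm) {
        return 'The new passwords do not match.';
    }
    if (strlen($new) < 10) {
        return 'Please choose a password of at least 10 characters.';
    }
    if (password_verify($new, $hash)) {
        return 'The new password must differ from the current one.';
    }
    // Never store the plain text; store a fresh salted hash of the new password.
    $repo->storePasswordHash($customerId, password_hash($new, PASSWORD_DEFAULT));
    return null;
}

// --- usage with the constructed customer (id 7) ---
$repo = new CustomerRepository();

foreach ([
    ['wrong-secret', 'brand-new-passphrase', 'brand-new-passphrase'],  // current password wrong
    ['old-secret',   'short',                'short'],                 // too short
    ['old-secret',   'brand-new-passphrase', 'brand-new-passphrase'],  // accepted
] as [$current, $new, $confirm]) {
    $error = changePassword($repo, 7, $current, $new, $confirm);
    echo $error ?? 'Password changed.', "\n";
}

// Once changed, the old password no longer verifies against the stored hash.
var_dump(password_verify('old-secret', $repo->passwordHash(7)));
```

The same current-password check is worth applying to an e-mail address change, since the e-mail address is usually where password resets are sent.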