Online Payment Questions...



SureShot
April 14th, 2004, 11:44 AM
I wasn't sure if I should post this here, as I don't know exactly what I need so I didn't know the area to post it.

We here at work are looking for a way to receive payments online with our website. We have looked into Pay Pal and also Ecommerce from the bank. We have a programmer here so the backend stuff isn't going to be a problem; we just don't know a few things.

Pay Pal is a good option except it takes some of your profits and it also doesn't really look like your own site, kind of like going off site to buy something. I don't really like that idea.

E-Commerce is just way too expensive right now. We won't be going through a ton of stock just yet so I don't know if it's worth the price. I like the flexibility of it all and that it's just us and the Banks that run it, no middle men, but still, so much money.

Does anyone else have some ideas? We basically want someone to be able to order a product, input their credit card number, have it processed, and once it goes through we get and fill the order.

Anyone? Thanks! :tie:

fester8542
April 14th, 2004, 11:47 AM
Well if your programmer can create a secure (SSL) backend then you could have the information put into a secure database for later retrieval to manually run the credit card numbers.

If you're not expecting a huge volume of orders this might be a good way to go.

If it proves to be bigger than you expected you could then move to an e-commerce system through your bank.

Sounds like a fun project you're working on.

Lou_Sifffer
April 14th, 2004, 11:49 AM
That's what we have been doing for our fledgling ecommerce clients.

You can make it look fancy, should you want.

DDD
April 14th, 2004, 11:55 AM
Lots of laws surrounding storage of sensitive data. Be sure to research laws for your region. Also I would go with a banking solution: more security and you have their insurance backing you up. But you will definitely need an SSL certificate, which could get expensive. We have a 128 bit that costs us 800 bucks a year. Go to www.verisign.com for more info. Actually they have a bunch of info there that can help you.

Lou_Sifffer
April 14th, 2004, 11:59 AM
we recommend deletion of info immediately upon retrieval. It is then up to the client to retrieve and delete every day.

SureShot
April 14th, 2004, 12:10 PM
Rev and Fester, here's a question.

No matter what, wouldn't we have to get an SSL Cert in order to be able to even take their Credit Card Numbers over the internet AND THEN we have to make sure we have a secure server to store the information on AND THEN delete that information as soon as we process their card number?

Lou_Sifffer
April 14th, 2004, 12:11 PM
certificates are cheap.

about $150 American, if I'm not mistaken.

once you have the requirements for the cert, all else falls in line. You do not need a separate server, just a secure section of one.

you store the info the cust inputs on a secure site. you then go to a display on that secure site to view the cust info, and delete it (it is not secure for you to print it out) as soon as it is viewed and approved. We recommend the client actually input the info right into the cc machine from the screen, and delete it upon authorization.

fester8542
April 14th, 2004, 03:25 PM
Yup!

What he said

blindlizard
April 14th, 2004, 03:38 PM
Make sure if you do it that way, that you encrypt the CC numbers in the database or wherever you are storing them. The SSL only encrypts the transmission from the client (web browser) to the server. Once the server has it, it is plain text again. If someone were to hack into your server, they could potentially read the numbers. SSL is just to keep anyone from intercepting the transfer across the wire.

What I do for 2 of my clients is get the CC from the user over an SSL connection. Then immediately encrypt the CC and store it in the database. Then, the client runs a report to get all the orders. This report is over an SSL connection too. It decrypts the numbers, and displays them. The client then runs all the CCs through their credit card machine and deletes them permanently from the database.
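
An added example, not code from anyone in this thread, of the flow described in the post above: the card number is encrypted as soon as it arrives, only ciphertext is stored, and the row is deleted once it has been decrypted for the operator. The names `Vault`, `NewVault`, `Store` and `Retrieve`, the in-memory map standing in for the database table, and the choice of AES-256-GCM are all assumptions made for the illustration.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Vault struct { // stands in for the orders table; holds only ciphertext
	aead cipher.AEAD
	rows map[string][]byte // order ID -> nonce || ciphertext+tag
}

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // 32-byte key, kept outside the database
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Vault{aead, map[string][]byte{}}, err
}

// Store encrypts on arrival; the order ID is bound in as associated data.
func (v *Vault) Store(orderID, pan string) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.rows[orderID] = v.aead.Seal(nonce, nonce, []byte(pan), []byte(orderID))
	return nil
}

// Retrieve decrypts one order for the operator and deletes it on success.
func (v *Vault) Retrieve(orderID string) (string, error) {
	row, n := v.rows[orderID], v.aead.NonceSize()
	if len(row) < n {
		return "", fmt.Errorf("no stored card for %s", orderID)
	}
	pan, err := v.aead.Open(nil, row[:n], row[n:], []byte(orderID))
	if err == nil {
		delete(v.rows, orderID)
	}
	return string(pan), err
}

func main() {
	v, _ := NewVault(make([]byte, 32)) // constructed all-zero demo key
	v.Store("order-1001", "4111111111111111") // constructed test number
	fmt.Println(v.Retrieve("order-1001"))
}
```

A row that fails authentication (tampered, or copied onto a different order ID) is left in place rather than deleted, so it can be investigated.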

SureShot
April 14th, 2004, 03:38 PM
Thanks Fester, Rev and DDD - the help is much appreciated!

Lou_Sifffer
April 14th, 2004, 03:44 PM
Thanks Fester, Rev and DDD - the help is much appreciated!

http://www.joe-ks.com/archives_jan2003/DonutLand.jpg

gonna sell to cops, eh Tuknuk?

SureShot
April 14th, 2004, 04:20 PM
You got it!

But around here it's Tim Hortons!

http://www.cybersalt.org/cleanlaugh/images/d/donutsafe.jpg

Don't worry, all the donuts are safe!

Lou_Sifffer
April 14th, 2004, 04:21 PM
but those are Tuknuk State license plates.

ahhh, you get the humor

DDD
April 14th, 2004, 04:38 PM
Depending on where you are there is a thing called the "safe harbor agreement". I ran into that recently on a project. Cover your bases to avoid a lawsuit. And remember when doing things secure: paranoia is your friend.

Rev, 150 bucks huh? And that is 128 bit encryption? I bought mine from Verisign and they hit me for 800 bucks. Maybe we are talking about 2 different things.

this is what I got
http://www.verisign.com/products/site/secure/index.html

Lou_Sifffer
April 14th, 2004, 04:41 PM
I'm not sure. I've partners which take care of that. One of which is an ISP owner. Maybe that helped.

DDD
April 14th, 2004, 04:45 PM
yeah I think he may have the hook up.....Because I researched certs and they all hovered around 800 large.....and I do believe you may have to have a separate server for it. Because you have to register it in IIS. And my experience was once in IIS you have to be careful what applications you register there because it can cause problems. But then again that could have been a MS bug.

Lou_Sifffer
April 14th, 2004, 04:57 PM
I claim that ignorance is bliss in these cases.

:D

DariusMonsef
April 14th, 2004, 04:59 PM
128-bit SSL only $150
http://geotrust.com/web_security/index.htm - Verisign is crazy... They want you to spend $30 on a domain registration too.

DDD
April 14th, 2004, 05:27 PM
I think this is a sample of you get what you pay for. I have never heard of this company therefore would not trust it. The Verisign authentication is like having an ADT alarm system and a Pitbull and a Rottweiler guarding your site. But if it works it works. My friend found SSL for cheaper than that....lol

DariusMonsef
April 14th, 2004, 05:30 PM
Well I have used Geotrust on my own projects and recommend them to clients. The only thing you really need to check for when getting an SSL cert from a company is that they are in a list of authenticated providers, otherwise IE or your browser will throw up an alert saying that the certificate isn't recognized.


telekinesis
April 14th, 2004, 06:24 PM
The site me, my dad, and 3 employees run:

http://www.macromotive.com (http://www.macromotive.com/)

We use SSL Certificate and the user inputs the credit card numbers and they are stored on our secure server until we manually use our back end Bank of America merchant account and they charge us 3%.

Paypal charges much more.

We also have an eBay division that just I run for blow out inventory and drop ships:

http://cgi6.ebay.com/ebaymotors/ws/eBayISAPI.dll?ViewSellersOtherItems&userid=macromotive

SureShot
April 14th, 2004, 07:23 PM
Wow Guys, this is a TON of great information. Thank you so much!

Telekinesis, how much did you pay for your certificate, do you know?

David
April 14th, 2004, 08:02 PM
My god those 4WD prices are cheap.. With the changeover to Aussie $$$, they're about 2/3 of the prices we pay here.. But then I suppose they're a lot more common in the US..

Sorry for the thread hijack..

telekinesis
April 14th, 2004, 08:14 PM
Hi-jack the thread all you want!

We offer really good prices. On all our Airaid Intake Systems and Throttle Body Spacers we are doing FREE Ground Shipping right now. We also have random stuff up like Super Duty Lift Kits and Hypertech Power Programmer III.

( A little shameless promotion ) ;)

EDIT: Sure Shot, we pay $250 a year for our certificate.

SureShot
April 14th, 2004, 09:10 PM
Hi-jack the thread all you want!


EDIT: Sure Shot, we pay $250 a year for our certificate.

Ta Hell you will! No Hi-Jacking!


And thanks Dan :)

blindlizard
April 15th, 2004, 01:07 AM
GoDaddy $50 https://www.godaddy.com/gdshop/ssl/ssl.asp?isc=&se=%2B&from%5Fapp=&rhl=hw%5Fdefault%2Easp&mscssid=513282

blindlizard
April 15th, 2004, 01:10 AM
Oh, one thing I found out....my Sprint cell phone only recognizes Verisign and some other companies' certificates. If I browse a secure site on my phone and it doesn't have one of their certs, I can't see the page. I was going to do some reporting to view on my cell, but I can't do it over an SSL connection. We went with a Geotrust certificate which is actually an Equifax certificate.

imported_FlashFish
April 17th, 2004, 09:46 AM
Great advice all. Really helpful for me too. One thing though, once you have the certificate, do you use the company you have bought it from as the secure server?

DDD
April 17th, 2004, 11:01 AM
nope you input the certificate into IIS on your server

imported_FlashFish
April 17th, 2004, 09:06 PM
Ah. that seems like the trickier part then...

DDD
April 17th, 2004, 09:32 PM
actually it is very easy if you are using a windows server.....

blindlizard
April 18th, 2004, 02:28 AM
All a secure certificate does is tell the user (their browser) that the site is running on an SSL connection and that the company issuing the certificate has verified that the company now with the certificate (your site) is who they say they are. On servers other than Windows servers, you can set your site up through an SSL connection without even having a certificate. Windows makes you get one to go over SSL. However, this certificate does not have anything to do with the secure connection. The webserver creates the secure connection, and the certificate is just passed to the client so that the neat little lock will show up in the user's browser window and make them feel all warm and cozy about the transaction.

Verisign is really expensive, but from what I see they do the most "background" checking to ensure you are (as the buyer of the certificate) who you say you are. Geotrust uses some kind of phone verification thing (I have gone through it several times buying certificates for clients) and Godaddy does a look up of your company's Dun and Bradstreet report. If you don't have one, then you have to physically fax them your business credentials (I am in the process of doing that right now for a client). From a buying perspective Geotrust is the easiest to get (least hassle) for the price.

DDD
April 18th, 2004, 11:34 AM
All a secure certificate does is tell the user (their browser) that the site is running on an SSL connection and that the company issuing the certificate has verified that the company now with the certificate (your site) is who they say they are.

Dude you forgot to mention the 128 bit encryption....lol.....pretty important part.

blindlizard
April 18th, 2004, 12:53 PM
Dude you forgot to mention the 128 bit encryption....lol.....pretty important part.

But the certificate doesn't do that. The web server does. The certificate just tells the web server what you want. If you are working on a non-Windows server, you can do all this without a certificate. A certificate does nothing. It is just there to make the user feel good. The server is either connecting over SSL or it isn't, has nothing to do with the certificate.

Lou_Sifffer
April 18th, 2004, 01:12 PM
I hate to admit it DDD, but BL is right.

it really is just a warm fuzzy blanket, for the end user.