
Payment and Order Processing

There are a number of catalogue Web sites being run by UK companies, varying from large sophisticated book retailers to small ‘mom and pop’ operations. The most popular payment mechanism is payment by credit card, and clearly such payments must be secure. However in a review of a number of such sites, we found that only a minority offered credit card payment over a secure link.

Other options are:

Credit cards over an insecure link

Purchase orders only

Purchaser contacted later by phone or post

Purchaser prints form and faxes it

The few sites that accept credit card information over an insecure link are almost certainly in violation of their agreement with the bank that is accepting their payments. They are also taking on the business risk of fraud: the risk does not stop at the bank but gets passed on to the merchant.

Issues for these sites are:

Perceived non-availability of secure payment methods. We discuss payment methods and security issues below.

Inability of the design shop that developed the Web site to implement a complex catalogue or secure payment system.

Difficulty in finding a commercial Web site hosting operation that will offer a suitable secure environment.

Perceived cost of setting up a merchant server.

Most of these issues are perception rather than reality. There is no reason why a merchant should not be able to offer a fully functional catalogue site with a proper secure payment mechanism. This can be done very cost-effectively.

What is involved in credit card processing?

The steps in credit card processing are as follows.

Authorisation

The merchant must first obtain authorisation for the charge from the merchant’s credit card processing company. Authorisation simply means that the card has not been reported stolen, and there is sufficient credit on the card. It results in the customer’s credit limit being temporarily reduced by the value of the transaction.

There are two ways in which authorisation may be obtained:

Manual: The merchant downloads details of the sale from the computer that is acting as Web server. The merchant then requests authorisation using their normal method such as a point of sale (POS) terminal or PC program.

Automatic: The server software communicates directly with the credit card processing company computer and arranges authorisation on-line.

Clearly the automatic option is preferred, but it is more complex and the costs are greater.

Capture

The final stage is for the credit card to be debited. This can happen at the same time as authorisation, provided that the merchant guarantees that delivery will take place within a certain fixed time. Otherwise capture should take place when the goods are shipped.

If the merchant's business is such that capture can take place immediately, then this can also happen automatically. Otherwise a second manual process is required.

Chargeback

Regrettably, there is sometimes a further stage at which the customer is dissatisfied and arranges for the transaction to be cancelled. Because many Internet sales are made to overseas customers, many banks perceive that there is an increased risk of chargebacks. It has been reported that some merchants will not accept orders to Russia because of the frequency of chargeback.

Note that the fact that a payment has been authorised by the bank does not provide any protection against chargeback.
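The authorise, capture and chargeback stages above, modelled as a small state machine. This is an added illustration, not code from the original article or from any card processor; the class, the delivery-guarantee rule and the processor reply flag are assumptions, and amounts are in pence.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical model of the card-processing lifecycle described in the text.
# The guards encode the ordering rules: capture only after authorisation,
# immediate capture only with a delivery guarantee, chargeback possible even
# though the payment was authorised.

@dataclass
class CardPayment:
    order_id: str
    amount: int                      # pence
    authorised: bool = False
    captured: bool = False
    charged_back: bool = False
    log: List[Tuple[str, int]] = field(default_factory=list)

    def authorise(self, processor_accepts: bool) -> bool:
        # Authorisation only confirms the card is not reported stolen and has
        # enough credit; it places a temporary hold on the customer's limit.
        if self.authorised:
            raise ValueError("already authorised")
        self.authorised = processor_accepts
        self.log.append(("authorise", self.amount if processor_accepts else 0))
        return processor_accepts

    def capture(self, shipped: bool, delivery_guarantee_days: Optional[int] = None) -> bool:
        # Debit the card. Allowed at authorisation time only if the merchant
        # guarantees delivery within a fixed period; otherwise only on shipment.
        if not self.authorised:
            raise ValueError("capture without authorisation")
        if self.captured:
            raise ValueError("already captured")
        if not shipped and delivery_guarantee_days is None:
            return False                 # hold the authorisation, capture later
        self.captured = True
        self.log.append(("capture", self.amount))
        return True

    def chargeback(self) -> None:
        # A dissatisfied customer reverses the debit; prior authorisation gives
        # the merchant no protection against this.
        if not self.captured:
            raise ValueError("nothing to charge back")
        self.charged_back = True
        self.log.append(("chargeback", -self.amount))

    def net_settled(self) -> int:
        # Money the merchant actually keeps after captures and chargebacks.
        return sum(v for k, v in self.log if k in ("capture", "chargeback"))


def chargeback_rate(payments: List[CardPayment]) -> float:
    # Share of captured payments later charged back, a basic risk metric.
    captured = [p for p in payments if p.captured]
    return (sum(p.charged_back for p in captured) / len(captured)) if captured else 0.0
```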

Other Payment Methods

The discussion above has concentrated on credit card payments because they are the most efficient for most purchases.

However there are a number of alternatives, and you should offer as many of these as you can on your site; for example, fax and telephone ordering should almost always be offered.

Fax

Simply printing an order form and faxing it to the merchant is feasible and reasonably secure. The form can be the same secure order form; simply offer faxing as an option in the page text.

Telephone Order

Offer customers the option of calling in their order, using the order form as a prompt. Many will prefer this, and the order form will be useful in confirming product codes and prices.

Micro-payments

Whereas credit cards are fine for significant purchases, they are not efficient for a purchase of only a few pence (a micro-payment). There are systems being developed which operate like an electronic purse which can be recharged using traditional payment mechanisms. The purse can be depleted without formality for these small payments. Micro-payment systems are seen as a significant future development. The main players are:

Mondex – originally developed in the UK but now operated by MasterCard. This relies on the use of smart cards to hold the value, and payments can be made from card to card without any intermediary. This makes the Mondex card a powerful substitute for cash, and with cheap smart card readers becoming available for PCs, a very acceptable Internet payment method.

Visa Cash has been developed by Visa.

Cybercash already has an electronic wallet concept to retain credit card information and pass it securely to a merchant (see below). This concept can readily be extended to electronic cash for micro-payments.

Ecash is an early cash system, which is unlikely to survive in competition with giants like Visa.

Remember that micro-payment systems are often seen as less secure than other payment methods. For example the smart card can be stolen, like a real wallet. A trade-off against security is part of the concept. For this reason there will normally be an upper limit to transaction and wallet sizes.

Proprietary Payment Systems

These were developed before secure server technology was widely available. They operate in different ways.

Cybercash uses an ‘electronic wallet’ to hold credit card details and to transmit them securely using their own encryption software.

First Virtual uses a system of e-mail messages to confirm the sale.

The problem with all of these proprietary systems is that they require the user to do something to set themselves up, either to install special software or to register with the organisation.

Electronic Cheques

These are quite possible and are in use in the USA.

Purchase Orders

For business purchases a purchase order would be appropriate.

Security Issues

Why is the Internet different?

There is a widely perceived risk attached to payments made via the Internet, and this perception is in some circumstances justified. This is not like making a phone call or sending a fax. The information sent from the customer to the Web server may pass through many different stages before being delivered. The information is in digital form, and at any stage an unauthorised individual may scan every message looking for credit card numbers (which are easily identified).

The difference between this process and a telephone call or fax is that the scanning process can be automated. It is as easy to check every message as to check a single one.

Secure Socket Layer (SSL)

It is therefore essential that traffic be scrambled (or encrypted), and the standard SSL protocol developed by Netscape provides a high level of protection. The US government views encryption technology as munitions, and therefore the only version of SSL available worldwide is the relatively weak 40-bit version. However, this version is quite strong enough to protect against automated scanning as described above, as it takes over an hour to crack one message.

Browsers that support this technology indicate that a secure session is in progress by showing a dialog box, or in the case of Netscape Navigator by showing a blue key on the screen.

Beyond the Blue Key

Even if the customer is protected by SSL technology, it is clearly important that the information remain secure.

Once stored on the Web server, and before being passed to the merchant, the information is at risk from someone breaching security on the server and examining the files. Protection from this can be provided by either:

Encrypting the information stored on the server

Using a ‘firewall’ to protect the information. A firewall is a device (or a piece of software) which limits access to a server to specific types, such as ‘Web traffic only’. An important UK acquiring bank (Barclays) insists that credit card data be held behind a firewall.
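Two points above, that card numbers in transit are "easily identified" and that data stored on the server should be encrypted, can be checked with the same tool: a scanner that flags credit-card-shaped numbers (right length, Luhn check digit) in text. Run over the server's own order files or logs, any hit means card data is sitting there in the clear. This is an added example, not code from the article; the log lines are constructed and the card numbers are the well-known test numbers.

```python
import re
from typing import List, Tuple

# Candidate: 13 to 19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    # Standard Luhn check: double every second digit from the right,
    # subtract 9 from doubled values above 9, total must be divisible by 10.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[Tuple[int, str]]:
    # Return (line number, masked number) for every Luhn-valid hit, so the
    # report itself does not reproduce the card numbers it found.
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append((lineno, "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def stored_data_is_clean(text: str) -> bool:
    # True when no recognisable card number is present in the stored text.
    return not find_pans(text)


# Constructed sample of an order log as a careless server might write it.
# Line 2 shows the desired state: only an opaque encrypted blob is stored.
SAMPLE_LOG = """\
2001-03-04 10:15:02 order=1042 card=4111111111111111 exp=12/03 amount=19.99
2001-03-04 10:15:40 order=1043 card=ENC:0a9f... amount=5.00
2001-03-04 10:16:11 order=1044 card=4242 4242 4242 4242
2001-03-04 10:17:45 order=1045 ref=1234567890123456 amount=7.50
"""

if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: plaintext card number {masked}")
```

Line 4 contains a 16-digit reference that fails the Luhn check and is correctly ignored, which is the difference between this scan and a plain digit search.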

The further stage of sending the information to the credit card processor and to the merchant must similarly be protected.

The ‘blue key’ which Netscape Navigator provides to show that a secure session is under way is therefore no guarantee of total security, and the reputation of the merchant (or the payment process) is also important.

In an attempt to overcome these weaknesses, the industry has developed the SET specification. SET stands for Secure Electronic Transaction.
