The magazine of the Melbourne PC User Group

Selling Online In a Changing World
 
Gordon Woolf
gordon@worsleypress.com

You've got a Web site. You want it to sell for you - finding a worldwide market. First, take a step back and recall those multi-million dollar online stores which opened with a flourish and closed with not so much a whimper but with tears gushing as fast as the losses.

A small business can make money on the Web - but you have to think cheap.

Profit depends on keeping costs under control. If you can set up a selling system in time that would not otherwise be spent creating profit in more traditional ways, then you will be ready for the upswing that will come, if only someone can predict when.

Perception Is Reality

The public is becoming aware that they can buy things on the Internet more easily and often cheaper than by mail order, or by driving to the store. But they are also being hammered by the messages that they must play safe.

So, anyone inviting Internet purchases has to offer a secure way of transferring the money. That can be costly, but it does not have to be.

Giving card details over the Internet is no more dangerous than giving them to a market trader you don't know, or giving them over the phone. Most thefts of card numbers have been from the offices of traders, not during their transmission. Misuse of card numbers is more likely to be due to a rogue merchant or a rogue employee of a reputable merchant.

You may have the most secure online ordering system that money can buy, but you could still leave printouts of the details on your shop or reception counter unattended or leave the details on the PC when it is traded on an upgrade. The buyer would have been safer sending the card number by e-mail to a merchant who deleted the file and shredded the printout a month later. In the not-too-distant future, the buyer will be persuaded that his credit details should go through one stage less: straight to the card company or bank, which then tells the merchant the money is on its way to his account.
 
Shopping Carts

A "shopping cart" is a program which takes over when the visitor to a Web site clicks on a button to make a purchase. It can be on the same computer as the Web site, or it can be on a secure computer operated by the company hosting the site, or it can be in a computer farm operated by a firm specialising in handling secure transactions.
 
The transaction can also be handled in two parts. The detail collected initially, such as the items ordered and the address to which they should be sent, may not need to be transmitted at a very secure level. However, the credit card number does need to be entered over a secure connection.


Figure 1. The setup of a shopping cart is complex - mainly because of options such as freight. In this example, cComm Pro allows almost limitless weight and country combinations. Then you can add multiple choices for freight methods.


Figure 2. At the other extreme, the shareware program "Shopping Cart 3" offers little other than a list of products with pictures for each and a weight setting to calculate freight. But even here there are five setup screens.

Secure Connections

The most common secure system is known as SSL, the "secure sockets layer", and it is the switch to this which brings up the little lock symbol in Internet Explorer or the unbroken key in Netscape. It is the level of security used for most Internet banking. The key or lock indicates that your information is being encrypted at your end and decrypted at the other end. Anyone who comes across the information while it is in transit will see an unintelligible set of nonsense characters.

However, a customer needs to know where the message is going. Is it going to the firm you think you are dealing with, or has the address line changed to some strange name you have never heard of? If so, does it matter? You may even get a message box indicating that the security certificate is current but that it's not held by the domain name you have reached.

Security certificates cost many hundreds of dollars, so many service providers and Web hosts let their customers use the host's certificate. This is acceptable as you can easily find out who is the certificate holder, but it is the main reason businesses using such a service will let the genuine host's name appear as the address; this stops the message box that many users would not understand, and which could put them off completing the transaction.

The Transaction

In our case we use, as one option on our Australian Web site hosted by Web Central in Brisbane, a simple Web order form that actually resides on a different server operated by the same hosting company. When a customer enters details here they are connected securely to that server. It sends a plain unencrypted e-mail to the merchant, advising that a new order has been received.
 
To get the details of that order, we must use our Web browser to go to the secure server, and we enter a password to get the order details and credit card information via a secure connection.

The next step up is used on both our Web sites when the customer clicks on a "Buy Now" button. The customer is immediately connected to a server at a separate company which specialises in handling secure orders. In our case we use one of the major free or low cost services, Mal's E-commerce in the United Kingdom.

Mal's company doesn't handle credit card transactions. His company just ensures that the numbers are collected in a secure way and passed on to the merchant. The details of what you have ordered are passed to Mal's computers as part of the process of transferring the buyer to the order site. This is a sequence of information which follows a question mark after the domain name.

Below is a typical sequence which is actually an order for one of our books. It passes the information from our site to Mal's. It sends the item name, the price, information which helps to calculate postage or freight such as the item's weight, and the address of a Web page to which it must return when the transaction is complete.

http://ww3.aitsafe.com/cf/add.cfm?userid=5520373&product=Publication+Production+using+PageMaker
    &price=55.00&units=310&return=www.worsleypress.com/books.htm


It is similar to the links to which search engines connect during a search for a Web site. It does not contain any information about the buyer, the address and so on; that is added in the first stage of the visit to Mal's. When details of the item ordered and the cost have been presented to the customer and agreed, the customer is then transferred to the secure server where card details are entered.
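The fields in that link reach the cart by way of the shopper's browser, so the merchant's own price list stays the authority for what was sold and at what price. The sketch below is an added example, not code from the article or from Mal's E-commerce: it decodes the article's link and reconciles it against the merchant's records. The catalogue entry, the allowed return prefix and the treatment of `units` as the freight figure are assumptions made for the illustration.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlsplit

# The order link quoted in the article, joined onto one line.
ORDER_LINK = ("http://ww3.aitsafe.com/cf/add.cfm?userid=5520373"
              "&product=Publication+Production+using+PageMaker"
              "&price=55.00&units=310&return=www.worsleypress.com/books.htm")

# Constructed merchant records: product name -> (price, units figure for freight).
CATALOGUE = {"Publication Production using PageMaker": (Decimal("55.00"), "310")}
EXPECTED_FIELDS = {"userid", "product", "price", "units", "return"}
RETURN_PREFIX = "www.worsleypress.com/"  # pages the shopper may be sent back to


def parse_order_link(url):
    """Decode the part after the question mark into a field -> value dict."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[-1] for name, values in query.items()}


def reconcile(fields, catalogue=CATALOGUE):
    """List every way the link disagrees with the merchant's own records."""
    problems = []
    extra = sorted(set(fields) - EXPECTED_FIELDS)
    if extra:
        problems.append("unexpected fields: " + ", ".join(extra))
    if not fields.get("return", "").startswith(RETURN_PREFIX):
        problems.append("return page is not on the merchant's site")
    entry = catalogue.get(fields.get("product", ""))
    if entry is None:
        return problems + ["unknown product"]
    price, units = entry
    try:
        if Decimal(fields.get("price", "")) != price:
            problems.append("price differs from catalogue")
    except InvalidOperation:
        problems.append("price is not a number")
    if fields.get("units") != units:
        problems.append("units differ from catalogue")
    return problems


if __name__ == "__main__":
    print(reconcile(parse_order_link(ORDER_LINK)))  # the article's link
```

An empty list means the order matches the merchant's records; anything else is worth a look before the card number is keyed into the terminal.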

The customer is given a receipt number on a Web page and will usually be sent a confirming e-mail at the same time as another e-mail containing very basic order information is sent to the merchant.

To get the credit card details, the merchant has to use one password to reach his area of Mal's site, where full details of the order can be obtained, but he then has to use an additional password to reach the credit card number and details.
 
The merchant enters these in his usual way, probably by a terminal identical to that seen in any retail shop. For smaller merchants who have a retail outlet, it is probably the same terminal. Merchants who take phone, mail and Internet orders need to have approval from their bank's card department to be able to unlock the facility to enter card numbers via the keys, rather than by swiping the card itself.

Until we reach this point in the proceedings, the card number only has to be checked to see that it has the correct number of digits and that the final check digit is calculated correctly. Now, it will be checked for credit worthiness and that it has the correct expiry date. Only at this stage is there any communication with the card company's computer, via the bank's computer, to get authority for the transaction.
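The two checks described above can be made without contacting any bank. The sketch below is an added example, not code from the article or from any cart package: it tests the digit count and the final check digit, which on payment cards is computed with the Luhn algorithm. The 13 to 19 digit range and the sample numbers are assumptions chosen for the illustration.

```python
import re

# Assumption: 13 to 19 digits, the range payment card numbers commonly fall in.
VALID_LENGTHS = range(13, 20)


def luhn_ok(digits):
    """True when the final digit is the correct Luhn check digit for the rest."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        if position % 2 == 1:      # every second digit, counting from the right
            value *= 2
            if value > 9:
                value -= 9         # same as adding the two digits of the product
        total += value
    return total % 10 == 0


def precheck(raw):
    """Return (ok, reason) for a card number as typed into an order form."""
    digits = re.sub(r"[ -]", "", raw)          # shoppers type spaces and hyphens
    if not re.fullmatch(r"[0-9]+", digits):
        return False, "non-digit characters"
    if len(digits) not in VALID_LENGTHS:
        return False, "length"
    if not luhn_ok(digits):
        return False, "check digit"
    return True, "ok"   # well-formed only; says nothing about the account


def mask(raw):
    """Form safe for e-mails and printouts: only the last four digits shown."""
    digits = re.sub(r"[^0-9]", "", raw)
    return "*" * max(len(digits) - 4, 0) + digits[-4:]
```

A pass here only catches typing slips; whether the account exists, has funds and carries that expiry date is still decided when the merchant's terminal asks for authority.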


Figure 3. With Mal's E-Commerce, the shopper only enters a secure area for the entry of credit card details. At the merchant's end, two passwords are needed to get to where these details are kept.

Getting More Sophisticated

The next step forward in Web transactions is where card approval can be obtained while the customer is still online. This service is offered by well over 30 US companies, a few elsewhere in the world, but in Australia only by a few banks, and then only to users of their own merchants' Web sites.

Another option for this service is the WorldPay service linked with the UK-based National Westminster Bank, which adds an additional bonus for small businesses wanting to trade internationally. This is to offer the customer the facility of paying in his/her own currency. As each additional service adds extra cost, small companies might restrict this to offering prices in US and Australian dollars and perhaps UK pounds. No longer does the Australian seller have to explain that the US Dollar price is approximate, and that the amount on the buyer's statement will be determined by the currency conversion rate on the day the transaction is processed. Buyers can be worried by that word "approximate", especially those who have never before ordered from overseas.

This kind of service is offered to New Zealand sellers via the Bank of New Zealand's BanqOnIt service, but as yet there is no indication of when the service will be extended to Australia; though it will almost certainly happen.
 
The big benefit to customers in the WorldPay and BanqOnIt transactions is that they are giving their credit card details only via a secure connection to a bank's computer. The merchant does not get those details; just a confirmation that the transaction was approved, and sufficient information to enable supply of the ordered product.

It can be expected that this type of transaction setup, which is offered only by a minority of merchants on the Internet at present, will become the standard. Customers will come to expect it, and that will lead to more options from the banks. Choices may also be widened if the Government allows more non-banks to offer credit cards.

As a guide, the WorldPay system costs around A$600 to set up, with ongoing costs of about A$450 a year. That is on top of the normal Web hosting fees, and a fee on each transaction of approximately 4.5%. That's about what a micro retailer will currently pay the card companies; slightly more than what most small retailers are paying.

Add The Software

On top of this will be the cost of the shopping cart software itself. Although it is possible to use homemade or free CGI scripts as a basis, there are more than 100 software packages recognised by the major gateway services such as WorldPay. Both the software suppliers and the gateway companies offer kits, usually free, with either additional software, or detailed instructions to make them work together seamlessly.
 
The shopping cart software ranges from free (such as those based on the original releases by Matt Wright and Solena Sol) through to commercial packages that cost anything from a few dollars to several thousand. With many of them the software is provided for a flat fee, while others offer the software at low cost if they can host your cart site for a regular monthly fee. This is an area where you have to try the demos and read the fine print. The world of commerce on the Internet is constantly changing.
 
In a future article, I will detail my short list of shopping carts and how I overcome the present procrastination to reach a final decision. 

RESOURCES

Matt Wright built one of the first Web shopping carts. Now he runs the CGI Resources Index, where as well as many other CGI scripts you'll find links to 128 shopping carts written as CGI scripts: http://cgi.resourceindex.com/Programs_and_Scripts/Perl/.

More advice on e-commerce development from http://www.tamingthebeast.net/ which is run by Michael Bloch in Adelaide.

There are at least a couple of Australian companies that produce shopping carts. WebGenie is at http://www.webgenie.com/ which is a system based on CGI scripts for Unix-based servers, and Virtual Programming Pty Ltd with VP-ASP at http://www.vpasp.com/ which is an Active Server Page system for Windows based servers.
 
Mal's e-commerce is at http://www.mals-e.com/index.htm

WorldPay is at http://www.worldpay.com/.

About the Author
Gordon Woolf, gordon@worsleypress.com, is a long-time Melb PC member who owns and operates the Worsley Press at Hastings, on the Mornington Peninsula.

Reprinted from the August 2002 issue of PC Update, the magazine of Melbourne PC User Group, Australia
