SeymourClearly

[web] E-Commerce hosting and shopping cart questions.


Hey, I've recently been asked to take over an ailing e-commerce site, and whilst in terms of web development I'm fairly experienced, I've mainly produced corporate sites and so I've had limited exposure to e-commerce. Right now, the site is hosted under a "managed account". The host is expecting my client to pay them each time a change is made to the site, including when adding products, so I'd like to move the site to a new host. The site isn't generating much traffic right now, so there's no need to have dedicated hosting or huge bandwidth allowances. I've actually been looking at the intermediate plan from Crystal Tech: http://www.crystaltech.com/dotnet.aspx. It seems to fit the bill but, being as I'm just scouting around at the moment, I was wondering 2 things:

1. If you've used Crystal Tech, how good has the hosting been?
2. Could you recommend some other ASP.NET 3.5 host?

Also, is it worth using a premade shopping cart or producing one myself? I'm asking this more on a security basis than anything else. I'm guessing that if I did write a cart myself, I'd still have to purchase/lease something to allow me to make payments with it anyway? What about the security of existing carts? Are there any specific questions I should be asking as to how secure a cart is? For example, the Crystal Tech package comes with "CTzencart". I've never heard of it, so I'd like to know it's safe to use before committing to anything. Any feedback would be appreciated. Thank you.

While I haven't ever used ASP, I've done plenty of e-commerce sites with PHP and Python. In each case I've created a custom shopping cart of my own, so I can't comment on pre-packaged cart solutions. However, if you want to roll your own cart system you can do it fairly easily:

1. Sign up for a merchant account with a bank (this is where funds from purchases on your e-commerce site get deposited)
2. Above bank sets you up with a "payment gateway," for which bank is usually a reseller. I've used authorize.net with great success and would highly recommend them.
3. Write code to interface with your payment gateway. This typically involves POSTing all of the necessary credit card and transaction information to an SSL-secured URL and parsing the response.

As far as security is concerned, make sure all of the pages that accept sensitive user information are encrypted with SSL (i.e. disallow normal HTTP requests on those pages or redirect to SSL URLs). Don't plan on storing any complete credit card numbers in a database unless you can meet PCI (Payment Card Industry) security requirements. Make sure user sessions have expiration dates and get cleaned regularly to avoid sensitive information sticking around on your server. Beyond that, normal security practices apply: lock down the server as best as possible.

Other than the payment aspect, a cart is really pretty simple and just consists of storing some persistent info in the user's session store on the server. Since every e-commerce site I've ever worked on has been different, I'm not sure how great pre-packaged solutions work in general anyway.

Hope this helps.

EDIT: I forgot to mention that merchant accounts typically have monthly fees associated with them, and you're going to incur a slight fee for every transaction you make via your gateway. Of course nobody is excited to do this, but that's life.
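The roll-your-own cart described in the reply above (server-side session cart, HTTPS-only checkout pages, gateway POST with response parsing, no full card numbers persisted, session expiry), as an added Python sketch that is not code from the original post or any real gateway. The gateway field names, the `code|reason|txn_id` response layout and the 15-minute session TTL are assumptions; a real integration follows the gateway's own API documentation.

```python
import time
from dataclasses import dataclass, field

SESSION_TTL = 15 * 60  # assumed: idle seconds before a cart session is purged

@dataclass
class Session:
    items: dict = field(default_factory=dict)          # sku -> quantity
    last_seen: float = field(default_factory=time.time)

class SessionStore:
    """Server-side store: cart contents never leave the server, only a session id does."""
    def __init__(self):
        self._sessions = {}
    def get(self, sid, now=None):
        now = time.time() if now is None else now
        sess = self._sessions.setdefault(sid, Session())
        sess.last_seen = now          # touching the session resets its idle timer
        return sess
    def purge_expired(self, now=None):
        """Drop idle sessions so checkout data does not linger; returns count removed."""
        now = time.time() if now is None else now
        stale = [s for s, v in self._sessions.items() if now - v.last_seen > SESSION_TTL]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)

def require_https(scheme, host, path):
    """Sensitive pages refuse plain HTTP: return the HTTPS URL to redirect to, else None."""
    return None if scheme.lower() == "https" else f"https://{host}{path}"

def build_gateway_request(card_number, expiry_mmyy, amount_cents):
    """Form fields POSTed to the gateway over TLS (hypothetical field names); the PAN lives only here."""
    if not card_number.isdigit() or not 13 <= len(card_number) <= 19:
        raise ValueError("malformed card number")
    return {"card_num": card_number, "exp_date": expiry_mmyy, "amount": f"{amount_cents / 100:.2f}"}

def parse_gateway_response(raw, delimiter="|"):
    """Hypothetical delimited reply 'code|reason|txn_id'; code '1' means approved."""
    code, reason, txn_id = raw.split(delimiter, 2)
    return {"approved": code == "1", "reason": reason, "txn_id": txn_id}

def record_order(session, card_number, response):
    """Persist only the last four digits and the gateway transaction id, never the full PAN."""
    return {"items": dict(session.items), "card_last4": card_number[-4:], "txn_id": response["txn_id"]}
```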

Thanks a lot for the info! Really helpful. It's given me a few other questions now though. :)

If I decided to make my own shopping cart, which quite honestly I'd much rather do as it makes me 100% responsible if anything goes wrong, what do you do with regards to tax? The business I'd be working with is based in Colorado so does that mean only tax laws from Colorado would apply to each sale item? I'm guessing that would mean I'd simply add 5% (or whatever the figure is) to each transaction.

Really appreciate the response, especially with regards to the PCI requirements; I never knew there were industry standards to meet.

Thanks a lot bud. :)

In all of my systems, I make sales tax configurable (i.e. you can change which state sales tax should be applied to and what percentage). At checkout time, if the billing state (not the state that goods are being shipped to) is the same as the one configured for sales tax, tax gets added. My understanding is that only residents of the state in which the goods originate have to pay sales tax as part of the transaction.
