Archive for July, 2006

When accepting credit cards through a website, collecting the CVV2 number is essential. (If you don’t know what CVV2 is, read the blog entry “What is CVV2?“). In the ecommerce world it is an important indicator as to the potential for fraud for a transaction.

As covered in our previous blog entry, this value may be three or four digits depending on which credit card the customer is using. So how do we validate it? By checking to see which credit card the customer is using and then looking for the correct amount of digits. We’ll find out which credit card the customer is using by looking at the first number of the credit card. We’ll specifically look for American Express cards as they are the odd balls and have a four digits CVV2 number. Visa, MasterCard, and Discover Card each have a three digit CVV2 number.

We’ll take the first digit of the credit card number and then check to see if it is a three. (We didn’t do it here but you should first validate that you do indeed have a valid credit card number. See “Verifying Credit Cards Numbers Are Valid” and “Verifying Credit Cards Numbers Are Valid (Part 2)” for how you can do this). If it is a three, check to see if the CVV2 code is four digits long. Otherwise, check to see if the CVV2 code is three digits long.

Below is some sample code in PHP:


$cc_number = $_POST['cc_number'];
$cvv2 = $_POST['cc_cvv'];
$first_number = substr($cc_number, 0, 1);
if ($first_number == 3)
{
if (!preg_match("/^\d{4}$/", $cvv2))
{
// It's an American Express card but its
// CVV2 code is not four digits long.
}
}
else
{
if (!preg_match("/^\d{3}$/", $cvv2))
{
// It's not three digits long.
}
}


Believe it or not the process of establishing a true merchant account is usually fairly quick and easy (assuming your sales agent is knowledgeable in what they are doing). An account can be opened in as little as four hours or as long as a few days depending on when the application is submitted and the underwriting guidelines of the processing bank. The application process should never take longer then that without a clear and legitimate reason. If your application is taking two weeks to be approved and you’ve had little to no communication with your sales agent, something is wrong and you should consider canceling your application.

Establishing a third party account will vary from provider to provider as each has its own criteria and verification process. Your account can go live anywhere from immediately to several days or weeks. Also, the services made available to you may depend on verification of your business or personal information.

For planning’s sake the process setting up of a merchant account should be started two or three weeks before you expect to “go live”. This will allow for unexpected delays and testing of the account and gateway.

A common question asked by merchants looking to enter the world of online transactions is what shopping cart should they use for their new store. A common answer to this common question is to use os Commerce. osCommerce describes themselves as:

osCommerce is an Open Source based online shop e-commerce solution that is available for free under the GNU General Public License. It features a rich set of out-of-the-box online shopping cart functionality that allows store owners to setup, run, and maintain their online stores with minimum effort and with no costs, fees, or limitations involved.

osCommerce’s popularity is undeniable. Their website lists over 9,000 live stores running their software. You can assume this only represents a fraction of the stores actually using their software.

But is osCommerce the best shopping cart available? It does have a lot to offer an online store including:

• Robust functionality out -of-the-box
• A powerful administrative control panel
• Developers have contributed 3,500 add-ons that may be used free of charge
• Built in support for major gateways
• It’s free

Those points alone make it a solid choice for many merchants. But it does have strikes against it including:

• It is extremely difficult to customize its appearance. It is not template driven and thus you must must edit individual pages (which contain code) to achieve a unique and custom look and feel.
• It contains everything but the kitchen sink. Although many merchants will want some of the features that come standard in osCommerce, few will actually want all of them. For merchant who want only basic shopping cart functionality, osCommerce is overkill
• Although thousands of add ons have been created for it, you still need to edit individual files to add new functionality to the shopping cart.
• It requires PHP global variables to be turned on to work. Although this isn’t a security risk in and of itself, it does require the server it runs on to now have that feature turned on. This opens the potential for other scripts to have security issues thanks to osCommerce requiring this feature.
• It is rarely updated. Development is slow and updates are far between and minor in scope.

Is osCommerce right for you? Good question. It does fill the need for many online merchants. But there are a lot of alternatives out there that are worth considering. Look around and see which shopping cart offers the features you need without the hassles or extra features you don’t need.

Shortly after its release, eBay banned Google’s new payment solution Google Checkout from being used to make payments for items purchased through their website. The reasoning eBay offered for this move is that a payment service must have a “substantial historical track record of providing safe and reliable financial and/or banking related services.”

eBay did not announce when Google Checkout would be considered an acceptable form of payment. Considering Google’s recent entry into online sales with Google Base and the addition of Google Checkout, it seems as if eBay is now trying to stave off Google as a major competitor.

Source

A common question asked of new online merchants is whether they have to have an SSL certificate on their website. The answer is, it depends.

If you want a transparent checkout where your customers never leave your website then you will need an SSL certificate to make sure your checkout page is secure. Besides the fact that is a best practice, most processing banks won’t establish a merchant account for a website without one.

If you don’t want/need a transparent checkout, then you do not need an SSL certificate. All of the major gateways offer merchants the ability to send merchants to the gateway’s website where they provide their own secure order page. The downside to this is the limited amount of customization you have with that order page (little to none). It will be obvious to your customers that they have left your website.