Shopping Carts 101 - A basic primer

09-05-2003, 06:56 AM
Here's a little something I wrote for another Board. I thought it might be of use for some here: heed the warning in the first paragraph!

Shopping Carts 101

This is not a definitive guide. It is intended to be a starting point. You already know that you should do your homework before you get involved with shopping carts. 'Nuff said.

As you would expect there are a handful of pieces that must all work in concert to form a functional shopping experience. Focus on the experience rather than solely on the mechanics of the cart because the customer's experience with your service is what will make or break you.

The pieces are:

A shopping cart located at some domain (www.yourstore.com)
A web server to host www.yourstore.com
A Secure Server Certificate - proves you are who you say you are
A Secure Sockets Layer (SSL) - provides privacy and reliability between two communicating applications.
A Secure Protocol (HTTPS)
A Merchant Account
A Transaction Processor (aka Payment Gateway)
A Secure Database
A Financial-Tracking Tool
A Privacy & Security Policy
And most important - A Satisfied Customer

The Process In General:
I say in general because there are a lot of variables and each shopping cart/ecommerce set up is slightly different from the next. But in general this is how it all works together.

You need to build/buy/download a shopping cart. If you're on WestHost then you could use the Miva Cart.

You need to secure everything from when the customer enters their personal information right up through and including when you say 'Thank you for your order' and provide the customer a printable receipt of their order.

You need someone to handle Credit Card transactions for you (not just anyone is allowed to do this).

You need a way to accept payments from a Credit Card.

You need to ensure the customer has a pleasant and efficient shopping experience.

You need to know what you sold, when you sold it, to whom you sold it, and what you have left in stock.

You need to have a reliable and efficient mechanism for handling returns and customer complaints.

You should always declare what information you gather and what you do with it as well as how you protect it.

And you need to have a way to ensure and measure customer satisfaction with your service and product. Believe it or not - the service is THE MOST IMPORTANT aspect to a successful on-line business. The actual product is secondary.

Ok, let's look at the pieces in detail.

The Cart:
The cart has to have 4 pieces:

a way for the customer to view and select items for purchase;

a way for you to add, edit, and delete items for sale;

a way for you to track orders, fulfillment and inventory;

and a way for you to generate sales reports or import data into your accounting and/or materials management software

There are many free carts out there. One I've used and found to be good is OSCommerce: http://www.oscommerce.com/index.php

You can also check out the other free carts and code snippets necessary for building your own cart at Hotscripts.com: http://www.hotscripts.com

You can use the Miva cart supplied here at WestHost or you can buy a cart.

No matter which option you choose some customization will be necessary to establish the look and feel you want. Not to mention editing product images and adding products to the store. The point is - nothing works straight out-of-the-box.

Be sure your cart works as you expect it to. The customer's experience is critical to your success or failure. That being said, do everything you can to make sure they have the means to:

navigate quickly - both to your products and to their cart;

buy the products - an 'Add to Cart' button right next to the product is important, as is a way to indicate quantity quickly (see a trend here? - convenience)

check their status - that 'View Your Cart' button is all important. They should be able to review what they've selected at any time. Sub-totals w/o shipping are important as well. And don't forget the 'Check Out' button so they can finish the purchase.

And always, always, always, make sure they can finish the purchase whenever they want to. In other words, put a 'Check Out' button on every page!

In addition, make sure that when they do check out they can select the shipping method and tell them clearly what it will cost. The three top shipping companies (in the US) have a variety of on-line tools to help you:

For UPS: http://www.ec.ups.com/
For FedEx: https://www.fedex.com/solutions/go/Overview?link=4#shipping
For USPS: http://www.usps.com/shipping/welcome.htm

It may sound overwhelming but with a little planning you can design a shopping cart that's functional, quick, efficient, secure, and leaves your customer happy because they got in, found what they were after, bought it, felt it was secure, fair and fast.

A Secure Server Certificate:
These prove you are who you say you are for the customer's peace of mind. It isn't really a certificate. What you actually get is a digital key that you install on your webserver for your domain. When someone views your 'certificate' they're viewing the digital key that you installed. That key identifies whom the key is for (had better be you), the domain it was intended for (had better match your domain), who issued the key, when it was issued, and when it expires.

Companies I've worked with and found to be good: Verisign http://www.verisign.com & Thawte http://www.thawte.com .

You will need to generate a key to send to the Certificate vendor and they will in turn send you the matching key. Once you receive your Key, it needs to be installed on your webserver - your webhost may do this for you unless you have an Admin interface in which case you may (operative word) find you can do it yourself. If in doubt, ask your webhost to do it.

WestHost offers a generic SSL Certificate but be careful of these. Not all shopping cart scripts can work with shared certificates. Also the URL won't have your domain name. It will look something like secure.westhost.net/youruname/. I personally don't like this but a couple of my customers didn't want to spring for their own Cert.

Learn more: http://www.thawte.com/html/RETAIL/ssl/index.html

A Secure Socket Layer (SSL):
Is a protocol that provides privacy and reliability between two communicating applications. Privacy is achieved using encryption after the initial handshake between your webserver and the CC transaction gateway company's server (like Authorize.net or LinkPoint).

Learn more: http://wp.netscape.com/eng/ssl3/draft302.txt
And: http://developer.netscape.com/docs/manuals/security/sslin/contents.htm

A Secure Protocol (HTTPS):
After the servers have agreed on what secret code to use, the rest of the conversation between them occurs naturally but is encrypted. You invoke SSL by calling a URL with HTTPS instead of HTTP. Test and retest all of the pages that should be wrapped in SSL before you publish your cart.

Make sure each and every page the customer goes to, from the time you ask them to supply their info right up to and including the page that provides the confirmation and a printable receipt, is secured. Make sure any data you keep on your server is encrypted as well. Some data is necessary for sales reporting but secure it!

You don't need to invoke SSL until the customer is ready to give you their private information. The form(s) where they tell you who they are, where they live, their shipping address, contact info and CC# should all be protected by an SSL transaction.

A Merchant Account
You'll need one of these to accept Credit Card payments. Merchant accounts are accounts that accept and hold credit card transaction monies. These accounts can be established through merchant service providers (MSPs) such as banks or via independent service organizations (ISOs).

Learn more here: http://ecommerce.internet.com/news/insights/econsultant/article/0,,9571_208591,00.html

A Transaction Processor (Payment Gateway):
The transaction processor is the one who actually processes the Credit Card transaction on your behalf. Some are better than others and prices are all over the place.

It's not unusual that there are a handful of fees. Be sure you're clear on what they are before you purchase. The typical fees include some sort of set up fee. This is usually a one-time fee. The next fee will be your monthly fee. Now it's not uncommon for the fees to be based upon services you've asked for - a la carte. You pick and choose what you want and the fee is the sum of the services you chose. Look for and be sure you understand if the monthly service fee is a flat fee or a percentage of sales or some combination of both. Make sure you learn where the break points are for the price changes which are often based upon either $$ sold or quantities sold. DO YOUR HOMEWORK! I can't stress this enough. Check out a bunch of these folks and compare them apples to apples.

In some cases, you can get both a merchant account and transaction processing services from the same organization. Be careful of pricing! Make sure you understand what you're agreeing to before you sign.

A Secure Database:
This is essential for tracking customer information. Encrypt the data. Keep the database out of the website folder(s). There are many tricks to writing code to interact with the database so that it is darn near impossible for a hacker to get at the database. This is THE NUMBER ONE SECURITY RISK. Protect your clients' data and yourself (from lawsuit and financial ruin). It is a good policy to destroy the CC information as soon as possible. Keep shipping and billing info but get rid of the actual CC info. That way you're less likely to become the target of a hacker.

Learn more: http://www.webmasterworld.com/forum10/1406.htm

If using MySQL: http://www.mysql.com/doc/en/Security.html
And: http://www.mysql.com/doc/en/Miscellaneous_functions.html

A Financial Tracking Tool:
You need something at home/office to track all of the sales you're making. Choose a tool that will import data in a standard file format like ASCII comma delimited text or some such. Alternately, if you go with Quickbooks or Peachtree, they can import financial files if the files are formatted a certain way. Some commercial and open source shopping carts have the ability to export financial data in the proper formats for Quickbooks and/or Peachtree. If not, then use your programming skills to write code to export financial data from your web database. Financial tools are invaluable if you know how to use them.

Privacy & Security Policies
Make sure you have published policies for both of these. The Privacy Policy tells the customer what information you gather and what you do with it. DO NOT LIE NOR FIB NOR MISLEAD or thou shalt be struck down by lightning - or the IRS.

Tell them the truth. If you sell their name to other vendors say so. Give them the chance to Opt out - in fact - make it the default. Your customers are smart people and will find out if you've been dishonest (not that you would). If you're honest with them, they will appreciate it. Make this Policy available on every page - many websites have it in the footer.

Learn more: http://www.privacyalliance.org/resources/ppguidelines.shtml

The Security Policy should tell the customer exactly how you protect their private information. You don't need to tell them about how SSL works but you should tell them that their Credit Card transaction with you is protected by 'enter SSC issuer here' and their private information is encrypted and kept safely and securely for their safety (and yours). Make this policy available on any page you secure and any page that leads to a secured page.

Learn more: http://www.sans.org/newlook/resources/policies/policies.htm

And most important - A Satisfied Customer:
It's all about customer satisfaction. People shop on the Internet to cut costs, save time and to track down hard to find specialist goods or services. They use the Internet to do research on goods and services too. Hmmm - what do you think would make a store successful? How about providing excellent product/service information with a quick, efficient, and secure way to purchase it?!

How the Cart actually works and the process for checkout is what makes the customer's experience positive or negative. The most successful on-line transactions are those that allow the customer to choose what they want, pay for it in a quick and efficient manner, take great pains to make sure the customer knows the transaction is secure - and is, and make sure the customer feels good about the transaction.

The Transaction: You have control over what the customer experiences on-line. But after the sale is done make sure the customer remembers you in a good light. Make sure you inform the customer what to look for on their monthly CC report when you give them their order confirmation - i.e., what company name will appear on the statement.

Follow up with the customer:
Follow ups are a nice way to say "I value your input." Give your customers the opportunity to critique you. If they don't, don't worry. The simple fact that you asked lets them know you're serious about ensuring their satisfaction - they will appreciate it even if they don't show it. If they do, you'll most often get some good insight.

Some customers may vent or you may get some wisecrackers - but always try to see through the emotional crap and find the message they're trying to deliver. Put on your "solutions provider" hat and put yourself in their shoes. Determine what went wrong, what you can and will do about it, and then do it. When it's done, let them know about it. This doesn't mean you have to make changes every time someone complains. You have the final decision - all I'm saying is consider their point and then be fair.

Make sure the customer receives an email verification that acknowledges that they purchased X,Y,Z from You on This Date, for This Amount. NO mention of CC numbers or account numbers. Keep the personal information to a minimum.

And while it may be obvious - make sure you deliver the product/service when you said you would for the price you told them. Hidden costs and delayed deliveries can kill a business. It is better to tell the customer it will take 2 weeks to deliver and have it there in 1 than it is to say 1 week and be even a day late!

Also, be sure to have an established policy and mechanism for handling returns, rejects, and disasters. Successful companies have been brought to ruin because they had no plan to handle disaster. What is a disaster? Take for example, your SSL Certificate becomes outdated and no one noticed until customers called and complained; or someone DOES hack into your database and steals your customers' private info. Your preparedness to handle the worst-case scenario could be your failure - or your path to success.

BTW - for more information on Credit Card Fraud: http://www.scambusters.org
And: http://www.fraud.org/welcome.htm

Final Thoughts:
Do NOT use email to transmit a customer's personal information - EVER! Perform all verification and approvals on your website under the SSL's protection. If you must send email - send only the bare minimum of information.

If you write an Administrative interface - use SSL to secure it. Whatever financial information you see can be nabbed while you're working so wrap it up in SSL.

Additional Resources:


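A worked example of the data-handling advice in the post above (get rid of the card number as soon as possible, keep billing and shipping details, and never put card or account numbers in the confirmation email). This is an added illustration, not code from the original post or from any of the carts it mentions. The checkout form field names, the sample order and the gateway authorisation code are all invented for the example.

```python
# Added example (not from the original post): keep billing and shipping
# details, drop the card number once the gateway has answered, and make
# sure no card number reaches the database free-text fields or the
# confirmation email.  Form field names and the gateway response are
# assumptions for illustration.
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or
# dashes, not embedded in a longer run of digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; weeds out phone numbers, order IDs and
    tracking numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid card number found in free text, keeping the
    last four digits so support staff can still match a customer's query."""
    def mask(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return raw
    return _PAN_RE.sub(mask, text)


def order_for_storage(form: dict, gateway_auth_code: str) -> dict:
    """The record the cart database keeps after the gateway has authorised
    the sale: who bought what, where it ships, the gateway's reference and
    the last four digits.  The full PAN, expiry and CVV are never stored."""
    pan = re.sub(r"\D", "", form["card_number"])
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("card number failed basic validation")
    return {
        "order_id": form["order_id"],
        "order_date": form["order_date"],
        "name": form["name"],
        "email": form["email"],
        "billing_address": form["billing_address"],
        "shipping_address": form["shipping_address"],
        "items": list(form["items"]),
        "amount": form["amount"],
        "card_last4": pan[-4:],
        "gateway_auth_code": gateway_auth_code,
        # customers paste card numbers into "special instructions" boxes;
        # scrub them before the text lands in the database
        "customer_notes": redact_pans(form.get("customer_notes", "")),
    }


def confirmation_email(record: dict, statement_name: str) -> str:
    """Plain-text receipt: what, when, how much, and the name that will show
    on the card statement.  Card and account numbers are left out, and the
    finished text is scrubbed once more in case one slipped in via a field."""
    lines = [
        f"Thank you for your order {record['order_id']} placed on {record['order_date']}.",
        "Items: " + ", ".join(record["items"]),
        f"Amount charged: {record['amount']} to the card ending in {record['card_last4']}",
        f"This charge will appear on your statement as: {statement_name}",
    ]
    if record["customer_notes"]:
        lines.append("Your notes: " + record["customer_notes"])
    return redact_pans("\n".join(lines))


# Constructed sample input, as a checkout form might post it (not real data).
SAMPLE_FORM = {
    "order_id": "A-1001",
    "order_date": "2003-09-05",
    "name": "Jane Example",
    "email": "jane@example.com",
    "billing_address": "1 Main St, Anytown",
    "shipping_address": "1 Main St, Anytown",
    "items": ["Widget (x2)", "Gadget"],
    "amount": "49.95",
    "card_number": "4242 4242 4242 4242",
    "card_expiry": "12/05",
    "card_cvv": "123",
    "customer_notes": "Leave at door. My card is 4242-4242-4242-4242 in case it fails.",
}

if __name__ == "__main__":
    record = order_for_storage(SAMPLE_FORM, gateway_auth_code="AUTH123")
    print(record)
    print(confirmation_email(record, statement_name="YOURSTORE.COM"))
```

The card number, expiry and CVV go to the gateway and nowhere else; the database row and the receipt carry only the last four digits and the gateway's own reference, which is enough to handle a refund or a chargeback later.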

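A worked example of the HTTPS advice in the post above (every page from the customer-details form through the printable receipt, and the admin interface, served only under SSL). This is an added illustration, not code from the original post or from osCommerce or Miva. It assumes the cart runs as a WSGI application, that the protected URL prefixes are the ones listed, that the store's canonical host is www.yourstore.com and that the session cookie is called CARTSESSID; all of those are assumptions made for the example.

```python
# Added example (not from the original post): force HTTPS on the checkout
# and admin paths of a WSGI-hosted cart.  Prefixes, canonical host and
# cookie name are assumptions for illustration.
from urllib.parse import quote

# Everything from the customer-details form through the printable receipt,
# plus the admin interface, must only ever be served over HTTPS.
SECURE_PREFIXES = ("/checkout", "/order/confirm", "/order/receipt", "/admin")


def needs_tls(path: str) -> bool:
    """True when the request path is one that must be wrapped in SSL."""
    return any(path == p or path.startswith(p + "/") for p in SECURE_PREFIXES)


def is_https(environ: dict, trust_proxy: bool = False) -> bool:
    """Did this request arrive over TLS?  Only believe X-Forwarded-Proto when
    the host is known to sit behind a proxy that overwrites the client's copy."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if trust_proxy and environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https":
        return True
    return False


def redirect_target(canonical_host: str, environ: dict) -> str:
    """Build the https:// URL for the same path and query.  The host comes from
    configuration, not the Host header, so a forged header cannot turn this
    into an open redirect."""
    url = "https://" + canonical_host + quote(environ.get("PATH_INFO", "/"))
    query = environ.get("QUERY_STRING", "")
    return url + "?" + query if query else url


def session_cookie(name: str, value: str) -> str:
    """Set-Cookie value for the cart session: Secure so the browser never sends
    it over plain HTTP, HttpOnly so page scripts cannot read it."""
    return f"{name}={value}; Path=/; Secure; HttpOnly"


def https_only_middleware(app, canonical_host: str, trust_proxy: bool = False):
    """Wrap a WSGI app: redirect plain-HTTP GETs of protected paths, refuse
    plain-HTTP form posts outright (redirecting a POST would not undo the fact
    that the card details already crossed the wire in clear), and add HSTS to
    every response that did arrive over TLS."""

    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        https = is_https(environ, trust_proxy)
        if needs_tls(path) and not https:
            method = environ.get("REQUEST_METHOD", "GET").upper()
            if method in ("GET", "HEAD"):
                start_response("301 Moved Permanently", [
                    ("Location", redirect_target(canonical_host, environ)),
                    ("Content-Type", "text/plain"),
                ])
                return [b"Redirecting to the secure server.\n"]
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"This form must be submitted over HTTPS.\n"]

        def secure_start_response(status, headers, exc_info=None):
            if https:
                headers = list(headers) + [("Strict-Transport-Security", "max-age=31536000")]
            if exc_info is not None:
                return start_response(status, headers, exc_info)
            return start_response(status, headers)

        return app(environ, secure_start_response)

    return wrapped


def call(app, environ: dict):
    """Run one request through a WSGI app; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def demo_app(environ, start_response):
    """Stand-in for the cart: answers every request with 200 and a session cookie."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", session_cookie("CARTSESSID", "abc123"))])
    return [b"ok"]


if __name__ == "__main__":
    cart = https_only_middleware(demo_app, "www.yourstore.com")
    for env in (
        {"wsgi.url_scheme": "http", "REQUEST_METHOD": "GET", "PATH_INFO": "/checkout/address"},
        {"wsgi.url_scheme": "http", "REQUEST_METHOD": "POST", "PATH_INFO": "/checkout/payment"},
        {"wsgi.url_scheme": "https", "REQUEST_METHOD": "GET", "PATH_INFO": "/checkout/address"},
    ):
        print(env["REQUEST_METHOD"], env["wsgi.url_scheme"], env["PATH_INFO"], "->", call(cart, env)[:2])
```

On a shared certificate of the kind mentioned in the post, the canonical host would be the host's secure name rather than your own domain; the middleware does not care, as long as the value comes from your configuration and not from the request.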
09-05-2003, 11:56 AM
Thanks for posting that. I intend to set up some kind (undecided) of business in the future and this will help.

visible soul
09-23-2003, 10:52 PM

Awesome info! I'm currently setting up MIVA and your post is a big help. My sincere thanks.