Post on 13-Aug-2015

E-commerce Overview

Zack Jones

July 14, 2015

Topics

- Online transaction flow

- Payment Gateway

- Merchant Accounts

- E-commerce Platforms

- PCI compliance

Online transaction flow

[Diagram: nine numbered steps connecting Cart/Store Checkout, Payment Gateway, Merchant Bank's Processor, CC Interchange, Card Issuing Bank and Merchant Account]

Payment gateways

Service that processes credit card transactions, e.g. Shopify Payments, PayPal, Authorize.net, Stripe

Typically charge ~2.9% + $0.30 per transaction

Rates depend on sales volume and on what kind of product is being sold

Merchant accounts

A holding account that receives the money from credit card transactions until it is transferred to your business bank account

The money is generally held in the merchant account for 2-7 days

Dedicated vs. aggregate merchant accounts

Dedicated (Authorize.net, PayLeap)

● More in depth credit check and underwriting process

● Can negotiate better rates

● More control over when money gets transferred out of the account

Aggregate (Stripe, PayPal): the provider holds one master merchant account and you are a sub-merchant under it

● Application process is much simpler and faster

● Less control over the account

● Can’t negotiate the rates

E-commerce platforms

Broad spectrum of options available:

- Hosted store

- Hosted cart & payment

- Hosted payment

- Merchant store

Some popular platforms include: Shopify, Magento, Bigcommerce, Squarespace

PCI Data Security Standard (PCI-DSS)

A standard created by the PCI Security Standards Council (PCI SSC) to prevent the compromise of cardholder data and credit card fraud.

12 major sections, 226 specific requirements

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

12. Maintain a policy that addresses information security

PCI-DSS validation

Merchant level | Transactions/year | On-site assessment | Quarterly network scan | Self-assessment

1 | > 6 million | X | X |

2 | 1-6 million | X | X |

3 | 20,000 - 1 million | | Maybe | X

4 | < 20,000 | | Maybe | X

Level 1 & 2 merchants must have an annual audit by a certified Qualified Security Assessor (QSA). (The exact validation each level requires is set per card brand; check the brand's merchant level programme.)

They must also have their network scanned quarterly by an Approved Scanning Vendor (ASV)

Level 3 & 4 merchants are eligible to use the Self-Assessment Questionnaire (SAQ)

PCI-DSS SAQ validation

Your payment processing | SAQ

All cardholder data functions outsourced | A

Cardholder functions performed locally, but no cardholder data stored | C

Cardholder functions performed locally, and cardholder data stored | D

To qualify for SAQ A, no sensitive information can ever touch the website: card entry must be fully outsourced to a PCI DSS-compliant third party (a redirect to the gateway's page or an iframe it serves). Since PCI DSS 3.0 there is also SAQ A-EP for e-commerce sites whose own code controls part of the payment page (e.g. a form that posts card data directly to the gateway).

Sensitive information includes the card number (PAN), expiration date, and card code (CVV/CVC).

If the site does handle cardholder information, quarterly external vulnerability scans by an ASV are required.
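The SAQ A rule above (no cardholder data may ever touch the website) and requirement 3 (protect stored cardholder data) can both be checked mechanically. The following is an added example, not part of the original slides: a small Python module that validates PAN candidates with the Luhn checksum, scans request fields and log lines for PANs, masks a PAN to the first-six/last-four form that PCI DSS 3.3 permits for display, and flags a checkout submission that carries anything beyond a gateway token and order data. The field names, the `tok_` token format and the sample requests and log lines are constructed for illustration; `4111111111111111` is a well-known test PAN.

```python
"""
Added example: scoping checks for an SAQ A-style checkout.

A merchant that outsources card entry to the gateway should only ever see a
token plus order data on its own servers. These helpers detect when a primary
account number (PAN) or card code leaks into a request or a log line, and
mask a PAN for display as PCI DSS 3.3 allows (first six and last four digits).
Field names, the "tok_" token format and the sample data are constructed here.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, and not part
# of a longer digit run (so a 20-digit reference is not cut into a "PAN").
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Form/JSON keys that must never be present in a merchant-side request.
# (Constructed list; extend it to match your own checkout's field names.)
SENSITIVE_FIELDS = {"card_number", "cc_number", "pan", "cvv", "cvc", "cvv2",
                    "card_code", "exp_month", "exp_year", "expiry"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for every real card PAN, false for most random runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PANs (separators stripped) found anywhere in text."""
    pans = []
    for match in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Display form permitted by PCI DSS requirement 3.3: first six, last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scope_violations(form: dict) -> list[str]:
    """List reasons a checkout submission would pull the site out of SAQ A scope.
    An empty list means the handler saw only a token and order data."""
    problems = []
    for key, value in form.items():
        if key.lower() in SENSITIVE_FIELDS:
            problems.append(f"field {key!r} carries cardholder data")
            continue
        for pan in find_pans(str(value)):
            problems.append(f"PAN {mask_pan(pan)} found in field {key!r}")
    return problems


def scan_log(lines: list[str]) -> dict[int, list[str]]:
    """Map 1-based line numbers to masked PANs, e.g. for an access-log review."""
    findings = {}
    for n, line in enumerate(lines, start=1):
        pans = find_pans(line)
        if pans:
            findings[n] = [mask_pan(p) for p in pans]
    return findings


if __name__ == "__main__":
    # Constructed request as a tokenising gateway would post it back to the site.
    good = {"gateway_token": "tok_visa_4242", "amount_cents": 1999,
            "order_id": "1234567890123456"}   # 16 digits but not Luhn-valid
    # Constructed request from a form that posts raw card data to the merchant.
    bad = {"card_number": "4111 1111 1111 1111", "cvv": "123", "amount_cents": 1999}
    print("token flow:", scope_violations(good) or "in scope for SAQ A")
    print("raw card flow:", scope_violations(bad))

    # Constructed access-log excerpt: line 2 is the kind of entry that means
    # cardholder data reached the web server (and its logs).
    log = ["POST /checkout order_id=1234567890123456 token=tok_visa_4242",
           "POST /checkout card_number=4111-1111-1111-1111&cvv=123"]
    print("log findings:", scan_log(log))
```

Running `scan_log` over real access, application and database logs is a cheap way to prove (or disprove) the "no cardholder data on the site" claim before signing an SAQ A. Note that the card code is never allowed to be stored at all, even masked, so any hit on a `cvv`-style field is a finding regardless of format.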

Sources & Useful Links

Payment Gateways

http://cart66.com/blog/payment-gateway-vs-merchant-account/

http://ecommerce-platforms.com/ecommerce-selling-advice/choose-payment-gateway-ecommerce-store

http://business.tutsplus.com/articles/how-to-choose-an-ecommerce-payment-gateway--fsw-42468

https://www.formstack.com/payment-gateway-comparison

PCI Compliance

http://www.winecountrywebdesign.com/ecommerce-part-3-pci-dss/ (This series is a solid overview)

https://www.pcicomplianceguide.org/pci-faqs-2/

E-Commerce Platforms

http://ecommerce-platforms.com/comparison-chart

And visit our website: http://woodridgesoftware.com
