IT DevWorks specializing in ecommerce sites and Authorize.net integration.

How to Build Your Own Shopping Cart

To process payments, you first need the appropriate infrastructure, as shown in the above diagram. Your website will use a certificate to ensure security between you and the customer. You'll pass the customer's payment information to an approved payment gateway, using its secure mechanisms. The gateway passes the information to your merchant account, which then interacts with the other financial institutions to approve or deny the transaction. The response and related data is securely passed back up the chain to your site.

Digital Certificates

Security is critical to customers. Inadequate security can result in lost sales. Keeping information safe means encrypting it. The most common method is to use SSL (Secure Sockets Layer) encryption. SSL requires a server digital certificate. SSL puts the ‘s’ in https and displays the lock indicator in the browser, security indicators customers look for.

You can purchase the required SSL certificate from a variety of certificate authorities (CA). CAs require some level of proof of domain/business ownership in order to obtain a certificate. The requirements vary, however, with corresponding variations in the level of trust one can place in the certificate. At the very least, the CA you choose should verify that the applicant owns the domain for which the certificate is being requested.

Before purchasing, you'll need to decide such issues as whether you need a certificate that supports subdomains, whether you need a certificate that covers multiple servers, and what encryption strength you'll support.

Certificates come in varying bit-levels. The higher the encryption level, the more character combinations uses in the encryption algorithm and the higher the security. Note, however, that the actual encryption strength is determined by the level of encryption the customer's browser supports and your web site's server. However, we recommend a minimum of 128 bit.

Where to go

If you are hosted, the hoster may have a certificate you can use. Otherwise, use one of the many certificate authorities. You’ll want to shop around to find the one that provides the best price for your requirements. The major authorities are: VeriSign, Thawte, GeoTrust, Comodo, GoDaddy, Entrust, and Network Solutions. A community-driven alternative to these companies is CAcert.org.

Information you’ll need

When you apply for your certificate, you’ll some or all of the following information:

A security phrase, similar to a password
Business name and location
Your contact information, including e-mail
Your domain name
Possibly a challenge password

More stringent authorities may also require you to provide your federal tax ID or to send the authority various documents such as your business license.

Cost

Costs vary considerably, depending on the vendor and the security level of the certificate. They also vary depending upon which level of encryption you will support, the period of coverage for your certificate (typically 1, 2, or 3-year) and whether you are licensing subdomains, multiple servers, or purchasing extras offered by the vendor, such as logos and seals that you can place on your site. Costs can range anywhere from $10 to $1500.

Next: Payment Gateways