Hi Michael,

Your system is of course quite simplistic, but if you respect a few elements it could work (but don't forget to add a customer notification email!). First of all, never send any private data through email, unless you can use encrypted email (PGP etc.). Second, using a real database (even something like MySQL) will give you more security and protection in case of a crash, plus much more flexibility to handle users/administrators, log orders, manage your catalog & inventory, generate reports, etc. etc. There are many examples and docs out there on how to set this up.
Unless you can live with charging a flat fee (or nothing) for shipping, you can get the APIs or software for real-time shipping calculation from the web sites of DHL, UPS, USPS, FedEx etc. Sales tax in some states in the USA is tricky. No, actually, it's a real mess, especially if you are in New York State (it depends on where it's shipped to, so basically you need to know all the applicable rates - and this is NOT nicely organized by counties/cities).

Always assume that there will be lots and lots of people with very bad (or plain stupid) intentions out there. It's absolutely common that hackers use e-commerce sites to systematically place bogus orders solely to check if the card is accepted (they'll later sell the info as "fresh and valid credit cards"). Since your system does not connect to a payment gateway like authorize.net or Verisign, you don't risk horrendous charges right away, but a lot of hassles later. If you are connected to a payment gateway, they'll charge you between $0.15 and $0.30 per attempt as a processing fee. Multiply this by a few thousand "orders" processed within a few hours... Ouch.

A few simple tricks can provide easy help, like ALWAYS requiring at least a logged two- or more-step process to place an order, creating individual form ids (with prevention of submitting a form multiple times), solid email and phone number syntax verification, etc. USPS also offers real-time address verification on their site, if you are in the USA. Blocking according to IP addresses or cookies rarely helps. Hackers easily circumvent this.

Also, as soon as you've processed an order, get rid of the credit card info from the server, and never ask for the three-digit code on the back of the credit card (CVV2). While it's supposed to add additional security (I doubt it by now) for telephone orders, its use is very restricted for online use without a gateway. Without such an authorized gateway, you basically can't use it at all.
All CC companies offer detailed information about their requirements on their web sites. Visa's penalties for storing CC numbers and CVV2 codes on an improperly secured machine range from threatening to cancel your merchant account to a $10,000 fine and more.

Finally, but that's more of a business issue: if you come across an order with different bill-to and ship-to addresses, no or an invalid phone number and funny-looking Yahoo email accounts (or similar), and - unfortunately - almost all orders from Indonesia, ALWAYS double- and triple-check the order. If a customer notification comes back to you as undeliverable, drop the order. It's fraud. Payments originating from certain countries should always be made through Western Union or similar (cash). Tragically, today any legal online transaction from Nigeria is a big exception, and even "certified checks" often turn out to be falsified. These can take several weeks to be verified and cleared, although most US banks add the amount to your account earlier. If it turns out to be fraud, they'll take it back even weeks later. A client of mine (a jewelry dealer) had over $400,000 in fraudulent orders within a three-month period. He had no losses, since he's used to it, but it gives you an excellent idea of how dangerous the situation is.

In case something goes wrong, don't count on Visa or Mastercard. You'll ALWAYS be the one who has to eat the losses, even if they approved a stolen card. Plus they will bill you a hefty sum for the chargeback and downgrade your rating. This is currently the subject of a neat class-action lawsuit.

HTH,
Markus

-----Original Message-----
From: A mailing list for discussion about Sun Microsystem's Java Servlet API Technology. [mailto:[EMAIL PROTECTED]] On Behalf Of Michael De Vorms
Sent: Wednesday, July 23, 2003 6:28 PM
To: [EMAIL PROTECTED]
Subject: Online Store

Hello

I wish to set up a web site offering online purchasing.
I was thinking of setting up a system that takes the information from the text boxes on the web site, over a secure connection, compiles the information into a web page on that secure server, and sends me an email telling me an order has been placed, with the link. When I click the link I can see the order form and manually do the order. Can someone please tell me what they think of this? What would be a better way?

Thanks a lot, I am new to web-based shopping! I'm sure someone can help me :)

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
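As an added example (not code from either mailing-list post), the following Python sketches two of the "simple tricks" Markus recommends in his reply: individual form ids that can be submitted only once, and email/phone syntax checks. A form id is minted each time the checkout form is rendered, as an HMAC-signed, expiring token bound to the visitor's session; the submit handler accepts each id exactly once, so a replayed form, a double-clicked "Place order" button, or a script hammering the endpoint with the same form cannot create a second order. The demo key, the function names and the in-memory set of used ids are assumptions of this example; a real deployment keeps the key in configuration and the used ids in the order database.

```python
"""Single-use order-form ids plus basic email/phone syntax checks.

Added example, not code from the mailing-list thread.  The key and the
in-memory set of used ids are demo assumptions.
"""
import hashlib
import hmac
import re
import secrets
import time

SECRET_KEY = b"demo-only-key-load-from-config"   # assumption: replace in production
TOKEN_TTL = 15 * 60                              # a form older than 15 minutes must be re-rendered


def mint_form_id(session_id, now=None):
    """Issue a fresh form id bound to session_id (session ids must not contain ':')."""
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)                 # makes every rendered form unique
    payload = f"{session_id}:{nonce}:{issued}"
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def verify_form_id(form_id, session_id, used, now=None):
    """Return (ok, reason).  On success the id is recorded in `used` and never passes again."""
    now = int(now if now is not None else time.time())
    parts = form_id.split(":")
    if len(parts) != 4:
        return False, "malformed"
    sid, nonce, issued, sig = parts
    expected = hmac.new(SECRET_KEY, f"{sid}:{nonce}:{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):   # constant-time; tampered ids fail here
        return False, "bad signature"
    if sid != session_id:                        # a valid id lifted from another session is useless
        return False, "session mismatch"
    if not issued.isdigit() or now - int(issued) > TOKEN_TTL:
        return False, "expired"
    if form_id in used:                          # the single-use check: replays and double submits stop here
        return False, "already submitted"
    used.add(form_id)
    return True, "ok"


# Syntax checks only: they reject junk no real customer would type, not determined fraud.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def valid_email(addr):
    return len(addr) <= 254 and EMAIL_RE.match(addr) is not None


def valid_us_phone(phone):
    """Accept 10-digit North American numbers (optional leading 1), any punctuation."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]
    # area code and exchange cannot start with 0 or 1 in the North American numbering plan
    return len(digits) == 10 and digits[0] not in "01" and digits[3] not in "01"


def submit_order(form, session_id, used, now=None):
    """The POST handler's decision: validate the fields first, then consume the form id."""
    if not valid_email(form.get("email", "")):
        return False, "invalid email"
    if not valid_us_phone(form.get("phone", "")):
        return False, "invalid phone"
    ok, reason = verify_form_id(form.get("form_id", ""), session_id, used, now)
    if not ok:
        return False, reason
    # here the order would be written to the database and the customer notification sent
    return True, "accepted"


if __name__ == "__main__":
    used_ids = set()                             # constructed stand-in for a DB table of used ids
    form = {"form_id": mint_form_id("sess-42"), "email": "buyer@example.com", "phone": "(212) 555-0147"}
    print(submit_order(form, "sess-42", used_ids))   # (True, 'accepted')
    print(submit_order(form, "sess-42", used_ids))   # (False, 'already submitted')
```

With the used ids in a database rather than a Python set, record the id with an INSERT into a table whose form-id column has a unique constraint and treat a constraint violation as "already submitted"; that closes the race between two simultaneous submits of the same form that a check-then-insert sequence would leave open.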