What You Need - Plain and Simple
April 29, 1999
Against a background of rapidly changing technology and hordes
of online hucksters, it can be hard to figure out how to get
started with credit cards. In fact, to accept credit cards
through your Web site, you need to have three different elements
in place:
- You need a form on your site that customers can use to
place their orders. This should incorporate a security technology
such as SSL.
- You need to have a credit card merchant account with a bank.
- You need payment-processing software to serve as the link
between your site and the bank.
It's just good form, old boy!
A form that takes orders online is no different than any other
form. You set up the form using HTML, and set it to use a CGI
script to do the following:
- Pass the credit card info to the payment-processing software,
which sends the transaction to the bank.
- Send an email to whoever fulfills the orders, with the
order information and customer mailing address if appropriate.
- Create a confirmation page for the customer. This page should
not only thank them for their order, but provide them with a
phone number and/or email address to contact in case of problems
with the order, and perhaps an order number for their records.
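Added example, not from the original article: a Python handler that produces the three outputs listed above, keeping the card fields out of the fulfillment email and escaping customer input on the confirmation page. The field names, the addresses and the check of the `HTTPS` environment variable are assumptions made for illustration.

```python
import html
import secrets
from email.message import EmailMessage

# Hypothetical shop details, constructed for this example.
FULFILLMENT_ADDR = "orders@shop.example"
SUPPORT_LINE = "Questions? Call 555-0100 or write help@shop.example"
CARD_FIELDS = {"card_number", "card_expiry"}


def handle_order(form, environ):
    """Split one order submission into the three outputs listed above."""
    # Refuse card data that did not arrive over SSL. Web servers commonly
    # set HTTPS=on for secure requests (an assumption about the server).
    if environ.get("HTTPS", "").lower() != "on":
        raise PermissionError("order form must be submitted over https://")
    missing = [f for f in ("name", "address", "item", *sorted(CARD_FIELDS))
               if not form.get(f, "").strip()]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    order_no = secrets.token_hex(4).upper()

    # 1. Only the payment-processing software receives the card fields.
    payment = {"order": order_no, **{f: form[f] for f in CARD_FIELDS}}
    # 2. The fulfillment email carries order and mailing address, never the card.
    mail = EmailMessage()
    mail["To"] = FULFILLMENT_ADDR
    mail["Subject"] = "New order " + order_no
    mail.set_content("\n".join(
        f"{k}: {v}" for k, v in form.items() if k not in CARD_FIELDS))
    # 3. The confirmation page escapes everything the customer typed.
    page = ("<h1>Thank you, {}!</h1><p>Order number: {}</p><p>{}</p>"
            .format(html.escape(form["name"]), order_no, html.escape(SUPPORT_LINE)))
    return payment, mail, page


# Constructed sample submission; 4111111111111111 is a well-known test number.
SAMPLE = {"name": "Ann <Lee>", "address": "1 Main St", "item": "Widget",
          "card_number": "4111111111111111", "card_expiry": "12/01"}

if __name__ == "__main__":
    payment, mail, page = handle_order(SAMPLE, {"HTTPS": "on"})
    print(mail, page, sep="\n")
```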
To learn how to create forms, consult an HTML primer. Here I'll
just go over a few of the principles of good form design. Make
sure that all your fields line up neatly - not always an easy
task. Be sure to check the appearance in both Netscape and
Explorer.
Make it very clear to your customers what will happen when they
click on something. Don't assume that they're familiar with Web
forms. A link that leads to the order form should not say "Click
here to order," but rather something like "Click here to proceed
to ordering page." The Big Button (the one that sends their
credit card number to the payment-processing software) should
also be unambiguously labeled. Perhaps something like "Click
here to finalize your order. Your credit card will be charged."
E-commerce experts agree that uncertainty about whether they are
actually committing themselves causes many would-be customers to
bail out early.
Of course, the name of the game is getting people to click that
Big Button, so make it easy for them. Avoid superfluous pages -
the fewer clicks it takes to place the order, the more orders
you'll get. And display plenty of reassuring messages about the
security of your order form. Some sites go so far as to include
a FAQ about credit card security. Another confidence-building
measure is to join one or more of the various Internet
consumer-protection groups, such as Netcheck and Public Eye.
One of the best confidence-builders of all is simply to put
your company's complete street address and phone number right
on the ordering page.
There are several systems you can use to make your ordering page
secure, but the most popular is Secure Sockets Layer (SSL), which
is supported by all major browsers, and by most ISPs. Using a
secure Web protocol such as
SSL has two main goals:
- Encrypt the credit card data being transmitted, so that it
would be very difficult for a third party to decipher.
- Certify that the message is in fact coming from where it
claims to be coming from, so that it would be very difficult
for a third party to forge a transaction. This is done by means
of a digital certificate.
Notice that I say "very difficult," not "impossible." No matter
how strong an encryption system you use, it is theoretically
possible for someone to "crack" it, given enough expertise and
computing power. The idea is not to make your messages as secure
as humanly possible, but simply to make them secure enough that
the potential ill-gotten gains from cracking your system
wouldn't be worth the time and money involved in doing so.
Experts agree that popular secure protocols like SSL are more
than adequate to achieve this goal.
So, how to get SSL up and running? Your ISP will handle most of
it for you, although they may charge a small fee for doing so.
Your ordering page will have to be placed on a secure server,
and you will need to obtain a digital certificate. Only the page
with the actual order form needs to be on the secure server. A
digital certificate may be obtained from one of several
certification authorities (perhaps the best known is Verisign),
and the process is pretty simple. You have your ISP generate
a Certificate Signing Request, then you go to the certification
authority's Web site and fill out and submit a form, including
the Certificate Signing Request. The certification authority
will charge you a fee (Verisign currently charges about $350),
your ISP will install the certificate for you, and you're good
to go.
SSL-secured page URLs begin with https:// instead of http://,
and most browsers automatically indicate to the user whether a
page is secure or not. However, it never hurts to remind your
visitors that their credit card information is protected by SSL.
If you'd like to learn more about Internet security, there are
links to several FAQs at:
Yahoo! Computers and Internet:Security and Encryption:FAQs.
The Verisign site also has links to various security resources.