[LOGO]

The ChargeMIT
E-Commerce Cookbook

June 03 lcs

Sections: Background -- Recipes -- Back Office Procedures

This page offers a survey of the techniques we recommend for building e-commerce websites (any site that accepts payments by credit card). Start here if you creating a new website and that includes e-commerce and you need to learn more about it.

Each of the "e-commerce solutions" described here has its own advantages and disadvantages: generally, the more complex and difficult ones give you more capabilities. Use this guide to choose the one most appropriate for your application.

Audience: Merchant staff developing e-commerce websites.

Part 1 -- Background

1.0 Appetizer: What is E-Commerce?

We define e-commerce as any website that accepts payments. The site may look like a "storefront" selling goods or intangibles, or it may just be an electronic form that lets customers pay existing bills online.

A website can also accept other payment methods, such as checks sent by physical mail, wire transfers, and journal vouchers. We do not address those methods directly but include them in some examples.

We also refer to the back office, the zone inhabited by the merchant's customer-service staff. Back office users process e-commerce orders. They may also accept and enter orders that arrive by telephone, FAX, and email. These people also check incoming orders and answer questions from customers who may have made mistakes or entered duplicate orders. They use the OMARS pages to check orders and make corrections.

Some e-commerce solutions put information about your orders in two separate streams of data, which have to be reconciled (joined) in your back office. For example, you may get the details of an order by email while the credit card payment for it goes directly into OMARS. Later on, you'll have to match payments to orders to confirm all your customers have paid.

1.1 Making "Bread": Follow the Money.. Elements of E-Commerce

Just what data do you need to process a credit-card transaction? There is a bare minimum, and then a practical minimum, since gathering more information about the cardholder can get you a better discount rate (i.e. lower fraction taken out by the credit card processor).

Datum Status Description
Card (account) Number Mandatory The "credit card number", a string of 15 or 16 digits. Spaces or dashes between groups of digits are allowed. This, obviously, must match the number on the card.
Expiration Date Mandatory The month and year that the card expires. Both of these figures are entered as 2-digit numbers, with leading zeroes if needed (e.g. "03").
Amount Mandatory The amount of money to be charged, as a decimal dollar figure (e.g. "2.50"). Must not include a currency symbol or other punctuation.
Cardholder Name Recommended The cardholder's name exactly as it is printed on the credit. Case does not matter. Note that this may not be the same as the purchaser's name; it must match the name the card was issued to.
Billing Address Recommended The address to which the credit card statements are sent. This is used by AVS, the Address Verification Service, which can get you a better discount rate on the transaction. AVS only looks for a numeric value at the start of this field, assuming it is the street number of the address. AVS does not even try to match street names. So, the address should be entered as e.g. "1 First St.", not "One First St.".

AVS really only requires the first line of the street address and the ZIP code for US addresses, although it is too confusing to customers to ask for a partial address.

Remember these data and watch for the way they are handled by the various e-commerce tools introduced later on.

1.2 In the Soup: Security

Since an e-commerce application receives customers' credit card numbers, you must know how to handle them carefully and keep them confidential. The best solution is not to touch credit card numbers at all: set up your site to the credit card number goes directly from the customer's Web browser to ChargeMIT's OMARS server.

Practices to Avoid:

If you need to get a credit card number from a customer, use the telephone or a secured FAX machine.

1.3 Ingredients: E-Commerce Tools

The following table lists the E-Commerce solutions we recommend along with some criteria for comparison.

Key:

Skills Needed
What level of website-building and/or programming skill is required to make use of this solution?
Effort to Setup
How much time and effort can I expect to spend setting up this solution for my store?
Collect Extra Data?
Can it collect and store "extra" data items from the user, other than the data required for the credit card transaction? For example, answers to inputs for a customer reference number, details of goods purchased, color and size of a T-shirt, etc.
Custom Look?
Can the wesite designer customize its look and feel? To what degree?
Calculations?
Can this tool automatically calculate an amount to be charged by adding up the prices of products and options that the customer chose?
Multiple Items?
Is it possible to purchase multiple items in one transaction? Also, does it give ClearCommerce a record of each item so you can use OrderManagement to fulfill the order by-item?
Hosted?
Where is the solution hosted -- i.e. who provides the Web server and other equipment to host the service?
E-Commerce Solution Skills Needed Effort to Setup Collect Extra Data? Custom Look? Calculations? Multiple Items? Hosted?
Simple OMARS payment form None. Minimal. One 64-character line. Slightly; background color only. No. No. ChargeMIT server.
OMARS with Custom HTML form HTML coding, forms. Low to moderate. One 64-character line. Yes, although receipt page is fixed. No. No. ChargeMIT and Web locker.
cgiemail Version 1 and Custom HTML form Good HTML, CGI skills and cgiemail experience. Substantial planning and development work. (est. 20 hours) Handles any extra data that can be input to Web form. Amount to charge must be entered by user, however. All pages but receipt can be customized completely. No. No. ChargeMIT and Web locker.
cgiemail Version 2 and Custom HTML form Good HTML, CGI skills and cgiemail Version 2 experience. Substantial planning and development work. (est. 25 hours) Handles any extra data that can be input to Web form. Can transform inputs and make computations from inputs. All pages but receipt can be customized completely. Yes. Yes, but not entered in ClearCommerce. ChargeMIT and Web locker.
FileMaker Pro forms Extensive FileMaker Pro web development skills and HTML, CGI. Substantial effort to design database and Web interface. Any extra data that can be input to FileMaker. All pages but Receipt can be customized in Filemaker. Yes. Yes, but not entered in ClearCommerce. Your FileMaker server and ChargeMIT.
ShopSite (catalog/shopping cart software) HTML authoring helpful but not necessary. ShopSite admin interface easy to learn. Variable, depending on degree of customization. A few hours or more. Limited use of renamed inputs in order-entry forms, optional fields. Yes; simple adjustments are easy, extensive custom forms are possible. Yes, limited to parameters in products. Yes, but not entered in ClearCommerce. ChargeMIT and Web locker.
OMARS Order Entry API Java programming in webserver environment required. Extensive development effort (at least 2 person-weeks est.). Yes, whatever application can implement. Yes, all pages are completely custom. Yes (under control of custom web services). Yes, this is the only way to enter multiple items into ClearCommerce. Your Web server and ChargeMIT.

Part 2 -- Recipes.

2.1 Fast Food: Simple OMARS Payment Form

This is easy and quick to create, but it shows. It is adequate for some very simple applications, such as paying bills online.

Pro:
  • Only requires minimal effort and no extra knowledge to set up.
  • Customizable background color and some labels.
Con:
  • Cannot control appearance of order entry form.
  • Customer must calcuate and enter the amount to pay.
  • Minimal "extra data": just order category and Order Comments field.
  • Digital (email) receipts available through ClearCommerce/OMARS.

This solution gives you a very simple and utilitarian web page that accepts and processes a credit card payment. The form was originally developed for merchants' back office point of sale applications, as a replacement for the "telephone terminal", but it also works as a public e-commerce page.

You cannot control the look and feel of this page aside from some labels and the background color. For more information, see the Point-of-Sale section of the OMARS Merchant Setup Questionnaire. This explains the options available in setting up the form.

Example

https://shopmit.mit.edu/payment/alchemy_public

You can configure these features of the payment page:

Background color
Sets the background color of the automatically-generated Web pages. The foreground colors are all dark so choose a pale shade.

Transaction Type
The type of credit-card transaction, either PreAuth or Auth.

Charge Description
Optionally, modify the message sent to the customer on Amex transactions. This is usually not needed since the default message TUITION/FEES is appropriate, and we recommend keeping the default.

Order Classification
This optional setting lets you collect an extra piece of data with each order, a "classification" meant to indicate the purpose or description of the payment. It can be used to sort orders later in the back office. The set of classifications is fixed, set at the time your store is configured, although it can be changed later.

Order Comments
This is another optional input to associate a piece of data with the order. It can be up to 64 characters long and may contain anything. You configure whether or not this input appears on the Web form, its label and an optional line of instructions to the user.

We recommend using the Order Comments field to store a reference identifier such as a bill or invoice that lets you match the credit-card payment with an entry in your main recordkeeping system. For example, if you ask customers to pay their invoices online, collect the invoice number so you can easily find the invoice corresponding to each payment and log the amount paid.

There is also an option to add some scripting code to check the value entered in the Order Comments field. This is a script that runs in the browser (e.g. javascript) to put up a warning message if the value is missing or unacceptable. Most merchants don't bother with this option.

Shipping Address
The form may optionally be configured to include entry boxes for another mailing address, designated the "shipping" address because it is intended to be used for orders where the goods are shipped to a a different address from the credit card billing address. The input fields can be given a different label if you wish to use them for something other than shipping.

Separate Tax, Shipping amounts
Add input boxes for separate amounts for tax and shipping. Most of our merchants do not need to charge tax, so this is usually not an issue. The separate shipping box is only needed if you want to specifically track the amount charged for shipping. The tax and shipping inputs are automatically added to the subtotal entered to get the total amount charged.

We recommend leaving these input boxes turned off.

Store Name
The title at the top of the page does not need to match the name of your store, although by default it does. Configure a different store name if needed.

2.2 Blue Plate Special: OMARS with Custom HTML form

This uses the same OMARS Order Entry service as the Simple OMARS payment form described above, but lets you substitute your own custom HTML page instead of the plain automatically-generated one. The capabilities are no different, but you can design the payment page to blend into your website and provide appropriate documentation to your customers.

Pro:
  • Relatively little effort to set up, only requires basic HTML knowledge.
  • Form page is completely customized. You can hide or omit irrelevant fields.
  • ChargeMIT takes care of hosting the page securely if you upload it to your Web locker (exactly the same as for sites on web.mit.edu).
  • Digital (email) receipts available through ClearCommerce/OMARS.
Con:
  • Customer must calcuate and enter the amount to pay.
  • Minimal "extra data": just order category and Order Comments field.
  • "Receipt" page is not customizable (aside from background color).
Your custom page must contain a FORM and inputs with the names and size limits expected by OMARS. Please see our documentation page:

OMARS Order Entry from Custom HTML Forms.

Hosting the Page

Your custom HTML page should be installed in a locker provided by I/S Web Communications, since there simple and well-documented procedures for maintaining websites this way. However, this only offers an unencrypted web page to the public at large. You will find that knowledgable e-commerce customers are reluctant to enter a credit card number in an unencrypted page (one that starts with http: instead of https:). (Note: The web.mit.edu server does have an https service but it requires MIT personal certificates and so is not usable by the public.)

We offer a solution to this problem. Our e-commerce server, shopmit.mit.edu, also provides access to websites in WCS (Athena) lockers, but it is configured to give encrypted https access to the public. If you change the URL to use shopmit your customers will be loading the exact same pages out of your locker, but they'll just go through the shopmit.mit.edu server instead of through the web.mit.edu server.

To derive the new URL you should advertise to your customers, start with the web.mit.edu URL you'd normally use to load the page. Then substitute "https://shopmit.mit.edu/" for "http://web.mit.edu/" at the start of the URL of the page that you offer to customers; e.g., change 

        http://web.mit.edu/mylocker/www/pay-me.html
to 
        https://shopmit.mit.edu/mylocker/www/pay-me.html

Example

For an example of a payment page using a custom HTML form see: https://shopmit.mit.edu/cao/payar/cao-payment.html

2.3 VISA Vindaloo: cgiemail Version 1 and Custom HTML form

You can join an OMARS payment page to a cgiemail application to make an e-commerce site that is capable of collecting any number of extra data from the customer.

Pro:
  • With cgiemail you can collect as many answers from the customer as you need.
  • All pages are completely custom. You can hide or omit irrelevant fields from the payment page.
  • ChargeMIT takes care of hosting the pages securely if you upload them to your Web locker (exactly the same as for sites on web.mit.edu).
  • Digital (email) receipts available through ClearCommerce/OMARS.
Con:
  • Customer still must calcuate and enter the amount to pay. (See next section on cgiemail2 for a solution to this.)
  • Back office staff must match cgiemail messages with OMARS orders.
  • Building this kind of site requires thorough knowledge of HTML and some time and effort learning cgiemail.
  • Some features require adding the complexity of server-side includes.
  • "Receipt" page is not customizable (aside from background color).

The customer is led through two web pages: the first is the cgiemail application, where he/she chooses what to order, and the second is a payment page that collects the credit card information and processes the transaction. It may seem cumbersome to break up the activity into two web forms but it is actually common for e-commerce websites to use a separate page for credit-card payments. This design also lets you offer other methods of payment by switching to different follow-on pages instead of the credit card page.

Here is how it works:

  1. Customer loads the form page that drives cgiemail. Customer fills out the form, chooses "credit card" payment method, and submits it.
  2. cgiemail sends an email message with the form answers.
  3. cgiemail builds a response page out of the "success template" for the credit card payment page and sends it to customer's browser.
  4. Customer now sees the second page of the form, pre-loaded with any applicable answers from the first page such as name and amount to charge. Customer adds credit card information and submits it.
  5. This form goes to OMARS order entry service, which processes the transaction and returns a "receipt" page to the customer.
  6. Customer sees confirmation page saying his transaction was approved.

One disadvantage, to the merchant, is that information about orders arrives from two separate sources: email messages with results of cgiemail forms, and orders entered into your OMARS storefront. You have to correlate order messages with their payments (or lack of payments).

For more information on building your site with cgeimail, please see the manual ChargeMIT E-Commerce with cgiemail.

Example

http://web.mit.edu/ecommerce/www/demo/alchemy/pubs.shtml

2.4 Mastercard Marsala: cgiemail Version 2 and Custom HTML form

This is exactly the same as the cgiemail Version 1 and Custom HTML form solution described above except it takes advantage of features added to cgiemail Version 2. "Cgiemail2" was developed to make it easier to implement sophisticated e-commerce applications.

Pro:
  • With cgiemail2 you can collect as many answers from the customer as you need.
  • All pages are completely custom. You can hide or omit irrelevant fields from the payment page.
  • ChargeMIT takes care of hosting the pages securely if you upload them to your Web locker (exactly the same as for sites on web.mit.edu).
  • Amount of payment can be calculated automatically.
  • Server-side includes (SSIs) no longer necessary.
  • Digital (email) receipts available through ClearCommerce/OMARS.
Con:
  • Cgiemail2 is not supported by I/S and has not been completely tested or documented. There is some risk in using it.
  • Back office staff must match cgiemail messages with OMARS orders.
  • Building this kind of site requires thorough knowledge of HTML and some time and effort learning cgiemail2, which is even more complicated and subtle than the original cgiemail.
  • "Receipt" page is not customizable (aside from background color).

The new features in cgiemail Version 2 are:

  1. cgiemail2 has its own built-in unique identifier in the [cgiuniqueid] variable so the initial page does not need server-side includes to generate an identifier.

  2. With conditionalizations you can transfer the value from a SELECT tag input in the initial page to a SELECT in the "success" template. The example uses this feature to set the billing address country field.

  3. Most significantly, cgiemail2 can edit variable values, assign to variables, and perform calculations. This lets it extract prices and quantities from the purchases chosen on the first page and compute the amount to be charged automatically. Having the amount to pay appear automatically on the payment page looks much smoother and more professional than a confusing message begging the user to add it up.

cgiemail2 has a major disadvantage, however: it is not released, and is not scheduled to be released because no resources are available to properly test it. A few sites are using it anyway, at their own risk.

For more information on building your site with cgeimail2, please see the manual ChargeMIT E-Commerce with cgiemail.

Example

http://web.mit.edu/ecommerce/www/demo/alchemy/conf.html

2.5 E-Commerce Jambalaya: FileMaker Pro forms

FileMaker Pro is a small relational database and integrated Web server product for the PC and Macintosh platforms. It can be used to implement a Web form that collect its inputs and inserts as a new row of a data table. In this function it is similar to cgiemail, only it appends the data to a table instead of sending it in email.

Pro:
  • FileMaker form lets you collect as many extra inputs and answers from the customer as you need.
  • All pages are completely custom. You can hide or omit irrelevant fields from the payment page.
  • Amount of payment can be calculated automatically.
  • Digital (email) receipts available through ClearCommerce/OMARS.
Con:
  • You are responsible for hosting and maintaining the FileMaker Pro application.
  • Back office staff must match FileMaker entries with OMARS orders, although this is easy to automate once OMARS report is imported into Filemaker.
  • Special FileMaker Pro training and knowledge is required, as well as some HTML skill. The ChargeMIT team can only provide limited advice and assistance, although I/S offers FileMaker training courses (follow the link and look under "Databases").
  • "Receipt" page is not customizable (aside from background color).

To turn a FileMaker Pro form into an e-commerce site, have it produce another form upon a successful submission which drives the OMARS custom form order entry service.

XXX TODO: add details about generating identifier for OrderComments (or OrderId), importing reprts, etc.

Example

XXX None, yet.

2.6 Angry Fruit Salad: ShopSite (catalog/shopping cart software)

Pro:
  • Impressive results from little effort; ShopSite is well-documented and easy to use.
  • Customer can choose multiple products and options, charge is totalled automatically.
  • Complete sales reports are available from ShopSite.
  • Merchant does not need to know any HTML or programming, although some HTML knowledge can be helpful.
  • ShopSite is hosted and maintained by ChargeMIT.
  • Credit card processing is integrated with OMARS, transactions appear on OMARS reports.
Con:
  • ShopSite works well for e-commerce sites that conform to the catalog-and-shopping-cart model, but is difficult to adapt to other situations -- such as events and conferences. E.g., there is no way to "require" that every shopper purchase an the "registration" product.
  • Products must all have fixed prices, although options that change the price up and down are possible.
  • Many features and messages are difficult or impossible to customize. (Prospective merchant is advised to experiment with one of our demonstration stores if there are any pending questions.)
  • Merchant must cover incremental cost of ShopSite license (about $325-900). (Student groups can use it for free through SAFO.)

See ShopSite's website for demonstrations and more details. We are running Release 5.0. Upgrades are unlikely because of licensing issues.

2.7 Baked Alaska: OMARS Order Entry API

The API is intended to be used by custom e-commerce applications such as Java servlets on a web server. It offers ultimate control over the order entry process and user interaction, at the cost of much larger development effort than the other options.

It only submits new orders. It is not capable of order management (e.g. marking orders "fulfilled") or of getting reports.

Pro:
  • All web pages, including receipt page, are completely custom.
  • OMARS API is the only way to enter an order with multiple items into ClearCommerce, so it can be fulfilled by-item.
  • Digital (email) receipts available through ClearCommerce/OMARS.
Con:
  • High level of programming and Web design expertise is required.
  • At least a few weeks of effort required to implement a site.
  • Merchant is responsible for hosting and maintaining web server and server-side Java infrastructure.
  • OMARS API can only capture a few pieces of data outside of the data directly relevant to the credit card order; the application developer is responsible for capturing, storing, and relating any extra data which does not fit in API.

Consult the ChargeMIT team for advice and documentation if you are seriously interested in using the API.

Part 3 -- Back Office Procedures

3.1 Apertif: Relevant OMARS Pages.

When your store was created, you were issued an "OMARS home page" URL. It contains a link to each OMARS service page for your store. Bookmark that home page, and consult it, since it will be updated when new services are added. The URL will look something like this one for the "alchemy" demo store: 
    http://web.mit.edu/ecommerce/www/stores/store-alchemy.html
Ignore the lines describing Order Entry pages that mention an "External Form page" -- these are for order entry through custom HTML forms. You can also use the same custom HTML page in your back office, but people cannot use the OMARS service directly.

Only the people permitted to use the service will be able to load the service page. They must be using a Web browser with their personal MIT Web certificate available.

3.2 Dessert: Tasks and Roles.

This section describes how to manage your e-commerce system from the back office. The list below shows the tasks typically assigned to each role -- your staff members will probably each assume more than one role. (Some merchants have only one person for all roles. We recommend having at least two people trained for each role for coverage during absences.)

All operators must be explicitly granted the privileges to access these roles in your store. This is usually done when your store is set up. You can add and remove users from roles at any time by sending mail to chargemit-help@mit.edu.

Order Entry
Create new credit card orders, using either the back office OMARS Order Entry page or the same e-commerce interface as your customers. The orders come from customers via telephone, Web form, physical mail, written forms, etc.

Order Entry operators need to be trained to fill in the Order Entry page correctly, and which inputs are the most important. They also need to know how to react to failures and correct them. The exact instructions depend on how your store operates, possibly including:

  • Choice of Auth or PreAuth transaction type.
  • Choosing an order category.
  • Reading the magnetic stripe on a credit card.
  • Entering minimal address information for AVS (i.e. billing name, billing street number, and ZIP code, only for US addresses).
  • Capturing a ship-to address.
  • Entering the CVM digits from the credit card.
  • Entering Order Comments field correctly.

Fulfillment
If your store uses PreAuth/PostAuth transactions, some of your staff must be able to fulfill (i.e. PostAuth) orders. You are allowed to fulfill an order when the the purchased goods are shipped or otherwise made available to the customer.

Fulfillment operators are trained to use the Order Management pages to locate and fulfill relevant orders. Using the Order Detail page they can adjust the fulfilled amount to less than the authorized amount (but not more).

An authorized transaction must be fulfilled within 30 days or it "times out" and gets voided automatically.

Void
When an order is created by mistake (e.g. a duplicate order entered through the Web ecommerce form), it can be voided if caught before it gets settled. Voiding an order cancels it and frees the hold on the customer's available credit balance. In most cases, Order Entry operators should be trained and given access to void orders as well.

Use the Order Management page to void an order.

Credit
A credit is separate transaction that sends money from your store back to a customer. Since it takes money from your store, this is a very sensitive operation. OMARS incorporates many safeguards to prevent credit transactions from being used fraudulently, but it is still best to restrict the Credit function to a few experienced and trusted staff. Credits should not be needed often anyway.

Use the Order Management pages to issue a Credit on an existing order.

Report
All of your order-processing staff need the Reporting role so they examine the history of orders and transactions. You'll also want to include accounting and business staff who need to look at credit card reports. OMARS reports do not reveal complete credit card numbers or other sensitive information, so they can be made available fairly widely.

Use the Order Management, Transaction Report, Settlement Report, and Category Report OMARS pages to get reports.

3.3 Washing Up: Reconciliation and Accounting

3.3.1. Sorting Orders.

If your store gets orders from different sources -- e.g. an OMARS back office Order Entry page as well as an e-commerce Web form -- you need to know how to distinguish them. Uusually, your store is set up to apply a different Order ID prefix to each type of order. For example, the OrderID of an order from the e-commerce form would have a "Web-" prefix like "Web-20030714233752.13845", while the order entered in your back office would have the ID "BO-9001234".

Be aware of the different sources of orders so you can identify where each one came from and know what has to be done with it.

3.3.2. Correlating Order Information.

When your store employs one of the e-commerce techniques that results in two streams of order information, then your back office staff has to correlate, or reconcile, that information.

For example, if you have a cgiemail Web form to initiate an order which then leads to a credit-card payment form, you'll get an email message for each credit-card order. (You may also get other email messages which have no corresponding credit credit-card order because the customer chose some other payment method.)

The task is to ensure that there is an order in OMARS for each email message that should have one, and furthermore check the status of the order -- was it settled successfully? Does it need to be fulfilled? You may encounter any of the following failure modes:

XXX TODO: accounting, DTRs, etc.