Secure Online Credit Card Transactions

Facilitate E-Commerce with CyberCash and IIS

Chances are that your business has taken advantage of the Internet's marketing potential by registering a domain name and developing a Web site that promotes your products and services. People who seek product information by going online are primed for purchasing; the best time to encourage an online purchase is when Web surfers are visiting your site. But if these visitors must write down online order information and then call your fulfillment center, you stand to lose sales.

E-commerce lets you process payments in realtime for orders that customers place through your Web site, eliminating the need for your customers to take additional action, such as making a separate telephone or fax order. Your customers receive order confirmation immediately, and you no longer need to manually verify contact and payment information. In this article, I will give you an overview of the e-commerce payment process and describe a powerful freeware program—CyberCash, which you can use with Internet Information Server (IIS)—that lets you accept credit card payments over the Internet. (Although CyberCash works with previous versions of IIS, in this article, when I refer to IIS, I mean IIS 4.0.) After you're in business online, CyberCash's CashRegister administrative software helps you maintain your site transactions.

The E-Commerce Payment Process
E-commerce credit card purchases and traditional physical-store credit card purchases have the same result but differ notably in execution. Let's look at a typical payment scenario for each of these processes.

Physical-store purchase. A customer travels to and enters the physical storefront. The customer selects the items he wants to purchase from the store's display and places the items in a shopping cart. When he has all the items he wants, the customer takes the items to a store employee at a checkout counter for purchase. The checkout clerk adds the prices of the customer's items, calculates sales tax on the total, and asks for payment. The customer produces his credit card. The checkout clerk swipes the credit card through a credit card machine and requests an authorization from the credit card issuer to charge the amount of the sale to the customer's card.

The credit card machine automatically sends the authorization request to a credit card processor or to the merchant's bank electronically. The card processor verifies the merchant's identity and requests the authorization of the purchase from the card issuer. The card issuer compares the credit card and purchase information with the cardholder's current balance, credit limit, and card expiration date. Based on this comparison, the card issuer sends either an authorization code to OK the purchase or a decline code to refuse the purchase.

The card issuer's code travels back to the merchant's credit card machine electronically. Assuming the code authorizes purchase approval, the merchant's machine automatically prints a charge slip. The customer signs the charge slip, takes his copy, and departs the store with his cool new stuff.

If the merchant didn't request a funds transfer during the authorization process (an auth-only transaction), the merchant generates another transaction based on the authorization number the card issuer provided. This additional transaction requests that the card issuer transfer the amount of the customer's purchase from the customer's credit card account to the retailer's bank account. Retail stores don't usually execute auth-only transactions but rather authorize and capture funds in one transaction (an auth/capture transaction). In general, retailers use auth-only transactions when delivery of a product or service is not immediate upon purchase, such as when a customer registers for a training class or places an order for an item the retailer must back-order.

E-commerce purchase. A customer enters the store by visiting the merchant's Web site. The customer selects the items she wants to buy and places them in an electronic version of a shopping cart. When she has the items she wants, the customer presents the items for purchase by clicking on a pay-now link and providing her shipping information. A program on the merchant's Web server calculates the total purchase amount of items in the shopping cart, including shipping charges and sales tax, if applicable. A Web page displays the total purchase amount and asks the shopper to provide credit card information for payment. The customer provides her credit card information, if it's not already on file, by filling in an electronic form and clicking a Submit button, which sends the form to the Web server. Merchants typically encrypt credit card information using Secure Sockets Layer (SSL) or another technology to prevent possible theft of the card information by system intruders.

The payment software on the merchant's server provides merchant information to the credit card issuer and requests authorization of the customer's purchase. The card issuer compares the purchase information with the cardholder's current balance, credit limit, and card expiration date. The card issuer sends either an authorization code or a decline code. The code travels back to the payment software on the merchant's Web server, and, assuming the credit card issuer authorized the purchase, the Web server sends an order-approval HTML document to the customer. The customer can expect the merchant to either ship her goods to her or make them available for immediate download.

The online retailer might have to perform a separate capture of funds for an auth-only transaction. If so, the capture transaction typically requires the retailer to use a separate administration interface to the payment software.

Merchant accounts. The steps in any e-commerce transaction will be nearly identical to the process I just detailed, regardless of the merchant's payment software. From a payment standpoint, the primary difference between a physical transaction and an e-commerce transaction is the type of merchant account required. Physical-store merchants must have a Card Present account with their financial institution. E-commerce merchants must have a mail order/telephone order (MOTO) account with their financial institution. MOTO accounts are also known as Card Not Present accounts, because the seller and buyer don't exchange a physical credit card.

Enabling e-commerce. Several software products are available for enabling e-commerce. Integrated environments such as Microsoft's Site Server Commerce Edition (SSCE), iCat's Electronic Commerce Suite, and the INTERSHOP product line provide development tools for Web site content, including electronic shopping carts and features such as customer tracking. Integrated packages include payment-processing programs and can cost several thousand dollars. If you don't need all the features an integrated package provides, or if you're trying to keep costs down, consider implementing software on your Web site that provides payment processing only. Of course, you still must develop your Web site content and shopping cart, but if you choose the right payment-processing software, you can obtain the software free.

Introducing CyberCash
CyberCash, founded in 1994, has developed software that lets you accept credit card and electronic check payments via the Internet. You can download the CyberCash Merchant Connection Kit (MCK) software for Windows NT and UNIX platforms free from the company's Web site. CyberCash focuses on supporting the payment process but has Merchant Development Partners to help you configure your electronic storefront, including catalog and shopping cart development. You can access a listing of CyberCash's Merchant Development Partners from the CyberCash Web site.

If you develop your retail site and shopping cart, the MCK offers several ways for you to integrate your storefront with the software, including using Active Server Pages (ASP), Perl scripts, and C programs. The MCK includes sample programs for each of these Common Gateway Interface (CGI) environments, as well as HTML documents you can customize for your storefront. The MCK also contains sample files for a shopping cart routine, payment collection forms, and response pages for providing receipts or denying purchases. (CyberCash uses template files for generating HTML pages regardless of which CGI environment you choose.)

Implementing CyberCash
Before you develop your online store and integrate the CyberCash software, you must become a CyberCash merchant by taking the following seven steps:

  1. Apply for a merchant bank account.
  2. Register on the CyberCash Web site.
  3. Obtain a digital certificate (see the sidebar, "Obtaining and Installing a Digital Certificate" for step-by-step instructions).
  4. Download and install the MCK software.
  5. Submit test transactions for each payment type available on your site.
  6. Go live with your storefront.
  7. Process transactions through the CyberCash Administrative Interface.

After you apply for your merchant account with a financial institution of your choice, go to the CyberCash Web site to register the software. Before you do so, however, consider setting up a server that is physically separate from the servers you will use to provide unsecured public information. Placing your secured content and e-commerce information on a separate server helps protect the sensitive customer information you gather during purchase transactions.

To begin integration with the CyberCash software, register with CyberCash on the company's Web site and download the MCK. Take the time to download and review the MCK documentation, which provides detailed instructions for the simple wizard-based installation. After you use the setup routine to expand the program files, the installation process consists of only a few screens. You configure the CyberCash software using the build-merchant routine the installation creates. On NT, you run the build-merchant program from the MCK menu.

The first step in configuring the CyberCash software is to choose your merchant type. CyberCash recommends choosing the Build a Custom Merchant option, which Screen 1 shows, to provide the highest level of detail for your configuration. When you choose this option, Setup prompts you to enter the fully qualified domain name of your e-commerce Web server. Don't include http:// when you enter the domain name in the Get Domain Name dialog box, as Screen 2 shows. After you've entered your Web server domain name, click Next.

Now you can interface your CyberCash software with IIS. To do so, in the Merchant CGI Environment dialog box, choose the asp option, as Screen 3 shows, and ASP becomes your CyberCash/IIS integration environment.

MCK Setup now prompts you to enter your CyberCash ID and Hash Secret, as Screen 4 shows. (You receive this information during the CyberCash Web registration process.) Entering these character strings correctly is crucial to your successful use of the CyberCash software. Any errors you make as you enter this information, including errors of case, will cause your e-commerce transactions to fail. For this reason, before you enter your CyberCash ID and Hash Secret, I recommend that you return to the CyberCash registration page and click the Merchant Configuration link. Doing so lets you review and confirm your configuration information, including your CyberCash ID, Hash Secret, and Merchant Key. To ensure accuracy when entering these strings, you can copy them from your Web browser and paste them into the MCK Setup dialog box. The CyberCash registration page uses SSL to encrypt your password and configuration information during transfer. After you enter your CyberCash ID and Hash Secret, Setup prompts you to enter a store name and telephone number, your Merchant Key, and various file paths.

When the build-merchant routine completes, the CyberCash software is ready to process payments, and your new merchant configuration is ready for testing. CyberCash provides a sample form for testing your new e-commerce server. By default, this form is at https://<server name>:<port number>/<store name>/mck-htdocs/test-mck.html. By using the form, you can test your CyberCash configuration without finalizing integration between your shopping cart and the CyberCash software. Load the URL in your browser, replacing the variables server name, port number, and store name with the information from your Web server and CyberCash merchant store name. If you're using the default port number (443) for SSL, you can omit the colon and port number from your URL. You must install your digital certificate for this URL to function, because the URL attempts to connect using HTTP over SSL (adding s to http invokes SSL).

Perform several test transactions to ensure that your store is functioning properly. In an NT environment, the installation wizard might not properly register the cychmck.dll file in your system's Registry. If you receive the error message "no POP record returned for payment request" during your test transactions, you can manually register this file using regsvr32. Open a command prompt and change to the winntroot\system32 directory. Enter the following command:

Regsvr32 <mck_home>\asp-api\cychmck\cychmck.dll

Replace mck_home with the name of the directory where you installed the MCK (by default, C:\mck-). Stop and restart your Web server after completing this process.

Conducting Live Transactions
Before you conduct live transactions, you must configure your shopping cart routine to call the CyberCash software and pass payment information. Your shopping cart routine should provide a pay-now link to the appropriate payment driver file for your environment. When you integrate your storefront with the CyberCash software, set up a mechanism to log the results that financial networks return for each transaction—e.g., a database or text file.
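One way to set up the text-file log suggested above, as an added example that is not part of the original article or the MCK. It is written in Python as a neutral illustration rather than in the MCK's ASP, Perl or C environments; the field names, status values and order IDs are assumptions, and the sample rows are constructed. The card number is masked before it is written, and the log is then used to list auth-only orders still awaiting capture.

```python
import csv
import io

# Hypothetical record layout; the MCK's real response fields are not shown in the article.
FIELDS = ["order_id", "txn_type", "status", "auth_code", "amount", "card"]
TYPES = ("auth-only", "auth/capture", "capture", "return")

def mask_card(number):
    """Keep only the last four digits so the log never holds a usable card number."""
    digits = [c for c in number if c.isdigit()]
    if len(digits) < 13:  # not a plausible card number: record none of it
        return "[invalid]"
    return "*" * (len(digits) - 4) + "".join(digits[-4:])

def log_result(log, order_id, txn_type, status, auth_code, amount, card):
    """Append one result row to an open text file (or any file-like object)."""
    if txn_type not in TYPES:
        raise ValueError("unknown transaction type: %r" % txn_type)
    csv.writer(log).writerow(
        [order_id, txn_type, status, auth_code, "%.2f" % amount, mask_card(card)])

def pending_captures(log_text):
    """Order IDs with an approved auth-only transaction and no approved capture."""
    authorized, captured = [], set()
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        if row["status"] != "approved":
            continue
        if row["txn_type"] == "auth-only" and row["order_id"] not in authorized:
            authorized.append(row["order_id"])
        elif row["txn_type"] == "capture":
            captured.add(row["order_id"])
    return [o for o in authorized if o not in captured]

def demo():
    """Constructed sample results using the well-known 4111... test card number."""
    log = io.StringIO()
    log_result(log, "1001", "auth/capture", "approved", "A1B2C3", 19.95, "4111 1111 1111 1111")
    log_result(log, "1002", "auth-only", "approved", "D4E5F6", 250.00, "4111-1111-1111-1111")
    log_result(log, "1003", "auth-only", "declined", "", 75.00, "4111111111111111")
    log_result(log, "1004", "auth-only", "approved", "G7H8I9", 40.00, "4111111111111111")
    log_result(log, "1004", "capture", "approved", "G7H8I9", 40.00, "4111111111111111")
    return log.getvalue()

if __name__ == "__main__":
    text = demo()
    print(text, end="")
    print("awaiting capture:", pending_captures(text))
```

When writing to a real file, open it with `newline=""` as the `csv` module expects, and keep the file outside the Web server's published directories.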

Perform test transactions while your electronic store is still hidden from public view. Your test transactions should include purchases, returns, and funds captures for auth-only transactions. You need to test any transaction you will implement in the live environment. Screen 5 shows a CyberCash test form. Before going live, ensure that you have valid configuration data from CyberCash by going back to the CyberCash registration site and clicking the login link for existing merchants. Then click the Merchant Configuration link to view your configuration information, including your merchant bank account. Checking your configuration data lets you make a final review of your merchant information before you begin processing transactions.

After you confirm your configuration information and successfully conduct your test transactions, your retail site is ready to go live. Notify CyberCash of your status by clicking the Go Live link on the registration site. CyberCash will change your configuration to live mode, which means your CyberCash software will process all transactions sent from your site (i.e., money transfers). Perform several live tests, and use the CyberCash administrative interface to refund the transactions. (Figure 1 charts the flow of a CyberCash-processed payment.) Congratulations—your e-commerce retail store is now open and ready for business.

Administering Transactions
An administrator's work is never done: you need to maintain your new e-commerce site. CyberCash makes administration easy by providing a Web-based interface to CyberCash's CashRegister administrative software. CashRegister is secured with SSL and requires your registered username and password for entry.

The CashRegister interface uses simple HTML forms that let you review and maintain transactions for your site. You can use CashRegister to assemble batches of auth-only transactions that customers completed previously and submit the transactions in a group for processing (capturing funds). The CashRegister interface lets you request the transfer of funds from the customer's credit card account to your merchant account for auth-only transactions. You can also use CashRegister to query orders and enter credit card information for simple authorizations and returns. Screen 6 shows CashRegister's Merchant Card Direct Card Input screen.

Happy Selling
Even small companies can use products such as CyberCash to enable their Web site for e-commerce. Whether you choose to develop your site and shopping cart or outsource those tasks, you can simplify e-commerce setup and maintenance in your IIS environment with CyberCash. Good luck and happy selling.
