Woodridge Tech Talk

Our ongoing series of bi-weekly technical presentations

E-Commerce Overview

In this slideshow, Zack provides an overview of e-commerce, covering online transactions flows, payment gateways, merchant accounts, e-commerce platforms, and PCI compliance.

Slide Summary

  1. E-commerce Overview, Zack Jones . July 14, 2015
  2. Topics
    • Online transaction flow
    • Payment Gateway
    • Merchant Accounts
    • E-commerce Platforms
    • PCI compliance
  3. Online transaction flow
    • Cart/Store
    • Checkout
    • Payment Gateway
    • Merchant Bank’s
    • Processor
    • Card Issuing Bank
    • Merchant Account
    • CC Interchange
  4. Payment gateways
    • Service that processes credit card transactions (Shopify Payments, PayPal, Authorize.net, Stripe, etc.)
    • Typically charge ~ 2.9% + $0.30 per transaction
    • Rates depend on volume of sales, and what kind of product is being sold
  5. Merchant accounts
    • Temporary bank account that holds the money from credit card transactions until it is transferred to you business bank account
    • The money is generally held in the merchant account for 2-7 days
  6. Dedicated vs. Aggregate merchant accounts

    Dedicated (Authorize.net, PayLeap)

    • More in depth credit check and underwriting process
    • Can negotiate better rates
    • More control over when money gets transferred out of the account

    Aggregate (Stripe, PayPal)

    • Application process is much simpler and faster
    • Less control over the account
    • Can’t negotiate the rates
  7. E-commerce platforms
    • Broad spectrum of options available
      • Hosted store
      • Hosted cart & payment
      • Hosted payment
      • Merchant store
    • Some popular platforms include: Shopify, Magento, Bigcommerce, Squarespace
  8. PCI Data Security Standard (PCI-DSS)
    • A standard created by the PCI to prevent the compromise of cardholder information and credit card fraud.
    • 12 major sections
    • 226 specific requirements
  9. PCI-DSS
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters
    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open, public networks
    5. Use and regularly update anti-virus software
    6. Develop and maintain secure systems and applications
    7. Restrict access to cardholder data by business need-to-know
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes
    12. Maintain a policy that addresses information security


  10. PCI-DSS validation
    1. > 6 million X X
    2. 1-6 million X X
    3. 20,000 – 1 million Maybe X
    4. < 20,000 Maybe X

    Level 1 & 2 merchants must have an annual audit by a certified Qualified Security Assessor (QSA)

    They must also have their network scanned quarterly by an Approved Scanning Vendor (ASV)

    Level 3 & 4 merchants are eligible to use the Self-Assessment Questionnaire (SAQ)


  11. PCI-DSS SAQ validation
    All cardholder data functions outsourced A
    Cardholder functions performed locally, but no cardholder data stored C
    Cardholder functions performed locally, and cardholder data stored D

    To qualify for SAQ-A no sensitive information can ever touch the website!

    Sensitive information includes the card number, expiration date, and card code.

    If the site does handle cardholder information a quarterly network audit is required.

  12. Sources & Useful Links

    Payment Gateways

    • http://cart66.com/blog/payment-gateway-vs-merchant-account/
    • http://ecommerce-platforms.com/ecommerce-selling-advice/choose-payment-gateway-ecommerce-store
    • http://business.tutsplus.com/articles/how-to-choose-an-ecommerce-payment-gateway–fsw-42468
    • https://www.formstack.com/payment-gateway-comparison

    PCI Compliance

    • http://www.winecountrywebdesign.com/ecommerce-part-3-pci-dss/ (This series is a solid overview)
    • https://www.pcicomplianceguide.org/pci-faqs-2/

    E-Commerce Platforms

    • http://ecommerce-platforms.com/comparison-chart