4 replies to this topic

[winterion]

Ugh, and the complicated gets complicated-er. We're a small business with a large inventory.. 50,000 items. Took two weeks to figure out how to get osCommerce to import a database of that size from an Excel file. EasyPopulate still doesn't like it, have to split it into ten .csv files, manually fill in the Row 1 column names, and import one at a time, takes nearly three hours...

...but that's way off topic. Let me get back on focus here.

We have a large stock, but we can't really afford to 'segment' our inventory between brick store and web store. So, the idea was to have an online store with a weekly-updated inventory, take but not process orders, print the invoice, process it offline, remove inventory from brick store, ship.

But, it looks like we can't do that. PCI legal issues won't permit us to have the CC stored.

Now, besides the obvious issue of online orders through an external gateway for credit cards being expensive for a small business and cutting the margin even deeper, there's the issue of our business process. We simply can't guarantee that orders people place can be processed, because we simply can't guarantee inventory numbers. The reason we want to process offline at the register is so our clerks can actually verify we HAVE the item in question. More often than not, our stock can not be back-ordered.

So, we can't allow instant online processing for business reasons, and we can't allow delayed offline processing for legal reasons.

Help?

Is it possible, maybe, and this is the only solution I could think of, do offline processing with no credit card input online whatsoever, and use osCommerce to create invoices and use phone-call verification to pay? Problem is, this seems HORRIBLY unprofessional, and not having to input card info is likely to produce 'prank' orders?

[toyicebear]

winterion, on Mar 14 2008, 07:00 AM, said:

Ugh, and the complicated gets complicated-er. We're a small business with a large inventory.. 50,000 items. Took two weeks to figure out how to get osCommerce to import a database of that size from an Excel file. EasyPopulate still doesn't like it, have to split it into ten .csv files, manually fill in the Row 1 column names, and import one at a time, takes nearly three hours...

...but that's way off topic. Let me get back on focus here.

We have a large stock, but we can't really afford to 'segment' our inventory between brick store and web store. So, the idea was to have an online store with a weekly-updated inventory, take but not process orders, print the invoice, process it offline, remove inventory from brick store, ship.

But, it looks like we can't do that. PCI legal issues won't permit us to have the CC stored.

Now, besides the obvious issue of online orders through an external gateway for credit cards being expensive for a small business and cutting the margin even deeper, there's the issue of our business process. We simply can't guarantee that orders people place can be processed, because we simply can't guarantee inventory numbers. The reason we want to process offline at the register is so our clerks can actually verify we HAVE the item in question. More often than not, our stock can not be back-ordered.

So, we can't allow instant online processing for business reasons, and we can't allow delayed offline processing for legal reasons.

Help?

Is it possible, maybe, and this is the only solution I could think of, do offline processing with no credit card input online whatsoever, and use osCommerce to create invoices and use phone-call verification to pay? Problem is, this seems HORRIBLY unprofessional, and not having to input card info is likely to produce 'prank' orders?

Most of the payment gateway providers also offer a "authorize only" option for web transactions. ie. no money is withdrawn from the customers account at the time the sale is made in your web shop, but the charge gets authorized for later withdrawel.

After you have checked your inventory you can then, void or charge the transaction at your leasure.

[winterion]

Oh, meant to ask - does anyone have any experience using this "authorize only" method, and if so, who did you use? Positive or negative review?

I spoke a bit with some legal consultants, and going auth-only with an external gateway sounds like the perfect way for our business to all but zero out our PCI liability, so long as the process of passing the card info is properly secure, and I have to believe the choice of gateway takes care of most of that when you install it in osC? (Maybe, we have to get the safety certificate, a-la Verisign, etc?)

I keep hearing good things about "Authorize.net" and their "AIM" program. Would that be appropriate given this scenario, both functionally and legally?

Oh, the follies of newbism..

[toyicebear]

1. yes you need to use SSL for your site, which also involves getting a ssl certificate. (geotrust, comodo, verisign etc)

2. authorize.net aim would work for your scenario.

[winterion]

Thanks. You've been a great help, Nick.

I've got a few more questions, but they're not legal-related, so I put a new thread up in the general support thread instead.