Archive for Merchant

Open Source Shopping Carts

Why go open source with shopping carts?

If you’re looking to add shopping cart capability to your website, open source software is a serious consideration for two reasons.  First, price: open source is extremely cost-effective, and often free.  Second, flexibility: you can design the cart exactly the way you like it, with the backing of an active online community for templates, modules and other ways of customizing the cart to your specific business needs.  The flip side is that you, not a vendor, are responsible for keeping the cart patched once it is live.

What you need to look for in a shopping cart

With all that said, you need to research open source software in just the same way that you’d research commercial software.  You’ll need to test your open source shopping cart to ensure that it meets your individual needs, according to the following criteria.
Payment Gateway Compatibility – it’s no use having an all-singing, all-dancing shopping cart if it doesn’t connect to your card processor.  This is the first thing to check before you select an open source solution.  Check, too, how the cart connects: a cart that hands card entry to the gateway, rather than handling card numbers on your own server, keeps that server out of much of the PCI DSS scope described later on this page.
Performance – secondly, you need to know that your shopping cart will be quick, easy and reliable.  Customers have zero patience for online stores that take too long to load, and they’ll be only too happy to go elsewhere.  Some of this comes down to server speed, over which you have little control, but the software has a definite effect, so see it in action before you decide.
Capacity – how many products can your open source shopping cart handle?  If you’ve got 300 products in your catalog and your shopping cart can only handle 200, you have the potential to lose a lot of sales.  Find these things out up front.  Many open source carts have no fixed product limit, but don’t assume that’s so until you know for sure.
Support – open source software does not necessarily come with official technical support, so look for a project with a thriving and accessible community of developers.  That community will be your technical support and, where it is active, it can be more responsive than a vendor help desk.  Check out the forums for general tone and response times, and check how quickly security fixes have been released in the past.

Interchange fee

Interchange fee is a term used in the payment card industry for a fee paid between banks for the acceptance of card-based transactions. Usually it is a fee that the merchant’s bank (the “acquiring bank”) pays the customer’s bank (the “issuing bank”); there are, however, cases where the fee flows from issuer to acquirer, often called reverse interchange.

In a credit card transaction, the card-issuing bank deducts the interchange fee from the amount it pays the acquiring bank that handles the credit or debit card transaction for the merchant. The acquiring bank then pays the merchant the transaction amount minus both the interchange fee and an additional, usually smaller, fee retained by the acquiring bank or ISO (Independent Sales Organization), often referred to as a discount rate, an add-on rate or passthru.

For cash withdrawal transactions at ATMs, however, the fees are paid by the card-issuing bank to the acquiring bank (for the maintenance of the machine).

These fees are set by the credit card networks,[1] and are the largest component of the various fees that most merchants pay for the privilege of accepting credit cards, representing 70% to 90% of these fees by some estimates, although larger merchants typically pay less as a percentage. Interchange fees have a complex pricing structure, based on the card brand, region or jurisdiction, the type of credit or debit card, the type and size of the accepting merchant, and the type of transaction (e.g. online, in-store, phone order, whether the card is present for the transaction, etc.). Further complicating the rate schedules, interchange fees are typically a flat fee plus a percentage of the total purchase price (including taxes). In the United States, the fee averages approximately 2% of transaction value.[2]

In recent years, interchange fees have become a controversial issue and the subject of regulatory and antitrust investigations. Many large merchants such as Wal-Mart have the ability to negotiate fee prices,[3] and while some merchants prefer cash or PIN-based debit cards, most believe they cannot realistically refuse to accept the major card network-branded cards. This holds true even when their interchange-driven fees exceed their profit margins.[4] Some countries, such as Australia, have established significantly lower interchange fees, although according to a U.S. Government Accountability Office (GAO) study, the savings enjoyed by merchants were not passed along to consumers.[5] The fees are also the subject of several ongoing lawsuits in the United States.

On June 8th, it was announced that the amendment pushed by Sen. Jon Tester (D-Mont.), which would have delayed implementation of a law capping the fees banks can charge merchants for debit card swipes, picked up 54 votes, with 45 voting against. It fell six short of the 60 needed to break a filibuster.

Payment card industry

The payment card industry (PCI) denotes the debit, credit, prepaid, e-purse, ATM, and POS cards and associated businesses.

The term is sometimes used more specifically to refer to the Payment Card Industry Security Standards Council (PCI SSC), formed by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International on Sept. 7, 2006 to manage the ongoing evolution of the Payment Card Industry Data Security Standard. The Council describes itself as independent of the card brands that founded it.

The PCI Council maintains a body of security standards known as the Payment Card Industry Data Security Standard (PCI DSS). It consists of 12 high-level requirements, each with multiple sub-requirements, against which businesses measure their own payment card security policies, procedures and controls. Compliance is validated by a Qualified Security Assessor (see QSA) or, for smaller merchants, by a Self-Assessment Questionnaire, and the result is reported to the merchant’s acquiring bank and through it to the card brands; the Council itself does not certify individual merchants. Validation must be repeated on a periodic basis, typically annually, with quarterly vulnerability scans in between. (See PCI DSS.)

When the acronym PCI is listed within job requirements, it most frequently refers to the many disciplines involved in managing the PCI compliance effort within the applicable business entity.

PCI compliance within a card-handling business’s security process can be considered part of the inter-related disciplines of governance, risk management and compliance (GRC), as well as part of information security.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is maintained by the Security Standards Council as a set of rules that merchants, and service providers that store, process or transmit cardholder data on their behalf, must adhere to in order to reduce fraud throughout the industry. Its six goals and the twelve requirements under them are as follows (wording as of PCI DSS 2.0; later versions reword some items, for example “anti-virus” becomes “anti-malware”, but keep the same twelve):

  • Build and Maintain a Secure Network
    • Install and maintain a firewall configuration to protect cardholder data
    • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect Cardholder Data
    • Protect stored cardholder data
    • Encrypt transmission of cardholder data across open, public networks
  • Maintain a Vulnerability Management Program
    • Use and regularly update anti-virus software or programs
    • Develop and maintain secure systems and applications
  • Implement Strong Access Control Measures
    • Restrict access to cardholder data by business need-to-know
    • Assign a unique ID to each person with computer access
    • Restrict physical access to cardholder data
  • Regularly Monitor and Test
    • Track and monitor all access to network resources and cardholder data
    • Regularly test security systems and processes
  • Maintain an Information Security Policy
    • Maintain a policy that addresses information security for employees and contractors

Merchant Account Marketing

Merchant accounts are marketed to merchants by two basic methods: either directly by the processor or sponsoring bank, or by an authorized agent for the bank that is additionally registered with both Visa and MasterCard as an ISO/MSP (Independent Sales Organization / Member Service Provider). The marketing rules are set by the card networks, Visa and MasterCard, and are enforced through registration requirements and fines. A few of the largest processors also partner with warehouse clubs to promote merchant accounts to their business members.

Marketing by Banks

A bank that has a merchant processing relationship with Visa and MasterCard, also known as a member bank, can open merchant accounts directly for merchants. To reduce risk, some banks limit approval to merchants in their geographical area, those with a physical retail storefront, or those that have been in business for 2 years or more.

Marketing by Independent Sales Organization (ISO)/MSPs

To market merchant accounts, an ISO/MSP must be sponsored by a member bank. This sponsorship requires that the bank verify the financial stability and suitability of the company that will be marketing on its behalf. The ISO/MSP must also pay a fee to be registered with Visa and MasterCard and must comply with their rules on how merchant accounts may be marketed and how the Visa and MasterCard trademarks may be used. One way to verify that an ISO/MSP is in compliance is to check its website or other marketing material for the disclosure “company is a registered ISO/MSP of bank, town, state. FDIC insured”. This disclosure is required by both Visa and MasterCard, and its absence carries a fine of up to $25,000. If there is no disclosure, the company is likely to be an unregistered fourth party or worse, and unregistered operators have been responsible for some of the worst horror stories from merchants.

Methods of processing credit cards

Today a majority of credit card transactions are sent electronically to merchant processing banks for authorization, capture and deposit. Various methods exist for presenting a credit card sale to “the system.” In all cases either the magnetic stripe is read by swiping the card through a credit card terminal/reader, the card’s chip is read, or the card details are manually entered into a credit card terminal, a computer or a website. The earliest methods, submitting credit card slips to a merchant processing bank by mail or obtaining authorization over the telephone through an Automated Response Unit (ARU), are still in use today but have long been overshadowed by electronic devices. These early methods used two-part forms and a manual imprinter that pressed the embossed card number onto the forms.

Credit card terminal

A credit card terminal is a stand-alone piece of electronic equipment that allows a merchant to swipe or key-enter a credit card’s details together with the additional information required to process the transaction. It is a dedicated device that only processes card payments, although related transactions such as gift cards and check verification are commonly supported as well. Traditionally a terminal is plugged into a power supply and connected to a telephone line; some terminals are battery powered and communicate over the Internet or a cellular data network. When a card is processed (either swiped through the magnetic stripe reader or keyed in on the keypad), the terminal contacts the network to request authorization. The transaction is then stored on the terminal until the polling window opens, when the terminal either uploads the batch of captured transactions directly to the merchant bank or a polling service provider dials in to collect, process and submit the data to the merchant bank. Because the batch sits on the device until then, the terminal’s stored transactions are cardholder data that the PCI DSS requirements above apply to. The most common terminals consist of a modem, keypad, printer, magnetic stripe reader, power supply and memory card, and have kept the same basic design since the 1980s. As with computers, a wide range of memory capacities and other features, such as built-in printers and debit card PIN pads, affect the manufacturing cost of a terminal.

Automated Response Unit (ARU)

An ARU (also known as voice authorization, capture and deposit) allows the manual keyed entry and subsequent authorization of a credit card over a cellular or land-line telephone. With this method a merchant typically imprints the customer’s card with an imprinter to create a customer receipt and a merchant copy, then processes the transaction immediately over the phone.

Payment gateway

A payment gateway is an e-commerce service that authorizes payments for e-businesses and online retailers. It is the online equivalent of the physical POS (point-of-sale) terminal found in most retail outlets. The merchant account provider is typically a separate company from the payment gateway; some merchant account providers run their own gateways, but most merchants use a third-party gateway. A gateway usually offers two ways in: a) a virtual terminal, where the merchant logs in securely and keys in card numbers, or b) an API through which the website’s shopping cart connects to the gateway for real-time processing from the merchant’s own site. Which path you use affects your PCI DSS scope: if card numbers are keyed into or pass through systems you operate (a virtual terminal on a shared office PC, or a cart that posts the card number to your own server before forwarding it), those systems hold cardholder data and fall under the requirements listed above.
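The following is an added example, not code from the original page or from any cart or gateway vendor. It ties together the “Protect Cardholder Data” and “Regularly Monitor and Test” goals from the PCI DSS list above and the cart-to-gateway API path described here: a merchant-side checkout hands the card to the gateway once, keeps only the gateway’s token, an authorization code and a masked PAN (first six and last four digits, the most PCI DSS allows to be displayed), and passes anything it logs through a scrubber that masks Luhn-valid card numbers and removes CVV values. The request and response fields, MockGateway, CartCheckout and the sample card data are assumptions for illustration; a real gateway publishes its own API and is reached over HTTPS rather than by the in-process call used below.

```python
"""Added example: cart-to-gateway authorization with PCI DSS-style data handling.
MockGateway, CartCheckout, the request/response fields and the sample card data
are illustrative assumptions, not any real gateway's API."""
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every card network applies to the PAN; also lets the
    log scrubber tell a card number from an order or phone number."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS permits displaying at most the first six and last four digits."""
    if len(pan) < 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# 13-19 digits, optionally separated by spaces or dashes, not glued to other digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
_CVV_FIELD = re.compile(r"(?i)\b(cvv2?|cvc)=\d{3,4}\b")


def scrub_log_line(line: str) -> str:
    """Mask Luhn-valid card numbers and drop CVV values so that audit logs
    (requirement 10) never turn into an unprotected store of cardholder data."""
    def _mask(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    line = _PAN_CANDIDATE.sub(_mask, line)
    return _CVV_FIELD.sub(lambda m: f"{m.group(1)}=[removed]", line)


class MockGateway:
    """Gateway side of the exchange (assumed): authorizes the card and returns a
    token that stands in for the PAN on later refunds or repeat charges."""
    def __init__(self) -> None:
        self._vault: dict[str, str] = {}   # token -> PAN, held only by the gateway

    def authorize(self, request: dict) -> dict:
        pan = request.get("pan", "")
        if not luhn_valid(pan):
            return {"approved": False, "reason": "invalid card number"}
        if not re.fullmatch(r"\d{3,4}", request.get("cvv", "")):
            return {"approved": False, "reason": "cvv required for card-not-present"}
        if request.get("amount_cents", 0) <= 0:
            return {"approved": False, "reason": "invalid amount"}
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        return {"approved": True, "auth_code": secrets.token_hex(3).upper(),
                "token": token, "last4": pan[-4:]}


class CartCheckout:
    """Merchant side: sends the card once, then keeps only the token, the auth
    code and a masked PAN. The full PAN and the CVV are never stored."""
    def __init__(self, gateway: MockGateway, merchant_id: str) -> None:
        self.gateway = gateway
        self.merchant_id = merchant_id
        self.orders: list[dict] = []
        self.log: list[str] = []

    def charge(self, order_id: str, pan: str, expiry: str, cvv: str,
               amount_cents: int) -> dict:
        pan = re.sub(r"[ -]", "", pan)
        # In production this request is an HTTPS POST to the gateway's API with
        # certificate verification (requirement 4); here it is an in-process call.
        response = self.gateway.authorize({
            "merchant_id": self.merchant_id, "pan": pan, "expiry": expiry,
            "cvv": cvv, "amount_cents": amount_cents, "currency": "USD"})
        record = {"order_id": order_id, "approved": response["approved"],
                  "masked_pan": mask_pan(pan), "amount_cents": amount_cents}
        if response["approved"]:
            record.update(token=response["token"], auth_code=response["auth_code"])
        else:
            record["reason"] = response["reason"]
        self.orders.append(record)
        # Even a careless "log the whole request" line goes through the scrubber.
        self.log.append(scrub_log_line(
            f"order={order_id} pan={pan} cvv={cvv} amount={amount_cents} "
            f"approved={response['approved']}"))
        return record


def demo() -> CartCheckout:
    """Constructed sample run: one good card (the well-known 4111... test number)
    and one that fails the Luhn check."""
    cart = CartCheckout(MockGateway(), merchant_id="MID-0001")
    cart.charge("A1", "4111 1111 1111 1111", "12/30", "123", 1999)
    cart.charge("A2", "4111111111111112", "12/30", "123", 500)
    return cart


if __name__ == "__main__":
    c = demo()
    for entry in c.orders + c.log:
        print(entry)
```

The Luhn check is what lets the scrubber leave order numbers and phone numbers alone; the cost is that a mistyped card number that fails the check is also left alone, so treat the scrubber as a second line of defence behind not logging card fields in the first place. Because the gateway keeps the PAN in its own vault and the merchant holds only the token, a breach of the merchant’s order database exposes no usable card numbers.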