  1. #1

    Pay for download solution

    Hi all,

    I hope my questions are not too simple. I am a sysadmin and not a web person. This all is out of my league.

    I have a client who is looking to charge for data downloads and also sell physical merchandise. There will also be some “buy on the web and pick up in person” transactions such as event registrations. At some point they might want POS terminals so the system should be built with that in mind. The material is not adult oriented so there is no worry about being turned away by providers. There is a rather lot of content though. Well over 100GB and growing all the time.

    They currently have a custom storefront that they believe to not be compliant with all the laws and regulations (PCI?). They process credit cards through Authorize.net and VeriSign. They are a well established company with merchant accounts and all that.

    We have been told that unless we use a company such as MonsterCommerce we must have third party audits. Is that right?

    MonsterCommerce doesn’t seem like a good match since we would have to host many gigs of files on their servers (which I doubt they would appreciate) or do some kludged email thing. Neither seemed good to me.

    How would you go about setting this up? I was thinking that a basic hosting account (LiquidWeb perhaps) with any shopping cart would do. Are there good modules available for controlling downloads? I figured there must be for the shareware sellers. Would we really need to do audits? The powers that be seem to think that we would have to have the corporate network audited. That seemed *really* wrong to me.

    TIA,

    Dan

  2. #2
    I've used OSCommerce for pay per download sales and it's worked fairly well for me. It also integrates with most payment processors, so you wouldn't have to change any of that.

    As long as payments are going through a certified payment gateway, such as Verisign or Authorize.Net, and you're not storing any credit card numbers, I don't know of any reason why you would need any auditing of your server or network.

  3. #3
    Thanks. I wasn't getting why we would be audited. I'll email the webmaster-like person. I suspect it was FUD from a salesperson.

    Anything in particular that works well for a pay to download system?

    Dan

  4. #4
    It sounds like they want to be CISP compliant, for which they will be audited at least once a year for security purposes. Depending on the volume, you might have to be.

    MonsterCommerce probably would not be that great of a source for you. Use your own shopping cart and make sure it is compliant (no SQL injection, etc.).

    As far as the pay for downloads - what language are you looking for?

  5. #5
    Corey,

    Just who needs to be CISP compliant? Do you know where I can find, in writing, an official listing of who has to comply and who doesn't?

    I have heard that if you do not keep credit card numbers you do not need to comply. According to the FAQ at http://usa.visa.com/download/busines...t/cisp_FAQ.pdf they would need to since they are transmitting data. OTOH we were told that the LAN would need to be audited and that seems outrageous. Two servers back east are talking to each other and we need to secure our LAN? I don’t think so since “If a merchant or service provider does not store cardholder data, CISP still applies to the environment that transmits or processes cardholder data."

    Of course that FAQ says that "CISP is directed to all entities that store, process, or transmit Visa cardholder data." which by a literal reading would mean that I as a customer have CISP "directed to" me since I am transmitting "cardholder data" even if it is my own. This stuff is terribly confusing to a literal minded geek.

    In any case they would be a level 4 merchant according to http://usa.visa.com/business/accepti...html|Merchants. From that it would seem that audits are not required.

    The downloads are MP3 files. PHP is the preferred language.

    TIA,

    Dan
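    As an added illustration of the PHP download control asked about above (this is not code from any cart or product mentioned in the thread): a download endpoint that hands out an MP3 only when a valid, unexpired purchase token is presented, keeps the files outside the web root, and looks up the token with a parameterised query. The `purchases` table, its columns, the media path, the token format and the database DSN are all assumptions.

```php
<?php
// download.php: gate MP3 downloads behind a purchase check.
// Added illustration; assumes a table `purchases` (hypothetical) with
// columns token, filename, expires_at, filled in when an order is paid.
declare(strict_types=1);

// Files live OUTSIDE the web root so the web server can never serve them directly.
const MEDIA_DIR = '/srv/media/mp3'; // assumed, canonical path without trailing slash

function lookupPurchase(PDO $db, string $token): ?array {
    // Parameterised query: the token never becomes part of the SQL text (no SQL injection).
    $stmt = $db->prepare(
        'SELECT filename, expires_at FROM purchases WHERE token = :token LIMIT 1'
    );
    $stmt->execute([':token' => $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function resolveMediaPath(string $filename): ?string {
    // Whitelist the filename shape, then confine the resolved path to MEDIA_DIR (defeats ../ traversal).
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.mp3\z/', $filename)) {
        return null;
    }
    $path = realpath(MEDIA_DIR . '/' . $filename);
    if ($path === false || strpos($path, MEDIA_DIR . '/') !== 0) {
        return null;
    }
    return $path;
}

function serveDownload(PDO $db, string $token): void {
    // Assumed token scheme: 32 hex chars from random_bytes(16), issued at purchase time.
    if (!preg_match('/\A[a-f0-9]{32}\z/', $token)) { http_response_code(403); exit; }
    $purchase = lookupPurchase($db, $token);
    if ($purchase === null || strtotime($purchase['expires_at']) < time()) {
        http_response_code(403); exit; // unknown or expired token
    }
    $path = resolveMediaPath($purchase['filename']);
    if ($path === null) { http_response_code(404); exit; }
    header('Content-Type: audio/mpeg');
    header('Content-Length: ' . (string) filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path); // PHP streams the file; the directory itself is never web-accessible
}

$db = new PDO('sqlite:/srv/store/purchases.sqlite'); // assumed DSN
serveDownload($db, (string) ($_GET['t'] ?? ''));
```

    Note that no card data is touched here at all; the cart hands the payment to the gateway and only records a token once the order is paid, so the download server never stores or transmits card numbers.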

  6. #6
    I suggest you contact Visa USA for a clarification of their rules. That's better than anything you'll get off a forum.
    Sizzling Web Design - Creator of EasyEstimates: Let your customers create complex estimates and orders on your web site.
    Video Gallery Pro - Show your videos like a pro

  7. #7
    Quote Originally Posted by mitchlrm
    I suggest you contact Visa USA for a clarification of their rules. That's better than anything you'll get off a forum
    Already done. It might be more authoritative but not as fast or reliable.

    Dan

  8. #8
    You said that at some point they will be using a POS? The point of sale will be in a retail store? How are those customers going to download the data if purchasing in a physical store?

    Anyway, I believe you need some custom work to be done. You can get an ecommerce store like osCommerce and modify it so it will populate directly from the POS.

    Regarding the Visa regulation, I believe you will be just fine by having a gateway like authorize.net and your SSL Cert.

    If you need 100GB of space on the server I believe you will need a dedicated, with good size hard drives and lots of transfer if the web site is going to be popular. Keep in mind that all products will be downloaded.
    Jorge Campos | WBpro
    Web Building Professionals
    www.wbpro.com

  9. #9
    Quote Originally Posted by wbpro
    You said that at some point they will be using a POS? The point of sale will be in a retail store? How are those customers going to download the data if purchasing in a physical store?
    It is not all download. They sell CDs and DVDs at a physical location, mail order CDs and DVDs, and offer MP3 downloads.

    Right now walk in and mail order CDs and DVDs are handled on PaperOS. There are also seminars and concerts that are handled in yet another system.

    At some point it would make sense to get everything into one system but we don't want to confuse the volunteers.

    Thanks,

    Dan

  10. #10
    I cannot get to Visa's site right now, unfortunately. It does not matter only whether you are storing numbers, etc.; it also matters what volume of transactions you are doing, etc.

    I wish I could remember, but I always go back to that site and I cannot find the PDF on my computer (I just recently moved a lot of documents around). Another possible reason Visa might require them to be CISP compliant is because of past issues. For example, if someone had a website that was not secure at all (had SQL injection, etc.), and their site was hacked and credit card data was compromised, Visa might require something at that point.

  11. #11
    It is under 20,000 eCommerce and under 6,000,000 physical transactions for Level 4, IIRC.

    I still haven't heard back from the CISP area at Visa.

    Dan
