E-commerce, also known as electronic commerce, is the act of buying and selling goods and services, and accepting payment transactions electronically through the internet. Forms of payment include, but are not limited to, credit or debit card and electronic check processing. It generally requires a level of technical support and knowledge to create a secure website that can display the goods and services available for purchase, and safely capture restricted customer payment information during the purchase process.
To be able to accept credit card payments on your website, and bearing in mind that credit card data is “high risk” data, you will need the following:
Connects the merchant’s web-based store with the acquirer (or its processor), card networks and card issuers. Specifically, your website will need to incorporate the following components:
- SSL Certificate: Secure Sockets Layer (SSL) is a technology that encrypts data communicated online to protect it against unauthorized use. SSL is identified by the “s” in the “https” at the beginning of the URL of an SSL-protected webpage and often colors the URL bar.
- Online Store/Shopping Cart: Software that collects and organizes online customers’ list of items for purchase. Once the customer is ready to check out, the shopping cart calculates the order total and presents the customer with a payment information form to complete the transaction. The shopping cart can be provided by third-party vendors or be custom-built by website developers.
- Payment Gateway: Technology that connects a merchant's online store/shopping cart with its acquirer (or processor) and transmits the transaction information and authorization for each customer purchase.
E-Commerce Merchant Account
Establishing a merchant account is the mechanism that enables merchants to accept credit and debit cards for payment. It is provided by the university’s acquiring bank, Wells Fargo. It links all of the above-mentioned components into an integrated system. For more information, refer to Topic Overview: Merchant Account Life Cycle.
The university encourages departments to use the CyberSource payment gateway. By using CyberSource's Secure Acceptance Web/Mobile implementation, the customer enters their cardholder information onto a secure order page hosted by CyberSource. In this way, no credit card data is stored on or transmitted through any of Stanford's UIT systems or servers.
If merchants choose another third-party payment gateway, they must first ensure that the gateway is fully approved by Merchant Services (MS) and is compatible with Wells Fargo’s processor, First Data.
Connect to Payment Gateway
CyberSource can also be integrated with other third-party, vendor-provided applications if the vendors offer integration capability. Timelines, pricing and fees are dependent upon vendor and integration requirements. E-commerce merchants that connect to CyberSource are responsible for monitoring and maintaining that connection. All connections must be fully documented, and that documentation must be submitted to MS before the merchant's web store goes live and begins processing live transactions.
Payment Gateway Features
The following CyberSource features are available to merchants:
- CyberSource Secure Acceptance Web/Mobile: Used to enable your web store to accept card and check payments by customers entering their own information into a secure order page hosted by CyberSource.
- Recurring Billing/Customer Profiles: Enables you to create customer profiles that are stored on CyberSource’s secure servers. A customer profile is a set of information about a customer that you store in the CyberSource database for future billing.
- Secure Storage: Customer payment information is securely stored for each transaction.
Note: Not all features may be applicable to your web store.
Approval of Implementation Changes
Any significant changes to current processes planned by currently active e-commerce merchants must be reviewed and approved by MS prior to implementation. Such changes include (but are not limited to):
- Departmental website
- Application software
- Products or services for sale
- Anticipated transaction volume
- Departmental contacts responsible for e-commerce
While it is perfectly acceptable, or even encouraged, for customers to make online payments from their personal devices, merchants must not allow customers to enter their credit card information on any university-owned device (computer, tablet, laptop).
If merchants need to manually enter card information into an e-commerce site on behalf of the customer, entries must be made through an approved secure channel. This may include a dedicated PCI workstation or a regular workstation connected with the approved point-to-point encryption (P2PE), secure reading and exchange of data (SRED) key. Contact the Merchant Services team for more information.
E-Commerce Website Requirements
In order to comply with Visa and MasterCard regulations, certain terms and conditions must be presented on university websites and/or mobile apps. These include:
- Name of business unit listed on your merchant ID or payment processing account
- Contact information such as mailing address, phone number and/or email address
- Clear and prominent display of the merchant outlet’s country of operation, appearing:
  - On the same screen view as the checkout screen that presents the final transaction amount
  - Within the sequence of webpages the cardholder will access during the checkout process
- Disclosure of return, refund and cancellation policies on the sequence of pages before final checkout, including a “click to accept” button, checkbox or other acknowledgement.
E-Commerce Best Practices
- Work with MS for all your e-commerce needs
- Allow plenty of time to establish your Merchant ID and e-commerce implementation (minimum 1 to 3 months depending on the solution)
- Inform MS of changes to staff and access roles so that maintenance of payment gateway users can be properly managed
- Do not use unapproved e-commerce vendors
- Do not conduct e-commerce at Stanford without an official Merchant ID unless exception approval is obtained