Ecommerce Options & Best Practices Guide

Date: 
Wednesday, April 11, 2007
Announcments:

 

  • The next meeting: Leslie Johnson presented standardized banners across all ua websites in November and will present again;; ie/css coding; cross platform css issues and ie.
  • Starting in June we will be meeting downstairs in Highland Commons, room B116

 

Ecommerce Options at the UA

Presenters:

Robbyn Lennon
UA Bursars Office
lennonr@arizona.edu
* Melanie Molzahn
Bank of America
BOA merchant services customer service: 800-228-5882

Additional Contact Information

Information Security Liaison
Kelly Bogart
bogartk@email.arizona.edu
626 8232

Attachments:

  • CyberSource Standard Business Edition Presentation (ppt)
  • Credit Card Processing (ppt)
  • ECommerce Checklist


Notes:

  • Cybersource is the option that the Bursar Office uses. The Bursars office has experience with CyberSource and are able to provide support to UA web developers who are building ecommerce solutions.
  • Bursars/BOA opens a cybersource merchange acct. for you.
  • CyberSource-ready shopping cart integrations. Hosted order page with customizable content is the easiest and fastest way to accept cc payments.
  • Simple order APIs -- if you want to create your own SSL secure webpage;
  • New: electronic check option. in testing now. so users can just input their check information.


Comments:

  • What problems & complaints have you had with cybersoruce?
  • Reply: frustration when system goes down for a time; there was an issue during conversion when going to cybersource; some timestamp problem on reports only due to time zone issue with sites that are 24 hour, but the money is going through correctly;
  • Graduate college has seen some problems; no testing area after initial setup.
  • Cost to set up account?
  • Reply: depends on type of option. See checklist attachment above.
  • When using the API is the validation on the server side? Are errors handled the server?
  • Reply: Compliance issues from within the patriot act.
  • How to set up?
  • Reply: email or phone Robbyn and tell her you want to set up a merchant account. they will send you information/check list. With cybersource, they have support; if you are using another interface, you should let bursar's know about what interface you are using.
  • Are departments using this service to collect donations?
  • Reply: Yes, though the UA Foundation.
  • Are the policies on who can sell or what can be sold?
  • Reply: No policies on what can be sold. Security issues are needed and are being worked on. Security breaches have been a big concern.
  • Does it work for multiple projects?
  • No easy way to send money to different FRS accounts.. one website submits to one FRS accounts.
  • Temporary accounts?
  • Reply: Yes. Credit card merchant agreement.
  • How far advance notice?
  • Reply: A couple months.
  • Online tracking method?
  • Some software available that allows for tracking; Cybersource gives only basic tracking.
  • Are there cases where credit card info is also classified as other type of data such as FERPA?
  • Reply: The UA does not store credit card info. Point of Sale Termminal sales receipt, if written or imprinted from card, need to be in secure locked location as the record shows credit card number. The Point of Sale Terminal itself does not store card numbers.
  • Surplus property recently had a breach where credit card info was stolen. What were they using?
  • Reply: I don't know how purchasing was storing data, they MAY have been storing in their own data files. I don't know what the security breach situation in stores was exactly.

 

Web Development Best Practices Guide


Ed Murphy
Office of Student Computing Resources (OSCR)
emurphy1@email.arizona.edu
Resources

Web Application Best Practices Guide

A Wiki that allows you to add comments. You can request an account that allows you to be a contributor by contacting Ed.

 

Notes:

  • This site will expand to cover a lot of best programming practices. Hopefully, others will contribute to expand the site, such as adding .net best practices.
  • The guide provides links to resources that provide info such as OWASP. OWASP covers security issues in general and provides information on ecommerce best practices.
  • There will be "Certified Hacker Training class coming to campus in May.
  • Bugtraq - a mailing list focused on web security and general internet security. For more info, www.securityfocus.com
  • There is vulnerability in firebug that exploits javascript. Firebug is a web developers extension for Firefox. For more info on the vulnerability see, www.securityfocus.com/1/464786

Comments:

  • Do you know of any resources that can answer questions about the Shelton memo, web issues, security?
  • Reply: The policy is being developed. Central IT is being asked to do an inventory of what is out there. Trying to find out what is stored, where and why. the web and web applications are being looked at closely.
  • Do you know if there is a group of black hats/ hackers that test websites?
  • Reply: I dont know if that is being done here but there are companies who are doing vulnerability scans of systems.

Php Security
  • Meeting time ran out. Ed will reschedule for two months from now to present PHP security issues. The presentation show how to hack PHP to help you learn how to write better code.
Topics: