You all probably know I got a drum community website, getting bigger and better!  A drum shop has approached me and would like to make a deal with me, I have an online store on the site selling drum stuff, I get a 3% commission on everything sold.

Right, heres the problem, how am I going to actualy sell the things on the site?  I really dont want to end up paying for some credit card service to take the orders online, plus how can I record how many orders where made, and if I do go for a credit card company, who's credit card's name is it in?

Bah!  Its complicated

3% is only good if they eat the credit card fees which will usually be more than 3%. They eat them now, but online the fees tend to be higher than fees where the card holder is in front of your face.

A lot of people like candypress. ASP, easy to set up. Storefront is free, but the admin stuff goes for around $50 US. WWF for the support forum.  A good place to start.

This article    http://www.broad-lea.com/weblog.php?id=C0_1_1 - http://www.broad-lea.com/weblog.php?id=C0_1_1    mentions FreeAuthNet which I've used in the past with no bad experiences. - YMMV

Thanks for all the help, im happy building the store myself that fine. Mleh, never mind hehe ill think about it

Don't know about things in the UK, but in the states, each CC has variable rates depending upon the type and volume of the business, how they physically interact with customers, and their past record.

If this was me, I'd be thinking that he's already paying 3-5% for credit card transactions. Comissioning you at 3% for sales gets him an additional sales outlet for no - or even less - addtional cost.

Also, remember that your arrangement with the CC processor is subject to change. Your arrangement with the shop owner needs to reflect that.

One option you have is to take an online order subject to verification. The shop owner then "swipes" the card the next day from his retail location. I imagine that orders would be shipped by the shop owner so combining the verification and distribution stages wouldn't be a terrible hardship.

Just make sure that the process leaves you with the customer contact responsibilities. Keeps the shop owner from claiming the card didn't pass when it actually did.

BTW... He gets his drums from somewhere. If you have to use a cc processors, you may want to think about contacting drum manufactures directly. Factory shipping and the margin is something substantial you can play with. Many product manufactures look at online sites as additional storefronts others are afrraid of cannibalizing existing sales.

As I would think that drums tend to be a "try before you buy" thing, you could address those objections by targeting advanced drummers and market geography that not's covered by retail.

Ahhh, so its possible for me to take the CC details, send it to mr blokey who runs the shop and he keys it on his machine?

Ok, I suppose I would need to get SSL hosting, and what by law am I allowed the store the CC numbers on?  Pressumably not my SQL Server database?  And how would I go about sending CC details to the store legally?  I'm probably not allowed to simply post/email them!  SSL login to view them?  I dont know

I did an mortgage site that swiped the card off line as fees would be outrageous online.

For this kind of operation, I wouldn't store credit card numbers. It's (I think) not like people drop in once or twice a week to get a new drum?

You would have to use ssl to cover cc's in transit from them to you. For the email side of things, your host probably already has PGP or some other encryption mechanism in place. You'll need to generate sender and recipient keys, distibute the recipient key to the people who get copies, perhaps set up separate email accounts for them on their client email program, and encrypt the message using the sender/server key.

You may also want to look at encrypting as much of the header as you can. It can be difficult with some email servers and anti-spam measures. To be VERY secure, you can encrypt the email for storage on the mail server and have the client access via a VPN but that'll cost more $ and most shared hosts don't support VPN's.

Your exposure here is an inside job by one of the hosting company employees. Of course that applys to storing CC's on a db as well. If they have access to your mail/db server and access to your code, they can pinch the encryption keys and apply them.