Small Businesses and the Outsourcing of e-Commerce?
Zzzt asks: "I work at a very small advertising agency & production company, doing various electronic media projects, including small websites. In anticipation of our clients going elsewhere, my boss decided we should offer development services for commerce websites, complete with credit card transactions and the like. For those out there who have created these sites, is it worth it for a small company to take on such a project, considering maintenance, liability, and other issues that will come up? Or should we just outsource the whole thing? For a medium to low-end HTML programmer, are there pre-canned packages that will do most of the work for me?"
...recently, I'd say outsource it. If you're not a programmer, you don't want to learn how to do it from scratch. The programming's the smallest part, though: dealing with the banks, cert vendors, hosts, etc. is a royal pain. Securing your system is the most important thing, and this is an area where you cannot skimp. Period.
Run the numbers, though. You should be able to hire someone with e-commerce experience specifically to implement this. You want someone who knows the space, who can pick a good off-the-shelf system and customize it for your clients, and who is security-conscious. As someone else in this thread said, HTTPS and certs are blue smoke and mirrors compared with unpatched or poorly-maintained servers.
Bring this up to your boss and see how much he *really* likes the idea. With the prospect of paying a new hire (or a contractor) to work on this, he'll either get more serious or less serious, both of which are good news for you.
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
And let's not forget social engineering. I worked for a place with a major e-commerce site (actually, major in my country alone, but it moved a lot of money daily) and the security was once compromised because someone called tech support and asked for their e-mail to be changed. This was done by the support 'technician' right away, and the attacker then used a 'forgot password' form to get a new password for the account. (The password reminder question/answer mechanism is a joke, since most people use dumb questions such as 'my dog's name' and other sorts of easy-to-brute-force data.)
My bottom line is that whatever process is involved in e-commerce, security is important not only in your servers but in your people, and tech support folks have a series of ugly qualities:
- are scared of their boss and will try to please the customer (even if he/she is not a real customer) fast, as long as the call doesn't escalate
- have low wages and are usually rotated frequently (every 3 months in the place I mentioned) for 'security' reasons (I guess the intention was to keep security lax)
- tend to think they know more than the sysadmin/programmers/DBAs about how the system works
Finally, security procedures are usually not well documented or not documented at all, especially if the IT department is small or unimportant in the hierarchical structure of the enterprise.
osCommerce looks great! This is what the world needs, in my opinion: a standard method, so people don't have to invent their own. This is the first time I've seen it, so thank you nandix and Slashdot.
However, the osCommerce documentation and source sites are disorganized enough that it seems like osCommerce is not ready for wide use. For example, the documentation project site calls the software by a different name than the software site: OSCommerce vs. osCommerce.
OSCommerce 2.2CVS Documentation
OSCommerce 2.2CVS Pretend product catalog
Short description: About osCommerce
830 sites use osCommerce, and are registered.