Collect money using your website

“How can I sell and collect money using my website?” This is the most common question we are asked when a new business comes to us.

Many website owners who sell products and services over the net wish to set up a payment gateway; in other words, they wish to allow their customers to pay easily and securely.

For an IT person working in this area every day, it is all simple. However, for a business person, terms like PCI compliant, DSS, Amazon S3, Google Checkout, and offline vs online CC processing may be just annoying.

Wheeler Software has implemented in its core an “engine” that allows the owner of a Wheeler Software website to turn on or off, with a few mouse clicks, a “switch” that allows internet users to pay using their credit card. This is an example of offline CC processing.

There are plugins that can be installed on a Wheeler Software, WordPress or any other website that allow the owner to collect money via PayPal or another online payment gateway. This can be an example of online CC processing.

Let’s make clear a few terms using “plain English”:

You can collect money from credit cards in three ways:

  • Offline. It is named offline because the money is not transferred from the customer to you immediately when the customer sends his credit card details using your website (fills in a form and presses the Send/Submit button).
    It means you receive the credit card number and expiry date and you manually input these details in your “terminal”.

    1. What you need: a terminal ID. This terminal can be a physical machine (you may have one as a merchant) or your bank's web interface. If you do not know what this is about, just contact your bank and tell them that you wish to process your customers' credit cards offline. You will receive your merchant ID (and a terminal device if applicable). The process takes a few weeks.
    2. Costs: your bank's monthly fees for your merchant ID (and terminal) and a fee per transaction based on what type of CC was processed (Visa, MasterCard etc., and what kind of card it is, for example low interest rate). Check with your bank for details.
    3. Time frame for the money to get into your account: usually 24 hours (except holidays – ask your bank for details).
    4. Anti-fraud. This is the only method that gives you a chance to avoid collecting money from a stolen credit card. For example, if you receive an “uncommon order” (big value, from another country/overseas) you can check whether the request is valid. Ask the user to send you a copy of his ID, or contact him by phone asking for details. If that CC was stolen you will not receive any details and you will not charge that credit card. Doing this, you will avoid the refund and the extra fee (usually $50) the bank will charge you.
    5. Important. Please consider HOW YOU GET the CC details. You can use an offline payment gateway, for example e-path (subscription per year, no transaction fee). You can set up your website in a PCI compliant hosting space – this is very expensive. Ask your hosting provider for details.
  • Online. It is named online because the money is transferred from the customer to you (actually to your payment gateway provider and then to your account) at the moment the customer presses “Pay Now” (the final approval of his action/buying process).

    1. What you need:
      – terminal ID (no physical device). If you do not know what this is about, just contact your bank and tell them that you wish to process your customers' credit cards online. You will receive a merchant ID. The process takes a few weeks.
      – an account on a payment gateway system (eWay for example). They will ask for your merchant ID and the process takes another few weeks.
    2. Costs:
      – Your bank's monthly fees for your merchant ID (and terminal) and a fee per transaction based on what type of CC was processed (Visa, MasterCard etc., and what kind of card it is, for example low interest rate).
      – Your payment gateway provider's fees: a monthly fee based on your specific subscription + a fixed amount per transaction (usually 10c to 50c) + a percentage per transaction (usually 0.2% to 2%, depending on your subscription).
    3. Time frame for the money to get into your account: usually from 48 hours. 24 hours from the customer's bank to your payment gateway provider + 24 hours from the provider to your account.
    4. Anti-fraud. Your payment gateway provider usually has an automated anti-fraud system based on many parameters. It does its job okay; however, if a CC is stolen and used quickly, it will not be detected as stolen. The transaction will be processed, and later you will refund the money and pay the “fraud fee” to your bank.
    5. Important. Using an online payment gateway system, you do not have to worry about a “PCI compliant hosting space”. You pay heavily for it every single month and transaction.
  • PayPal or similar (Google Checkout, Amazon S3): I will talk about PayPal only. For other systems please consult the provider. Money from your customer goes to your account on PayPal (you must have one).
    1. What you need: a Business PayPal account (it is free) linked to your bank account. The process takes up to 5 days. When you set up your PayPal account you will provide at least one email address. That address is all you need to have a PayPal payment gateway installed on any website.
    2. Costs: Basically there are no fees as long as you keep the money on PayPal. That is not a realistic scenario, because you will transfer it to your bank account or you will buy something and pay from your PayPal account. At that point you will be charged, and honestly the charges are pretty heavy. Check the PayPal website for full and current details. There are subscriptions available that will reduce your transaction fees.
    3. Anti-fraud. It is the same as in online CC processing. However, even though PayPal has a good “feedback/support” system, be sure you will be charged and you will refund the money if a fraud occurs.
    4. Important. Using PayPal, you do not have to worry about a “PCI compliant hosting space”.


PCI stands for Payment Card Industry
DSS stands for Data Security Standard

You, as the owner of a website, can collect CC numbers using your Wheeler Software website, for example: your internet user types all the CC details into a form, and you receive them and process them using your terminal.

To do this, your website must be hosted on a hosting space (server) that is PCI DSS compliant. Ask your hosting provider if you do not know. If you collect CC details using your website, the website is not hosted in a PCI DSS compliant environment and you have “bad luck”, you can get a fee starting at $50k. It is just not worth it. Read the above and decide which system to have. Contact us if you need professional consultancy.

A bit about cloud systems. According to a speech by Dr David Ross (Credit: Michael Lee/ZDNet Australia) at AusCERT 2012 on the Gold Coast on 17 May 2012 (source

  • the Payment Card Industry’s (PCI) data-security standard (DSS), which has 12 overarching requirements for how credit and debit card information must be secured.
  • Dropbox and Amazon Cloud Drive are not suitable, even though data itself is being stored on Amazon S3, which is suitable for PCI-compliance purposes.
  • no Google products are suitable either, including Drive, which he said is often a source of leaked information, due to the poor practice of storing card numbers in spreadsheets and then having these automatically synced to Drive. The only exception is Google Checkout Merchant, which, Ross said, if implemented correctly, would not harm an organisation’s PCI compliance.
  • Microsoft also has certain issues, with the company stating that its Azure Cloud platform undergoes annual PCI DSS audits — but never explicitly stating that its systems are actually compliant. Ross recommends watching and waiting to see whether the company achieves compliance.

Allow editors to customise theme and widgets

There are two major opinions on whether or not to allow other roles to access theme options.

By default only the administrator has access to this area.

In production you may wish to allow editors (your client) to access that area for various reasons. The most common reasons are:

  • Menus are built using this area and the client must be able to change them: add, delete and change menu options and their order.
  • Theme options are in this area and the client must be able to change background colours, images etc.

How to do it:

Below you will find how to give the editor role access to:

  • access theme options (editors will see themes but will NOT be able to add / change / delete themes)
  • import and export all website content, so editors can back up / restore website content

Open your current theme's “functions.php” and add to it:

/************* WOD - change editor capabilities  BOF *****************/
// get the role object (get_role() returns null if the role does not exist)
$role_object = get_role( 'editor' );
if ( $role_object ) {
    // add each capability to this role object
    $role_object->add_cap( 'edit_theme_options' );
    $role_object->add_cap( 'export' );
    $role_object->add_cap( 'import' );
}
/************* WOD - change editor capabilities EOF *****************/
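
WordPress saves role capabilities in the database, so a grant made with add_cap() stays in place after the lines above are removed from functions.php. As an alternative to the snippet above, the following added example (not part of the original post; the wod_* function names are hypothetical) grants the same three capabilities once on theme activation and revokes them when the site switches to another theme:

```php
// Added example for the theme's functions.php; wod_* names are hypothetical.

// Capabilities the post grants to the editor role.
function wod_editor_extra_caps() {
    return array( 'edit_theme_options', 'export', 'import' );
}

// Grant once, when this theme is activated. add_cap() stores the change on
// the role, so it does not need to run on every page load.
function wod_grant_editor_caps() {
    $role = get_role( 'editor' );
    if ( null === $role ) {
        return; // the editor role was removed or renamed on this site
    }
    foreach ( wod_editor_extra_caps() as $cap ) {
        if ( ! $role->has_cap( $cap ) ) {
            $role->add_cap( $cap );
        }
    }
}
add_action( 'after_switch_theme', 'wod_grant_editor_caps' );

// Revoke when the site switches away from this theme. Deleting the grant
// code alone would leave the capabilities stored on the role.
function wod_revoke_editor_caps() {
    $role = get_role( 'editor' );
    if ( null === $role ) {
        return;
    }
    foreach ( wod_editor_extra_caps() as $cap ) {
        $role->remove_cap( $cap );
    }
}
add_action( 'switch_theme', 'wod_revoke_editor_caps' );
```

The after_switch_theme hook fires only on activation, so if the theme is already active, re-activate it once for the grant to run.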

You can install plugins, but it is best to include this functionality in your theme, because any plugin you install will:

– increase the loading time

– increase the chance of the website being hacked

– make your website dependent on the plugin provider; if you have many plugins you will soon have problems with updating them all and with “the developer just vanished”


Should a website be revamped?

There are tons of pages on the Net about how a website should be built so that search engines can quickly get relevant content.

Everybody receives many emails and newsletters about what must or must not be done in a website to have good visibility in search engines (SEO).

One image tells more than 1,000 words. I’ve chosen two images. Both are 3D representations of websites: one is the latest entry in the WOD (website on demand) portfolio and the second is of a website taken randomly from the net (an old website, built 2007-2008).

Just imagine that a “robot” that picks up data to index either of these two websites comes into the website at the base (ground) level and has to “climb” to the “surface” where the data is stored. Usually any robot (SEO) tries to get something in microseconds.

Have a closer look at these two images and you will know for sure from which website a robot will “take” more relevant data.

Because on both websites the keywords, title and descriptions (metadata) are on the ground level, the difference will be made by relevant content.

Furthermore, metadata is always the same but the content is dynamic (as long as the website is updated). Google loves to see that something is happening in a website, so it is obvious that a website with static content will slowly but surely go down.

There are many factors and you may get bored so let’s keep it simple.

The more pages a website has in the Google index, the better its chances of getting a good position in Google's listing.