The key components of receiving online payments
When thinking about receiving online payments (e-commerce) it is useful to understand the three key components.

1. Shopping Cart/Online order form
2. Payment Gateway
3. Merchant Account

Shopping Cart/Online Order Form
A Shopping cart is a tool that facilitates the item selection or ‘picking’ activity. Used in conjunction with an online catalogue tool, where the items for sale are listed, a user selects items from the catalogue and places them in the ‘cart’.  Most Australian companies will utilise a hosted shopping cart (ASP model) where they pay a monthly hosting fee. With the hosted approach the digital certificate (SSL) is provided by the host and is covered in the hosting fee. Companies who host the shopping cart themselves are responsible for the digital certificate which carries an annual ongoing cost.

In addition to better usability for the user, a well designed shopping cart helps the company to manage online risk and combat against fraud through the information collected and the usage of email auto-responders. Also, a user will judge the website by its shopping cart. So be careful, as a poorly designed shopping cart with a ‘clunky’ check out process can put the user off-side and the sale opportunity lost.

An online order form is a basic alternative to a shopping cart.

Payment Gateway
A payment gateway is required for real-time e-commerce on your website where the user’s credit card is authorised in real time, allowing the user to complete the transaction, and triggering a payment into the merchant’s bank account. Usually there is a set-up fee, annual fee, and per transaction charge.

The usage of a payment gateway is preferable with regards to managing online risk.
Internet Merchant Account facility

An internet merchant account facility is a dedicated account facility to receive online credit card payments the user establishes with a bank. For real time e-commerce it works in conjunction with a payment gateway.

Approaches to E-commerce
The following three approaches to e-commerce are common among Australian online merchants. 

1. For real time e-commerce the merchant establishes the internet merchant facility with their bank, integrates the payment gateway, and uses either a shopping cart or order form for information capture. In most circumstances it will be easier and more cost effective for the merchant to charge in Australian dollars only.
   
   From a security point of view the advantage of using a payment gateway means that the customer’s details (name, address, credit card number) are not captured (or seen) by the merchant but rather are captured by the payment gateway provider only. Also the transfer of the customer’s details from the merchant’s website to the payment gateway is secure (encrypted) and cannot be intercepted.
   
2. Another approach is where the merchant uses a third party hosted solution such as Paypal, Worldpay or Paymate who look after some or all of the key components of e-commerce. The advantage is the ease in which the Australian company can charge the customer in different currencies without having to establish dedicated currency bank accounts.
   
3. The last approach and the least preferred from a security perspective is where the merchant uses either a shopping cart or order form for information capture and then manually re-keys the credit card number into an EFTPOS facility they have leased from a bank. Essentially the website captures the order information and the transaction is processed manually off-line. With this approach the company does not require a payment gateway service because the transaction is not in real time.

This approach is not preferred for a number reasons relating to security. The problem is that once the customer details (name, address, credit card number) are entered into the online order form in order for the merchant to access them, they are either emailed or stored in a back-end database for retrieval. If emailed they are generally unsecured (not encrypted). If they are stored in the database, behind password access, they are still potentially vulnerable to a hacker who knows a thing or two about data bases.