Keeping Control of Your E-commerce

Rick Ells, Senior Computer Specialist, Computing & Communications

Using the Web to buy a book or register for a conference is now quite common. Often you just enter your credit card number, click the submit button, and you are done.

Why not go online, using this e-commerce technology, the next time your department sponsors a conference or markets a CD-ROM? The ads for e-commerce software are tempting: "E-commerce made easy, $49.95 per month, free setup." How hard can it be?

"When setting up a Web site to do university business that involves financial transactions, keep in mind that you need all the normal accounting controls to settle, reconcile, report, and monitor those transactions," says Frank Montgomery, UW Controller.

Avoid Sending or Storing Credit Card Data

Setting up to do e-commerce can be done in several ways. The simplest—but not safe—method is to put a form on your Web site for customers to fill in and submit, causing the information on the form to be emailed to you. With this unsafe method, you would then manually enter the credit card data to actually do the purchase transactions, using standard point-of-sale terminals or software much as you see done in restaurants or stores.

As University of Washington Controller, Frank Montgomery calls for proper financial and security measures in place when doing university e-commerce.

While simple, this method has plenty of security problems. Credit and debit card data is too accessible since it is recorded in the server logs, on the email server, and in files on your computer.

"UW email and Web servers are not designed to handle sensitive information," says Oren Sreebny, assistant director for C&C's Client Services. "A hacker grabbing credit card numbers from your email folders or files—or en route to them—could give your university program a major public relations black eye, as well as create plenty of extra work for your staff."

Using a Service Is Safer

A safer way to do e-commerce is to make arrangements with an Internet-based credit card service. That way, the credit card information entered on your Web page form goes—via an encrypted link—directly to the service company for processing. (See previous article "E-commerce: The Grad School's Experience.")

"Using the Internet-based services has some real security advantages," says Montgomery. "Since the credit card transaction is between the customer and the service company, you don't have to worry about accumulating sensitive information like credit card numbers in your files where someone might find them."

Issues to Consider

Careful monitoring of all transactions is essential with e-commerce. "Incorrect, duplicate, and failed transactions may occur," says Montgomery. "You need to detect these problems and deal with them promptly."

Seek Advice First

Frank Montgomery, UW Controller, recommends that anyone at the UW considering setting up an e-commerce site contact the Controller's Office (206-543-4990) to discuss appropriate approaches and best practices.

Whether you generate revenue through e-commerce or by other means, some issues to carefully consider, according to Montgomery, include:

Proper reporting of the income
Taxes that may be due
State ethics laws that may apply
Policy guidelines on competition with private industry

From the customer point of view, your site also should provide good service, with assistance available at least by email if not by phone.

"Technology doesn't just do it all for you," says Montgomery. "Your system not only should be reliable and understandable, but should have help available and a system for handling refunds and other payment disputes."

After all, cautions Montgomery, if someone has a bad experience on your site, it will reflect poorly on the UW as a whole.

University of Washington Computing & Communications
Windows on Technology, No. 25, Autumn 2000
newsltr@cac.washington.edu