Cold Fusion, CyberCash and SSL: Technologies of eCommerce
When you are setting up an eCommerce web site, it is important to understand the basics about the enabling technologies. Following my introductory article on "Launching your business on the Web", here is a brief discussion of the different technologies and how they all come together in an eCommerce site.
Summary
Cold Fusion is a powerful development tool that you can use to build any eCommerce site. Its template-based language makes it easy to learn. Its powerful features enable quick development. CyberCash is the transaction processing technology that works over the Internet. CyberCash is perhaps the pioneer of eCommerce on the Internet, although the term eCommerce was coined much later. CyberCash has been providing transaction processing over the Internet since the early 90s. And SSL (Secure Sockets Layer) provides the necessary layer of security via encryption when transmitting sensitive information such as credit card numbers over the Internet. When you visit a web address that begins with "https", the browser and the server set up and follow a protocol and exchange all subsequent information in an encrypted format so eavesdroppers can't see what your browser is sending to the server. Your browser encrypts all the data in such a way that only the intended server can decrypt and understand it.
Cold Fusion
Cold Fusion is by far the easiest tool to learn when it comes to Web Development. By inserting a few extra tags in your HTML code, you can interact with a database and display dynamic pages, or communicate with a mail server to send out an email message. You do not have to learn the SMTP protocol or any C++ database programming to do these. You do have to know basic SQL concepts to execute a query from Cold Fusion; the rest is handled by Cold Fusion. Similarly, when you want to set up an eCommerce site, you simply have to insert a few extra tags to communicate with the CyberCash Server to authorize a credit card. After you have the input from an HTML form that includes a credit card number and expiration date, and you have the amount you would like to charge for this transaction, you simply "invoke" a custom tag (CFX_ONCR_CYBERCASH) and pass it all the appropriate parameters and bingo - you've got credit card processing on your web site. You simply have to insert a few more Cold Fusion tags to check the result of your credit card authorization request to see if it succeeded or not. And if it did indeed succeed, your Cold Fusion template can go ahead and take the appropriate action - such as granting access to a secure site (using the CFX_ONCR_NTADMIN custom tag) or accepting the customer's order to be shipped later. This template-based programming ensures that you do not have to get into CGI or ISAPI or NSAPI programming in C or C++, which could be very time consuming and expensive. Allaire has done the ISAPI/NSAPI programming in C++ and created the Cold Fusion framework that you can simply use to develop your web applications with tremendous ease. There are numerous built-in tags and functions for common tasks. In addition to the built-in tags, there are numerous custom tags available in the Tag Gallery (including CFX_ONCR_CYBERCASH and CFX_ONCR_NTADMIN) that can be used very easily in your web applications.
This ability to extend the language is also a very good feature of Cold Fusion. Essentially, it guarantees that there is no dead-end - whatever you want to do in your Web Application can be done, mostly without a lot of programming, and if there is a special custom feature that's not available off the shelf, it can be easily built using C++ and plugged right into your application to provide the desired functionality.
CyberCash
I am sure you are familiar with the traditional methods of credit card transaction processing. Every time you purchase something with your credit card (in a shop) you witness the procedure. The cashier either swipes your credit card through a machine or dials a phone number and reads out your credit card number. What he/she is doing is "authorizing" your credit card via a "processor" - there are about 8 or 9 major credit card transaction processors in the United States - fdc, mappi, wells, nova, checkfree are among the more popular ones. When the cashier makes a call or swipes your credit card through a machine, that machine either dials out a number to connect to one of these processors, or the merchant may have a dedicated connection which it uses to transmit the credit card information (such as number, expiration date, your name and address, and the amount of your purchase) to the processor. The processor then performs the necessary checks and replies with a "yeah" or a "nyeh" - if it's a "yeah", it gives the cashier an approval number which she writes down for her records, and if it's a "nyeh", she tells you that you can't use that credit card. None of these processors provide any facility to accept these transactions over the Internet (some of them have started doing it now, however, most of them don't) - so if you are a merchant and need to authorize credit cards, you must either have a dedicated connection to the processor, or get used to complicated applications using modems to connect to the processor to authorize the credit cards. It's worse if you are an online merchant - i.e. if you want credit card processing for your web site, because now you must integrate your web-based application with either a manual procedure of dialing out, or you must write complicated programs that can interact with these processors using a modem.
There are some solutions available now that allow you to connect from your web page to a processor using a dial-out modem - but the processing time in those cases can be very long, because it takes very long just to dial out on a modem and get a connection, and then there is the chance that the connection could not be established. The people who started CyberCash were experts in Internet technologies, and they provided an alternative method to authorize credit cards over the Internet securely. CyberCash essentially has dedicated lines into all the processors, and they provide an Internet-based front end to accept transactions over the Internet, which are then turned around and sent to the appropriate processor (for the merchant that's sending the transaction). When a reply is received, it is returned via the Internet.

In the most common case, you only need to know about 3 or 4 transaction types. The "authorize" transaction (in CyberCash lingo it's "mauthonly") is the initial transaction that your web site must send in order to verify a credit card. It does not transfer any money - it only checks to see whether or not credit is available. If credit is available, it returns a "success" status; otherwise it returns a "failure-hard" status. After you have "authorized" several transactions, you must send a "batch-commit" transaction to "settle" these transactions - i.e. to transfer the funds from the credit card to your own merchant account. CyberCash 3.2 now provides an automatic batching service, where they will automatically submit batches for your account. If you are a new merchant and are using their 3.2 service, you do not need to send a "batch-commit" for your transactions. The other transaction that may be used in some applications is "return" - as the name suggests, this is used when you want to return someone's money that was previously charged using their credit card. One important thing to note here is that "return" is a transaction that can be sent only after the money has been charged (not just "authorized") using a "batch-commit" transaction. Before the money has been settled, you can use an "unmark" transaction to cancel a transaction. (In CyberCash lingo this is a "void" transaction; however, since there are two different kinds of "void" transactions, the CFX_ONCR_CYBERCASH tag defines two different types, "unmark" and "void", for voiding a transaction: "unmark" is to be used after a "mauthonly" and "void" is to be used after an "mauthcapture" transaction.) If you unmark a transaction, it will never be "batched" for "settlement". The CyberCash API provides many other transaction types, many of which are implemented by the tag as well - however, your application may only need to use a small subset of all the messages provided by CyberCash.
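The ordering rules above can be enforced in the application as a small state machine, so that, for example, a "return" is never sent for money that was only authorized. This is an added example, not CyberCash's or the tag's own code; the state names, the Order class, and the assumption that "mauthcapture" orders are settled by "batch-commit" are constructed for illustration.

```python
from enum import Enum

class State(Enum):
    NEW = "new"
    AUTHORIZED = "authorized"   # "mauthonly" succeeded: credit checked, no money moved
    CAPTURED = "captured"       # "mauthcapture" succeeded
    SETTLED = "settled"         # included in a "batch-commit": money charged
    CANCELLED = "cancelled"     # unmarked or voided: never batched
    RETURNED = "returned"
    DECLINED = "declined"       # authorization came back "failure-hard"

# (current state, transaction type) -> next state, following the text above.
ALLOWED = {
    (State.NEW, "mauthonly"): State.AUTHORIZED,
    (State.NEW, "mauthcapture"): State.CAPTURED,
    (State.AUTHORIZED, "unmark"): State.CANCELLED,
    (State.CAPTURED, "void"): State.CANCELLED,
    (State.AUTHORIZED, "batch-commit"): State.SETTLED,
    (State.CAPTURED, "batch-commit"): State.SETTLED,  # assumption (see lead-in)
    (State.SETTLED, "return"): State.RETURNED,
}

class InvalidTransaction(Exception):
    """Raised when a transaction type is not valid for the order's state."""

class Order:
    def __init__(self, order_id):
        self.order_id = order_id
        self.state = State.NEW

    def apply(self, txn_type, status="success"):
        """Record a transaction result; reject types not valid in this state."""
        nxt = ALLOWED.get((self.state, txn_type))
        if nxt is None:
            raise InvalidTransaction(f"{txn_type!r} not allowed in state {self.state.value}")
        if status != "success":
            # A failed authorization ends the order; other failures change nothing.
            if self.state is State.NEW:
                self.state = State.DECLINED
            return self.state
        self.state = nxt
        return self.state

def settle_batch(orders):
    """Send "batch-commit" for every order still awaiting settlement."""
    due = [o for o in orders if o.state in (State.AUTHORIZED, State.CAPTURED)]
    return [o.order_id for o in due if o.apply("batch-commit") is State.SETTLED]
```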
SSL
The SSL (Secure Sockets Layer) protocol is an important part of the mix too. It provides security from the client's browser to the web server. As shown in the picture - the communication between the web server and CyberCash server is secured using Triple DES encryption, which the CFX_ONCR_CYBERCASH tag implements for you. The communication between the client's browser and your web server must be secured as well to provide security all the way through the transaction. This is done using SSL. In order to run SSL on your web server, you must obtain a digital certificate from a certification authority such as Verisign (http://www.verisign.com). The procedure to install the digital certificate is different for each web server software, and is documented by the web server vendor. In the case of Microsoft IIS, you can use the Key Manager to generate a request and then use the ".req" file that's generated to complete the procedure outlined on Verisign's site to apply for a digital certificate online. If all the information you supplied is verified correctly, within a few days you will receive an email from Verisign. Included in that email will be the digital certificate for your server. Simply go to Key Manager on your web server again and install this certificate. After you install this certificate, you will be able to access your web pages using an address starting with "https" on the same server. You must change the link to your order form to use this "https" address instead of the usual "http" address so that when customers click on the link to open up the order form, they are automatically using the "https" address. This ensures that the data transmitted by the customer's browser to your web server is encrypted, and thus provides complete end-to-end security for the credit card transaction.
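A check for the last step above, written as an added example that is not part of the original article: it scans a page for links and form actions that would reach the order form over plain "http", including relative links that silently inherit the scheme of the page they sit on. The host name, the order form path "/orderform.cfm" and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _RefCollector(HTMLParser):
    """Collect link targets and form actions from one HTML page."""
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, raw attribute value)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.refs.append(("a", attrs["href"]))
        elif tag == "form":
            # A form without an action posts back to the page's own URL.
            self.refs.append(("form", attrs.get("action") or ""))

def insecure_order_refs(page_url, html, order_path="/orderform.cfm"):
    """Return references to the order form that would not travel over https."""
    parser = _RefCollector()
    parser.feed(html)
    findings = []
    for tag, raw in parser.refs:
        resolved = urljoin(page_url, raw)  # relative refs inherit the page's scheme
        parts = urlsplit(resolved)
        if parts.path.lower() == order_path and parts.scheme != "https":
            findings.append((tag, raw, resolved))
    return findings

# Constructed sample: a catalogue page served over plain http.
SAMPLE_URL = "http://shop.example.com/index.cfm"
SAMPLE_HTML = """
<a href="orderform.cfm">Order now</a>
<a href="https://shop.example.com/orderform.cfm">Secure order form</a>
<form action="http://shop.example.com/orderform.cfm" method="post"></form>
<a href="/catalog.cfm">Catalog</a>
"""

if __name__ == "__main__":
    for tag, raw, resolved in insecure_order_refs(SAMPLE_URL, SAMPLE_HTML):
        print(f"<{tag}> {raw!r} resolves to {resolved}")
```

On the sample page the relative link and the explicit "http" form action are both reported; only the absolute "https" link passes.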