Much of this information is from Authorize.net and from a very helpful online store merchant ArtisticGiftBaskets.com who have done a great job explaining what happens and have given me permission to repost it here.

First a few definitions from Wikipedia:

Address Verification System (AVS) is “The Address Verification System (AVS) is a system used to verify the identity of the person claiming to own the credit card. The system will check the billing address of the credit card provided by the user with the address on file at the credit card company. The other security features for the credit card include the CVV2 number.”

Authorization Hold is “Authorization hold (also card authorization, preauthorization, or preauth) is the practice within the banking industry of authorizing electronic transactions done with a debit card or credit card and holding this balance as unavailable either until the merchant clears the transaction (also called settlement), or the hold “falls off.” In the case of debit cards, authorization holds can fall off the account (thus rendering the balance available again) anywhere from 1–5 days after the transaction date depending on the bank’s policy; in the case of credit cards, holds may last as long as 30 days, depending on the issuing bank.”

Now, with these two definitions in mind, let’s look at what happens  when you make an online purchase (again, info courtesy of  Artistic Gift Baskets):

The financial industry requires fund verification/fund reservation BEFORE address verification (AVS) occurs. It works like this:

1. You enter your credit card information into the payment page and submit for payment.
2. Your bank or credit card company is electronically contacted to verify if funds are available.
3. If funds are available, the bank or credit card company authorizes the amount, reserves that amount, and attaches an “authorization code” to the amount.
4. AFTER the funds are verified, your name, address, and billing info is then sent electronicaly to a separate Address Verification System (AVS) for validation.
5. If you entered any incorrect billing information, the AVS system rejects the verification and the card is declined.

The Result: Multiple attempts means multiple authorizations from your bank, appearing as multiple charges. These are not acutally charges, but temporarily holds that automatically expire based on your bank’s policies. ArtisticGiftBaskets.com , nor any other merchant, has absolutely NO CONTROL over the fund verification/AVS process or this specific problem.

The Solution: eCommerce is a still a new frontier and many of the problems / legal issues still need to be ironed out. We feel that federal legislation should be in motion to require financial institutions to reverse the current AVS/Fund Authorization process so that funds are not held prior to AVS.

So the bottom line, is that each time your are shopping online and your credit card is declined – there may be a hold put on your bank for the amount of the purchase. And if you try, and try, and try again and are unsuccessful – there will be three holds placed on your card. Again, these holds are placed by the cardholder’s bank, not the business owner, not the business owner’s merchant account, not the business owner’s gateway account. There is nothing the business owner can do to remove these holds.

Why doesn’t the bank put the hold AFTER the AVS is approved? We have no idea, this seems logical to me, but this is what banks do. And there are many store owners with really angry customers who can do nothing but apologize and ask the customers to vent their anger towards their banks. In this sense, the authorizations holds are a little like overdraft charges – they are really not the fault of the merchants – but a policy of the banks.

This new bill would ammend 82.32 RCW adding language that would seem to fix the problem that many of us who own online stores have – namely that we’re supposed to be charging tax based on the customer’s address, the “destination”.

Here’s the language:

NEW SECTION. Sec. 2. A new section is added to chapter 82.32 RCW

4 to read as follows:

5 (1) Retail sales of tangible personal property and digital goods

6 shall be sourced to the location where the order is received by the

7 seller if:

8 (a) The order is received in this state by the seller and where

9 receipt of the product by the purchaser or the purchaser’s donee occur

10 in this state. However, when products are sold in conjunction with a

11 retail service, both the product and the service must be sourced as

12 required in RCW 82.32.730;

13 (b) The location where receipt of the product by the purchaser

14 occurs is determined pursuant to RCW 82.32.730(1) (b) through (d); and

15 (c) At the time the order is received, the recordkeeping system of

16 the seller used to calculate the proper amount of tax to be imposed

17 captures the location where the order is received.

18 (2) For purposes of this section, the location where the order is

19 received by or on behalf of the seller means the physical location of

20 a seller or third party such as an established outlet, office location

21 or automated order receipt system operated by or on behalf of the

22 seller where an order is initially received by or on behalf of the

23 seller and not where the order may be subsequently accepted, completed

24 or fulfilled.

If you’re in Washington, contact your legislators to learn more about this bill and if indeed does get rid of the nearly impossible to implement “destination based sales tax”, help get this bill out of committee and up for a full vote. This would be a great improvement and make it much easier for online store owners.

1. Set up an email address like “ssladmin@yourdomain.com”
During the purchase process, GeoTrust will give you a bunch of email choices and you’ll need to have this set up in advance.

2. Obtain your CSR
CSR stands for “Certificate Signing Request“. It’s a big string of code that your web hosting company generates using a “key”. It’s available inside DreamHost’s control panel. They’ve moved things around a bit so I’m reluctant to detail the steps, but it’s under Domains -> Secure Hosting. It will look something like this:

—–BEGIN CERTIFICATE REQUEST—–
huge bunch of letters,numbers, characters, etc
—–END CERTIFICATE REQUEST—–

3. Purchase your SSL certificate from GeoTrust.
I usually get the Quick SSL Premium. As part of the purchase process, you’ll be asked to paste in the CSR from step #2, so have it handy. You’ll also be asked to select an email address that GeoTrust will send an approval to – so make sure you’ve completed step #1 first. Once you’re done paying, you’ll get an email asking for your approval. Once you approve it, you’ll get an email with the certificate code.

4. Give certificate code to DreamHost.
Add the certificate code to the appropriate location inside DreamHost’s control panel. It will be in the same place that you found the CSR code. Follow the steps to complete the SSL process. If you have issues, submit a support ticket to DreamHost and they’ll help you fix whatever’s broken. They’re quite helpful.

5. Check the SSL installation.
I usually do several things to check the installation. First, I go to the website but add “s” onto http, so you go to “https://yourwebsite.com”. Look for any error messages and make sure you see a padlock somewhere in your browser indicating a secure certificate has been found. If all looks good, then I contact GeoTrust and ask them to check the installation for me as well. I’ve used both their online chat service and their email service to do this. Once they give me the OK, I’m done! I’ve also recently gotten a link to the GeoTrust Certificate Checker Tool.

The first red flag I found, was when I tried to check out, and got to the page where you enter your name and billing information. My browser (Firefox) gave me this warning:

Security Warning

Your have requested an encrypted page that contains some unencrypted information. Information that you see or enter on this page could easily be read by a third party.

Now, since I work with online stores, I know that sometimes these warnings are triggered by very benign issues, so I went ahead to the next step in the process since it hadn’t asked me for my credit card info yet.

The second red flag, was that the online store was charging me $9.95 for shipping. Now, I was purchasing carbon offsets – meaning that there was literally nothing that was being shipped to me. Not wanting to get charged for shipping when there was nothing being shipped, I stopped the checkout process and started looking for a phone number to call.

The third red flag, was that the phone number I found didn’t work.

So I emailed the company telling them about all of these issues. This was a Saturday.

On Monday, I got a phone call (from a wireless number, according to my caller id) from the company. Even though I had detailed all of the above issues in an email, they wanted to know what my problems were.

I told them about the security issue, and they assured me their store was secure. I politely informed them that, no, it wasn’t. Until my browser warning goes away, the store is not secure. They said they would relay this to their “technical staff”.

They also told me that since my purchase was under $50, I was being charged shipping – even though nothing was being shipped – they said, sorry, that’s the way the online store is set up. They offered to give me a refund after I made the purchase. They were not the least concerned about charging other people for shipping when nothing was being shipped.

Then they said that their website was being completely redesigned and that it would be done “next week” and all these issues would be fixed.

Lastly, I told them about their non-working phone number, and they said, yes, it was fixed now. (I called to verify this, and while it was working, it was a voicemail for a person – it didn’t mention the company name at all).

I asked the company if they would email me when their online store was secure, and they said they would, and then simply hung up.

Since I develop online stores for my clients and do quite a bit of online shopping, I am always on the lookout for online stores ways of conveying trust – telling their prospective customers through all kinds of ways that they can trust their online store. But trust must be earned, and when you encounter a security warning, unwarranted shipping charges, and a disconnected phone number, you’re inclined to take your business elsewhere. With online stores, details matter!

I ended up purchasing my carbon offsets from a different company, whose website was secure, who didn’t attempt to charge me shipping, and who had a real live person at the other end of the phone.

Adding an online store to your small business website is a big endeavor – and you want to be sure you’re getting the most out of your online investment. Here are a few tips and examples that will hopefully help you either make a wise online store application purchase, or fully optimize your existing store.

1. Make sure each product page has it’s own unique, specific title tag.

The page title is what’s seen in your browser window at the very top edge. Here’s an example: https://ahimsadogtraining.com/store/manners-minder–treat-and-train.php. This page’s title is “Manner Minders Sale / Treat and Train…” Page titles are important to search engines, and what comes first matters most. Therefore you want an online store to have the product name come first in the page title.

2. Use keywords in the product description.

Search engines can’t see images of your product, so be sure to use many different keywords in your product description to help that product page rank well. In the example above, note how many times “Manners Minder” is used in the product description. Don’t be afraid of being repetitive.

3. Make sure each product page has it’s own unique, specific description tag.

The description tag (like the title tag) is viewable either by looking at the source code of a page, or by looking at a search snippet. In the online store I work with, the description tag is automatically set to be equal to the short text description, but your store may be different.

4. Enable reviews/product comments.

Remember search engines love content that’s relevant to your product. If your online store supports reviews, you may want to enable them to let folks add their own content about particular products.

5. Make sure your online store product pages are crawlable by Google et al.

In the past, some folks would say that dynamically generated pages, like online stores, wouldn’t get crawled and indexed by search engines. In general this is not the case, but it’s always good to double check to make sure the product pages of your online store are getting crawled and indexed. Here’s how to check to see which pages of your website have been indexed.

Many of the general rules of SEO apply to online stores, the tricky part is that online stores are dynamically generated content, and so it is important that your online store lets you manipulate the title tag, the description tag, and that your store’s product pages are easily crawled and indexed. When shopping for an online store, ask your web developer to show you examples of existing stores, and then check to see for yourself whether the stores’ product pages have been indexed.

This is topic covers one of the things that annoys me the most when I’m shopping online. I recently had a particularly frustrating purchasing experience with Ticketmaster that I wanted to share. This example will help explain why I’m so against forcing online shoppers to create a login account before they can purchase something from your online store.

I was simply trying to purchase tickets for a Seattle Storm game using Ticketmaster online. When you purchase tickets using Ticketmaster, they have this system that automatically tracks how much time you are taking to make your purchase. If you take longer than 2 or 3 minutes, you will lose the tickets you’ve selected and get bumped out of the system. I presume this is to prevent folks from taking tickets and then sitting on them, preventing someone else from buying them. But I offer up my own experience as evidence that giving folks 2 or 3 minutes to complete a purchase is not long enough – especially when you force them to make a customer login account.

So here’s what happened. I selected my tickets and started the check out process. But Ticketmaster forces you to make a customer login account before you complete your purchase, and so, annoyed, I attempted to make an account. Here’s what I got:

Click on the image to make it bigger. It says “Please complete this page within 15 seconds”. And the following warning to tell me that the email address was already registered and I can request the password be sent to me. Now, I timed myself, and it took me 15 seconds just to read the message on this page. And remember, I didn’t want to have to create a login in the first place. I just wanted to buy tickets. I wanted to give them my money. But since they forced me to login, and the clock was ticking, I plain ran out of time:

“You exceeded the time limit and the tickets have been released”

Like this was my fault? I was just trying to give them money, but because they forced me to create a customer login that I didn’t want to create in the first place, and apparently they had my email address on file already, I ran out of time. Needless to say, I was pretty angry. And that they were blaming this on me, the customer – when in fact, it was their own system that is causing the issue, by forcing me to create a login account.

So don’t do this to your customers. If you’re shopping for an online store, I highly recommend one that lets you set customer login accounts as OPTIONAL. The ecommerce store I work with has this setting and all the online stores I develop have this set to optional, not forced. Not all online stores let you make this setting, so be sure and check this out before you buy an online store application.

Don’t force customers to log in to make a purchase – let them make that decision – and if they just want to give you their money and be done with it, let them do it. Let your customers have the fastest possible checkout time and the least amount of frustration and they’ll reward you with completing the purchase.

Understanding How Websites Work: Servers and Browsers

I’ll start with an explanation of how websites work. Website files live on a machine called a server. If you own a website, you’re paying someone to “host” your website files, and this means you’re paying them for a teeny bit of space on a server (if it’s shared hosting). Somewhere out there, there’s a computer that has your website’s files on them and that computer is your website’s server.

When you get on the internet, and you call up your website, you are viewing it using an application called a browser. Maybe it’s Firefox or Safari or Internet Explorer or another kind of browser. Here’s what’s happening behind the scenes. Your computer’s browser goes and fetches the files from your server and displays them for you. Browsers only read HTML (HyperText Markup Language). So the files need to be in HTML in order for your browser to understand them and display them to you.

So, your website files live on a server. And your computer’s browser fetches the files and displays them for you, depending on which URL you type in.

Databases and Servers

Now, here’s a little twist. Remember I said browsers can only understand HTML? Well, there are a bunch of other languages that only servers can understand. One of these languages is PHP. This is why PHP is known as a “server-side” language. PHP is a cool language because it does much more than HTML can do.

PHP can do logic, solve problems, and put things into and get things out of databases. It can also build HTML code. Now remember, browsers can’t read PHP code, only HTML code. If you are looking at a page in your browser that ends in .php, you’re looking at HTML code, the actual PHP code won’t be visible to you.

Static Web Pages

Static web pages are simply files, typically ending in .html, that contain all the content necessary for a browser to display a web page. This might be text or images. Like the files contained in your own home computer, static web pages are actual files…you can open them, edit them, save them, delete them. What you see is exactly what you get. The static web page can “stand alone” because it contains 100% of the information you see – no other files or information are needed.

Dynamic Web Pages

Dynamic web pages are different animals. They don’t actually exist as complete files on your website’s server. They are created, in the split second that someone calls up a page – and their content is often based on what’s in a database. Often they need variable values that guide them to select particular things from a database.

You know how you can be sitting in a room and look out a window and see a tree in your back yard? The tree isn’t really in the room. If you close the window blinds, the tree disappears from view, but it’s still in the back yard. Think of the back yard as a database that holds the tree, and the view from the room as your browser. You can see the tree in the view, but it’s really in the back yard.

In the same way, you can be looking at an item on the page of a shopping cart, say you’re looking at a image of shoes. Now, your browser is showing you the image, but the image of the shoes isn’t really part of the web page file. If you were to open the web page file and look at it, you wouldn’t see code for that particular image. What you would see is code with instructions to fetch an image from a database based on certain criteria. The picture of shoes is really stored in a database – and it being shown to you because you asked for this item. But just like the tree, it’s just a view of what’s in the database, it’s not really part of the web page file.

These pages are called “dynamic” because they appear to change. They change because one time you might want to shop for shoes and another time a book. The actual code on the page stays the same, but because you asked for books versus shoes, the code on the page ran over to the database and got the appropriate information and then constructed a HTML page for you to see in your browser. The PHP on the page remains constant, but the HTML, what you actually see in your browser, changes depending on what variables you send.

An Example:

Let’s look at an example. I realize you might not know any computer code at all, so this will be super simple.

Static:

<img src=”shoes.jpg” />

This code will display an image that is called “shoes.jpg”. This is all it can display.

Dynamic:

<img src=”<PHP echo $itemnumber ?>.jpg” />

Now, which image will this display? It can’t, unless it gets more information. If this page of code receives the value of the variable $itemnumber, it will display the correct image. But without this additional information, it displays nothing. (The PHP part of the code is in red.)

So in order for the page to display correctly, you need to send it the value of the variable $itemnumber. This can be done in many different ways, but suffice to say you tell it you want itemnumber 123 and it will display the image named “123.jpg”. If you send it “234″ , it will display image “234.jpg”.

Here’s a diagram:

Why Does This Matter?

It matters because if you are writing a blog or running an online store or hosting a forum, you’re probably using dynamic pages for much of your content. And it’s important to understand how these pieces work together to create the web pages you see in your browser. You may on occasion have to tinker directly with your database or back up/restore your database. You may also want to make changes to your pages and understanding which content is generated dynamically and which is static, can help you make good decisions and help keep your web designer’s sanity

But how often do you notice whether the little padlock in the upper right hand corner of your browser is actually there? This article serves as a reminder to always, always, always check.

I went to a website recently that asked me some personal information, namely, my social security number. This request surprised me, especially given the nature of what I was trying to accomplish. So I looked at the website, and here’s a screenshot of what I saw (note, I’ve tried to hide the identity of the actual website, that’s why some parts are blurry):

Notice the nice “Welcome to our secure online loan application” and the Verisign secure seal? But look again. There’s no padlock icon in the upper right hand corner of the browser. And the website is not secure at all, because the URL is “http” and not “https”. If it’s not “https”, it’s NOT secure.

Needless to say, I wasn’t going to put in my social security number.

But I did some investigation, because I’m curious and quality minded. I thought, well, maybe the web designer just forgot to put the “s” in the URL. So I typed it in. Here’s what I got:

This is a warning from my browser telling me that the SSL certificate belongs to “secure1.valueweb.com” and that it doesn’t match the website that I’m on. Not looking good.

I try another tactic. I click on the Verisign seal. Here’s what I get:

When you click on these security seals, you are checking back with the company that issued the seal to see if indeed it matches the website that you’re on. In this case, I was on a mortgage site in Washington, and the seal belonged to a software company in California.

I clicked on the “Report Seal Misuse”, emailed the webmaster, and emailed the mortgage company. While I never heard back from Verisign or the webmaster, the mortgage company did contact me. Hopefully they’ll get it fixed soon.

So there’s a big lesson here. If you hire someone to build a website and you need a SSL installed, verify for yourself that it’s working. If it’s done correctly you should see a little padlock in the upper right hand corner of your browser. The URL should be “https”. You should get no browser warnings. And if you click on the SSL seal, it should match the website perfectly.

Without these things, consumer confidence will disappear, like mine did, and your customers will leave, just like I did.

Be careful out there!

I wanted to write this article to provide help for other online retailers who may be asking the same question, because the answer was a bit hard to find.

If you’re in Washington State, here’s the link to the law: WAC 458-20-110. Shipping is considered a “Delivery Charge”.

It states:

Gross proceeds of sales and selling price include all consideration paid by the buyer, without any deduction for costs of doing business such as material, labor, and transportation costs, including delivery charges. Thus, delivery charges by the seller are a component of these tax measures.

And also:

Delivery charges by the seller making a retail sale are a component of the selling price. If the sale of the tangible personal property or service is exempt from retail sales tax, such as certain “food and food ingredients,” retail sales tax does not apply to the selling price, including delivery charges, associated with that sale. Similarly, if the product is sold at wholesale, retail sales tax does not apply to the delivery charges of that sale.

Now, again, this law only applies to the State of Washington. And you only charge Sales Tax if you are a business in Washington and selling to a customer in Washington and if the item you’re selling is subject to Sales Tax. If you’re in a different state, you should look up the appropriate law or consult with a local tax person.

Note: This article is not a substitute for professional tax advice. Please consult with a local tax expert to get the right answer for your online business.

Many of my website clients, after watching their website traffic statistics, are dismayed to see many people coming to their website leaving after only visiting one page (this is called the “bounce rate“).

They also often see visitors who may look around at several pages and then decide to leave without purchasing anything.

They even see people who were very close to a purchase. Visitors who after adding items to a shopping cart and starting the check out process, left before completing the purchase ( this is called “shopping cart abandonment“). While all of these visitor activities are normal and expected, what’s often surprising to my client is how often they happen.

This begs the question: how much traffic does it take to make a sale, or have a prospective client fill out a contact form? This metric is known as “conversion rate“. It can be used to measure any desired behavior of your website visitors. If 100 people visit your site and 1 fills our your contact form, your conversion rate is 1% (1 contact form / 100 visitors). Since most new website owners have no experience with website statistics, I’ll share some of the data from my own website and from what I’ve seen on some of my client’s websites.

Conversion Rate:
How do you measure conversion rate? Some website traffic tracking tools have built in ways of tracking this for you. All that is needed is to label the appropriate target page. The website tracking software tracks how many total visitors you have and what percentage of them hit the target page. Each time they hit the target page, they are considered to have “converted”.

Different Examples of Target Pages for Conversion Tracking:

• Shopping Cart “Thanks” Pages (last page after sale is completed)
• Contact Forms
• Newsletter Subscription Pages

On my website, I have two target pages, my contact form and my online ecommerce demo store.

Let’s look at my conversion statistics for my contact page:

Google	1,244	45	3.6 %
Direct Access (no referrer)	287	17	5.9 %
Google-Intl	227	6	2.6 %
MyClients	29	3	10.3 %

This data indicates that visitors who come from Google in the US, convert at a rate of 3.6%, while visitors who come from the websites of my clients, convert at a higher rate of 10.3%. (This data was collected using the Web-Stat.com traffic tracking tool.)

This makes sense doesn’t it? That the people who are following a link from one of my clients’ websites are more likely to convert than a complete stranger who found me on Google?

Measuring Quality of Website Traffic

Conversion rate tells us something about the quality of the website traffic source. If you are paying for traffic by utilizing pay-per-click online advertising measure the quality of the traffic that you’re paying for is super duper important to determine your return on investment. It’s easy to label your paid traffic sources and categorize them in Web-Stat so that you see if one ad has a higher conversion rate than another. This is one of the really neat things about the web and online advertising.

Remember, The “Real” Conversion Rate May Be Lower

If your conversion target is a contact form, then your “real” conversion rate will be lower than the conversion rate measured by the contact form conversion rate. Why? Because not everyone who contacts you will be converted into a customer.

Tiny Numbers

Now you’re thinking, hey, these conversion rates are getting to be pretty small numbers. Let’s say out of the people who contact you, 25% are converted to clients/customers. This means your real conversion rate is 25% of 3.6%, which is 0.9%. This means, to get a new customer, you need to have 100 people visit your website from Google, for example. Think about that. If your contact form to client conversion rate is 1 in 10, then you will need 277 visitors to get 1 client. Tiny numbers.

Setting Expectations for Conversion Rates

So don’t expect to have every visitor turn into a customer – it’s just not the way the web works. It’s a percentage game, and you will need a certain level of good quality traffic to turn enough of those visitors into clients.