Update on "Ideas"

Posted At : June 20, 2009 8:18 PM | Posted By : Admin
Related Categories: ColdFusion,Software Development,General,Code

A while back, I did a post asking for ideas for an open-source project. Having thought long and hard about the many (truly excellent) ideas, I think I'm ready to begin the next phase.

I've decided to go with an Ajax-based ecommerce system. While there was a good deal of enthusiasm for a CMS, there are some very good ones out there now and I think we'd all benefit from having a really nice, flexible ecommerce system.

I'm planning on taking this slowly, and at this point, I'd really like to get your ideas about the following categories:

MUST: What features must the system have to be usable? In other words, what features, were they to be lacking, would make any ecommerce system unusable?

NICE: Having passed the bar of MUST, what features would you really like to see in the ecommerce system?

NOT: What would you like to see omitted from such a system? This category could also be used to indicate particular "gotchas" from features in the MUST or NICE category.

Also, if you would be willing to work on this system, please send me an email to h a l @ h a l h e l m s . c o m telling me what areas (graphics, architecture, coding, internationalization, etc) would you like to work on?

Thanks!

Comments (23) |

Print |

Send |

del.icio.us |

Digg It! |

Linking Blogs | 1621 Views

Comments

[Add Comment]

NICE: One thing I notice in Amazon is that I can change items in my cart from Buy Now to Buy Later or similar. Unfortunately for Amazon, I never get a reminder that there's stuff in there I might want to now buy. Too bad they don't email me once a month with the fact that items are in my cart and link to it.

# Posted By Will B. | 6/20/09 10:08 PM

@WillB: You would probably be better off with a wish list type feature. It is a great way to store store for purchase later (or to tip other people off if they want to get you a gift). Many sites are using it now and I think it's a great idea.

# Posted By Raymond Camden | 6/20/09 10:37 PM

Hi Hal,

e-Commerce is a great idea and I would suggest check some best accepted solutions such as oscommerce.com etc.

I am ready to provide my help especially for i18N part.

I also would like to suggest Git as version control for a better team collaboration.

Thanks again for an idea like that.

# Posted By Oğuz Demirkapı | 6/20/09 10:39 PM

Here is my 2 cents for a NICE:
Have a big emphasis on a clean separation between the model/backend and the user interface. Yes, an Ajax interface would be pretty an all, but I think much more beneficial for everyone would be if anyone can just pickup the "engine" of the ecommerce system and plug it into any type of interface they need. That way you can go from a simple html+cf interface, to Air, to Flex, to Framework XYZ, to anything you want.

# Posted By Oscar Arevalo | 6/21/09 1:22 AM

MUST: Keep cart "state" indefinitely. People often browse and put items into the cart, only to abandon it and return days later to make a purchase. Perhaps a JSON-formatted cookie would be best? It's either that or keep cart data in the DB, which would lead to a lot of useless records if you want to keep the data indefinitely.
NICE: Item attributes should be standardized. Maybe match them to the attributes in Google base?

# Posted By Russ S. | 6/21/09 5:28 AM

This is great!

@Oğuz: I know very little about Git. Perhaps you'd be able to set us up and give us a little knowledge about using it?

@Oscar: Agreed. Even if we provide a front end for it, it should simply be one client implementation. That's one of the biggest shortcomings I see in ecommerce systems. Sounds like we need a good API.

@Will B: Agree. I'm working on an ecommerce system for a client in which customers can select an entire tableware set and buy them over time. The advantage to the customer is that they receive a discount on each individual selection. We're planning on using their chosen set to (a) remind them when they come on the site and (b) periodically contact them to remind them about continuing the completion of their set.

# Posted By Hal | 6/21/09 1:35 PM

Hal,

I've thought of doing something similar. I even entered into discussions with AbleCommerce, which seemed to be the most mature CF-based e-Commerce system. AbleCommerce has stopped development of the CF version, and they were in fact open to selling it. The price was too high, and I was suggesting them to open-source it. I do know the code is somewhat spaghetti, but it did have tons of features.

Having had time to think this over, I think Oscar's comment is right on. You should be able to plug something robust into Mach II, ColdBox, MG, etc, or work with AIR, Flex, HTML.

For a list of features, its easy to skim other systems. An e-Commerce system never seems to have enough features.

# Posted By Sami Hoda | 6/21/09 9:43 PM

Also, take a look at http://cfcommerce.org/. There was an attempt, don't know how far it got.

# Posted By Sami Hoda | 6/21/09 9:45 PM

Must: The consumer wants to see products, buy them using their credit card or Paypal.
Unusable: Lack of https support.
Nice: The merchant wants some sort of dashboard to see who's "shopping" in your store, and a "Can I help you?" feature.
Must: Keep track of profits for taxes.
Nice: Integration with Quickbooks.
Nice: Drop shipping, so when someone signs up to this new eCommerce system, the only thing they have to handle is the money coming into their bank account.

# Posted By Phillip Senn | 6/22/09 12:03 AM

One "must" that I don't see mentioned yet is compliance with the PCI-DSS (Payment Card Industry Data Security Standards). I'm sure you're aware of this, but thought I'd mention it anyway. For those who have no idea what this is, stop any work you're doing on e-commerce and visit https://www.pcisecuritystandards.org/.

# Posted By Justin Scott | 6/22/09 12:59 PM

@Justin Well, we DO have a "security expert" position available that pays 3 times what I'll be getting paid for this. Interested?

# Posted By Hal | 6/22/09 1:05 PM

LOL, well, I'd be happy to make some contributions for PCI compliance once the code gets going and a solid foundation is in place. You can pay me with an invite to your card game sometime (although that may turn out to be me paying you).

# Posted By Justin Scott | 6/22/09 1:49 PM

Although I am a ColdFusion "fish" compared to the "sharks" on this thread, I would be willing to offer support. I can probably make my most significant contributions in the XHTML/CSS area.

# Posted By Chrisitan Ready | 6/23/09 12:10 AM

@Christian The problem with a lot of open source projects is that the leaders get too humble and nothing ever gets done. Nobody wants to have the responsibility for actually making a decision about features, and things just go around in circles until it just dies off. I've seen it happen time and time again. Hopefully Hal will take some suggestions, nail down a feature list and just run with it. If it's not perfect at the first release, things can be added or modified until most people are happy with it. Most don't get that far, however. I have an unrelated project on my own radar, but I won't be making any announcements until after coding on the base features is well under way.

# Posted By Justin Scott | 6/23/09 11:55 PM

@Justin Luckily, no one has ever accused me of excessive humility! ;-) We'll definitely get this thing going and I'll be heading up the effort making the most of all these great volunteers.

# Posted By Hal | 6/24/09 3:27 PM

My recommendation on the PCI DSS issue would be to focus on implementing the system to work with gateways that support the "hosted order page" model. So instead of accepting and transmitting card info from within the ecommerce app, you push the payment process off to the gateway's payment page. You can then focus your effort on writing a great ecommerce system and let the gateways worry about keeping card data secure. The PCI mantra should be: don't handle card data if you don't have to!

# Posted By Marc Henkel | 6/25/09 7:52 PM

@ Marc

With all due respect that really shows your lack of understand on PCI DSS.

if you're using a payment server provider its a requirement at the very least to complete the PCI DSS questionnaire. No matter even if you are using a PSP the end store has to satisfy at what level they need to meet (if any). Even PayPal Payments Pro! Anyone who runs a ecommerce store must understand this!

Paypal "If you're using Website Payments Pro or Virtual Terminal or your method of integration means you store card data, you are therefore responsible for your own PCI DSS compliance."

You have to prove you don’t need to meet the requirements now. Most sites using Paypal pro, WorldPay, Sagepay come will come under level 4 which is just a scan once a year.

# Posted By Glyn Jackson | 9/2/09 7:46 PM

Even at level 4, in addition to the external security scan (which is required quarterly, not annually), if the application you're using stores or transmits card information (i.e. you accept from the customer and run it through PayFlow Pro), it must still implement certain parts of the PCI-DSS such as the admin user account controls (automatic lock out, password complexity, password aging, etc.), logging access to card data, and such. Many people think it's just a matter of filling out the SAQ and getting a security scan, but it is somewhat more involved than that, even for a level 4 merchant.

# Posted By Justin Scott | 9/2/09 7:52 PM

Also, I think what Marc was getting at it to have the application handle everything up to the point where it asks for billing information. At that point, it would send the user over to PayPal's (or other payment processor) web site to complete the transaction. This way, the end user never enters their actual secure billing information into this application at all. The application just gets a callback from the payment processor that says "I got their billing info, transaction was authorized" or some such status message. Since the app never actually handled the credit card information, it's not in scope for compliance and the PCI-DSS would not apply (i.e. let PayPal and the like worry about that). If you're taking the info and then passing it to a processor yourself, then you're in scope and would need to be compliant. Marc's suggestion is to avoid taking the billing info at all and let a payment processor web site do that for you.

# Posted By Justin Scott | 9/2/09 7:57 PM

@ Justin Scott, sorry yes its quarterly.

however our customers using Paypal standard and SagePay VSP Form where the end user never enters their actual card details are still required to complete the questionnaire even if the outcome is you dont need to to meet any level. certainly over the last few months some of our clients have had to prove to the bank there are not storing card data or transmitting data (even in RAM for a second is storage)

# Posted By Glyn Jackson | 9/2/09 8:17 PM

its actually becoming a real issue for our clients, as banks and merchants are starting to ask them to prove it! and yes I was somewhat oversimplifying the issue even at Level 4. the point i am making is its not a given just because your using something like paypay you may still be forced to prove you dont need it

# Posted By Glyn Jackson | 9/2/09 8:21 PM

In those cases the banks are being overzealous. The PCI-DSS itself says (on page 5 of PCI-DSS v1.2.1), "If a PAN [Primary Account Number] is not stored, processed, or transmitted, PCI DSS requirements do not apply." Perhaps those banks need to be more educated about what they're trying to enforce.

# Posted By Justin Scott | 9/2/09 8:30 PM

I think the bank in the UK have some special deals with some of these companies and they must get a cut thats all i can think of! lol

# Posted By G Jackson | 9/2/09 8:35 PM

[Add Comment]

Archives By Subject

Shameless Money

Recent Comments

Recent Entries

RSS

Subscribe

Update on "Ideas"