Web Development Guidelines
Resources for Creating a Web Site at Johns Hopkins
This document outlines issues, general procedures, and guidelines that should be considered when conducting e-commerce via web sites hosted by the Johns Hopkins institutions. E-commerce could include transactions such as purchase of goods and services, charitable donations, dues payments, tuition payments, and other exchanges of confidential financial information online.
This document covers issues related to e-commerce in general without reference to any specific operating system or application.
There are a number of steps that a department, lab, center, or other Johns Hopkins entity must undertake in setting up online commercial activity.
All revenues received must be collected and reported according to standard Johns Hopkins financial procedures. Revenues must be deposited in a Johns Hopkins bank account. Consult the Account Management section of the Guide to Internal Controls: http://www.jhu.edu/~ohia/guide/acctmgmt.pdf. Please contact the Treasurer's Office at (443) 997-8120 for more information.
Departments should be aware of the implications of Unrelated Business Income Tax (UBIT) and determine whether some or all of the revenue will be subject to UBIT before launching a commercial site. For more information, please review IRS Publication 598: http://www.irs.gov/pub/irs-pdf/p598.pdf.
Sales tax on appropriate transactions must be collected. Check the Sales Tax section of the Guide to Internal Controls: http://www.jhu.edu/~ohia/guide/salestax.pdf.
Revenues that are charitable in nature (e.g. gifts or donations to the Johns Hopkins institutions) should be routed to Development Information Systems (410-625-8370) or the Fund for Johns Hopkins Medicine Stewardship and Development Services office for further processing. Donors will not receive legal tax receipts for their gifts if transactions are not forwarded to one of these offices.
In order to accept credit card payments online you must have an account with a card processor and with Johns Hopkins' bank. Johns Hopkins' merchant ID provider is Card Services, International (CSI). For more information about setting up a merchant account, contact Development Information Systems (410-625-8370).
Encryption
Web servers that collect credit card numbers or other confidential information from visitors must use encryption, deploying the highest level of Secure Sockets Layer (SSL) that is available and allowable. Site administrators should be aware that SSL only protects data in transit between the client PC and the server; it provides no encryption or other protection for data once it is stored on the server. Please refer to the Web Security Guidelines for detailed information on SSL and other security methods.
Credit card data
Credit card information should NOT be stored on Johns Hopkins servers. Hiding credit card numbers and other sensitive information in "_private" directories or in non-web-enabled directories does not protect this information adequately: such directories are still readable by anyone who gains access to the server. Under no circumstances should unencrypted credit card information be stored on any PC or server, whether or not it is accessible over the network.
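As an added example (not part of the Johns Hopkins guidelines), a small scan a site administrator can run against a web root to verify the rule above: it walks every directory, including "_private" and non-web-enabled ones, and flags files holding plaintext card numbers, using the Luhn check to separate real card numbers from order ids and phone numbers. The sample directory tree and the 4111 1111 1111 1111 test number are constructed here for the demonstration.

```python
import os
import re
import tempfile

# Candidate primary account numbers: 13 to 19 digits, optionally separated
# by single spaces or dashes, not embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn mod-10 check; rejects most random digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid card numbers (separators removed) found in text."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_tree(root):
    """Map each file under root that contains a plaintext card number to the numbers found.
    os.walk descends into '_private' and every other directory, since hiding a file
    from the web server does not hide it from someone who reaches the filesystem."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    pans = find_pans(fh.read())
            except OSError:
                continue            # unreadable file: skip, keep scanning
            if pans:
                findings[os.path.relpath(path, root)] = pans
    return findings


def demo():
    """Constructed web root: an order log hidden in '_private' holds a test card number,
    while index.html holds only a phone number and a non-Luhn 16-digit invoice id."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "_private"))
    with open(os.path.join(root, "_private", "orders.txt"), "w") as fh:
        fh.write("order 20031104-0001 card 4111 1111 1111 1111 exp 12/05\n")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<p>Call 410-625-8370 or quote invoice 1234567890123456</p>\n")
    return scan_tree(root)
```

Running `demo()` reports only `_private/orders.txt`; any non-empty result is a file that must be removed or re-processed through the payment gateway, not merely moved to another directory.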
Credit card transactions
Credit card transactions received via a web site must be processed electronically (i.e. not printed out and processed by hand through a POS system). Failing to use payment gateways is a violation of our institutional merchant account contract.
Privacy
All web sites that collect personal information from visitors must have a privacy statement describing what information the site collects from its customers and how that information will be used. Please refer to the Privacy Guidelines for more information and sample privacy statements.
Using scripts
Programs, scripts, applications, etc. running on an e-commerce site should be routinely reviewed to determine whether unauthorized scripts have been added or other signs of intrusion are present that could compromise security.
Routine testing
Test transactions should be submitted on a routine basis to ensure that data is being transmitted, collected, and reported as expected.
Maintaining security
Site administrators should keep abreast of security alerts and patches that may affect the security and integrity of their particular web server or database system. For more guidelines about establishing and maintaining secure web servers, please refer to the Web Security Guidelines.
E-commerce sites should:
A shopping cart is an application that allows site visitors to make several selections and then submit a single payment. For the web site designer, shopping cart applications provide an interface for creating and maintaining a catalog of items for sale. Shopping carts also provide back office reports and data that allow merchants to fulfill orders, track inventory, and other functions.
The merchant account provider for Johns Hopkins, CSI, has a list of partner shopping cart vendors available on its web site: http://www.cardservice.com/partnerships/partners.aspx#carts.
Before beginning any Johns Hopkins Institutions web project, please contact the appropriate office in your area for assistance with guidelines, standards or existing programs. If there is any doubt about the methods for collecting, storing, or displaying sensitive information on web sites, the Johns Hopkins legal departments (410-516-8128) should be contacted for a definitive answer about Hopkins' liability and responsibility.