One Click Ordering (usability)

[yasunobu13]

I work with a small publishing firm. The head guy (who doesn't quite think things through all the time) wants to mimic Amazon's One Click Ordering on his web site to sell books. First off, it would be a pain in the butt to actually implement because we would have to modify the shopping cart system (zen cart) as I don't think that it has been implemented yet.

But I was wondering what sort of usability questions this raises (not to mention legal issues of storing credit card information on a not-so-secure server). I went to amazon and tried it out. Sure enough I went directly from a details page about a DVD straight to a page that said the order was to be shipped soon. All in one click. There was no confirmation involved, which I would think you'd want for online purchases.

I then had to look around to see what I needed to do to cancel the order

Any thoughts? It doesn't seem so great for the casual clickers out there.

[PAlexC]

(not to mention legal issues of storing credit card information on a not-so-secure server).

Don't.

[jAQUAN]

there has to be some sort of "Yes this worked, no it's not broken" change on the screen.

[Markp.com]

Can't they still have one click which then takes you to the enter your creditcard page, or basket, two click ordering?

[Ultima Designs]

Don't.

Yeah, you don't do that. You let an credit card processing agent handle and store credit card numbers. Those numbers should never be stored anywhere on your server. Not worth the risk.

[yasunobu13]

Can't they still have one click which then takes you to the enter your creditcard page, or basket, two click ordering?

That's my suggestion. Have a button that adds it to the basket and proceeds to checkout

[tonytryout]

if you own the server, why not purchase a 128-bit SSL? It is not that expensive...

To make it even more secure, you could encrypt the card details in your database.

This is what I have done for some clients.

[Ultima Designs]

if you own the server, why not purchase a 128-bit SSL? It is not that expensive...

To make it even more secure, you could encrypt the card details in your database.

This is what I have done for some clients.

See, but what if someone manages to hack the server, download the encryption key from your files, and decrypt the card number? We just hash (md5) the card number so that you at least have something to compare it against if necessary, but it isn't reversable. Then, if you need to actually deal with the card number, you can do it on the processor's website instead of your own.

[PAlexC]

It's a big liability to take on. I'd look for a 3rd party processor.

[rafiki55]

Kinda OT, but isn't their one click system patented? I remember a big controversy about it a few years back... although I don't know if Amazon won the case to keep their patent.

[tonytryout]

See, but what if someone manages to hack the server, download the encryption key from your files, and decrypt the card number? We just hash (md5) the card number so that you at least have something to compare it against if necessary, but it isn't reversable. Then, if you need to actually deal with the card number, you can do it on the processor's website instead of your own.

I currently use md5. The server is at a datacentre with 24 hour security, visitors are always occupied by staff, and you require 4 logins just to get into the server. In addition, to protect the credit details even more secure, it is automatically erased once the payment/donation is processed.

However, nothing is 100% secure not even the 3rd party providers can do this.

[yasunobu13]

I currently use md5. The server is at a datacentre with 24 hour security, visitors are always occupied by staff, and you require 4 logins just to get into the server. In addition, to protect the credit details even more secure, it is automatically erased once the payment/donation is processed.

However, nothing is 100% secure not even the 3rd party providers can do this.

They own the server and keep at the design firm with not one person who is knowledgeable of security. Ultima summed it up quite well why they shouldn't have any way to retrieve the credit card information.

[TallGuyLittleCar]

It's a big liability to take on. I'd look for a 3rd party processor.

I agree with PAlexc, that is not a buck i want stopping at my desk.

[yasunobu13]

What kind of third party places are there that would allow one-click ordering though? A customer clicks the button, we would have put the item in the cart, go to checkout, use standard shipping and addresses and retrieve the credit card info to place the order on.

All this, and I doubt these guys want to pay a third party in the first place. That's reason why they host it themselves, a dedicated server was too pricey

But, ignoring the security issues for now, is it even a good idea to have one-click ordering at all? Assuming that your information will never be seen by human eyes other than your own, is it still a good design to be able to accidently click a button and have bought a $50 book?

[creativeinsomnia]

I would be against the whole one click ordering from a usability standpoint if that's all you're asking. A lot of online shoppers accidentally click...it's nice to see a confirmation page, sort of comforting, along with a "order processed" page. I think it's universally accepted and expected. Seems like it would be a pain to cancel an order if you accidentally clicked, and for an unsaavy user, they would be completely turned off by the hassle.