NPI's Cascadia Advocate

Offering commentary and analysis from Washington, Oregon, and Idaho, The Cascadia Advocate is the Northwest Progressive Institute's unconventional perspective on world, national, and local politics.

Sunday, October 20th, 2013

Marco Rubio is wrong: Setting up a website where people can buy something is not simple

This morning, Senator Marco Rubio of Florida appeared on Fox Noise Channel’s Sunday morning show to talk politics with Chris Wallace. One of the topics the two men discussed was the rollout of the Patient Protection Act’s online exchanges, which unfortunately hasn’t gone too well. (Many people have tried to use the exchanges, only to be foiled by glitches and errors.)

During Rubio’s appearance, Wallace asked if Republicans were perhaps overstating the extent of the problems. Rubio replied:

No. You know, they need to get 7 million people on this thing. So, at the rate they’re going, even by their own numbers, it’s going to get there. Of course, many of these people that are filled this out certainly had made mistakes. Many — some won’t qualify.

Beyond that, you know, there is a lot of work to be done, in terms of getting other people on there, and there is no mechanism for them to be able to do that.

And let me tell you why that’s concerning — if enough people don’t sign up for this program, certain background in terms of health and so forth, the premiums on this program are going to become unaffordable. It gets into the sort of debt spiral where the premiums keep going up and then the whole program collapses.

And that’s the direction that we’re headed in.

But, again, I… the point that I wanted to make was, setting up… in [the] 21st century, setting up a Web site where people can go on and buy something is not that complicated. People do this every day. The inability of the federal government to set up a Web site where people can go on and buy something like health insurance does not bode well for the much more complicated elements of this law that are yet to be rolled out.

Emphasis is mine.

To me, Senator Rubio’s comment shows just how out of touch he is. I bet he’s never had to set up a website where people can “go on and buy something.” I have, and I can say from experience that Marco Rubio is wrong. Setting up an ecommerce storefront and getting it to work properly is a complicated endeavor.

Let’s consider what is involved, shall we?

We’ll begin by discussing the difference between just publishing something on the Web and doing business on the Web.

Web publishing is easy to do. If you want to publish something for the world to see, all you need is a computer or a device that can connect to the Internet (which most Americans have or can get access to). You can set up a blog or a web page in minutes using any number of different platforms. You can also establish an account on Facebook, Twitter, or another social network.

Doing business on the Web is not as simple as publishing to the Web. Why? Well, because when you buy or sell goods and services on the Web, you exchange sensitive information with other people. Typically, that includes your name, address, phone number, email address and your payment details, including credit card number. Or maybe even your bank account number and bank routing number.

This information needs to be properly stored, and handled with care while it is in transit. This is where encryption comes in.

Ordinarily, when you connect to a website, you do so over an unencrypted connection. In other words, the bits flowing between your computer and the remote server (e.g. nwprogressive.org) are being transmitted in the clear, which means your communications can be easily intercepted and read by others.

Most web browsing happens over unencrypted connections. There are those who believe encryption really ought to be the default, and we are among them.

However, encryption is the default for ecommerce sites already. It has to be, because otherwise that sensitive information would be transmitted to and from websites in the clear. It is ridiculously easy to eavesdrop on unsecured web traffic.

To guard against snooping, we have SSL (Secure Sockets Layer) and TLS (Transport Layer Security). These protocols scramble traffic before it goes over the Internet so it can’t be easily read. SSL and TLS aren’t foolproof — in fact, we recently learned the NSA has compromised them — but they nevertheless provide important protection against snooping and eavesdropping. SSL and TLS are used by ecommerce sites large and small, from Amazon and Newegg on down.

An entrepreneur not worried about branding or having full control over their users’ experience can use a site like CafePress to set up a store. CafePress is essentially an online marketplace that lets people buy and sell merchandise. Sites like CafePress take care of all of the hosting, maintenance, administration, and security.

But, if you want to set up “a website where people can go on and buy something”, as Senator Rubio put it, you become responsible for those things.

To get started, you need:

  • a domain name for your website that reflects your brand or company name
  • a web hosting account that supports secure hosting and comes with a unique IP (Internet Protocol) address
  • a secure certificate
  • shopping cart software to run your storefront (either a standalone solution like Zen Cart or a bolt-on ecommerce plugin like WooCommerce for a content management system like WordPress)
  • a theme (set of templates) to control the look and feel of your store
  • optionally, addons to allow your shopping cart solution to talk to your payment processor and simplify order fulfillment

Nearly all of these things cost money, so the first order of business is really raising money to set up the store. Minimally, an entrepreneur needs a few hundred dollars for the above. That doesn’t include any other startup costs.

People expect to be able to pay by credit card when they shop online (it’s the standard) so if your intention is to operate an online store that does a lot of business, you simply have to have the capability to take credit cards. To do that, you’ll minimally need a bank account and a payment processor.

You can outsource payment processing to PayPal, but serious merchants avoid PayPal because PayPal isn’t a bank and doesn’t have to follow federal banking regulations. It’s better to have a merchant services account and use an alternative payment processor that can integrate tightly with your shopping cart. That way, you have complete control of the checkout process.

If you accept credit cards, you must comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is essentially a set of mandatory best practices for handling cardholder information that evolved from five separate standards created by Visa, MasterCard, Discover, JCB, and American Express. The requirements are complex — the document explaining them runs seventy-five pages.

Some businesses must also comply with federal laws like HIPAA and Sarbanes-Oxley (SOX or Sarbox) if they take/store certain kinds of sensitive information.

Before you can do any test transactions, you have to set up your bank account, merchant services account, and web hosting account.

As mentioned above, your website needs to have its own unique IP address. This is because older computers and smartphones running older operating systems don’t understand Server Name Indication. (SNI is a technology that allows multiple websites to share one IP address for secure connections.) Because IPv4 addresses are scarce, getting a unique IP often costs extra money.

You also need a secure certificate so that users don’t see an “Untrusted” warning in their browser when they visit your store. There are many different types of certificates available to choose from. The ones with the most bells and whistles are called EV (Extended Validation) certificates. If you get one of these, users’ browser URL bars will turn partially or completely green when they visit your online store, signifying a secure and trusted connection.

After you buy a certificate, you’ll need to install it, just like everything else.

Once you have all of this, you need to decide what shopping cart software to use. Again, there are many choices. Some solutions are more feature-complete than others. WooCommerce, for instance, is a free plugin that lets you set up a store inside of the content management system WordPress, but you’ll have to buy add-ons to make it work with your payment processor and your courier of choice.

Shopping cart solutions are designed to help you do the following (and more!):

  • Set up product pages and upload product images
  • Create promotions and optionally promo codes
  • Manage product inventory; disallow sales of a product when the existing inventory has been depleted, or switch the product to backorder/preorder
  • Calculate sales taxes or other taxes and add these to the total
  • Calculate shipping charges and simplify order fulfillment if you’re selling a physical good of some kind that will need to be delivered
  • Perform address verification and transmit credit card information to the payment processor for authorization and capture
  • Email the customer a receipt after they complete a purchase

Even though shopping cart solutions cut down the amount of work that’s involved, they still need to be configured. Most software packages come with a large number of controls to accommodate users who want to be able to fully customize their stores. Learning what all the different controls do can take some time.

People do, as Marco Rubio said, set up online stores every day. But that doesn’t mean it is easy. Is it as complicated as, say, rocket science, to use the cliché? No — setting up an online store is easier than stepping into the shoes of a NASA engineer or scientist. But it’s not a piece of cake, and it can’t be done in a day, even by someone with a lot of experience. There’s just too much work involved.

Think about all the decisions that go into setting up a business and a store. There are some big ones. Choosing a bank or credit union. Choosing a merchant services provider and payment processor. Choosing a web host. Choosing the software that will run the store. Choosing a courier or couriers.

I have set up donation infrastructure for nonprofits and ecommerce infrastructure for for-profits. Every project I’ve done or helped with has been complex.

I’m guessing Marco Rubio has never set up an online store, otherwise he would not have gone on national television and said “setting up a Web site where people can go on and buy something” is “not that complicated.”

Because it actually *is* that complicated.

I’d wager that if Rubio had to create his own online store from scratch, even with a small team of technical advisors and consultants at his side, it would take him weeks. Even if he was doing it for a firm that had already incorporated.

There’s no question in my mind the rollout of the exchanges could have been handled better. In the software world, you don’t release to manufacturing or go gold until you’ve done a sufficient amount of beta testing.

The Obama administration is realizing this. They weren’t prepared enough for October 1st. They’re now bringing in programmers and Web infrastructure specialists to help make healthcare.gov and its associated websites work better.

It would be nice if Republicans were interested in being constructive and making the Patient Protection Act work. But instead they’re bent on repealing it. They would rather make political hay out of the online exchanges’ glitches than fix them.


One Comment

  1. Nice job schooling Senator Rubio. He and his staff probably won’t see this, but you’ve certainly demonstrated he doesn’t know what he’s talking about.

    # by Michelle Heng :: October 29th, 2013 at 11:20 AM