How much would it cost to have a website made for you?

I was thinking of setting up an online retail business, and would need a website built before I can see trade pricing. I talked to a supplier today and one of their conditions was that it must include an inbuilt shopping cart, i.e. cannot rely on PayPal etc., i.e. you must be able to complete the transaction within the site, without being taken to an external website.

I am looking at the lowest I could pay for something of this kind, it just needs to be a shell, which can process dummy payments to show that it works in principle.
 
It's not even worth thinking about not using PayPal or a 3rd party payment app. First you need an SSL certificate, 200 quid let's say, then a pen test at probs around 10 grand. It has to be on its own server.

In short, if you are asking this question you need to use PayPal or gpay or something along those lines.
 
What wholesaler told you that? The person is obv a nutter; you just need to have a registered business, that is all. I'd look at around 20k to set up a site where you process payments. Then factor in about 500 a month. A lot of big sites use PayPal; if they are saying you can't use it they're talking out their ass. You obv need a shopping cart on the site but you need to farm out your payment processing. You should look between 500 and 1000 for a site with a cart and all that jazz.

Whereabouts are you in the UK?
 
Set up a site that uses Sage Pay, which I'm sure will be fine for the wholesaler as it's one of, if not the, biggest payment gateways out there for small businesses and takes care of all the legal stuff for you.
 
There are plenty of 3rd party credit card processing companies, like cardsave.

Lots of companies use these and I can't see any reason not to.
 
It's not even worth thinking about not using PayPal or a 3rd party payment app. First you need an SSL certificate, 200 quid let's say, then a pen test at probs around 10 grand. It has to be on its own server.

In short, if you are asking this question you need to use PayPal or gpay or something along those lines.
These are costs if you're going to make people enter their card details on your own website. If you redirect to the payment gateway provider site to take card details you don't need to bother with penetration testing as all you receive back is a true/false to indicate whether or not the payment was successful. Also, pen testing does not cost £10k unless you're running something the scale of Amazon, and SSL certs can be had for £30.

If you have a business bank account, talk to them about adding merchant services. Most of the time if they're a decent bank (NatWest, Barclays) they'll have a decent API you can hook into. Others, like HSBC, have the most outdated POS undocumented crappy API which is a nightmare and should be avoided at all costs.

As for costs to develop a bespoke shop, I'd personally charge around £10k for a basic categories/products/basket/order style affair. Stock checking, bespoke products etc. would all add to that cost.
 
I can't even understand half of what 'tombruton87' has said, but what I can understand is absolute, complete rubbish.

£200 for an SSL certificate?!
£20,000 for a simple online shopping system?!

You could probably 'setup' and have designed four online stores, as well as have managed SEO, for £20,000. I mean you could even run something like concrete5 (free) and use their ecommerce add-on ($125) and pay someone £500-2000 to design your site and be absolutely nowhere near £20,000.

I can also only assume he meant the £500 a month part for hosting, which is equally as ridiculous. You can rent a decent starting point with SSL included for $40-60 a month using a cloud service like Pagoda Box, and scale up the costs as and when you need throughout the year (Christmas shopping etc).
 
It's more of a question of "how much do you want to spend?". I actually worked at a business who spent £30k for a skinned Joomla install, with a couple of standard modules and a 6 months support contract, thus in a way tombruton87 isn't wrong.

On the other hand, you will be able to find completely bespoke websites from people who know what they're doing for much cheaper prices, and what md85 is quoting is quite reasonable, and you could probably find people looking to buff their portfolio do it for less even.

It really depends on functionality you want, the reputation and experience of those producing the work, and the assurances you need. Without knowing him personally, Spunkey's prices may also be reasonable - If you want a guarantee of quality work, you're going to need to find someone who has a proven track record and you're going to need to pay them a decent amount of money for their experience and time spent on your project.

However, given your actual requirement is that you're looking for something not production ready, you could skimp and get it for ~£1000, with the caveat that you'd probably be advised to throw it away when you need something which actually does the job. I wouldn't skimp when dealing with money transactions though, the fines will just make it more expensive in the long run. :p

P.S. The best thing to do is to find someone you trust to do a reasonable job, then get his prices. There are plenty of charlatans who'll charge you £100k for a few hours work, and there are a load of kids who'll offer you a site that'll never be completed for £100. Trust is the primary commodity in the market.
 
I can't even understand half of what 'tombruton87' has said, but what I can understand is absolute, complete rubbish.

£200 for an SSL certificate?!
£20,000 for a simple online shopping system?!

You could probably 'setup' and have designed four online stores, as well as have managed SEO, for £20,000. I mean you could even run something like concrete5 (free) and use their ecommerce add-on ($125) and pay someone £500-2000 to design your site and be absolutely nowhere near £20,000.

I can also only assume he meant the £500 a month part for hosting, which is equally as ridiculous. You can rent a decent starting point with SSL included for $40-60 a month using a cloud service like Pagoda Box, and scale up the costs as and when you need throughout the year (Christmas shopping etc).

If the OP wants to process payments he can't use a crappy SSL certificate that can be decrypted by any old script kiddy; I think there's even an extension in Wireshark for this. So yes, a couple of hundred pounds is reasonable.

Again, if he wants to process payments it needs to be on its own server with a proper firewall and IDS/IPS system. This is all stuff needed to comply with PCI DSS (if you lose card details there is a maximum fine of 10k per card), so lose 100 card details and there is a potential fine of 1 million pounds. I have never seen a company fined this much but I have seen fines that have put companies out of business.

There are a lot of sites big and small that don't do things properly, i.e. Sony/Amazon. The UK has in my opinion the best security standards in the world. Crest have a 50% pass rate in the UK; in the US Crest is down to 10%, that's why most Americans go for the tiger standard.

Processing payments costs a lot of money. So until you are turning over around half a million, depending on margin, it's not worth considering. NatWest have really good APIs, as somebody mentioned before. 1k should be a good figure to look around for a site that integrates 3rd party payment; just have a look at their other work.
 
If the OP wants to process payments he can't use a crappy SSL certificate that can be decrypted by any old script kiddy; I think there's even an extension in Wireshark for this. So yes, a couple of hundred pounds is reasonable.

I'm fairly confident there isn't any extension that'll allow you to bruteforce any reasonable SSL on the wire.

There are two aspects of an SSL, #1 is the encryption that can be gained by using a freely generated SSL which will give you a big warning in your browser, despite doing the job just as well as a pay for SSL. Whilst you can pay for heavier levels of encryption, that's really not what the cost is associated with. I'd dare say the encryption is near foolproof.

The second aspect of an SSL is the trust facility. Basically the whole reason you pay for an SSL is to prove that the person you're communicating with securely is actually the person you think it is. This is very much a false economy given the history of the browser supported SSL providers being ****, and the fact that open source software solved this issue without paying people many moons ago. Regardless, the more you pay is almost always more about upping the trust ratio, as this is what the public has been coerced to believe in. This is supposed to stop MITM attacks, which are the real threat.

Again, if he wants to process payments it needs to be on its own server with a proper firewall and IDS/IPS system. This is all stuff needed to comply with PCI DSS (if you lose card details there is a maximum fine of 10k per card), so lose 100 card details and there is a potential fine of 1 million pounds. I have never seen a company fined this much but I have seen fines that have put companies out of business.

No, it doesn't. He can process payments by passing them straight to a 3rd party payment portal, such as DataCash, who'd take care of the PCI-DSS requirement providing him with some sort of customer-id and boolean for a transaction. For 'storing card' details, you need only keep the customer-id, and you can process future payments with DataCash without keeping the card details on file (though the customer will need to re-enter their security number, which I believe even DataCash can't keep on file).


There are a lot of sites big and small that don't do things properly, i.e. Sony/Amazon. The UK has in my opinion the best security standards in the world. Crest have a 50% pass rate in the UK; in the US Crest is down to 10%, that's why most Americans go for the tiger standard.

I tend to agree with you here.

A lot of companies don't do this properly because their coders either don't know what they're doing or where to find out more, or aren't given a reasonable amount of time to do it right. I suspect many of these companies are in danger of massive fines, thus it is advised to pay someone who actually knows what they're talking about a decent amount, and actually listen to their advice.

This is why I've agreed with the others in this thread that you need to be paying a living wage to get quality work (people oft seem to think all programmers live in their mom's basement, and eat ramen exclusively, and thus can afford to work for below minimum wage and still deliver a professional level of work) but unfortunately too many people scrimp and save, because they don't know how to differentiate between quality work.

Processing payments costs a lot of money. So until you are turning over around half a million, depending on margin, it's not worth considering. NatWest have really good APIs, as somebody mentioned before. 1k should be a good figure to look around for a site that integrates 3rd party payment; just have a look at their other work.

See this is where you should have started, but I'd go further than that. Everyone should be using a payment gateway, unless they have a strong reason for not doing so. So by default it's an entirely feasible project, and until you're a lot bigger, you shouldn't need to be worrying about anything such as PCI compliance.
 
In short, if you are asking this question you need to use PayPal or gpay or something along those lines.

This.

Seriously, you need to use a 3rd party payment system and should not hold credit card data within your own database; you will get raped by every bank and credit card company out there if something goes wrong and be instantly out of business and in deep legal trouble. I don't think this is what you meant though.

I assume your brief means that they don't want the user to visibly leave your site to make the payment (like with certain PayPal options); this is entirely possible and most 3rd party gateways offer this. One of the simplest is PayPal Pro but there are loads out there.

If you wanted a proof of concept then you could get that for a couple of grand if you use offshore resources through elance or similar.
 
In response to aln, most of my post is if they chose to go it alone, which I have said all along is a very bad idea.

The main thing you pay for in SSL certificates is the age of the trusted source. Yea, it can be decrypted; just looked up Wireshark modules and yep, there is one for decrypting SSL packets.

As I said, if he is processing the payment and not using a 3rd party, yes, it does need to be on its own server plus other reqs. However, if he uses a 3rd party to process stuff you can use any hosting within reason.

I think everybody is in agreement to use a 3rd party vendor whether that is visable or not.

The main reason people don't use a payment gateway is to save money however in order to do this you need to be a trusted company with a large enough turnover to warrant the costs.

I have seen sites that have been storing card details with no encryption whatsoever and every user sharing the same DB permissions; it's crazy.

The problem is that managers would rather their programmers work on new features rather than security. Also, companies such as the Sony situation know that when they get to a certain size fines are unlikely, because they just use the argument that if they get fines they have to make people redundant. So the judges tend to let them off lightly.
 
Set up a site that uses Sage Pay, which I'm sure will be fine for the wholesaler as it's one of, if not the, biggest payment gateways out there for small businesses and takes care of all the legal stuff for you.

THIS,

We manage pretty much every Triumph and Harley-Davidson dealership in the UK and pretty much all our clients use this solution.
 
In response to aln, most of my post is if they chose to go it alone, which I have said all along is a very bad idea.

Honestly, I think you slightly misunderstood what the OP was asking, and you were then misunderstood because of your reaction to the OP.

The OP stated that he could not use a solution that directed away from his site, he in no way specified that he couldn't use a payment gateway which did not require this functionality, and quite why you assumed he had specified DIYing a payment service, is what is confusing and where much of the disagreement has come from.

The main thing you pay for in SSL certificates is the age of the trusted source. Yea, it can be decrypted; just looked up Wireshark modules and yep, there is one for decrypting SSL packets.

Sure, if you can provide the key - which is entirely OK. Please provide a link to prove script kiddies can do nefarious things without a) MITM, or b) providing the key first. I'm happy for you to prove me wrong, but I honestly don't buy the idea that the encryption provided by the reputable dealers can be easily broken.

You'd pretty much rock my world if you can prove that.

As I said, if he is processing the payment and not using a 3rd party, yes, it does need to be on its own server plus other reqs. However, if he uses a 3rd party to process stuff you can use any hosting within reason.

I think everybody is in agreement to use a 3rd party vendor whether that is visable or not.

From my understanding, and everyone else's I think, he didn't say it wasn't viable.

The main reason people don't use a payment gateway is to save money however in order to do this you need to be a trusted company with a large enough turnover to warrant the costs.

I'm not disagreeing with you.


I have seen sites that have been storing card details with no encryption whatsoever and every user sharing the same DB permissions; it's crazy.

Me too.

The problem is that managers would rather their programmers work on new features rather than security. Also, companies such as the Sony situation know that when they get to a certain size fines are unlikely, because they just use the argument that if they get fines they have to make people redundant. So the judges tend to let them off lightly.

It's the job of the programmer, and/or legal, to advise management on issues like this, and the implications of ignoring it. The reasons for this are many, and do include management ignoring that advice, but are just as often caused by IT professionals overstating their knowledge.

Non-technical managers have almost no ability in validating whether an employee knows what they're talking about or not, and trust can easily be placed in the wrong people. It's a failure of the business, of course, but I wonder what recourse they have other than luck to place their trust in the right place initially?

In IT, we work in a very young profession. It is quite clearly a mess, and I've met a lot of professionals who I'd dare say do not have sufficient knowledge in their field. Hell, I certainly don't know everything, perhaps I'm the liability. Either way, I find it difficult to place blame on any individual though, especially if you've not been there to watch events unfold.

But meh, what do I know. :p
 