Post by Daniel » Mon Aug 17, 2009 5:20 am

I'm halfway through creating a Google Checkout module.

Now there are a few different ways of doing this.

Level 1 is just an HTML form that gets submitted with product and shipping information.
Level 2 has API integration and forces you to have an SSL certificate before you can receive requests for shipping methods and costs.

I think a lot of people will not be able to use Google Checkout level 2 because they do not have an SSL certificate.

Does anyone think it's better to do just level 1 and try to include shipping calculation on the cart page?

OpenCart®
Project Owner & Developer.


User avatar
Administrator

Posts

Joined
Fri Nov 03, 2006 6:57 pm

Post by Leon » Mon Aug 17, 2009 6:33 am

I don't think many people will have an SSL certificate, and I know I wouldn't trust a site with an unofficial one, so it's probably best to go with option 1 like you said.

Active Member

Posts

Joined
Tue Apr 07, 2009 1:20 am

Post by FxMan » Mon Aug 17, 2009 2:22 pm

I have several SSL certificates. Each for a different site.

Level 2 please.
I want as much security as is available.

I was also about to implement Google Checkout.
A module would be outstanding.

I'm not positive, but I think if you sell products online you need to be PCI compliant.

"The PCI compliance specification describes a set of requirements which participating businesses must observe to ensure that correct measures are taken to secure all data, both internal and externally exposed."

New member

Posts

Joined
Fri May 15, 2009 7:18 am

Post by Rich » Mon Aug 17, 2009 8:25 pm

Hi Daniel

I think it will be best to have Google Checkout level 1, but then people like FxMan will be mad ;)

So will it be possible to do one Google Checkout with level 1 and a second Google Checkout with level 2? Or will it be possible to make one module for Google Checkout where in the configuration you can choose whether to use level 1 or 2?

I know it will be a lot more work for you, but it will be the best solution for everybody.

Thanks for your work

Rich
Bird is the word


New member

Posts

Joined
Tue Jul 28, 2009 2:56 am
Location - Bird Cage

Post by Daniel » Mon Aug 17, 2009 11:32 pm

I think it's going to have to be level 2.

I need the API requests to test if a customer has paid for downloadable orders.


Post by Leon » Tue Aug 18, 2009 1:42 am

In that case we shall have to invest in SSL certificates :D


Post by Daniel » Tue Aug 18, 2009 2:01 am

Google only accepts SSL v3, whatever that is!


Post by noonoo » Tue Aug 18, 2009 10:51 am

Presumably shops with an SSL certificate can still use level 1, so they remain secure; it just means Google Checkout transactions are processed and secured via Google Checkout.

If that's the case, then all shops with or without an SSL certificate can use level 1, but only a small percentage of shops that have the correct type of SSL certificate can use level 2.

Google Checkout level 1 and the PayPal equivalent are both PCI compliant. And as they handle the transactions on their secure servers on your behalf, the online shop doesn't need to worry about most of the regulation.

Newbie

Posts

Joined
Thu Jul 16, 2009 4:34 pm

Post by JNeuhoff » Tue Aug 18, 2009 8:58 pm

I have a level-2 Google Checkout in the making, with SSL-support (shared SSL certificate on your webhost is fine for callbacks from Google), and detailed product submissions to Google Checkout, being implemented as a guest checkout scenario. I was to have released it last month but real life work caught up with me, hope to have it finished and fully tested soon. It will have the same features as the one for Opencart 0.7.9.

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig


User avatar
Guru Member

Posts

Joined
Wed Dec 05, 2007 3:38 am
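
What a Level 2 callback endpoint has to check before it marks a downloadable order as paid, as an added example that is not part of this thread or of any poster's module. It assumes the callback arrives with HTTP Basic credentials and an `order-state-change-notification` XML body; the credentials, order number, message and function names are constructed for illustration.

```php
<?php
// Added example. Credentials, order number and message below are constructed;
// element names and the CHARGED state are assumptions about the notification format.
const MERCHANT_ID  = 'EXAMPLE_MERCHANT_ID';
const MERCHANT_KEY = 'EXAMPLE_MERCHANT_KEY';

// Constant-time comparison of the HTTP Basic credentials sent with a callback.
function callback_is_authentic(string $authHeader): bool {
    if (stripos($authHeader, 'Basic ') !== 0) return false;
    $decoded = base64_decode(substr($authHeader, 6), true);
    return $decoded !== false && hash_equals(MERCHANT_ID . ':' . MERCHANT_KEY, $decoded);
}

// Returns [order number, financial state], or null for anything unexpected.
function parse_state_change(string $xml): ?array {
    $prev = libxml_use_internal_errors(true);          // keep parser warnings out of the response
    $doc  = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($doc === false || $doc->getName() !== 'order-state-change-notification') return null;
    $order = (string) $doc->{'google-order-number'};
    $state = (string) $doc->{'new-financial-order-state'};
    return preg_match('/^\d{1,20}$/', $order) && $state !== '' ? [$order, $state] : null;
}

// Returns the HTTP status to send; only a CHARGED order unlocks its downloads.
function handle_callback(bool $overTls, string $authHeader, string $body, array &$paid): int {
    if (!$overTls) return 403;                          // callbacks are accepted over SSL only
    if (!callback_is_authentic($authHeader)) return 401;
    $msg = parse_state_change($body);
    if ($msg === null) return 400;
    [$order, $state] = $msg;
    if ($state === 'CHARGED') $paid[$order] = true; else unset($paid[$order]);
    return 200;
}

$sample = <<<XML
<order-state-change-notification xmlns="http://checkout.google.com/schema/2" serial-number="constructed-1">
  <google-order-number>100000000000001</google-order-number>
  <new-financial-order-state>CHARGED</new-financial-order-state>
</order-state-change-notification>
XML;

$paid   = [];
$good   = 'Basic ' . base64_encode(MERCHANT_ID . ':' . MERCHANT_KEY);
$forged = 'Basic ' . base64_encode('someone:else');
printf("forged credentials -> %d\n", handle_callback(true, $forged, $sample, $paid));
printf("plain HTTP         -> %d\n", handle_callback(false, $good, $sample, $paid));
printf("authentic callback -> %d\n", handle_callback(true, $good, $sample, $paid));
printf("downloads unlocked for: %s\n", implode(', ', array_keys($paid)));
```

In a live endpoint the three inputs would come from `$_SERVER['HTTPS']`, the request's `Authorization` header and `php://input`; the download controller then consults the stored paid flag rather than anything the customer's browser submits.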


Post by Daniel » Tue Aug 18, 2009 9:49 pm

Please send me the files.

I looked at the classes that Google gives out and decided not to use them, and started creating a much simpler method using cURL and XML.


Post by JNeuhoff » Tue Aug 18, 2009 11:17 pm

I am using the API classes and functions provided by Google which in turn use CURL and XML for sending stuff to Google, with an implementation of the Checkout API, the Notification API and the Merchant Calculations API according to the http://code.google.com/apis/checkout/developer/ guidelines.

The old 0.7.9 version is available here: http://www.mhccorp.com/downloads-opencart.shtml

Hope to have the new 1.3.x version released soon under a GPL licence, too.



Post by FxMan » Sat Aug 22, 2009 11:43 pm

It appears that PCI Compliance will be a law in the US.

Here is a recent quote from an article:

"Is PCI Compliance a Law? Should it be?

Is PCI compliance a law? The short answer is no. The long answer is that while it is not currently a federal law, there are state laws that are already in effect (and some that may go into effect) to force components of the PCI Data Security Standard (PCI DSS) into law. In addition, there is a big push by legislatures and industry trade association to enact a federal law around data security and breach notification." The article is here: http://www.pcicomplianceguide.org/secur ... ce-law.php

Notice there are some states that already have this law.

So the question is:
How secure is Level 1?
Are you willing to risk your customers' data?
(ok, that's 2 questions)

I have a little experience in the Merchant Services industry.
Those are the people who provide payment/credit card services for merchants.
The Merchant Services provider we use requires PCI compliance.

So it is just a matter of time before PCI compliance is a requirement for online sales.
It is about data security.

Why not implement it from the start for Google Checkout by using Level 2?
Then we won't need to implement a new module when PCI compliance becomes law.

PCI compliance covers your ass...ets.

Not mad.


Post by Daniel » Sun Aug 23, 2009 1:32 am

FxMan wrote: It appears that PCI Compliance will be a law in the US.

Here is a recent quote from an article:

"Is PCI Compliance a Law? Should it be?

Is PCI compliance a law? The short answer is no. The long answer is that while it is not currently a federal law, there are state laws that are already in effect (and some that may go into effect) to force components of the PCI Data Security Standard (PCI DSS) into law. In addition, there is a big push by legislatures and industry trade association to enact a federal law around data security and breach notification." The article is here: http://www.pcicomplianceguide.org/secur ... ce-law.php

Notice there are some states that already have this law.

So the question is:
How secure is Level 1?
Are you willing to risk your customers' data?
(ok, that's 2 questions)

I have a little experience in the Merchant Services industry.
Those are the people who provide payment/credit card services for merchants.
The Merchant Services provider we use requires PCI compliance.

So it is just a matter of time before PCI compliance is a requirement for online sales.
It is about data security.

Why not implement it from the start for Google Checkout by using Level 2?
Then we won't need to implement a new module when PCI compliance becomes law.

PCI compliance covers your ass...ets.

Not mad.

This just shows me you have no idea about Google Checkout. All the data is stored on Google's servers and nothing on the web site.

Actually, Google Checkout is one of the worst checkouts I have ever done.


Post by noonoo » Sun Aug 23, 2009 8:48 am

FxMan wrote: How secure is Level 1?
It's one of the most secure methods of payment on the internet and technically more secure than level 2.
FxMan wrote: Are you willing to risk your customers' data?
As Daniel said, by using level 1 you don't store any customer payment details or process any transactions yourself; it's all done via Google Checkout on its servers. There is no data to risk.
FxMan wrote: So it is just a matter of time before PCI compliance is a requirement for online sales.
Level 1 is PCI compliant, and using level 1 makes it a lot easier for a shop to be PCI compliant compared to level 2.
FxMan wrote: It is about data security.

Why not implement it from the start for Google Checkout by using Level 2?
Then we won't need to implement a new module when PCI compliance becomes law.
You're trying to make level 1 seem unsafe and non-PCI-compliant without actually understanding it.


Post by JNeuhoff » Sun Aug 23, 2009 9:02 pm

Even with level 2 you have sufficient security. No credit card details are entered on the Opencart site. The customer is transferred to the Google Checkout page using the secure HTTPS protocol, and it is only there where he logs securely into his Google account to make the online payment. Google Checkout does send back messages to the Opencart server, hence the callback function on the Opencart end should support SSL, too. However, no critical payment details are sent back to Opencart. Google only sends messages to Opencart about the progress of the payment process, or in order to get shipping quotes.

See for example our 0.7.9 Opencart demo on this, our upcoming 1.3.2 version will work the same way.



Post by FxMan » Wed Aug 26, 2009 1:02 pm

You're right. I don't understand it.
So if Level 1 is PCI compliant, then do I need to be concerned about the compliance of my cart?
Would that also mean that I don't need an SSL certificate?

The reason I want to use Paypal or Google Checkout is to avoid the $99-$125 setup fee for Authorize.net and the $20 monthly fee just to use their gateway.

Paypal and Google are a gateway/merchant account all in one.
No monthly fees or "statement" fees like a normal merchant account.
The transaction fee of 2.9% + .30 per transaction is about the same as a standard merchant account.
A standard merchant account normally has a .20 or .25 per transaction fee plus a monthly statement fee of about $10.
So that's about $30US per month for a merchant account vs. $0 for PayPal or Google.

If you know of any merchant accounts that have a similar fee structure to Paypal or Google, please share them.

The bottom line is if I can make it easy for the customer to use their credit card to checkout, be PCI compliant, and save money by using a Paypal or Google Checkout OpenCart module, then I'm happy.


Post by Daniel » Wed Aug 26, 2009 7:24 pm

Do you even know what all the PCI compliant rules are?

If not please don't go on about this.

OpenCart is already the most secure cart out there.
