What I wanted to say is that I actually had some fun proving a friend that I could set-up an e-commerce site for free in one single day. Not with Magento, though.
We’re talking about WordPress – I know what you think, but wait a minute: Magento is very badly coded, right?
Probably the most anarchical, undocumented, vaguely object oriented, piece of software ever developped: Frankensteincode.
Done with great marketing sense, I must admit.

Back to our common desire to build a working ecommerce website for – way – less than $1 000.
WordPress has come a long way from the super simple blog solution that made its reputation to becoming the most popular full blown open source CMS on this planet. Joomla is dead, Drupal is still doing fine.
At least with WordPress there is a real community of tens of thousands of developers, and the biggest open source community in the world.
The code is definitely better. And so are performances – admittedly not mind blowing out of the box, but still …. And the desired features are now there.

Check the free WooCommerce plugin, for instance – there are many others but this one isn’t half baked.
All you need is there, from catalog to cart to checkout to shipping to user management, follow-up marketing, gifts, vouchers, coupons…dozens of gateways and scores of plugins ( which usually are compatible, unlike many Magento extensions, and much much less expensive).
Very little coding is required, and none if you buy a proper theme – and these are definitely sexier than Magento’s as it is one of WordPress’ strong points.

And… it works.
And yes it is less buggy than Magento.
And yes it is faster.
You may not benefit from advanced, top heavy, third party integration tools, things like that, right..No SAP, no Salesforce and so on. (Even though you could, in theory, developping proper connectors are always a possibility since the code is open.)
But a full blown CRM suite or a warehouse management tool is not needed by 95% of ecommerce websites anyway.

The same set of features would require you to shell out more than $ 10 000 with Magento, as some are only available with their Enterprise edition.
And such ecommerce functionalities integrate very nicely with WordPress as a CMS, if you want a blog with your ecommerce shop. Which can’t be said about Magento, horrendous to use as a CMS.

For a small shop selling hand made potteries, that would be a perfect fit.
Without a doubt better than Magento, which I am afraid would be rather oversized for the task, if you ask me.

I would not recommend the use of WordPress to handle a large ecommerce site, but let’s say that for 95% of ecommerce websites (you know the stats, those making less than $1 M/year), it is quite sufficient to start with.

 Remember it always feels good to pick up a paintbrush even if you can get a decorator’s quote.
 
Well done Ashley.

The bigger question needs to be mentioned with this article to be responsible and that is:

Should you as a business follow these instructions?

If I need a brain surgeon today to remove a cranial growth I dont pull out a “do-it-yourself” book.
There is waay too many books to read to perform the surgery correctly in the time required.
But I am sure the tools are cheap, and the total procedure is done in under 40 minutes.
I am not sure where to make the incision exactly (a minor detail), I will just cut somewhere and see what happens.

However credit is due:
Can you build a Magento online shop for less than $25000?
Yes. (I mean – hell- a plastic scapel costs 95 cents – what a bargain!)

So, should you?
Just ask yourself what is at stake for you and your business and the answer is simple.
If you are not certain, ask a surgeon if you should be performing dangerous self-surgery when you do not have the skill and know-how to do so. Take the surgeon’s answer. It will be the right one.

I wouldn’t recommend any business to “do it on the cheap”, I would recommend they seek immediate financial advice/help if they even look at business in such a way. They obviously have bigger problems. If you think cheap, you end up getting paid like you think.

Many businesses have problems stepping into ecommerce not because of the price tag per se.
It is because they do not have the skill, know-how and resources to do so. A shop that expects yearly 5+ digit incomes* do not worry about 5 digit start up costs, because you make it back in the first years. Those start-up costs should turn into a drop in the ocean after 5-10 years if your business is still around. If you are earning less than 5 digits per year from your enterprise, dont give up your day job. Re-think your business plan. (* western world figures)

Business is a risk. If you can’t risk, don’t do business.
If you do risk, try and minimize that risk by weighing up the pros and cons of endeavours to form workable/profitable solutions.

Access to digital tools have opened the gates to “amateur hour” and have changed the economic landscape, but good business sense has not changed for millenia, though it seems it is just harder to find it in the cacophony of progress.

I recently use Magento as a solution for some businesses to sell online, it is great, but I have been doing IT and business for 14 years, I put that experience behind my work. Though some businesses don’t need Magento to make money online, when only a small single page website with an address and telephone number would do the same job. With 14 years of experience I can still tell clients that sometimes, simple is better. They pay me $$$ to hear that, and I know *when* to say it.

Knowing *which* tool to use when and how to use it, is why clients should pay you $$$. They don’t pay you for the tool, the SSL cert, the PCI compliancy, Magento, OSCommerce, XHTML, CSS, JS, OOP, PHP, SMTP, jQuery, Flash, Adwords, Zend, Varien, Apache, MySQL, DNS,Google, PayPAL, CVV, encryption, public-keys…. blah, blah, blah.. (I could rattle off hundreds of IT invented constructs) these are meaningless words to your clients at the end of the day, even though it is your responsibility to know them… they pay you for the outcome of the tool, proportional to the success they will have with it. The bigger the potential for success and with greater complexity of implementation, the more they should be paying.

At the end of the day a person who offers ecommerce solutions is just selling a mechanism for success for the customer. If your customer succeeds you will succeed as well, and you have done your job.

If you think the $25000 price tag is for the Magento implementation only, you have been coding waaaaaay too long. Get some sunshine, and think about how you can do better business for your clients and yourself.

They will pay you much more if you can show them how they will succeed. 😉

my 2c.
Dave.

BTW if you are a kid selling lemonade on the side of the street and you have *NO* idea about internet technologies, let me know when you have made your first Magento install and I can buy some online. I am thirsty after this post. 🙂

I think it can be summarised as following.

If you use PayPal-like payment processors where you and your website/server never get to see/process/store/handle card details, you still need to be PCI compliant by completing (in most cases) SAQ A. Because if you weren’t going to claim compliance, how else would they have a record of how you claim to process card details? It’s an attestation of compliance they need whether you process cards OR NOT.

If you don’t process/handle/store cards, they still need to know.

And yes, your eBay example make PCI even more complex. You could argue you are still a merchant and your success or even failure of trading still evolves around people being able to pay by card. So if a lawyer were to find it fun to examine the depths of PCI DSS legal spiel, I’m pretty sure he’d find that even those need to be compliant. Remember the goal. Protecting card data. ‘They’ don’t care how you sell. As long as you are uber careful with card data. So it makes sense that they’d want everybody who sells stuff to be aware of the basics. Eg SAQ A. Because that still helps John Doe newbie eBayer to think about passwords, virus scanners and wifi security.

But indeed, it’s not clear. But if you have a website and a business, PCI is part and parcel. If yuo don’t have a website and use eBay and don’t have a business because you sell the books from your loft-clear-out, then who knows, you may be exempt from PCI. But still have an netizen obligation to know about security.

Regarding SSL – if you are using hosted payment options, you’ll probably not need SSL for any actual security reasons. You’re right though, in that some customers might feel safer if you add some SSL ‘flair’ to your site footer. I think people refer to them as ‘trust badges’?

@J.T. – I can’t argue with that! It’s a bit of an interesting situation though. What if I sell my old fishing rod on ebay – where the customer pays *me* with a credit card via paypal – would I need PCI for that? What if I import and sell 1000 fishing rods via ebay? Or what if I sell my old books on Amazon, and then affiliate link to the Amazon listings on my blog? Are these situations any different in the eyes of the PCI-club than a merchant using Paypal or Amazon Payments? If so, why? It’s all very confusing to me – but it seems I need to fill out some SAQ forms – right after I fix this Google Checkout VAT bug I’m working on!

For example, configuration is about 4 hours of work (including cronjobs, backups, etc…), inserting all products can take you days if you don’t import it using the importation tool and most of the time you have management to make on with your Elance guy’s recruited, preparing documents, preparing tasks, etc..

So, finally I think that if you are a techie guy (like me 🙂 ) I would do it my self along my evenings but otherwise you will need to take someone to take care of your website.

Between 10 and 11 I would add SSL Certificate $70/per year that is really important to gain trust with the customer. (even if you make some AdWords if you don’t have the customer trust you wouldn’t have some orders)

I may be wrong too but it makes sense to me that everybody needs to be PCI compliant, all merchants that is. If you sell stuff and people can pay with cards, you need to be compliant. It just so happens to be that if you have outsourced all of that, to say PayPal or Google, your attestation of compliance is extremely straight-forward. It becomes a statement of “I’m compliant because I don’t handle cards”. Without that statement, they have you as non-compliant.

I base that on the official website, which I’d take any day over an unnamed guy in a forum. For that same reason, your readers shouldn’t trust my judgement either as they don’t know me from Adam either. But let me back up my thoughts:

https://www.pcisecuritystandards.org/saq/instructions_dss.shtml#instructions

SAQ Validation Type 1, key quote: “Card-not-present (e-commerce or mail/telephone-order) merchants, *all cardholder data functions outsourced*.” My emphasis. That needs SAQ A. That’s the easy one, no scan required, done in 10 minutes.

Who do you file your compliance statement with?

https://www.pcisecuritystandards.org/qsa_asv/find_one.shtml

See “Approved Security Assessors”. Go through the process with them and then copy your bank/acquirer (if you have one) in too. Possibly even your business insurer. Better safe than sorry.

So based on my extensive checking, EVERYBODY who sells stuff and their customers can pay by card needs to be PCI compliant. The fact your system doesn’t see, hear, smell or feel card details is no excuse. You still need to tell the governing bodies that that is the fact. No cards = not applicable = not true. In fact, it’s no cards = still applicable = very easy process. And mostly free.

How Amazon Payments fits in I don’t know. But I would do this. Which is the procedure for any payment service.

1. Try it out on a website that uses it already or set up a dev environment. Go through the checkout and take note of the URL of where you enter the card details. If that’s not your URL, you should be OK for simple PCI.

2. Confirm that with the payment service provider in question as well as with the developer who built the payment bridge/module. Ask “Does your system/code cause my site/server to store, handle or pass card details?” If the answer is No from both, your’re good for simple PCI. If yes, you’re in for a more tricky ride beyond the scope of this post and its comments.

3. Now complete PCI-DSS compliance with an approved assessor from the list above.

Simples 🙂

But it is still confusing despite their best efforts to make it simple. But I think I’ve seen enough proof to think that everybody needs to be PCI compliant and submit the attestation, whether you use PayPal or not.