Common myths v. math:

Why a hosted solution makes more sense for ecommerce.

(First things first, FoxyCart only hosts your cart and checkout. Where you choose to host your website, email, or other services is entirely up to you. But the cart and checkout are securely hosted on our infrastructure.)

Hate the thought of going with a hosted solution, either for perceived lack of flexibility or for the extra monthly fees? We understand, but our goal is to serve web professionals and their ecommerce clients; and if we felt we could better do so with a downloadable self-hosted solution, we would. But ecommerce presents unique challenges and requirements that make a hosted platform like FoxyCart uniquely suited to meeting merchant and developer needs in much better ways than a self-hosted solution might.

Even if a self-hosted solution ultimately makes sense, hopefully we can help you avoid the common and unexpected pitfalls associated with self-hosting an ecommerce checkout.

Myth: Self-Hosted is Cheaper

One of the biggest perceived reasons against using a hosted service such as FoxyCart is that it isn't free, and that there are many solutions available that are either open source or have a one-time purchase price. While this seems very straightforward and compelling, there are many requirements and best-practices that make a self-hosted solution much more expensive than a hosted solution.

We'll get into the details below, but first, here's a quick breakdown of estimated monthly costs, along with the totals over a two-year period.

These numbers are estimates, but we've erred on the side of "cheap". For example, $40/hr is significantly less than most web professionals charge, let alone competent sysadmins. $24/yr for a security certificate is about as cheap as they come. Before you take issue with the numbers, however, let's explore the reasons for the radically higher cost than you might have expected.

| Conservative Estimates (per month) | Self-Hosted | FoxyCart |
| --- | --- | --- |
| Monthly Cost | $434 | $27 |
| Cost over Two Years | $10,416 | $648 |
| Cost of E-Commerce System | FREE | $15 |
| PCI Compliant Hosting (assuming a cheap unmanaged dedicated server) | $80 | $5 |
| SSL Certificate (assuming a very, very cheap cert at $24/yr) | $2 | included |
| PCI Security Scan from an ASV | $15 | included |
| Breach Insurance | $150 | unnecessary |
| PCI Compliance (time spent at $40/hr) | $67 | $7 |
| Security Patches & Systems Administration (time spent at $40/hr) | $120 | unnecessary |
| Other various government compliance (such as state governments, EU's Safe Harbor, etc.) | $40 | unnecessary |

Compliance is SUPER Fun

PCI DSS Compliance

By far the biggest compliance issue with merchants (both on and offline) accepting credit cards is the Payment Card Industry's Data Security Standard, known as PCI DSS. While there is considerable discussion and misinformation on the internet, PCI DSS is required for any and all merchants storing, processing, or transmitting cardholder data in any way. While there are ways to limit your compliance responsibilities, an e-commerce merchant must comply with PCI DSS. Doing so is not cheap, easy, or fun, and can easily take dozens of hours even for somebody with advanced knowledge of their servers and systems.

In addition to the considerable time it takes just to complete the 200+ questions of the PCI DSS self-assessment questionnaire, PCI compliance (beyond SAQ A or B) cannot be achieved on shared hosting. The PCI council hasn't yet made clear decisions on virtualized or cloud-based systems, so while some hosting providers will claim PCI compliance can be achieved on a VPS, you should plan on at least a VPS, and more likely a dedicated server. A VPS or dedicated server generally requires either an increased monthly fee for management or a competent in-house system administrator.

Regardless of your choice of ecommerce system, we strongly urge you to familiarize yourself with PCI DSS. We have an easy-to-understand guide to PCI, and FoxyCart is a Level 2 Service Provider with Visa's CISP program.

Other Compliance Requirements

As if PCI compliance weren't enough, some US states are passing their own requirements that apply to merchants selling to their residents, regardless of the merchant's nexus. Other governments, such as the EU, have their own sets of requirements, such as the EU's "Safe Harbor" compliance for US merchants.

Why go hosted?

Further complicating matters is the fact that these requirements change constantly, and there is no single place where all of them are easily digested, let alone explained. If this sounds frustrating, trust us, it is. And that's the reason we built FoxyCart as a hosted model: We were tired of doing it ourselves, as web professionals serving merchants. We didn't have the time or expertise to manage it ourselves, and merchants generally have even less understanding of the requirements.

Liability, Infrastructure, & Economies of Scale

Hosting Infrastructure

Peace of mind comes when you know that your ecommerce site can handle seasonal and promotional traffic surges. We spend more money than we care to admit on our infrastructure to make sure things stay up. Could you do this yourself on a self-hosted solution? Yes. But trust us, it's a lot more work (and money) than you might expect.

Insurance and Liability

While related to the compliance issues above, liability and maintenance are a burden unto themselves. While many merchants and web professionals will gladly look the other way, the simple fact is that fines for a breach resulting in the loss of customer information can be devastating, upwards of thousands of dollars per record lost, depending on the local laws. While not generally a requirement, breach insurance is nonetheless a worthwhile investment for any online merchant self-hosting their e-commerce application.

Constant Vigilance

What makes insurance a good idea is the simple fact that nearly every server connected to the internet will be attacked. What often doesn't happen, but categorically should, is the vigilant defense of the e-commerce application. At a minimum, this involves subscribing to at least one security mailing list for your platform and being able to apply patches to your application immediately as vulnerabilities are discovered and (hopefully) fixed upstream.

Why go hosted?

All of this requires ongoing effort. If you're a merchant, it means either monitoring things yourself or relying on (and continuing to pay) your web professional (or a small army of web professionals). If you're a web professional, it means taking the initiative for clients you may not even have a billing relationship with anymore. This, again, is a reason FoxyCart is a hosted system: We were tired of continually patching sites (sometimes with disastrous results) for clients that were often confused and reluctant to pay for maintenance they didn't ask for, but was nonetheless critically needed.

When Self-Hosted is Great

So all that said, is self-hosting your e-commerce always a bad idea? No, of course not. There are two situations where self-hosting makes the most sense.

The first is if your ecommerce needs are sufficiently lightweight that you can get by without much customization at all, relying strictly on third-party payment processors and without any more advanced integration. There are many successful merchants that are able to take this approach, and if you can make it work, it's certainly worth exploring.

If, on the other hand, you have extremely advanced needs and the manpower (and budget) to make your compliance and security happen, self-hosting can be a viable option. It should be noted that depending on the number of transactions per year the merchant may need to undergo an on-site audit of their PCI compliance, which can be exceedingly expensive.

You are obviously free to accept or reject any of the information on this page, but if nothing else we hope that it's educational with regard to the true costs of doing business online. As a merchant, PCI compliance is a requirement, even if it's just the SAQ A. As a web professional, we generally believe that it's your responsibility to educate your clients about these costs and requirements. In any case, the true costs are worth exploring.