How e-commerce sites process/handle credit card numbers

I get the general idea. Products are stored in a database, and that database is accessed by a web front-end that (ideally) presents that data in an easy-to-understand format. You add items to your cart, and then check out.

When some random e-commerce site takes your credit card number, does that number get stored in the merchant’s database for them to process later, or is there some sort of API the merchant’s bank has that enables the software to automatically charge the credit card numbers?

Programmer here. As far as the systems I’ve seen, an API is used. The front-end application doesn’t know how to handle credit cards. It makes a call to another application, e.g. via a web service. That other application is maintained by a bank or credit card processor, and it reports the result back to the web UI, which can tell the user whether their card went through. Reconciliation, of course, still needs to happen, but that can be done via batch update later, or you can just forgo it and require the user to call in to check their status.

Yeah, that’s it. Every pre-made shopping cart/ecommerce solution I’ve worked with or looked at has at least one, sometimes a dozen or more, modules configured to work with different payment gateways. In the set-up of the software, you configure which module you’re going to use and also configure some settings which identify you to the gateway (because you have to set up an account with a gateway and pay them money). Then the software talks to the gateway during check-out and the gateway does all of the talking with the credit card issuer.

If you roll your own ecommerce software, it works the same way. You just build a connection between your software and the gateway API.

Can and do the ecommerce sites save your credit card info in a local database? Yes, especially if you want to re-use it on their site. They can even store it plain text if they are cheeky. But really no one wants to be responsible for a bunch of plain-text CC numbers sitting around, so encryption is the way to go.

PCI compliance controls a lot of this type of stuff (what info can be stored, how it needs to be stored or transmitted, etc.).

Although PCI compliance isn’t a law, banks etc. could pass on fines for violations.

The normal process for something that may not ship the same day as when the order is placed is as follows:
1 - Get authorization for the order amount but do not charge the card yet. The authorization stays with the card so the bank knows what it has committed to.

2 - After the goods ship, then ding the credit card (called the “settlement”) for the actual amount.

So the e-commerce site needs to hold onto the CC info to be able to process the settlement transaction later.
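The authorize-then-settle flow described above, as an added example that is not from any poster in this thread: a constructed stand-in gateway shows one way the merchant side can be built so that the later settlement needs only the gateway's authorization reference and the last four digits, not the card number itself. `FakeGateway`, `Merchant` and `Order` are hypothetical names; a real gateway's API will differ.

```python
from dataclasses import dataclass
import secrets

# Constructed stand-in for a payment gateway: it holds the PAN on its side and
# hands the merchant only an opaque authorization reference.
class FakeGateway:
    def __init__(self):
        self._auths = {}  # auth_id -> {"pan", "amount", "captured"}

    def authorize(self, pan: str, amount_cents: int) -> str:
        """Step 1: reserve funds on the card; nothing is charged yet."""
        auth_id = "auth_" + secrets.token_hex(8)
        self._auths[auth_id] = {"pan": pan, "amount": amount_cents, "captured": 0}
        return auth_id

    def capture(self, auth_id: str, amount_cents: int) -> int:
        """Step 2: settle against an earlier authorization, never above it and only once."""
        auth = self._auths[auth_id]
        if auth["captured"] or amount_cents > auth["amount"]:
            raise ValueError("capture exceeds authorization or already settled")
        auth["captured"] = amount_cents
        return amount_cents

@dataclass
class Order:
    order_id: str
    amount_cents: int
    auth_id: str = ""
    last4: str = ""        # for display only; the full PAN is never written here
    settled_cents: int = 0

class Merchant:
    def __init__(self, gateway: FakeGateway):
        self.gw = gateway
        self.orders = {}

    def checkout(self, order_id: str, pan: str, amount_cents: int) -> str:
        # The PAN is passed straight through to the gateway and not retained.
        auth_id = self.gw.authorize(pan, amount_cents)
        self.orders[order_id] = Order(order_id, amount_cents, auth_id, pan[-4:])
        return auth_id

    def ship(self, order_id: str, shipped_cents: int) -> int:
        """Called after the goods ship: settle using the stored auth reference."""
        order = self.orders[order_id]
        order.settled_cents = self.gw.capture(order.auth_id, shipped_cents)
        return order.settled_cents

    def stores_full_pan(self, pan: str) -> bool:
        """Sanity check a reviewer can run: does any stored order contain the PAN?"""
        return any(pan in str(o) for o in self.orders.values())
```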