On one of the mailing lists I frequent, Zack Halbrecht posted a list of best practices for e-commerce websites. It's a simple list, and much of it is common sense, but sometimes it's good to state what should be obvious. Clearly it's NOT so obvious, since so many e-commerce sites don't do this...
- Don't charge the card until you ship
- Don't store credit card information - leave that up to the payment processor unless you really want to become PCI compliant, which is costly and a pain. Most payment processors have some sort of recurring billing API too.
- User account information should be protected with a salted, hashed password. Do not store passwords in plaintext.
- Offer real-time shipping quotes w/ tracking # in confirmation if possible.
- Keep it simple. Collect as little information as possible. NO OPT OUT (checkbox already checked) marketing! OPT IN ONLY.