Google Inc. revealed the launch of Google Checkout, a checkout process that makes online shopping faster, more convenient and more secure for Google users. It offers an easy and trusted checkout option that enables shoppers to purchase from participating stores with a single Google login. Bypassing their traditional beta releases(years in beta stage) this time Google came up with fully functional and tested version because consumers would be unwilling to trust their bank accounts and credit cards to a beta version. It will serve as a centralized authorization service for customer purchases, promising the transaction security with industry-standard SSL technology.
Integrating your website with Google Checkout
To integrate your website with Google Checkout you can choose either simply by adding Google ‘Buy Now’ button to your site which will take you to the Google checkout page to complete the order or if one of Google’s e-commerce partners is currently providing your shopping cart application, you can integrate your shopping cart and order processing functionality with Google Checkout following these steps or if you are using different shopping cart you can integrate your current shopping cart with the Google Checkout API.
Checkout API
Google Checkout API is XML based API and the XML schema can be found at http://code.google.com/apis/checkout/apiv2.xsd. When you post any message to Google, you receive a reply right away as an HTTP response message. Before sending this response, Google checks the command’s XML against the Google Checkout schema, and checks the command’s arguments and state for validity. If the command is valid, the response is request-received; otherwise, the response is error. If the command is valid, Google then processes the command and returns a further result using the Notification features.
Here is the sample of simple checkout shopping cart XML:
<?xml version=”1.0″ encoding=”UTF-8″?>
<checkout-shopping-cart xmlns=”http://checkout.google.com/schema/2″>
<shopping-cart>
<items>
<item>
<item-name>HelloWorld 2GB MP3 Player</item-name>
<item-description>HelloWorld, the simple MP3 player</item-description>
<unit-price currency=”USD”>159.99</unit-price>
<quantity>1</quantity>
</item>
</items>
</shopping-cart>
<checkout-flow-support>
<merchant-checkout-flow-support/>
</checkout-flow-support>
</checkout-shopping-cart>
If the received XML is valid then you get the request received response as follows :
<?xml version=”1.0″ encoding=”UTF-8″?>
<request-received xmlns=”http://checkout.google.com/schema/2″
serial-number=”58ea39d3-025b-4d52-a697-418f0be74bf9″ />
If the reeceived XML is not valid the you get the error response as follows :
<?xml version=”1.0″ encoding=”UTF-8″?>
<error xmlns=”http://checkout.google.com/schema/2″
serial-number=”3c394432-8270-411b-9239-98c2c499f87f”>
<error-message>Bad username and/or password for API Access.</error-message>
</error>
Along with Checkout API Google also released Order Processing API, Notifications API and Merchant Calculations API to support the order processing features so you can move an order through the fulfillment cycle: capturing the payment, marking the order delivered, and so on.
The complete developer guide can be found at http://code.google.com/apis/checkout/developer/index.html.
Also the sample code to integrate the Google Checkout functionality with Java, ASP and PHP can be found at http://code.google.com/apis/checkout/samplecode.html.
I checked out "Google-checkout".
The overall process seems to be very easy but exactly that makes this solution very vulnerable. During checkout there was no security question to make sure that I'm indeed the owner of the Google account or the associated Credit Cards in that account. Of course I used my username and password but because there are so many Google sites, using the same username and password, it is very easy to loose your login information on a hijacking page as you might not check the url for Ad-Words or Gmail every time you log on as those services never had the possibility to shop with your Credit Card.
Now because you have one account and login information for all it is quite possible that hackers will try to get your login information from any Google service out there! Even worth is the fact that the hacker can change the password without any problem. The owner of the account might not even get any information about the password change as the e-mail is sent to the according and hijacked Gmail account.
Because of this HUGE security risk I would not recommend using Google checkout!
Please checkout the http://www.thebilliondollarpatent.com as s-registration solution that Google should have implemented in their service to make it solid and secure. This solution is requiring a third credential called TAN to make sure that ONLY the owner of that account is able to shop online even in case the account is hijacked.
I hope that everybody is aware of the security issue with Google checkout and will inform Google of a better solution!
Thanks and be safe;-)))!!