Archive for the 'Ecommerce' Category

A common problem in ecommerce is fraudulent orders from overseas customers. The risk is so high in fact that some merchant account providers will not allow their merchants to accept orders from foreign countries. Even if they did, and you wished to solicit foreign orders, some regions pose such a high risk for fraud that accepting any order from that region would be just bad business.

So how do you reduce your risk of fraud from there regions? The easiest way to mitigate your risk is to block users from these regions from reaching your site. The Apache webserver offer the ability to block these regions as a group from your website. To do this create a file called .htaccess and place it in the root directory of your website (or your store if you only want to block that part). Place this code inside of it:


<Limit GET POST>
order allow,deny
allow from all
deny from 195
deny from 218
deny from 219
deny from 220
deny from 201
deny from 221
deny from 222
deny from 202
deny from 80
deny from 223
deny from 211
deny from 60
deny from 210
deny from 57
deny from 58
deny from 59
deny from 60
deny from 77
deny from 78
deny from 79
deny from 80
deny from 81
</Limit>


That’s it! This should block users from high risk parts of the world from accessing your site. Keep in mind they can still use an open proxy to make their IP address appear to be different and this doesn’t mean that the users now able to visit your site is honest. You still need to scrub your orders for fraud. But this should reduce the opportunity for fraudulent users in high risk areas to attempt to commit fraud on your website.

As previously mention in our blog new high assurance SSL certificates have made their debut. If you visit Entrust’s home page in Internet Explorer 7 you will see the address bar turn green.

As mention in our original blog post these new SSL certificates will be expensive. Entrust sells theirs for $99. Verisign is offering packages that start at $1300 per year. Once again, it looks like the small ecommerce shop will be priced out of game.

Technorati Tags: ecommerce, ssl certificate

Shortly after the new year, Microsoft plans to move forward with a plan to flag certain ecommerce and banking sites as “safe” in an upcoming update to its Internet Explorer 7 browser. It will do this by looking for a special kind of SSL certificate called an “extended validation certificate”. For an ecommerce site to qualify as safe their SSL issuer will need to do an extensive check on the ecommerce applicant as well as an audit by a company called WebTrust.

What these companies will be verifying are:

• Physical existence

  The certificate issuer must verify that the business’ legally registered address matches the address provided to the certificate issuer. If they do not match the issuer must visit the physical location provided by the business to verify that it exists. In these cases photographs of the business’ location must be provided.

• Legal existence and identity

  The certificate issuer must verify that the business is legally registered. DBA’s (Doing Business As) that differ from the business’ legal name will also need to be individually verified.

• Individual’s authorization

  The person applying for the certificate must be verified as being a legal representative of the applying business with the authority to apply for the certificate. This requires contacting the business as well as receiving a written verification.

• Domain name

  The domain name that the certificate is being applied for must be verified as being owned by the business. This means verifying the whois information as well as possible having the site owner make specified changes to the website to verify they do in fact control the domain.

• Telephone number

  The telephone number provided in the application for the certificate must be verified. This can mean calling the number or checking publicly available phone directories. Cell phone numbers will typically not be allowed.

Although at a glance this sounds like it will offer a strong assurance for potentially new online shoppers, there are issues with this process. Business registered for less then three years may require further validation including verification that they have a valid business bank account. Because many of these checks require government filings certain business entities (sole proprietorships, general partnerships, unincorporated associations) will not be able to get these certificates. Also, due to the amount of work that must be performed by the certificate issuer to validate the business, the cost for these certificates will be substantially higher with costs possibly reaching as high as $500 or more.

Because only a limited subset of all businesses will be eligible to receive these certificates. Additionally, only Internet Explorer 7 will support these certificates. This means the extra validation done will not offer any additional credibility in all other web browsers and thus provide virtually no additional benefit to merchants.

Additionally, Microsoft is implementing this on an unfinished specification. This means if the specification changes, and it likely will as most of the participants in creating these specifications do not like the current draft, then these certificates may not be valid in the future or may not be compatible with all browsers. Imagine paying for an expensive SSL certificate that results in some browsers saying your site is verified while others saying it is unsafe.

Technorati Tags: SSL, ecommerce, Verisign, Comodo

A common question from merchants entering the world of online credit card processing is when should an SSL certificate be used on a website. SSL allows websites to encrypt sensitive data when in transit to and from a user’s web browser. This prevents hackers and other nefarious characters from stealing sensitive data being sent during an online transaction.

Based on that basic description of what an SSL certificate does it would seem to make sense that a merchant should simply make their entire website encrypted. That way they can be sure every page that needs to be encrypted is. At a glance that would seem to be a logical solution. After all, if every page is encrypted then it is safe to assume that every page that needs to be encrypted is.

But upon further scrutiny important flaws can be found in this solution:

1. SSL requires the server to do more work

Every time an encrypted page is requested by a web browser the server must first process the encryption portion of the request before sending the web page to the browser. This requires server resources to do. Encryption must be done every time an encrypted page is requested. If your site has simultaneous users this will increase the burden on the server even more.

2. SSL is not search engine friendly

Naturally every ecommerce website would like to be in the search engines as they can provide a lot of free traffic for a website. However, search engines cannot read pages encrypted by SSL. This prevents them from finding and reading the pages in your website and thus they cannot add your pages to the index. If you are not in their index, you simply cannot be found by searchers.

So what is the proper way to use SSL to secure a transaction? As explained above, SSL is used to encrypt sensitive data. For an ecommerce website, this would mean encrypting the information your customer submits to you during their transaction. This includes their personal information (name, address, etc.) and credit card information. Some websites collect this information on one page; some collect in on multiple pages. However you choose to implement your checkout every page that transmits your customer’s data needs to be encrypted. Your order confirmation page should be encrypted as well if you print out your customer’s personal information on it.

By only encrypting these few pages we are avoid both pitfalls of using SSL. Since only a few pages are encrypted, and these are only used by the small percentage of your site’s visitors that checkout, we relieve the server of the burden of encrypting the other pages. Plus we do not have to worry about the search engines as they do not need to index your order form or order confirmation page (as it won’t even exist until after checkout anyway).

Technorati Tags: ssl secure socket layer, ecommerce, credit card processing

A big question for businesses entering the realm of ecommerce is how should they approach creating their ecommerce system. Should you use an out of the box package like Yahoo Stores or Shopify? Or should set up everything yourself (hosting, merchant account, shopping cart, etc.)?

Well, let’s look at the pros and cons to each:

Fully Hosted Solution

• Quicker set up

  Using an out of the box solution means everything is set up for you before you even start using the solution. All of the programming and integrating that needs to be done has already been done for you. You only need to customize the solution for your store and add your products.

• Technical issues handled by the solution provider

  Browser compatibility, gateway integration, database connectivity: all handled for you. Knowledge in web programming or other technical skills are not required as this is all handled by the solutions provider.

• Less overall maintenance

  Since the hardware and software that powers the solution is all managed by the solutions provider, all you need to do is manage your products and your orders.

• Possibly better security

  Naturally the security of the data each merchant stores on the provider’s servers is very valuable not only to the merchant but to hackers as well. Normally the security of this information requires constant checking and upgrading to make sure no new security vulnerabilities arise that may allow this data to be compromised. Fortunately the provider handles all of this.

• Higher costs

  Naturally the provider is not going to offer their services for free. Not coincidentally they will not offer it at cost either. You will have the same costs as you would if you attempted to establish the service yourself plus the mark up of the provider.

• Less control

  Since you do not own or control the software offered by the provider you are limited to whatever the provider will allow you to do. This means you cannot customize the software to fit your needs. You can only do what they decide their software will allow you to do. Additionally, this solutions typically do not allow you full customization of the appearance of your store. This means your store either won’t match the rest of your website or, even worse, will look just like every other store hosted by the provider.

“Self Serve” Solution

• Lower costs

  Because you are free to shop around for the software your store will use it is likely that you will find a solution that is well-priced. In fact, there are many free offerings for ecommerce solutions available. You also will be able to sign up for a merchant account that costs less to use then what most third party processors offer.

• More control

  Because you control every aspect of your solution you can be sure it meets your exacting specifications. Your storefront and checkout will seamlessly integrate into your website and provide your customers with a professional shopping experience. You will have all of the features you want and none of the ones you don’t want. You can expand and alter your storefront whenever your business demands it.

• You are now a security expert

  Without a dedicated team minding the security of your storefront you take on the responsibility of ensuring your storefront and your data is safe and secure. You have to keep up with security updates for your software otherwise you risk exposing sensitive data. One occurrence of this can mean the end of your business.

What a smart business will do is make a lit of their priorities and then compare them to this list. One is no better then the other straight up. But one may be better then the other to your specific business based on your needs and wants.

Technorati Tags: yahoo stores, shopify, merchant account, ssl certificate