Manufacturing eCommerce

Passing a PCI Compliance Security Audit

2/11/2010 by Michael Losapio

As part of the process to be PCI compliant, one of our eBusiness customers recently underwent a security scan by their processor's PCI audit vendor. The results of the initial scan of their eCommerce website were less than I'd expected - a failure. Failure?!? How? Why?

1. "The remote service accepts connections encrypted using SSL 2.0."
2. "Possible cross site scripting"

#1 was simple enough to resolve... make a quick registry change, reboot the server, and you're done (see here for Microsoft's instructions). Why did we need to do this - SSL 2.0 is open to "man in the middle" attacks where someone could potentially intercept the data transmission and essentially control the transmission, unbeknownst to those at either end of the data transmission.

For any eBusiness using an SSL Certificate on their eCommerce website, and thinking they are providing safe commerce to their customers - beware, you may be vulnerable.

#2, in my opinion, was crap. Here's the situation - we have a textbox on the webpage that takes user input and appends it to the querystring while redirecting to the search results page. This search results page takes the search criteria from the querystring and passes it to a stored procedure that scrubs it for SQL injection and returns the results. One additional thing the page does is display the search criteria in a label. Sounds pretty straightforward, right? Apparently since we weren't scrubbing the search criteria before displaying it on the page, we were "vulnerable" to cross-site scripting.

I do not agree - the definition (thanks Wikipedia!) of cross-site scripting is "a type of computer security vulnerability typically found in web applications which enable malicious attackers to inject client-side script into web pages viewed by other users." The key here is "other users." Sure, the page ran whatever script was entered into the Search textbox, but it would've only been for that user session... these results would not appear for others. Congratulations, Mr. Hacker! You just fell victim to your own script! So I sucked up my pride and added code to scrub the search criteria before passing it to the next page - you win this round, PCI Compliance...
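Worked example, added here and not taken from the original post or from TwinEngines' code: a Python sketch of the search-results label before and after the fix. The reason a scanner flags a reflected query-string value is that a link carrying the script runs in the browser of whoever follows that link, not only in the session that typed it into the search box, so the defensive rule is to HTML-encode the value before it reaches the page. The URL, the `q` parameter and the `lblSearch` id are constructed assumptions; the payload is the one quoted in the post.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed sample: the URL the browser requests after the search box
# redirects with the typed criteria in the query string (assumed parameter "q").
SAMPLE_URL = "/search.aspx?q=%3Cscript%3EYou%27re+an+awesome+guy%21%3C%2Fscript%3E"


def criteria_from_url(url: str) -> str:
    """Pull the raw search criteria out of the query string, as the results page does."""
    qs = parse_qs(urlparse(url).query)
    return qs.get("q", [""])[0]


def render_label_unescaped(criteria: str) -> str:
    """Original behaviour: the criteria is dropped into the label markup as-is.

    Whatever markup the query string carries becomes part of the page.
    """
    return f'<span id="lblSearch">Results for: {criteria}</span>'


def render_label_escaped(criteria: str) -> str:
    """Hardened form: HTML-encode before the text reaches the page.

    The browser now shows the characters instead of interpreting them;
    quote=True also encodes ' and " so the value is safe inside attributes.
    """
    return f'<span id="lblSearch">Results for: {html.escape(criteria, quote=True)}</span>'


def contains_script_tag(markup: str) -> bool:
    """Simple check used to compare the two renderings: is there a live <script> tag?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    criteria = criteria_from_url(SAMPLE_URL)
    print("unescaped:", render_label_unescaped(criteria))
    print("escaped:  ", render_label_escaped(criteria))
```

Encoding at output time is the point: the stored procedure's SQL-injection scrubbing protects the database, but it says nothing about what the browser does with the same string when it is written back into HTML.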

So after implementing both "fixes," the eCommerce website passed and is now PCI Compliant. I'm sad, though, that I can no longer search for <script>You're an awesome guy!</script> and have the browser give me a little pat on the back for doing a good job.

eCommerce - Measure Your Conversion Rate

1/25/2010 by Jack Burnett

The conversion rate may be the most important web metric in an eCommerce website. A good conversion rate is important because conversions lead to sales, and sales lead to profits.

The definition of conversion rate is:

Conversion rate (measured in %) = Number of Sales / Number of unique visitors

Customers ask me what a good conversion rate is. The answer is simple - your conversion rate should be high enough for you to be profitable. It may only be 1% or 3%, or you may need a 15% conversion rate to be profitable.

For an eCommerce site, you can measure your monthly conversion rate manually.

  1. Find the total number of unique visitors to your website in a month no matter how they find your site (direct and referrals)
  2. Calculate the total number of sales in a month.

At TwinEngines, we use MediaChase as our eCommerce technology platform, and we implement Google Analytics to track website performance. Our customers log into their eCommerce management website and find the total number of sales. They get their total number of visitors from the Google Analytics dashboard.

I recommend measuring your conversion rate over a calendar year to get a complete understanding. You'll be able to break the year down into seasonal periods and around other outside events that influence your sales.

Here is a link to an article on an automatic way to measure conversion rates - using Google Analytics.

Manufacturing eCommerce Resources

12/30/2009 by Jack Burnett

At TwinEngines, I use several manufacturing eCommerce resources for information on implementing manufacturing eCommerce websites and dealer and wholesaler web portals. My goal is helping manufacturers and companies participating in the manufacturing value chain be more competitive with an effective web presence built on lean principles.

In my experience helping small and mid-market companies increase sales with manufacturing eCommerce websites, I have compiled a list of resources and websites that provide valuable insights and information. I hope you find this information helpful, and if you have another resource, please add it to the list.

Top 5 Things to Make your Website Lean

10/22/2009 by Jack Burnett

Web Value Stream Management

TwinEngines specializes in helping manufacturers and businesses with manufacturing value chains operate more efficiently and increase profits. When it comes to a company's web presence for marketing and selling online, we extend lean principles and value stream management to 5 key areas in manufacturing websites.

1. Website Value Proposition - Visitor Conversion

  • Purchase managers, engineers and your prospects easily find your website
  • Your website makes a good first impression conveying a professional, trustworthy company
  • Visitors to your website take the action that you want them to take

2. Content Management System

  • Eliminate waste inherent when your web/hosting supplier has to update your content
  • Respond quickly to the marketplace and competition
  • Simplify website management duties

3. CRM Integration

  • Streamline your sales, service and support operations by connecting your website to CRM systems such as SalesLogix, Salesforce.com and Microsoft Dynamics
  • Consolidate website leads and get them to your sales team efficiently
  • Measure customer conversions and campaigns for continual improvement

4. Product Catalog

  • Seamlessly integrate your product catalog and generate leads for your internal sales team
  • Make it easy for buyers and engineers to find what they need and contact you
  • Consolidate CAD drawings, how-to videos and specification sheets

5. eCommerce Integration

  • Centralize order processing by integrating your secure shopping cart to your financial and ERP systems such as MAS, Visual, QuickBooks and Microsoft Navision and GP
  • Provide shipping costs and real-time inventory when customers place orders, simplifying fulfillment and warehouse management tasks
  • Manage product/sku information in one place eliminating duplicate data entry

Whether your website targets dealers, distributors and wholesalers or allows consumers to purchase your products, TwinEngines can help to simplify, consolidate and eliminate waste for an effective web presence. Your website should work smoothly for your customers, and it should work efficiently for you, too.

TwinEngines offers a free website consulting service tailored to finding efficiencies, identifying solutions and creating a roadmap for continual improvement. 

Call us today for your free Website Value Stream Mapping consultation.

10 eCommerce Website Best Practices

9/01/2009 by Jack Burnett

At TwinEngines, I lead manufacturing automation initiatives and specialize in eBusiness and integrating eCommerce to back-office systems and business processes. I recently guided a client through the process of opening a new sales channel on the Internet, following ten eCommerce website best practices. A retailer has a store in the Savannah, GA area, and wanted to reach more consumers and businesses along the east coast. We started by mapping the existing order and fulfillment processes to figure out the best way to integrate the web orders into their processes and financial and shipping systems. Pulling current item counts and pricing from their inventory management system was an important customer service consideration, too.

The web presence was created following a custom web design approach; after the goals and objectives of the website were documented, compositions showing the look and feel and the information architecture were created. Once the design was finalized, the product pages were described in wireframe drawings. The analogy to building a house describes the necessity to pick out the style of the structure and decide on floorplans before starting to build the house. Don't make the mistake of having a web developer start building and then determining what the website will look like and how people will interact with it.

We followed these ten eCommerce website best practices:

  1. State the security method for transmission of payment information, adhering to the Payment Card Industry (PCI) Data Security Standard for storing cardholder data.
  2. State the return policy clearly and accurately during the order process and incorporate an interaction for the shopper to accept the policy.
  3. Provide a complete description of the products and services you offer, including photos and availability.
  4. When providing age-restricted products, clearly state the age restrictions and have an age-verification process.
  5. State the shipping method and policy clearly and accurately, and incorporate an interaction for the shopper to accept the policy.
  6. Include unique meta titles, descriptions and keywords for each individual product category and product detail page.
  7. Display your store address so it can be seen during the checkout process - the page footer is usually a good location.
  8. Display your customer service contact including email and phone number.
  9. State clearly your consumer data privacy policy and website terms of use.
  10. Allow anonymous orders where the consumer does not have to create an account as a prerequisite to making a purchase.

We successfully launched the website on our hosting platform in Atlanta, GA, and now we are focusing on search engine marketing, social media and email marketing efforts.

Manufacturing eCommerce Website Top Ten Tips

8/06/2009 by Jack Burnett

I help manufacturers extend their sales to the web, and I help companies participating in the manufacturing value chain to establish eCommerce with consumers (B2C) and with other businesses (B2B). One of the most important keys to success for a manufacturing eCommerce website is a technology platform that has the functionality, flexibility and scalability to grow with your business. B2B and B2C eCommerce websites require the latest technology features for companies to provide a positive shopping experience that leads visitors from a web search to a purchase, and one that also gives you the tools to fulfill orders and collect payments easily.

TwinEngines uses the MediaChase eCommerce framework to provide the functionality required in an eBusiness. Our developers can configure and customize MediaChase quickly and cost-effectively for each product catalog and eCommerce store. This includes the back-office administration website to manage the web pages and SEO content, the product catalog, orders, shipping, credit card payments and customers. In fact, the entire eCommerce business can be managed with the MediaChase platform.

So MediaChase is a great technical foundation to grow an eBusiness; now here are my top ten tips for manufacturers considering an Internet sales channel for products, parts and accessories:

  1. Don't over-commit to maintaining all the content and SEO on your eCommerce site. Realize that if you can spend your time more effectively running and promoting the business, then it makes sense to turn to your web development partner to help you manage content and SEO.
  2. Use a professional to create the product photos or obtain them from the OEM, if applicable. The photographer should create photo versions for both traditional marketing materials and the web. 
  3. Associate the parts and accessories with the finished goods to make it easy to find replacement parts and encourage additional items to purchase.  Displaying a CAD drawing with an exploded parts view makes it easier for visitors to make a purchase.
  4. Describe your products so shoppers can't resist buying them. Talk about the benefits, and consider a copywriter to make your products irresistible.
  5. Your website home page should communicate clearly so your customers understand instantly what are your products and the benefits of buying from your company.  Include links directly to the product catalog and featured products that can be added to the shopping cart.
  6. Devote resources to search engine marketing from the beginning.  When you are building the website, that's the time to begin planning keywords, content and link building.  If people cannot find you when they search, then you will not sell your products to them.
  7. The look and feel of the website and the ease people can navigate to find the information they need to make a purchase is very important.  If people feel that they cannot trust you due to a cheap looking website with broken links, then they will find your competitor to make a purchase.
  8. Allow customers, dealers and wholesalers to create an account where they can update personal information, track orders and warranties.  Also allow customers to place orders without requiring them to set up an account; setting up an account to place an order will drive some customers away.
  9. Communicate shipping costs and methods for an order early in the check out process.
  10. Include manuals and brochure documentation easily accessible for each product or product family.

TwinEngines is an Atlanta manufacturing technology company that has extensive experience in building and designing eCommerce websites for companies participating in the manufacturing value chain. We are experts in integrating your eCommerce website to your financial and fulfillment systems. We can improve your Search Engine Optimization, and help you implement Google Search technology and search at your site.

PayPal Payflow Pro Upgrade for eCommerce Websites

7/22/2009 by Jack Burnett

PayPal, the owner of the PayFlow Pro Gateway - a popular credit card payment gateway for eCommerce websites - has announced a new update to their standard software for custom shopping cart applications.

TwinEngines creates manufacturing websites, industrial websites and content managed websites for small businesses. Our expertise includes the Payflow Pro credit card payment gateway as well as the Authorize.Net gateway. The new PayPal PayFlow Pro Gateway interface is live now, and the old gateway software will be shut down on September 1, 2009.

Our eCommerce website platform is a configurable system, where TwinEngines staff easily change configuration settings and developers extend capabilities for unique eBusiness applications.  Our developers created a patch update for existing eCommerce websites that upgrades the gateway plug-in, and included the new plug-in as part of our baseline eCommerce platform for all future updates.

From PayPal:
"We've added new security features to our Payflow gateway service that will make your payment processing even safer. Because of these new features, you must update the Payflow code that's integrated into your web site. All merchants should update to Payflow Pro Software Development Kit (SDK) version 4.3 or higher, or use our direct HTTPS Interface."

If you are a manufacturer, distributor or an eBusiness and operate an eCommerce website that accepts credit card payments using the Payflow Pro credit card gateway, then you will need to update the gateway connection before September 1, 2009. After that date, your eCommerce website will no longer be able to process credit card transactions.

Are You PCI Compliant?

5/21/2009 by Jack Burnett

I am helping a marine supplies company expand their customer base and increase consumer sales with a new eCommerce website. Consumer sales means credit card payment processing. Credit cards mean PCI compliance.

Some people think that PCI compliance is the big credit card companies' attempt to push the responsibility down to the merchants, so they don't have to spend money now to upgrade their infrastructure from the 1980s. While there may be some truth in that, a merchant is responsible for protecting its customers' credit card information when they purchase its products. If it wants to offer VISA, MasterCard and American Express credit card payments, then it has to follow the rules.

Wikipedia says the Payment Card Industry Data Security Standard is a worldwide information security standard created to help organizations that process card payments prevent credit card fraud. The standard applies to all organizations which hold, process, or pass cardholder information.

PCI compliance means that merchants and eCommerce solutions must follow the standards or be liable for credit card fraud. There are 6 core principles and 12 requirements to follow. The major business areas to consider for a merchant are:

  • Merchant's facility, order processing and internal financial/ERP systems
  • eCommerce website
  • Credit card processing gateway
  • Processor
  • Merchant Bank

I recommend Authorize.net and PayPal Payflow Pro credit card processing gateways in our eCommerce websites, because they are rock-solid PCI compliant. A merchant chooses their Merchant bank and processor company, and best practices dictate due diligence to ensure PCI compliance. This happened to be a concern for the marine supplies company, because they chose to use Heartland as the processor. Heartland was removed from the PCI-compliant list in March because of data breaches (see eCommerce Times article here), so it was important to ensure they were back on the PCI-compliant list; they were reinstated earlier this month.

TwinEngines eCommerce solutions do not store full credit card information in the website database. Very limited, partial information is stored only for customer service. The shopping cart transaction is secured with SSL, and does not display full credit card numbers anywhere after the card information is taken. The administrative engine used in eCommerce websites connects directly to the credit card processing gateway to authorize payments at check out and to capture the charge at shipment.

Some merchants use the eCommerce website administration tool to process phone orders, ensuring PCI compliance. The eCommerce website holds the credit card gateway transaction numbers to allow the merchant to work with the transactions securely in the credit card gateway's virtual terminal. This is necessary for activities such as voiding an authorization or crediting a card when needed.
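As an added example (not TwinEngines' code and not from the original post), here is a Python sketch of the storage rule described in the two paragraphs above: the website database keeps only the last four digits for customer service plus the gateway's transaction reference, so later voids and credits are done in the gateway's virtual terminal and the full card number is never stored or displayed after capture. The card number and gateway reference are constructed placeholders, and `record_leaks_pan` is a hypothetical self-check that no stored field carries more of the number than the masked display does.

```python
import re

# Constructed sample values: a well-known test card number and a placeholder
# for the transaction reference a gateway returns after authorization.
SAMPLE_PAN = "4111 1111 1111 1111"
SAMPLE_GATEWAY_REF = "PNREF-EXAMPLE-0001"


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and sanity-check the length of a card number."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("card number must be 13 to 19 digits")
    return digits


def mask_pan(pan: str) -> str:
    """Display form: everything except the last four digits is replaced."""
    digits = normalize_pan(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def build_stored_order_record(order_id: str, pan: str, gateway_ref: str, auth_amount: str) -> dict:
    """What the website database keeps after checkout.

    The full number goes to the gateway for authorization and is then dropped;
    the record holds only last-four for customer service and the gateway's
    transaction reference for voids, captures and credits.
    """
    digits = normalize_pan(pan)
    return {
        "order_id": order_id,
        "card_last4": digits[-4:],
        "card_display": mask_pan(digits),
        "gateway_ref": gateway_ref,
        "auth_amount": auth_amount,
    }


def record_leaks_pan(record: dict, pan: str) -> bool:
    """Hypothetical self-check: does any field contain a run of five or more
    consecutive digits that is part of the card number?"""
    digits = normalize_pan(pan)
    for value in record.values():
        for run in re.findall(r"\d{5,}", str(value)):
            if run in digits:
                return True
    return False


if __name__ == "__main__":
    record = build_stored_order_record("ORD-0042", SAMPLE_PAN, SAMPLE_GATEWAY_REF, "129.95")
    print(record)
    print("leaks card number:", record_leaks_pan(record, SAMPLE_PAN))
```

The self-check is deliberately stricter than "no full number": a free-text notes field that an order clerk pastes a card number into is the usual way partial storage quietly turns into full storage.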

If you are selling online, the first place to start is the PCI DSS questionnaire found at the PCI Security Standards Council. You'll also find the 6 core principles and 12 requirements established by PCI SSC. After you do your homework, make sure your eCommerce website will be in compliance when selecting a partner to help you implement commerce on the web.
