So, you want to store credit card information in your site …


Unless you have money to burn, don’t. It’s not worth it.

We’ve been asked a few times to build systems that store credit card data locally on the website because it’s convenient for the client to do it that way, or their product/service cannot be billed immediately.

The key reason not to store the information locally is one of liability.

Imagine that the credit card information stored locally was stolen from your site … you would potentially be liable for all losses on every card taken. That could be hundreds of thousands of pounds, and I doubt your insurance would cover it. It would probably also mean the end of your online business, not to mention the risk of the regulator closing you down. Remember that there are broader issues of identity theft which could carry a liability too.

There are also data protection compliance issues. Depending on how you store the information you could range from compliant to non-compliant, and any non-compliance only exacerbates your liability. Remember too that these data protection issues extend to how your staff access the system and how easy it would be for an employee to grab the data, leave or pass it on, and compromise your organisation … for organisations that have many staff, multiple access points and higher turnover rates, this is a very real issue.

Then you also need to consider Payment Card Industry (PCI) compliance. This is complex and difficult to achieve properly, and unless it is done properly you will be violating your bank’s merchant agreement. At the moment the PCI is pursuing Payment Service Providers (PSPs) for DSS compliance, but after this year they should be ready to move on to enforcing it with merchants directly (i.e. the online stores). The six sections for PCI compliance are:

  1. Build and Maintain a Secure Network
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

From a technology point of view, it can be done. Here’s one scenario to consider.

Install an SSL certificate and a second secure server running behind a firewall, preferably with a non-public IP address and no default route set, so that it is inaccessible directly from the web (and maybe go as far as a dedicated crossover cable between the two servers). The second secure server runs a dedicated SQL server that the web server (website) can only insert into: no selects or any other access. The website itself should run on its own server (dedicated IP) so that there is no risk of a security breach from other sites sharing the same IP address.
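As an added illustration (not code from the original post), here is how the "insert only, no selects" rule for the web server's database account can be expressed in PostgreSQL. The schema, table and role names (cardvault, card_capture, webapp_writer, billing_reader) are assumed for the example.

```sql
-- Added example, not from the original post. Assumed names: schema cardvault,
-- table card_capture, roles webapp_writer (used by the web site) and
-- billing_reader (used only from the secure back-office host).

CREATE ROLE webapp_writer  LOGIN PASSWORD '<set-at-deployment>';
CREATE ROLE billing_reader LOGIN PASSWORD '<set-at-deployment>';

CREATE SCHEMA cardvault;

-- The only place the web tier can write card data.
-- PCI DSS requires stored card numbers to be rendered unreadable (encrypted),
-- so card_data holds ciphertext, never the bare number.
CREATE TABLE cardvault.card_capture (
    id          bigserial   PRIMARY KEY,
    order_ref   text        NOT NULL,
    card_data   bytea       NOT NULL,
    captured_at timestamptz NOT NULL DEFAULT now()
);

-- Start from nothing: no implicit rights for anyone.
REVOKE ALL ON SCHEMA cardvault FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA cardvault FROM PUBLIC;

-- Web site account: INSERT and nothing else (no SELECT, UPDATE or DELETE).
GRANT USAGE  ON SCHEMA cardvault TO webapp_writer;
GRANT INSERT ON cardvault.card_capture TO webapp_writer;
-- bigserial ids come from a sequence, which the insert needs to use.
GRANT USAGE  ON SEQUENCE cardvault.card_capture_id_seq TO webapp_writer;
-- Note: INSERT ... RETURNING would need SELECT on the returned columns, so the
-- web application must not rely on it; the rows are write-only from its side.

-- Back-office account: read access, never used from the web server.
GRANT USAGE  ON SCHEMA cardvault TO billing_reader;
GRANT SELECT ON cardvault.card_capture TO billing_reader;

-- Verify the split: expected result for webapp_writer is t, f, f, f.
SELECT has_table_privilege('webapp_writer', 'cardvault.card_capture', 'INSERT') AS can_insert,
       has_table_privilege('webapp_writer', 'cardvault.card_capture', 'SELECT') AS can_select,
       has_table_privilege('webapp_writer', 'cardvault.card_capture', 'UPDATE') AS can_update,
       has_table_privilege('webapp_writer', 'cardvault.card_capture', 'DELETE') AS can_delete;
```

Pair this with a pg_hba.conf rule that accepts webapp_writer only from the web server's address on the private link, so the database grant and the network path enforce the same boundary.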

For larger companies, this may be a viable option and a requirement. But security is not cheap, and there are procedural considerations on top of the technology. For smaller companies with more restrictive budgets, you should only ever consider using a third-party payment gateway to take credit card information.

Payment gateways such as Protx allow you a secure integration with your website, manage the credit card information for you securely, mitigate the liability risk, include deferred payment options (so you only bill when you ship) and cost only a £20 per month flat fee.

The cost of developing your own system, not to mention the hardware and annual support costs, is significantly higher than using a company that has already invested huge sums of money to ensure security. And don’t forget the lurking liability costs too.

How people shop online


I was just reading through the transcript of a “just published” Marketing Sherpa Ecommerce study which I contributed to and thought that one paragraph was very interesting and bore repeating:

Anne: I think this really shows you another thing as well and that is, that consumers are treating Ecommerce sites, and you see on the next slides as well, consumers are treating Ecommerce sites in a very different way than they treat print catalogs and in a very different way than they treat brick and mortar retail stores. What you’re seeing is very little browsing activity. I mean, I know when I sit down with a catalog and in fact there are eye-tracking studies in the catalog industry, that if you are sending a catalog, in particular to your house list. They’re really looking at the images. They’re really examining it. They’re saying, “Hmmm, should I buy this…” They’re really enjoying that browsing, shopping activity. The same thing happens with a lot of shoppers in brick and mortar, depending on the type of store you have. But they’re coming in and enjoying the environment. They may be examining a lot of different things. You know, you’re in the mall, it’s Saturday afternoon. You’re enjoying yourself. This is almost an entertainment activity. It doesn’t seem to be the case with online Ecommerce according to the eye-tracking studies. Now we studied eight different Ecommerce stores including Amazon, eBay, a whole bunch of them. Most of them you didn’t see that kind of entertainment activity and what I think is interesting is that a lot of/some Ecommerce marketers are making the assumption that the entertainment mindset is there. Certainly Bombay with that big gorgeous picture is sort of thinking, “Well, we know our Bombay shopper. They love to look at these big beautiful pictures.” But indeed, people barely glanced at it. What are people doing instead? They’re looking at the navigation. And we see consistently, people going zooming right to the navigation. Pretty much ignoring anything else. So they’re treating the Ecommerce site as a search engine, as a search tool. You are not a store; you are a search tool to get to where people want to go.

So, you can forget the bells and whistles when it comes to designing the core of your ecommerce site. As the latest Marketing Sherpa study shows, unless you can get your visitors from where they enter your site to what they’re looking for quickly, you’ll be passed over for other sites that do. Ecommerce is not about browsing, it’s about finding - and fast.
