Making it with mobile commerce

Don’t you love it when folks try to drive excitement up on something they don’t really understand? The latest faux boom I am being annoyed by is the mobile ecommerce market, something the self-proclaimed knowledge leaders are calling m-commerce.

Here are some “facts” that are true: smartphones are forecast to have 27% penetration in the U.S. population by 2010. That’s over 35% of the cellphone market. 3G & 4G network consumption is expected to double in the next 18 months. That’s great news for the telcos, but does that translate into an opportunity for the online merchant?

While it’s true that people are making huge strides in refining mobile video and other content delivery streams for the current platforms, it seems that m-commerce is struggling to find its way. The majority of pundits are predicting a huge market for this kind of retail channel, but it has to be said that we may be expecting too much too early. There is still chronic fragmentation in platforms, and this has to hurt. Building applications aimed at the native platform (as in the iPhone app store) just isn’t viable right now. Who do you target? Nokia at 38%? RIM at 16%? iPhone at 10%? Building for everybody just increases the cost of the MVP as well as the complexity of your effort. I have seen some people trying to get this method to grow: pizza ordering applications, cinema tickets etc. But I don’t think that dog’s going to hunt.

The other option, building for the mobile web, is probably the only viable strategy right now, but it has its own challenges. The primary struggle with aiming for the mobile browser is the huge variance in the capabilities of the provided browser. There is such a variance in standards adherence (there are none) that strategies we have relied on in the recent Web 2.0 universe may not be our allies here. Heavyweight pages requiring relatively large-scale JavaScript libraries are going to provide a less than optimal experience for the shopper, as well as being a quick consumer of some generally miserable data caps.

What I have seen so far has been pretty miserable. So many merchants who don’t get it at all: mobile experiences that rely on native scaling technologies in the browser, or a checkout form that takes hundreds of key presses to get to the “charge me” button. If you are currently considering the mobile web as a sales channel you may wish to consider the following: AVS needs to be turned off. What is the smallest dataset I need to complete the transaction? Your store needs to be simplified to a massive degree. Your customers are not going to navigate their way through masses of sales copy, they won’t scroll endlessly, your products need to be found easily on the site and you need the checkout to be as slim as possible. The alternative is that you will just get a catastrophic abandonment rate and zero conversions.

M-commerce is not e-commerce on a small screen. It’s mobile, fast, shaved down to the minimum. It’s about convenience being king. If the solution provider or the merchant doesn’t focus on the customers’ needs above their own, there is going to be a problem.

EBay illustrates Black Friday

The folks over at EBay, having nothing better to do, have given us a great minute-by-minute heatmap illustrating exactly what “Black Friday” meant to them. You can have a closer look at the result by going here, but in a nutshell there’s nothing unexpected: more population = more activity. Duh.

I am amused by Big Retail’s constant efforts to turn America into one 365-day-a-year shopping frenzy. The efforts of years gone by to push the folklore of “Cyber Monday” have been met by the reality that they don’t get another buying holiday for free here. Bottom line: if you sell on the web then “Black Friday” is as critical to you as it is for the bricks-and-mortar guys. If you don’t sell online, why on earth not? What we are seeing this year is that more and more people are trading the experience of endless queues for shopping the day entirely from their own homes. More power to them.

Heartland boss plays the blame game

OMG, you have to be kidding me? Robert Carr, the CEO of Heartland Payment Systems, famous for what is probably the largest credit card breach in history late last year, has just come out in an interview essentially blaming his PCI auditor for the incident. To quote: “The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn’t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, ‘You’ve got to be kidding me.’ That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can’t reconcile that.”

Here’s some news for you, Bob: the QSA is not your security team. The PCI-DSS standard is not a security standard. Your QSA is not there to replace the skills and initiative of your own security team. They are not responsible for educating your people about common attack vectors. They are there to check that you meet a card industry standard at a point in time. To say otherwise is venal and just shows me that you have failed to take responsibility for the failure that you allowed to happen on your watch.

Security in this industry is everyone’s responsibility, but you as the CEO are ultimately liable, as you determine where resources are spread within your organization. Throwing your QSA under a bus just makes you even more pathetic in my eyes.

PayPal goes dark today?

I was watching some API calls to PayPal fail, fail, fail today around noon and decided to go have a squiz at a couple of PayPal staffer blogs that I follow to see if anyone was talking about what was going on. So apparently they were down hard for about 40 minutes and horribly spotty for an hour or so more. In fact, after about an hour and a half I was still getting email notifications of slowness in the API system, which no doubt is due to queued out-of-process engines trying desperately to get out of the hole.

Well, I have been in their place. Last October we went down for the best part of an afternoon and it was a savage thing, with hapless engineers and crazy PHBs rushing around, so I do have some sympathy. And when you think about how much GMV they process a second ($2K), this means that around $7M in sales were just dropped on the floor. Ha!

UPDATE: Ouch, still getting failure notices from the APIs at 19:00 EST.

Opinion: PCI-DSS, it’s all about shifting risk

I get to hear a lot about PCI lately. From customers, from industry partners and from sibling companies. It’s an acronym that is receiving a lot of hype, and there is a strong showing of folks out there who are determined to find a dollar in it, whether through the use of FUD (fear, uncertainty & doubt) or through the compliance cost carnival.

This week we had a customer call us up and demand that we be PA-DSS certified. We tried to tell him that since we did not distribute our cart or payment processing engine, there was no need to be PA-DSS certified. PA-DSS, or PABP as it used to be called, is a standard intended to be applied to folks who sell software to be installed on the customer’s third-party server. An example of this would be Zen Cart. By the way, out of the hundreds of self-hosted carts out there, currently only 5 are PA-DSS certified, probably due to the high cost of this certification process ($40K). As it stood, this customer took a lot of convincing. Apparently he had engaged a PCI consultant who misdirected him, perhaps through ignorance, but I am cynical about this overnight industry and wouldn’t be surprised if it was a deliberate attempt to grow the scope of the engagement.

Back to PCI-DSS. Another bit of confusion I hear from customers is the belief that they will be “hacker proof” after completing it. Since most merchants will fall under the least restrictive Level 4 category, and their compliance will be measured by a self-answered questionnaire, this seems a little bit like wishful thinking. The whole audit process is aimed at point-in-time compliance. That is, on the day the audit is completed all parties involved attest that it is accurate to the best of their knowledge. Since a clumsy server administrator can undo that the very next day, really all the audit does, even at its most thorough, is reduce the attack surface of the customer’s application, not eliminate it. For an example of this thinking look up the circumstances of the WorldPay breach. WorldPay was certified to the PCI-DSS standard only 2 months prior to gushing customer credit cards like an old-time Texas wellhead.

I can’t help believing that the whole PCI-DSS process is simply a way for card issuers to shift risk and the cost of managing it onto the merchant. Certainly the work required to pass an audit is expensive, not just in terms of hardware (firewalls, IDSs, vulnerability scanners etc.) but also in the labour that now has to be directed at maintaining the standard 12 months a year. When Heartland got breached last year their auditor then got seriously hosed by the card issuers on the grounds that if the audit was accurate the breach would not have occurred. This is rather disingenuous since this “belief” doesn’t seem to be held by anyone else in this process. Let’s accept for a moment that the Big 3 aren’t in the business of making money off invented rule sets (and I personally am not convinced that they don’t have a line in their P&L for compliance income); then certainly the auditors are making a mint. When an audit for a Level 1 processor can run into the hundreds of thousands, somebody is making money. If it walks like a duck etc.

What the heck is a trust mark?

A key component of a successful e-commerce transaction is the establishment of trust between a seller and a buyer. A TNS survey conducted in 2005 for Verisign and rerun in 2006 for TRUSTe established that 70% of internet shoppers had abandoned a shopping cart because of a lack of trust in the site or in the vendor. Now “trust” can be described a number of ways: trust that the merchant is who they say they are (important in these days of phishing sites), trust that the merchant will act in a moral way and that the merchant’s privacy policies etc. are worth the pixels they are printed on, and finally trust that the transaction will be undertaken in a secure manner and that critical data such as identity and credit card data will be safeguarded from interception or misuse.

One method of establishing this “suspension of disbelief” is the display of a trust mark. Although the available options out there vary wildly from company to company, the most common type are the ones that provide some degree of vulnerability scanning with a result badge that is hosted on the mark provider’s site and displayed on the merchant’s website. Some examples of these kinds of products are McAfee Secure (formerly HackerSafe), TRUSTe and Comodo HackerProof. Here is some summary data from that TNS survey:

  • 78 percent of online shoppers say that a seal indicates that their information is secure.
  • Only one in five shoppers did not know what purpose trust marks served.
  • The overwhelming majority of consumers feel it is important for sites to include a trust mark.
  • 88 percent of U.S. online shoppers say it is important for an e-commerce site to include a trustmark of some kind on its site.
  • 79 percent of online shoppers expect to see a trust mark displayed on a Web site’s home page. The majority of shoppers also expect to see trust marks displayed on the page where personal information is entered and where the final transaction is completed.
  • 71 percent of online consumers shop only at sites they know and trust, while 38 percent of online shoppers will only make purchases through sites that include a trust mark.
  • Shoppers not only recognize and value third-party trust marks, but the presence of a trust mark can also persuade them to complete the purchase.
  • Nearly 70 percent of online shoppers have terminated an online order because they did not “trust” the transaction. In those cases, 53 percent indicated that the presence of a seal would have likely prevented the termination.

Now there are some caveats to all of this before you go rushing off to buy a subscription with these providers.

Firstly, the bottom line: will your sales increase and abandonment decrease with these badges on your site? The answer is yes, but how much will depend on the other actions you have taken to improve trust. Does your site look robust and professional? Are you on your own custom domain? Are you protecting your cart pages with SSL? If your site looks untrustworthy then these badges aren’t going to help you by themselves; they have to be part of an overall strategy. Numbers from the badge providers are always suspect, but they seem to claim between a 10% and 20% increase in sales. In order to claim this they should have to prove it too, so look for the small print that describes the basis for their claim.

Secondly, having a trust mark on your site does not mean your site is protected against breaches and hackers. Although the badge provider may offer a periodic vulnerability scan, please know that this scan is necessarily shallow and effectively meaningless from a security perspective. They cannot risk a true intrusion scan on your site in case they cause data loss. Additionally, XSS and SQL injection testing (which is what most of these scans are limited to) will only reveal a minor part of your actual attack surface. Do not rely on a trust badge as a substitute for responsible vulnerability assessments.

Thirdly, have a plan for reacting when you fail the third-party scan. Most of these scanning products will give you a narrow window in which to remediate a failure, after which the badge will turn into a warning swatch. This is the polar opposite of what you want, so when you get a warning notification on Saturday morning you had better have a way to get hold of your developer and the support team at the trust mark provider, otherwise you will drive sales away.

And finally, more is less. Don’t plaster your site in low-quality badges; your customers frequent a lot of e-commerce sites, and repetitive exposure to the same brands of trust mark reinforces the trust effect. Choose a couple of well-known brands that you believe your customers will respond to. McAfee’s product is an example of this: a lot of people know the brand through their AV desktop products, and seeing the McAfee name will work in your favour. It’s true that 20% of your visitors will be oblivious to your efforts, but the savvy ones will check to see that the trust mark is the real deal, and static graphics and home-grown alternatives will give themselves away.

If you want to read more about trust marks then Verisign has a great white paper here; just remember to discount the obvious self-promotion in it and read the underlying messaging.

Network Solutions leaks credit cards?

Ouch! This is going to hurt some people. There are reports that Network Solutions, a major hosting provider and domain registrar, has been pwned over an extended period of time and has exposed over half a million credit and debit cards of mom & pop ecommerce stores.

To quote the Washington Post: “Herndon, Va. based Network Solutions discovered in early June that attackers had hacked into Web servers the company uses to provide e-commerce services – a package that includes everything from Web hosting to payment processing — to at least 4,343 customers, mostly mom-and-pop online stores. The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores, Network Solutions spokeswoman Susan Wade said.”

Click here to read the rest of the article. I hear a lot of people talking about how they aren’t at risk of leaking credit cards because the relatively low numbers they hold don’t make them an attractive target. Sure, they can’t beat Heartland (40M cards lost) for sheer scale, but I believe we are going to see more and more of these second-rank card accumulators getting targeted. What concerns me even more is the length of time this breach went on for (three months) and the fact that Network Solutions still has no idea who executed the breach or how. And these are the guys we are supposed to emulate? Hopefully Visa and Mastercard will give them some PCI-DSS loving.

And of course when you pop over to Network Solutions themselves to get the down low, you can be entertained by the wonderful damage-control doublespeak they use to minimize the fall-out from this unfortunate lapse.

For clarification, Network Solutions is the owner of MonsterCommerce, a well-known hosted ecommerce brand.

Cart abandonment primer, shipping cost shock

Welcome to part 1 of my “understanding shopping cart abandonment” primer, my effort to make the process of reducing your cart abandonment rates more science than shamanism. There are a lot of self-appointed ecommerce gurus out there who will tell you that they and they alone have the true secrets to maximising your completion rates. Here’s a fact for you: if they have a buy button on their site then they are probably taking advantage of the relationship, and you are probably stuck in the middle of someone’s sales letter and about to raise their completion rate.

It’s tough to get real information about abandonment rates. Most people who do know their rates have very little reason to spill the beans. By understating the true abandonment rates they attempt to market a difference that may not be there. Software vendors are even more unreliable: cart abandonment is often viewed as a commercially sensitive number, and if provided it will more than likely be a vanity number created by hand-selecting the underlying merchant dataset. Some studies done by U.S. universities suggest that a blended rate of 70% for all ecommerce may be reliable. Another study gives a very precise 58.9% result from a survey of 1100 North American merchants. The truth is probably somewhere in between these two numbers: 60-70% of online ecommerce transactions end without a successful result. If the merchant is selling a high-risk product (high ticket or intangible product) then the rates would sensibly be even higher.

So why are so many people getting so far into a sales process only to navigate away or close the browser? There are a lot of reasons and a lot of research to explain the psychology of the buyer in this medium. But the subject I will work through today is the phenomenon of shipping cost shock. Here’s the skinny: according to Zen Cart, 46% of respondents to their surveying had abandoned a cart due to the unexpectedly high cost of shipping presented at the checkout step. You need to understand the irrationality of buyer behaviour. The buyer is going to unconsciously compare the cost of acquisition to non-similar sources. That is, they will compare the total cost they are presented with against the total they would pay in their local high street store or shopping mall. It’s not fair, but a common mistake internet retailers make is to think they only need to compete against other internet retailers for the customer’s wallet.

Got that? Okay, here’s a curve ball. A study of over 40,000 completed auctions on the internet auction giant EBay discovered that almost 8% of auctions ended with a sale price higher than what the customer could have bought the same item for in a big box retailer. Hold on, isn’t that a contradiction? No; you see, the main driver in this seemingly irrational behaviour is that those items offered fixed-price or free shipping. So the fact that the vendor offered free shipping or fixed-price shipping lent considerable weight to the purchaser’s buying decision, enough to tip the balance. The customer responds emotionally in a situation that demands rational behaviour. In his or her head they say “I know it’s a bit more than the store, but I don’t need to drive. I can remain passive and the product will come to me.” Convenience wins.

So how do you as a retailer replicate these results? Well, there are some basic things that you can consider. Firstly, look at your sales history on your item: where do your customers live? Is it possible for you to calculate a flat-rate shipping option that will account for all the permutations of shipping cost over the medium term or life span of the inventory? Do you have sufficient margin in your pricing to be able to absorb this cost into your own business? If you can, then you can offer the Holy Grail of ecommerce, free shipping. If you can do either of these things then you can speak to the customer about the total cost of the transaction before they get to the checkout page. The customer has already moved over the hump of the decision point and will likely click that button. Many internet retailers make the mistake of treating the cost of packaging and shipping as a profit center rather than a cost center. That is, they try to derive a profit from this overhead and instead surprise their customer and end up losing the sale. I can’t count the number of times I have reached the checkout page myself and found either an inflated cost for shipping or only premium options being offered.

To that last point, make sure that the shipping options you offer include a truly budget method. Many potential customers will be looking for a reason to assuage buyer’s remorse at this point; if you can offer a low-cost shipping option then the emotional response will be to choose that option so that they can assert to themselves that they are being “responsible” and not wasting their money. By all means offer rush or premium shipping options for those folks who like their gratification in that Gen-X instant form. But the lower the budget option is, the lower the sticker shock will be.

A blended option here is to follow the model that Amazon uses: at a certain cart value, shipping becomes free. This will enable you to prevent low-margin, low-value transactions from nickel-and-diming you out of business while driving ticket average up; everybody wins! Make sure that the cart you use is able to present a range of ways for your shipping and shipping discounts to be offered. Then put these options into practice by offering your product in a number of different shipping models: free, discounted, coupon discounted, free-at-a-trigger-level. Then a moderate amount of sales history (over a month or so) will give you the sweet spot, where the shipping price has been muzzled as a driver for your cart abandonment woes.

And as a final suggestion, if you can’t offer free shipping, try offering the shipping price blended in as a sort of bundle. This tactic helps allay the skepticism that many shoppers show toward shipping prices and has been found to be effective as shoppers tend to forget the total price when comparison shopping.
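As an added example (not code from this post or from any cart vendor), here is a small Python model of the shipping strategies described above: a flat rate derived from sales history, a free-shipping trigger level, a budget option beside a rush option, and the blended bundle price. The order history and the margin figures are constructed assumptions; all money is in cents.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    zone: str          # destination zone, taken from the merchant's sales history
    carrier_cost: int  # what the carrier actually charged for this order, in cents


# Constructed sample sales history (not real merchant data): a month of orders.
HISTORY = [
    Order("east", 410), Order("east", 440), Order("central", 620),
    Order("west", 890), Order("east", 400), Order("central", 650),
    Order("west", 940), Order("east", 450),
]


def flat_rate(orders):
    """One flat rate that recovers the average carrier cost across every
    destination in the history. Shipping is treated as a cost center: the
    rate covers the cost and adds no markup."""
    return round(sum(o.carrier_cost for o in orders) / len(orders))


def can_absorb(orders, unit_margin):
    """True if the average carrier cost fits inside the per-order gross
    margin, i.e. the merchant can offer free shipping without losing money."""
    return sum(o.carrier_cost for o in orders) / len(orders) <= unit_margin


def free_shipping_trigger(rate, margin_fraction):
    """Amazon-style threshold: the smallest cart value whose gross margin
    (assumed margin_fraction of the cart) covers the flat rate, so orders at
    or above it can ship free."""
    return math.ceil(rate / margin_fraction)


def quote(cart_value, rate, free_from=None, rush_rate=None):
    """Shipping options to show *before* the checkout page. 'standard' is
    the budget option and drops to zero once the cart reaches free_from;
    'rush' is the optional premium choice for the impatient."""
    standard = 0 if free_from is not None and cart_value >= free_from else rate
    options = {"standard": standard}
    if rush_rate is not None:
        options["rush"] = rush_rate
    return options


def bundled_price(item_price, rate):
    """Blend the flat rate into the sticker price so the total the shopper
    compared is the total they pay: returns (displayed price, shipping line)."""
    return item_price + rate, 0


if __name__ == "__main__":
    rate = flat_rate(HISTORY)                    # 600 cents on the sample history
    trigger = free_shipping_trigger(rate, 0.25)  # 2400 cents at an assumed 25% margin
    print("flat rate:", rate, "free from:", trigger)
    print(quote(1999, rate, free_from=trigger, rush_rate=1500))
    print(quote(2599, rate, free_from=trigger))
    print(bundled_price(1999, rate))
```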
