Everything You Need to Know About Achieving PCI Compliance [Checklist Included]

Jon Marsella, The BigCommerce Blog, 6 April 2018. https://www.bigcommerce.com/blog/pci-compliance/

If you’ve been contacted by your bank or financial institution lately only to discover that your credit card information has been compromised, then you’ve felt the growing frustration many consumers face today.

Indeed, the situation with respect to credit card fraud is only getting worse.

Dealing with a compromise is a time-consuming hassle from a consumer’s perspective.

This is particularly because many of us maintain large numbers of (supposedly secure) personal online profiles that afford us a convenient way to deal with recurring monthly or annual payments.

How can we be sure that these online service providers, who so readily accept and retain our credit card information, are taking the appropriate measures to secure it?

This is the purpose of PCI DSS –– and every retailer is required to comply.

Depending on the ecommerce technology and backend a retailer uses, PCI compliance can be an easy check on a long list of things retailers need to do to ensure their customers are transacting securely.

Or it can be a big pain –– costing ample time, resources and money.

In this guide, you’ll learn:

  • What PCI DSS is.
  • How to achieve it for your business.
  • How your ecommerce backend plays a large role in your required effort.


What is the PCI DSS?

PCI DSS is a set of standards that all businesses transacting via credit card must abide by.

Originally created by Visa, MasterCard, Discover, and American Express in 2004, the PCI DSS has evolved over the years to ensure that online sellers have the systems and processes in place to prevent a data breach.

The most recent version is PCI DSS 3.2. Version 3.2 was introduced in April 2016 and officially replaced version 3.1 on February 1, 2018 as the standard all companies must follow.

The PCI Security Standards Council (PCI SSC) defines a series of specific Data Security Standards (DSS) that are relevant to all merchants, regardless of revenue and credit card transaction volumes.

Achieving and maintaining PCI compliance is the ongoing process an organization undertakes to ensure that they are adhering to the security standards defined by the PCI SSC.

The SSC defines and manages the standards, while compliance to them is enforced by the credit card companies themselves.

Again, these standards apply to all organizations that deal with cardholder data.

Cardholder data refers specifically to the credit card number, along with cardholder name, expiration date and security code (CSC).

In total, PCI DSS outlines 12 requirements for compliance.

Twelve requirements may not sound like much. In fact, a quick scan for PCI compliance documentation online will lead you to believe that PCI compliance is easy.

In reality, maintaining PCI compliance is extremely complex — especially for large enterprises.

It actually means you need to comply with a total of 251 sub-requirements across the 12 requirements outlined in PCI DSS 3.2 to fully address the growing threats to customer payment information.


Why Credit Card Security is Often a Neglected Subject

Jasper Studios provides ecommerce development services to omnichannel retailers both large and small.

As such, we have seen every kind of credit card storage transgression imaginable.

We’ve witnessed cardholder data stored in plain text files without any encryption or basic obfuscation residing under the CFO’s desk in a dusty PC dating back to the late 1990’s –– all freshly captured from an insecure payment gateway in a homegrown ecommerce platform.

  • Could my credit card number have been stored in that dusty old PC?
  • Was yours?

This sort of practice is plain negligence.

Fortunately, this isn’t a practice undertaken by most organizations, and where it does occur it is typically caused by unintentional ignorance on the subject.

But, these sorts of horror stories still persist today.

No wonder so many of our credit cards have been or eventually become compromised.

It’s not just smaller organizations that can have deplorable standards for data security.

Most Notable Retail Data Breaches:

In 2005, Wal-Mart had a serious security breach targeting their point-of-sale systems.

An earlier internal audit revealed thousands of customer card numbers and other personal data had been found on their servers in unencrypted form.

This data may have been compromised during the breach, although that has not been officially confirmed.

More recently, in 2013, U.S. retail giant Target Corporation was hacked –– a staggering 40 million credit and debit card numbers were stolen from their network.

In 2014, Home Depot saw a similar breach –– with 56 million credit card numbers stolen.

And in 2018, Saks and Lord & Taylor became the latest victims of a breach, this time via a hack of their in-store POS solution.

If this can happen to some of the world’s largest retailers, it can certainly happen to smaller ones, too.

Do I need to ensure PCI Compliance for my organization?

If you operate your own on-premise or self-hosted cloud commerce solution, then the short answer is, yes.

Ecommerce PCI compliance is important whether you run a single brick-and-mortar retail location or you are a large organization selling goods across multiple stores and ecommerce sites: anywhere your credit card merchant account has been connected and integrated requires attention.

All credit card transaction volumes your organization processes are aggregated across multiple channels (i.e. in store retail point-of-sale terminals and online payment gateways) and summed up to determine an appropriate PCI compliance level.

This means a large international retail chain handling 6 million transactions per year will still be considered a Level 1 merchant (the strictest level) and will be held to the highest of PCI compliance standards, even if their related ecommerce store processes less than 500 sales orders per month.

Fortunately, if you operate a SaaS-based ecommerce store and do not have any access to credit cardholder data (which is the case for most modern SaaS commerce platforms), your PCI compliance burden is greatly reduced.

The heavy lifting rests in the hands of the technology experts working for the SaaS companies, which in our professional opinion is exactly where it belongs.

How SaaS compares for PCI Compliance:

SaaS solutions like BigCommerce take care of the vast majority of the steps toward ecommerce PCI compliance for any customer on the platform.

With ecommerce software like Magento, a business has to pay someone to set up servers and networking, and then secure that infrastructure, before its online store can be PCI compliant.

Magento is not PCI compliant out of the box. In fact, thousands of Magento stores are continually breached as a result.

Ecommerce PCI Compliance Requirements

If you host and manage your own ecommerce platform (i.e. a custom solution), you will need to ensure PCI compliance for your organization.

The first step is to determine the required compliance level.

All merchants fall into one of four levels based upon credit or debit card transaction volume over a 12-month period.

Level 1 is the strictest in terms of DSS requirements, while Level 4 is the least strict.

Almost all small and medium sized businesses (SMBs) classify as Level 3 or Level 4 merchants; however, this does not remove the need to maintain compliance with the same diligence as larger organizations.

In fact, it’s a costly misconception encountered amongst SMBs who believe they do not need to worry about compliance at all because they don’t do a significant enough volume of online or in-store sales.

Non-compliance is equally as costly as a breach, after which you are required to assess to the Level 1 standard for the next year, including an on-site audit.

BigCommerce’s PCI Compliance:

BigCommerce’s Cardholder Data Environment is PCI DSS Level 1 certified as both a Merchant and a Service Provider.

This protects against credit card data breaches and eliminates the massive cost and hassle of compliance.

Penalties for Non-Compliance

PCI is not, in itself, a law.

It’s a standard that was created by the major card brands including Visa, MasterCard, Discover, AMEX and JCB.

The credit card companies typically do not directly handle payment processing functions themselves, but rely on third party processors (such as Chase Paymentech or Moneris Solutions) to handle the transactional services.

Merchants that do not comply with PCI DSS and are involved in a credit card breach may be subject to fines, card replacement costs or incur costly forensic audits.

The credit card companies, at their discretion, are the ones who administer fines to the merchant’s bank (or similar financial institution, known as the acquirer); these can range between $5,000 and $100,000 per month for PCI compliance violations or breaches.

The bank/acquirer in turn passes the fines downstream until it eventually hits the merchant.

On top of fines that originate from the credit card companies, merchants may be subject to additional penalties from their bank as well.

Banks and payment processors may terminate their relationship with the merchant altogether, or simply increase per-transaction processing fees and require the merchant to pay for the replacement of the credit cards that were compromised in the originating breach.

What’s arguably even worse is that the bank or processor may require the merchant to move up a level in compliance if they are breached, making the adherence requirements all the more onerous on the merchant moving forward.

Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a business.

It is important to be familiar with your credit card merchant account agreement(s), which should fully outline your exposure.

What the PCI Data Security Standards Involve

The full PCI DSS (data security standard) is an extremely dry read, akin to watching paint peel agonizingly off your wall on a hot summer afternoon.

It is also a fairly technical subject, which is summarized in the next section.

Most of the topics found in the PCI DSS deal with maintaining a professional data storage solution.

It includes information on securing an internal hosting network, adequately protecting cardholder data, implementing strong user access control measures, managing data security policies, executing a vulnerability management program and performing an external security audit.

It also provides detailed instructions on how to complete your own PCI Self-Assessment Questionnaire.

In all, if you’re a pure play (i.e. online-only) merchant that does not have a physical retail store but you accept, retain or transmit credit card data through your own self-hosted ecommerce store (via open source platforms such as: OpenCart, ZenCart, Magento, etc.) you should positively familiarize yourself with the PCI Security DSS and understand your required compliance level.

Consider hiring a qualified external party who is well versed in PCI subject matter and can provide an objective opinion on how to specifically achieve compliance for your organization.

PCI compliance is its own entire universe of complexity and many organizations don’t have the internal resources qualified enough to delve into its bowels.

We also recommend obtaining an independent adoption consultant along with a Qualified Security Assessor (or QSA). PSC is one such QSA partner who can provide detailed guidance as to how to obtain compliance and also act as an independent auditor to test your internal security.

Ecommerce PCI Compliance on Open Source Platforms

The topic of PCI compliance is immensely important to any online retailer that transmits or stores cardholder data (i.e. credit card or debit card information) in their own, physical on-site servers or remote data farms.

Cardholder data transactions processed through an online store and a retail point-of-sale system combine to form a single transaction volume, which is used to determine an organization’s merchant compliance level.

SaaS is PCI Compliant Out of the Box:

Keep in mind that if you are using a SaaS or cloud-based ecommerce technology solution like BigCommerce, your PCI compliance burden is greatly reduced through your provider.

For those not utilizing a SaaS or cloud-based ecommerce technology, the following information outlines the steps you must take in order to ensure that your online business is PCI compliant.

Your compliance level determines the amount of work you need to do, and the levels are as such:

  • Levels 1 and 2 are for merchants processing 1,000,000 transactions or more per year
  • Level 3 applies to an organization that processes greater than 20,000 credit or debit card transactions per year
  • Level 4 applies to an organization that processes less than 20,000 transactions per year

In the interest of brevity, as this subject is vastly complex, we’ll concentrate on a Level 3 or Level 4 organization.

Self Assessment for PCI Merchant Levels 3 and 4

If you are a Level 3 or Level 4 merchant, the PCI DSS provides you the option of doing an internal assessment, whereby a qualified staff member or corporate officer from your organization can perform his or her own audit and sign-off to produce a formal PCI DSS Attestation of Compliance package indicating such.

The first steps are to determine your required compliance level and then download and review the appropriate Self-Assessment Questionnaire (SAQ) found on the PCI SSC Website.

There are different SAQs for each merchant level and also different related DSS Attestation of Compliance forms for each level as well.

Before you venture down this path and attempt to download your SAQ and get started, you’ll need to first digest a six page document just to figure out which SAQ form to use in the first place.

And, if you aren’t thoroughly bored and confused after doing that, you almost certainly will be after referring to the lengthy PCI glossary of acronyms and technical jargon related to the subject.

In my humble opinion (and also according to the PCI SSC themselves), the best and easiest thing to do here is to contact your merchant bank and have them help you identify which specific documents you need to use.

This is an essential step, as they will often point out deviations from the standard PCI DSS that they feel may apply in your case.

Level 3 merchants require quarterly external vulnerability scans by an ASV (Approved Scanning Vendor).

A list of ASVs can be found on the PCI SSC website and includes such companies as Cisco Systems Inc, Alert Logic, Inc and Backbone Security, Inc, to name a few.

Completing a self-assessment questionnaire for Level 3 and Level 4 merchants is based upon the honor system, much like completing your income tax return.

It’s tempting for organizations to guesstimate their way through some answers or outright fabricate them to avoid the human and physical resource expenditures required to correct vulnerabilities.

Many frankly don’t understand some of the items on the SAQ to begin with.

That said, don’t be dishonest or misrepresent information on the SAQ. If you have a data security breach and your documents come under scrutiny, you can be fined heavily and, in the worst case, your merchant account(s) can be dropped by your bank/financial institution.

Achieving PCI Compliance: Getting Started

The PCI DSS contains what are actually common-sense general data security best practices for any system administration team that is used to hosting sensitive corporate information in a modern network environment.

The trouble in reaching compliance begins when an organization does not have a sufficiently experienced internal IT/IS department and discovers that its internal hosting environment is wildly insecure: susceptible to internal snooping by its own staff, or wide open to outside intrusion.

Every organization aiming to achieve PCI compliance begins in the same place.

There are three steps in the journey to adhering to the PCI DSS and becoming compliant:

  • First, Assess –– Perform your own audit to identify the cardholder data you are responsible for, take an inventory of your IT assets and business processes for payment card processing and analyze them for vulnerabilities that could expose sensitive cardholder data.
  • Next, Remediate –– Fix the vulnerabilities you discover in priority sequence. Ideally move away from storing cardholder data at all unless you absolutely need to. Many organizations store cardholder data within their own homegrown ecommerce platforms after taking a one-off guest checkout order with no intention of using the information again. In this case, why hold onto it at all? Only a merchant looking to set up recurring billing may actually need to retain cardholder data themselves and we’ve often found that B2C ecommerce merchants typically don’t need to support recurring billing profiles.
    • Having cardholder data stored by an external qualified body instead of your own organization, wherever and whenever possible, is ideal, because nothing will help you reach PCI compliance more quickly than not storing or transmitting cardholder data at all.
  • Finally, Report –– Compile and submit required remediation validation records (if applicable), and submit compliance reports to the acquiring bank and card brands (i.e. Visa, Mastercard, Amex, etc.) with which you do business.

Completing the Self Assessment Questionnaire (SAQ).

The SAQ is a relatively short document (i.e. five or six pages long) and can itself be completed in a number of hours by someone qualified within your organization.

The real work, though, lies in answering the SAQ questions truthfully and thoroughly, and in a manner that will actually result in achieving compliance.

In so doing, an organization will doubtlessly encounter some significant technical challenges.

Below is a quick outline of what you can expect, based on my own experience in seeking compliance for clients.

1. Technical Challenges to Satisfying the SAQ.

Even if credit card data only passes through your self-hosted (i.e. non-SaaS) ecommerce platform, you are still on the hook for ensuring that any related servers you control (be it your database server, PoS system, credit card processing terminal, utility server or internet application server) are sufficiently secure and compliant.

Each server that stores or transmits cardholder data forms part of what is termed the CDE (cardholder data environment) and requires:

  • Tripwire software with a notification escalation profile to alert administrators that someone may have gained unauthorized access to the server and/or tampered with the files/permissions on the server. A tripwire (file integrity monitor) is software that detects a code change or a change to the file structure profile of a server, typically by comparing file hashes and permissions against a stored baseline. A notification escalation profile is a series of automated email or SMS messages dispatched to key systems personnel in the event that an intrusion is detected or an unexpected change to the file structure profile has occurred.
  • Virus scanning software installed and running daily.
  • Its operating system to be kept up-to-date with the latest security patches.
  • The containing room or server rack (i.e. the physical environment containing the computer systems running commerce related servers) be kept under lock-and-key with limited authorized administrative access only.
  • Entrance to/from the room by administrative personnel (including date/time and purpose of access) needs to be logged. These logs need to be archived and migrated off of the primary servers and housed securely elsewhere so that auditors can readily access them if required by the bank or credit card company.
  • All cardholder data retained in local storage be protected using what the PCI DSS refers to as strong encryption (see the PCI SSC Glossary of Terms for more info). Encryption prevents the data from being easily read and used by attackers if it is stolen during a breach.
  • The underlying strong encryption architecture must be fully documented and kept up to date.
  • Personnel with remote access (or non-console administrative access) to the server environment must connect via multi-factor authentication only.
  • External penetration testing be performed every six months to ensure the environment is secure.
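As an added example (not code from the original post or from Jasper Studios/BigCommerce), the following Python script shows the core of the tripwire-style check described above: it hashes every file under a directory, stores the baseline with an HMAC so that the baseline itself cannot be silently altered, and reports added, removed and modified files on the next run. The directory, file names and key are constructed for the demonstration; a real deployment would keep the key off the monitored host and route the alert list into the notification escalation profile.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Record the SHA-256 of the content plus the permission bits of one file."""
    st = path.lstat()
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}


def build_baseline(root) -> dict:
    """Fingerprint every file below root, keyed by its path relative to root."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def save_baseline(baseline: dict, out_path, key: bytes) -> None:
    """Persist the baseline as JSON with an HMAC-SHA256 tag. An intruder who can edit
    files can also edit an unprotected baseline, so the key is assumed to be kept off
    the monitored host (for example on the system that sends the alerts)."""
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    Path(out_path).write_text(json.dumps({"tag": tag, "body": body}))


def load_baseline(in_path, key: bytes) -> dict:
    """Reload the baseline, refusing it if the tag no longer matches the body."""
    doc = json.loads(Path(in_path).read_text())
    expected = hmac.new(key, doc["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError("baseline integrity check failed: stored baseline was altered")
    return json.loads(doc["body"])


def compare(baseline: dict, current: dict) -> list:
    """Return one alert string per removed, added or changed file; an empty list means clean."""
    alerts = [f"REMOVED {rel}" for rel in sorted(set(baseline) - set(current))]
    alerts += [f"ADDED {rel}" for rel in sorted(set(current) - set(baseline))]
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        if old["sha256"] != new["sha256"]:
            alerts.append(f"MODIFIED {rel}: content changed")
        if old["mode"] != new["mode"]:
            alerts.append(f"MODIFIED {rel}: mode {old['mode']:04o} -> {new['mode']:04o}")
    return alerts


def demo() -> list:
    """Constructed scenario: baseline a tiny web root, then simulate four kinds of tampering."""
    key = b"example-key-kept-off-host"  # assumption: stored off the monitored host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "app"
        (root / "conf").mkdir(parents=True)
        (root / "conf" / "gateway.ini").write_text("endpoint=https://gateway.example/\n")
        (root / "checkout.php").write_text("<?php // checkout page\n")
        os.chmod(root / "checkout.php", 0o644)
        db = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), db, key)

        # Simulated tampering: edited page, dropped new file, loosened permissions, deleted config.
        (root / "checkout.php").write_text("<?php // checkout page\n// unexpected edit\n")
        (root / "uploads.php").write_text("<?php // unexpected new file\n")
        os.chmod(root / "checkout.php", 0o777)
        (root / "conf" / "gateway.ini").unlink()

        return compare(load_baseline(db, key), build_baseline(root))


def baseline_tamper_detected() -> bool:
    """Show that editing the stored baseline (e.g. to hide a modified file) is itself caught."""
    key = b"example-key-kept-off-host"
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "baseline.json"
        save_baseline({"checkout.php": {"sha256": "0" * 64, "mode": 0o644, "size": 1}}, db, key)
        doc = json.loads(db.read_text())
        doc["body"] = doc["body"].replace("0" * 64, "f" * 64)
        db.write_text(json.dumps(doc))
        try:
            load_baseline(db, key)
        except ValueError:
            return True
        return False
```

demo() returns the four alerts for the constructed scenario, and baseline_tamper_detected() shows the HMAC check rejecting an edited baseline.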

2. Ongoing Maintenance: Mitigating Common Data Security Exploits.

Physical servers need to be continually patched against newly discovered security vulnerabilities.

Consider the vulnerabilities disclosed in recent years such as Heartbleed, POODLE and Logjam, each of which affected TLS implementations or configurations.

Pro Tip

TLS (transport layer security) – still often referred to by the name of its deprecated predecessor, SSL – is the underlying encryption protocol for secure data transmission over the Internet. It is the “S” in HTTPS.

Your web application or ecommerce platform that is processing credit or debit cards also needs to be secured against attacks delivered through the client side (i.e. the web browser), such as cross-site scripting (XSS) and SQL injection, to name a few.

PCI Breakdown: Time and Costs to Reach Compliance

On average, our experienced systems administration team will spend three to four business days securing a single server and preparing the appropriate documentation for a Level 3 or Level 4 merchant.

The costs for doing so when factoring our time and the merchant’s staffing resources averages out to about $14,650 USD.

Merchants attempting to reach PCI compliance themselves however, without support from an outside partner, and who are already themselves adept at dealing with data security subject matter, can expect to spend upward of 3-4 weeks of time performing the following tasks:

  • Researching the PCI Data Security Standards (DSS)
  • Determining which level of compliance and which PCI SAQ is required
  • Securing their physical servers (often the largest and most costly aspect of the project)
  • Examining any third party plugins or software components on the servers that cardholder data passes through and ensuring they, too, are PCI compliant and can produce external documentation that proves such
  • Completing the PCI SAQ and Attestation of Compliance (ROC)

For complex undertakings involving more than one onsite data center and where a merchant is both capturing and retaining cardholder data, budget at least six weeks in your project plan and estimate related costs to be between $48,625 – $64,900 USD to reach compliance.

The above estimate factors in time for multiple staff within your organization, usually a multidisciplinary group of:

  • Business analysts.
  • System administrators.
  • Ecommerce platform developers.
  • Project managers.
  • Legal teams.
  • Resource protection staff.

It also takes into account some budget for outside consultant/auditor fees, and provision to hire a third party Qualified Security Assessor.

Note that our estimate does not factor in any additional costs related to purchasing new server racks, upgrading computer systems, adding new software licenses and installing access control systems (such as staff ID card systems) or any other physical expenses that may be required to achieve compliance.

How Your Ecommerce Platform Affects Your PCI Compliance

You can acquire ecommerce software in different ways:

  • Buying commercial software to run on your on-premise hardware
  • Using open source software on your on-premise hardware (the Do-It-Yourself approach)
  • Signing up for hosted software delivered as a service (SaaS)

Each approach strikes a different balance between your costs, benefits and ecommerce PCI risks and workload. The table sums up the highlights, and the following sections discuss each option in more detail.

#1: Commercial Software: The Costly Option

This requires you to buy and maintain your own hardware, plus shell out for a commercial software license and annual support.

The ecommerce software might be PCI-compliant out of the box, or you could have lots of work getting there. But any extra support you require from the vendor for PCI will likely cost extra.

This option could work for you, if your company chooses to:

  • Buy and maintain on-premise hardware
  • Pay for an on-premise software license and support
  • Maintain in-house expertise to install, customize and maintain an ecommerce platform
  • Keep someone on call 24/7 to troubleshoot any problem and get the platform back up fast if it ever goes down

Clearly, the drawbacks here are the high costs of hardware, software, and support –– plus the unknown burden of handling some of your own PCI compliance.

If that doesn’t sound appealing, skip this approach and read on.

#2: On-Premise, Open Source Software: Lower Cost, Higher Risk

This option is a lot like writing your own code.

You still pay for your hardware, but you avoid paying any software license fee. Sounds like a bargain, right? Not so fast.

You have to assemble, compile, install and tweak your own software. And, as for PCI, this can turn into a money-pit. Open source is a black box where no one really knows what’s going on.

“The problem with open source is that you’re not buying from any vendor,” says Beckett. “So there’s no one to fall back on for help. You might not get any support, or no phone number you can call. Or maybe the PCI auditor might not like something about the platform.”

In that case, you’re stuck.

You may have to document every step of your process in painful detail. That means holding meetings, analyzing code, sketching flowcharts, writing reports… spending weeks of effort that can easily outweigh any savings you gained from open source.

The DIY option could work, if your company can afford to:

  • Buy and maintain on-premise hardware
  • Maintain in-house expertise to link, tweak and maintain ecommerce software
  • Take staff time to hold many meetings and create PCI-related documents

Using open source software means you are responsible for 100% of your PCI compliance –– not to mention your store’s uptime.

If you don’t want to take on those burdens, skip this approach and read on.

#3: Hosted Software-as-a-Service (SaaS): Low Cost, Low Risk

Software running as a service is accessed through the web, running on hardware maintained in a secure data center by your service provider.

If you want to save money, and can’t spare a lot of staff to develop PCI policies and write reports, consider using a hosted ecommerce service such as BigCommerce.

This way, you can forget about fiddling with ecommerce hardware and software, pay one monthly fee to cover your ecommerce platform, and remain PCI-compliant with a minimum of time and expense.

An important consideration when selecting this option, however, is that you will still be required to complete an SAQ (self-assessment questionnaire) as a Level 2-4 merchant and an ROC (i.e. report on compliance, also synonymous with Attestation of Compliance) if you are a Level 1 merchant.

Even so, the work of documenting and reporting on a quality SaaS ecommerce platform, regardless of your compliance level, is much less involved in terms of cost and risk than with the other two options presented.

The SaaS option will work for you if your company:

  • Wants to save money on hardware, software licenses and support
  • Doesn’t have people to fiddle with hardware and software
  • Prefers to pay one monthly fee to cover your ecommerce platform
  • Wants to remain PCI-compliant with a minimum of effort

With lower costs, less risk, and fewer PCI hassles, this option is the chosen path for many online stores.

Here is how a few popular ecommerce platforms break down:

PCI Compliance Checklist

Again, this is only applicable to your IT team if you choose not to go with a SaaS solution.

If you use an open source or custom-built ecommerce platform, your IT team will need to go through the following checklist annually.

We’ve broken the checklist down below based on the PCI requirement.

Remember, there are 12 PCI compliance requirements.

Maintaining PCI compliance for requirement 1 includes:

  1. Positioning firewalls to only allow necessary traffic to enter your CDE
  2. Having a “deny all” rule for all other inbound and outbound traffic
  3. Dynamic packet filtering
  4. Creating a secure zone for any card data storage
  5. Ensuring all outbound connections from your CDE are explicitly authorized
  6. Installing a firewall between wireless networks and your CDE
  7. Documenting all firewall policies and procedures, including business justification for each port or protocol allowed through firewalls

Maintaining PCI compliance for requirement 2 includes:

  1. Maintaining an inventory of all hardware and software used in the CDE
  2. Assigning a system administrator to be responsible for configuring system components
  3. Implementing a system configuration and hardening guide that covers all components of the CDE
  4. Disabling or uninstalling any unnecessary services, programs, accounts, drivers, scripts, features, systems, and web servers, and documenting which ones are allowed
  5. Changing vendor-supplied default usernames and passwords
  6. Documenting security policies and operation procedures for managing vendor defaults and other security settings
  7. Using technologies such as VPN for web-based management and ensuring all traffic is encrypted following current standards
  8. Enabling only one primary function per server

Maintaining PCI compliance for requirement 3 includes:

  1. Documenting a data retention policy
  2. Having employees acknowledge their training and understanding of the policy
  3. Eliminating storage of sensitive authentication data after card authorization
  4. Masking the primary account number on customer receipts
  5. Understanding guidelines for handling and storing cardholder data
  6. Making sure primary account number storage is accessible by as few employees as possible, including limiting access to cryptographic keys, removable media, or hardcopies of data
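As an added example (not from the original post), the following Python code shows three of the requirement 3 items in working form: stripping sensitive authentication data from an authorization record before anything is stored, masking the PAN for receipts, and a Luhn-filtered scan that finds unmasked PANs in logs or exports during the assessment step. The field names and log lines are constructed for the demonstration.

```python
import re

# Field names that PCI DSS classes as sensitive authentication data (SAD);
# they may never be stored once the card has been authorized.
SENSITIVE_AUTH_FIELDS = frozenset(
    {"csc", "cvv", "cvv2", "cvc", "cid", "track1", "track2", "pin", "pin_block"}
)

# Runs of 13-19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines; 4111... and 5555... are publicly known test card numbers.
SAMPLE_LOG = [
    "2018-04-06 10:01:02 checkout order=10042 pan=4111111111111111 amount=59.99",
    "2018-04-06 10:01:03 gateway response code=00 auth=A1B2C3 ref=1234567890123",
    "2018-04-06 10:01:04 receipt printed pan=************1111",
    "2018-04-06 10:02:10 checkout order=10043 pan=5555 5555 5555 4444 amount=12.00",
]


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters out most non-PAN digit runs (order ids, references)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Mask a PAN for display. PCI DSS permits at most the first six and last four
    digits in the clear; receipts normally show only the last four (the default here)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    if keep_first > 6 or keep_last > 4:
        raise ValueError("at most the first six and last four digits may be shown")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[len(digits) - keep_last:]


def store_after_authorization(auth_record: dict) -> dict:
    """Build the record that may persist after authorization: SAD fields are dropped and
    the PAN is replaced by its masked form, since a one-off order has no need to keep it."""
    stored = {k: v for k, v in auth_record.items() if k.lower() not in SENSITIVE_AUTH_FIELDS}
    stored["pan_masked"] = mask_pan(stored.pop("pan"))
    return stored


def find_unmasked_pans(lines) -> list:
    """Return (line number, masked PAN) for every Luhn-valid PAN found in the clear.
    Hits are masked so that the scanner's own report does not become cardholder data."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", match.group())
            if luhn_valid(digits):
                hits.append((lineno, mask_pan(digits, keep_first=6)))
    return hits


if __name__ == "__main__":
    record = {"pan": "4111111111111111", "expiry": "12/20", "cvv": "123",
              "track2": "<constructed>", "auth_code": "A1B2C3"}
    print(store_after_authorization(record))
    for lineno, masked in find_unmasked_pans(SAMPLE_LOG):
        print(f"line {lineno}: unmasked PAN {masked}")
```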

Maintaining PCI compliance for requirement 4 includes:

  1. Reviewing all locations, systems, and devices where cardholder data is transmitted to ensure you’re using appropriate encryption to safeguard data over open, public networks
  2. Verifying that encryption keys/certificates are valid and trusted
  3. Continually checking the latest encryption vulnerabilities and updating as needed
  4. Having a policy to ensure you don’t send unprotected cardholder data via end-user messaging technologies
  5. Checking with vendors to ensure supplied POS devices are appropriately encrypting data
  6. Reviewing and implementing best practices, policies, and procedures for sending and receiving payment card data
  7. Ensuring TLS is enabled whenever cardholder data is transmitted or received through web-based services
  8. Prohibiting the use of WEP, an unsecure wireless encryption standard

Maintaining PCI compliance for requirement 5 includes:

  1. Deploying anti-virus programs on commonly affected systems
  2. Setting anti-virus to scan automatically to detect and remove malicious software
  3. Maintaining audit logs for review
  4. Ensuring the anti-virus system is updated automatically
  5. Setting up administrative access to ensure anti-virus can’t be disabled or altered by users
  6. Documenting malware procedures and reviewing with necessary staff
  7. Examining system configurations and periodically evaluating malware threats to your system

Maintaining PCI compliance for requirement 6 includes:

  1. Having a change management process
  2. Having an update server
  3. Having a process in place to keep up-to-date with the latest identified security vulnerabilities and their threat level
  4. Installing vendor-supplied security patches on all system components
  5. Ensuring all security updates are installed within one month of release
  6. Setting up a manual or automatic schedule to install the latest security patches for all system components

Maintaining PCI compliance for requirement 7 includes:

  1. Implementing access controls on any systems where cardholder data is stored and handled
  2. Having a written policy that details access to cardholder data based on defined job roles and privilege levels
  3. Training employees on their specific access level
  4. Configuring access controls to only allow authorized parties and denying all others without prior approval or access

Maintaining PCI compliance for requirement 8 includes:

  1. Monitoring all remote access accounts used by vendors, business partners, IT support personnel, etc. when the account is in use
  2. Disabling all remote access accounts when not in use
  3. Enabling accounts used for remote access only when they are needed
  4. Implementing a multi-factor authentication solution for all remote access sessions

Maintaining PCI compliance for requirement 9 includes:

  1. Restricting access to any publicly accessible network jacks in the business
  2. Keeping physical media secure and maintaining strict control over any media being moved within the building and outside of it
  3. Keeping media in a secure area with limited access and requiring management approval before the media is moved from its secure location
  4. Using a secure courier when sending media through the mail so the location of the media can be tracked
  5. Destroying media in a way that it cannot be reconstructed
  6. Maintaining a list of all devices used for processing and training all employees to inspect devices for evidence of tampering
  7. Having training processes for verifying the identity of outside vendors wanting access to devices and processes for reporting suspicious behavior around devices

Maintaining PCI compliance for requirement 10 includes:

  1. Having audit logs that track every action taken by someone with administrative privileges, failed log in attempts, and changes to accounts
  2. The ability to identify a user, the date and time of the event, the type of event, whether the event was a success or failure, where the event originated from, and the name of the impacted data or system component
  3. Having processes and procedures to review logs and security events daily, as well as review system components defined by your risk management strategy
  4. Having a process to respond to anomalies or exceptions in logs
  5. Keeping all audit log records for at least one year and keeping logs for the most recent three months readily available for analysis
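
Items 2 through 5 above describe an audit record's required fields, a daily review with a response to anomalies, and a one-year retention with the most recent three months kept readily available. The following Python is an added example, not code from the article or from BigCommerce: it checks constructed JSON-lines records for the required fields, flags a burst of failed logins as an anomaly for the reviewer, and sorts records into retention buckets as of a fixed review date. The log format, field names, sample events, review date and the three-failure threshold are all assumptions; map your own log schema onto REQUIRED_FIELDS.

```python
"""Requirement 10 in code: verify each audit record carries the fields the
checklist names, surface anomalies for the daily review, and sort records
into the three-month online / one-year retained / beyond-retention buckets.

Added example, not from the original article. The JSON-lines format, the
field names, the sample events and the review date are constructed."""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# One field per element the checklist requires in an audit entry:
# user, date/time, event type, success/failure, origin, affected component.
REQUIRED_FIELDS = ("user", "timestamp", "event", "outcome", "source", "target")

# Constructed sample log (not real data). Record index 4 lacks "source".
SAMPLE_LOG = """\
{"user": "admin.jane", "timestamp": "2018-06-14T09:12:03Z", "event": "admin_login", "outcome": "success", "source": "10.0.5.12", "target": "cde-db-01"}
{"user": "svc.batch", "timestamp": "2018-06-14T09:15:44Z", "event": "login", "outcome": "failure", "source": "203.0.113.7", "target": "cde-app-02"}
{"user": "svc.batch", "timestamp": "2018-06-14T09:15:51Z", "event": "login", "outcome": "failure", "source": "203.0.113.7", "target": "cde-app-02"}
{"user": "svc.batch", "timestamp": "2018-06-14T09:16:02Z", "event": "login", "outcome": "failure", "source": "203.0.113.7", "target": "cde-app-02"}
{"user": "admin.jane", "timestamp": "2017-12-01T17:40:10Z", "event": "account_change", "outcome": "success", "target": "cde-db-01"}
{"user": "admin.bob", "timestamp": "2017-03-20T08:00:00Z", "event": "admin_login", "outcome": "success", "source": "10.0.5.30", "target": "cde-app-01"}
"""

# Constructed review date for the worked example.
REVIEW_TIME = datetime(2018, 6, 15, tzinfo=timezone.utc)


def parse_log(text):
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def missing_fields(record):
    """Names of the required fields absent from a record (empty = compliant)."""
    return tuple(f for f in REQUIRED_FIELDS if f not in record)


def failed_login_bursts(records, threshold=3):
    """Anomaly for the daily review: a (user, source) pair with at least
    `threshold` failed logins. Threshold is an assumption; tune to your volume."""
    counts = Counter((r["user"], r.get("source", "?")) for r in records
                     if r.get("event") == "login" and r.get("outcome") == "failure")
    return {pair: n for pair, n in counts.items() if n >= threshold}


def retention_bucket(record, now):
    """online: within 3 months; archive: within 1 year; expired: beyond that."""
    ts = datetime.strptime(record["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    age = now - ts.replace(tzinfo=timezone.utc)
    if age <= timedelta(days=90):
        return "online"
    if age <= timedelta(days=365):
        return "archive"
    return "expired"


def review(text, now):
    """Everything the daily log review needs in one pass."""
    records = parse_log(text)
    return {
        "incomplete": [i for i, r in enumerate(records) if missing_fields(r)],
        "bursts": failed_login_bursts(records),
        "buckets": dict(Counter(retention_bucket(r, now) for r in records)),
    }


if __name__ == "__main__":
    print(review(SAMPLE_LOG, REVIEW_TIME))
```

The "incomplete" list is itself a finding: a record that cannot answer who, when, what, from where and against which component does not satisfy item 2, so the logging configuration on that source needs fixing, not just the record.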

Maintaining PCI compliance for requirement 11 includes:

  1. Running quarterly internal vulnerability scans using a qualified internal resource or external third-party
  2. Running quarterly external vulnerability scans using a PCI-approved scanning vendor (ASV)
  3. Using a qualified resource to run internal and external scans after any major change to your network
  4. Configuring the change-detection tools to alert you to unauthorized modification of critical content files, system files, or configuration files, and to configure the tools to perform critical file comparisons at least once a week
  5. Having a process to respond to alerts generated by the change-detection tool
  6. Running a quarterly scan on wireless access points, and developing a plan to respond to the detection of unauthorized wireless access points
  7. Performing penetration tests to confirm segmentation is operational and isolates systems in the CDE from all other systems
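
Items 4 and 5 above call for a change-detection tool that compares critical files at least weekly and for a process that responds when it alerts. The following Python is an added example of such a comparison, not code from the article or from BigCommerce: it hashes a set of monitored files into a baseline, diffs the live tree against it, and flags a baseline whose last comparison is overdue. The monitored extensions, the baseline layout and the seven-day threshold are assumptions; demo() runs the whole cycle in a temporary directory on constructed files.

```python
"""Requirement 11 change detection in code: hash the critical files once
(baseline), compare the live tree against it, and flag a baseline whose last
comparison is older than the weekly cadence the checklist requires.

Added example, not from the original article. The monitored extensions,
the baseline layout and the seven-day threshold are assumptions."""
import hashlib
import os
import shutil
import tempfile
import time

MONITORED = (".conf", ".ini", ".php", ".py")


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large files are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root, now=None):
    """Hash every monitored file under root, keyed by path relative to root."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(MONITORED):
                full = os.path.join(dirpath, name)
                files[os.path.relpath(full, root)] = sha256_file(full)
    return {"checked_at": time.time() if now is None else now, "files": files}


def compare(baseline, root):
    """Modified, added and removed monitored files relative to the baseline."""
    current = build_baseline(root)["files"]
    old = baseline["files"]
    return {
        "modified": sorted(p for p in old if p in current and current[p] != old[p]),
        "added": sorted(p for p in current if p not in old),
        "removed": sorted(p for p in old if p not in current),
    }


def comparison_overdue(baseline, now=None, max_age_days=7):
    """True when the last comparison is older than the required weekly cadence."""
    now = time.time() if now is None else now
    return now - baseline["checked_at"] > max_age_days * 86400


def demo():
    """Constructed scenario in a temp dir: baseline a tiny web root, then
    simulate one unexpected edit, one unapproved new file and one deletion."""
    root = tempfile.mkdtemp()
    try:
        for name, body in (("payment.conf", "timeout=30\n"),
                           ("checkout.php", "<?php // checkout handler ?>\n"),
                           ("notes.txt", "not a monitored extension\n")):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        baseline = build_baseline(root)
        with open(os.path.join(root, "payment.conf"), "a") as fh:
            fh.write("debug=true\n")            # unexpected configuration change
        with open(os.path.join(root, "unknown.php"), "w") as fh:
            fh.write("<?php ?>\n")              # file nobody approved
        os.remove(os.path.join(root, "checkout.php"))
        diff = compare(baseline, root)
        stale = dict(baseline, checked_at=time.time() - 8 * 86400)
        return diff, comparison_overdue(baseline), comparison_overdue(stale)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the web server account cannot write (otherwise an attacker who changes a file can also re-baseline it), and feed every non-empty compare() result into the response process item 5 asks for: an approved change gets a new baseline, anything else is an incident.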

Maintaining PCI compliance for requirement 12 includes:

  1. Developing written compliance and security policies
  2. Ensuring every employee working in the CDE completes annual security awareness training
  3. Creating a company policy documenting all critical devices and services within the CDE, including laptops, tablets, remote access, wireless access, and email/Internet usage
  4. Developing a comprehensive description of each employee’s role in the CDE, and documenting acceptable uses and storage of all technologies
  5. Creating an incident response plan in the event cardholder data is compromised
  6. Creating and updating a current list of third-party service providers
  7. Annually documenting a policy for engaging with third-party providers, obtaining a written agreement acknowledging responsibility for the cardholder data they possess, and having a process for engaging new providers

We’ve Successfully Achieved PCI Compliance: What’s Next?

As if achieving PCI compliance wasn’t complex enough on its own, maintaining compliance year-over-year and keeping up with the ever-evolving nuances of the PCI Data Security Standard (DSS) has proven to be a perpetual expense and burden for any organization.

The latest PCI DSS standard (version 3.2) released in April of 2016, for example, defines a number of changes to previously accepted rules and regulations on a variety of PCI subjects, touching upon both documentation requirements and technical adjustments to the physical hosting environment (CDE) itself.

This means as a self-hosted merchant you’ll need to concern yourself not only with getting all these requirements perfected the first time around, but you’ll also be expected to manage lists of future change requests and down-the-road migration plans that will keep your technical teams very busy ad infinitum (i.e. forever).

Let’s face it, they often have more than enough to do as it is.

In short, maintaining compliance is an ongoing process, involving all of the above as well as quarterly vulnerability scans and completing a new SAQ and Attestation of Compliance each year.

If your organization is presently at PCI compliance Level 3 and your credit card transaction volume is trending upwards at a rate of 20% or more annually, consider hiring a QSA and having a formal external security audit done every year, even if your bank doesn’t require it.

In this manner, your team won’t be flanked by a last minute crunch to get it done which will result in overstatements, omissions and increased third party auditing costs.

You’ll also proactively position your organization for an easy transition upward to a higher compliance level at a later time.

The Ultimate Guide to Ecommerce Replatforming and Data Migration

https://www.bigcommerce.com/blog/ecommerce-replatforming-and-data-migration/ (Tue, 23 Jan 2018)

Whether you’re a developer, marketer, entrepreneur or Fortune 500 CEO, there’s an inkling in the back of your mind that perhaps, in the near future, your job or company may be obsolete.

It’s not an unfounded fear.

The rules to success for nearly all industries in today’s economy are fleeting, at best.

Everything keeps changing, and the best of the best have to be able to pivot –– quickly and competently –– in order to keep up.

Of course, to keep up with the newest skill sets and execute on the most modern of campaigns, you often need 2 things:

  1. Money.
  2. Headcount.

This need positions the biggest brands of the world well, enabling them to form monopolies, of sorts – in theory at least.

Yet, that isn’t what we’re seeing take shape.

Large organizations move too slowly to pivot quickly enough to execute well on trends.

Instead, those companies end up buying the brands that do (re: Walmart acquiring Jet.com and Unilever buying Dollar Shave Club).

What enables those up-and-comers to take on their legacy competitors (i.e. Amazon and Gillette)?

Agile marketing that gets these brands to the forefront of customer conversion in a more compelling way than traditional companies.

This guide will walk you through what I believe to be the first step toward agile marketing for large enterprises.

Here is what I’ll cover:

What’s in Our Ecommerce Replatforming Guide

  1. Startups focus on marketing, because their technology is covered: Enterprise brands can do this, too. I explain how.
  2. There are 3 pain points that often force brands to migrate to new technology – and all of them are signals that you should have done it much, much sooner. But I believe in staring at a problem. We’ll walk through how you can do it right now.
  3. Your 3 options when it comes to ecommerce technology. Not every solution is right for every brand. But there are ones that will eliminate the need for you to migrate ever again –– and ones that will force this process time and time again. We’ll go through the cost/benefit analysis of these.
  4. The 6 steps to an ecommerce re-platforming and migration. The biggest 2 of which are issuing the RFP and transferring the data. I’ll give you an RFP template you can print out and use right now –– and introduce you to services teams that will migrate your data for you.
  5. A primer on what NOT to do during a shopping cart migration. Again, I don’t like to admire problems. I address them. This is the elephant in the room. The #1 rule? Don’t over invest. The point of your technology is to enable better and more effective marketing and sales. Whizzbang is nice, but not necessary.
  6. I’ll give you an ecommerce replatforming checklist. If you made it this far in the piece, I’m assuming you, like me, like to get things done. This list will let you mark off one by one the steps you and your team need to take to do it right the first time, and then never again.
  7. I’ll teach you how to put platforms to the test. Sure, you issue an RFP and sure, you get answers back. But do not buy before you try. Do not buy before your developers try. Do not buy before your legal tries. DO NOT BUY BEFORE YOU TRY.
  8. Another word on data migration services – because some platforms offer them for free, some services are self-serve and others are just plain worth the dollars to make sure your data transfers effectively. It is how you upsell. It is how you better target marketing. It is how you know how your business is running up and to the right and not vice versa. It matters, so it gets its own section.
  9. Finally, I’ll debunk the most common data migration myths out there. Just for fun.

Let’s get started.

Successful Brands Focus on Marketing

What allows these companies to focus on marketing is their choice of technology stack from the onset.

Or, if not from the onset, these companies are quick to replatform to a better solution, so that website maintenance and bug patches are not taking priority over marketing activities.

  • The latter leads to sales, growth and revenue.
  • The former doesn’t have to be business as usual.

That is why you must pick the right ecommerce platform – because you need to focus on marketing and growth.

After all, marketing is expensive, competitive, and requires a lot of time.

It is pay-to-play in so many channels:

  • Adwords.
  • Facebook.
  • TV.
  • Radio.

In the ones where it isn’t – say, SEO – you’re competing against a gamut of competitors and bigger brands, often with a much bigger head start.

And each of these channels is getting more and more saturated every day. So why are you spending your time and money on a “good enough” ecommerce solution?

SUCCESSFUL ECOMMERCE REPLATFORMING EXAMPLES

  • The Carolina Panthers: Making the switch from Yahoo to BigCommerce meant a 16% decrease in site bounce rate, 83% increase in mobile conversion rate and a 37% increase in conversion across the board. And that was just after launching.
  • Henna Caravan: Making the switch from Magento to BigCommerce gave Henna Caravan a 33% increase in revenue through SEO and a 2X industry average conversion rate, all within 2 weeks of launch.
  • Veppo: Making the switch from Shopify Plus to BigCommerce saved Veppo thousands in revenue and reduced manual work hours by 40%.
  • Awesome GTI: Making the switch from Magento to BigCommerce increased Awesome GTI’s YoY revenue more than 95%, saw conversion rates increase nearly 15% and nearly a 17% increase in AOV YoY.
  • NaturallyCurly: Making the switch from Lemonstand to BigCommerce gave NaturallyCurly the ability to sync their ERP and storefront, saving the company 520 hours of manual work a week.

Modern ecommerce platforms are the equivalent of a marketing technology, development and IT staff – all in one.

It’s Moore’s law.

Likely when you first launched your brand, ecommerce platforms were cumbersome, expensive and required hours of extra work you ended up taking on internally or that you’ve outsourced to platform experts.

Today, there are ecommerce platforms out there that take all the technical heavy lifting off your hands –– allowing your team and business the time and financial resources needed to capitalize on the market with strategic and engaging campaigns.

This is how you win.

  • You set yourself up for success.
  • You think about the future.

Would you still be using a Nokia brick phone today?

No. The Capt’n Crunch-size chip used in there is now the size of your fingernail –– and it stores a whole lot more.

Upward mobility requires change. Future-proofing is how you blockade against antiquation or even worse, extinction.

The line is drawn in the sand. It’s time you choose your side.

Do 1 or More of These Issues Apply to You?

In a perfect world, a site replatforming project would be a year in planning. You would have allotted budget and defined clear goals.

In reality, replatforming isn’t something companies proactively plan. Most often, there’s some driving issue — or a number of them — forcing a company to migrate.

Our team sees these issues regularly – and has compiled a list of the most common below.

Go ahead, check off right next to the ones that apply to your business. Check off more than one, and it’s time to replatform.

Financial Issues Related to Your Ecommerce Platform

  • We can’t afford to continue doing business with our existing ecommerce platform due to the high maintenance costs.
  • We experienced a recent merger or acquisition, allowing for consolidation and review of current platforms for efficiency gains.
  • We’re working on new initiatives such as launching new brands, product lines or launching into new markets. With new launches, we want to test out more cost-effective solutions in order to prove out concept. We’ve begun to see that the more cost-effective platforms outperform our legacy platform the main brand is using.

Technical Issues Related to Your Ecommerce Platform

  • Our old solution has grown unstable under peak traffic conditions, resulting in slow site performance and bad customer experience.
  • The catalogue database can’t handle the physical number of SKUs we’ve added to the catalogue over the years.
  • The platform only captures a limited number of attributes, can only associate a limited number of product related assets, has a limited call volume on APIs or, as in some cases, can’t handle certain types of content such as video.
  • It takes too long to develop new features on the old platform and the backlog of projects in IT is becoming unmanageable and cost prohibitive.

Marketing Issues Related to Your Ecommerce Platform

  • In our organization, our marketing team is the tip of the spear for online growth. Our marketing team is tasked with not only reaching potential customers and driving traffic to the site, but also converting at the highest rate possible. We want something more intuitive, allowing us to be more creative and quick in our GTM execution.
  • Our old ecommerce platform prevents our marketing team from converting visitors that otherwise might have converted on a newer, more featured platform. Worse still, our old platform prevents us from competing in key areas entirely. Some of the key features and capabilities that our marketing team is looking for include
    • Improved Site Search: Directed and faceted. Marketing wants to be able to control search results for the best possible user experience.
    • Personalization: Dynamic content presentation and optimization based on multiple visitor personas.
    • Mobile Commerce: Specific design and funnel for mobile devices in the wake of mobile-first customer expectations.
    • Social Media: Hooks for marketing on the top social sites, easy share-ability and social commerce capabilities.
    • Tag Management: Re-tagging the site for efficient digital marketing, increased search functionality and better SEO based on Google’s indexing of the site map.

Any one of these requirements could be justification enough for a new platform.

Most companies looking to re-platform, however, have multiple of these issues.

Take mobile commerce, for example.

Mobile revenue has jumped dramatically with the combination of social media platforms and powerful mobile devices, over 50% for many retailers.

Not having your ecommerce website support mobile visitors cuts out a large selling opportunity, not to mention the SEO hit you take from Google’s newest search algorithms, which reward mobile readiness and penalize sites that don’t support mobile.

In fact, beginning July 2018, Google will make mobile site speed also a ranking factor for mobile algorithms.

This means you not only need to have a mobile-friendly site, but that it needs to be fast. Really fast.

Not having this one feature (which is really 2: mobile-friendly site and mobile page load speed), which takes months of coding for an on-premise or custom solution, is reason enough to switch — not to mention the financials of having to pay for such coding work.

And that’s just a basic example. What about integration with new payment solutions like digital wallets?

  • Do you want to have to build out your individual brand integration with Amazon Pay, Apple Pay, PayPal One Touch, etc?
  • Or would you rather your platform build that out, test it and ensure it works, take on the PCI compliance and ultimately just have you be able to click, one and done it’s live on the product?

It’s your choice.

The Best Ecommerce Platform Options

Before I begin to outline the process for a replatform, it’s important that you understand your ecommerce platform options:

  • Homegrown.
  • Onsite or on premise.
  • Cloud.
  • SaaS.

Below is an outline of each, including pros and cons based on your particular business needs.

This is the basic background information you’ll need for issuing a complete and structured ecommerce RFP to a technology provider, the details of which I’ll get into in a moment.

Homegrown Technology

This is usually a custom LAMP or .NET-based implementation supplemented by various middleware, the origins of which you may or may not know.

Quite often, these platforms are also connected to backend systems running custom-built ERP software.

In my experience, I’ve even run across the occasional IBM AS400 mainframe locked away in the deep recesses of IT.

This middleware could easily be replaced by your smartphone today, but nobody dare touch it lest it breaks and brings the whole site down.

Homegrown Ecommerce Pros and Cons:
  • Pros: The pros of a homegrown platform are that you have the potential for ultimate flexibility. You can customize each feature exactly the way you want, without the constraint of a template. Although in reality, real world resource constraints can mean that potential flexibility isn’t realized.
  • Cons: The cons with a homegrown platform are that you are a customer of one and every feature you want to add has to be developed from the ground up. Homegrown platforms are also often expensive to maintain on a day-to-day basis.

Focus on Brand Building, Not Building Tech.

“We knew it was going to take us 5 years to get caught up with everyone else if we went with open source or custom build.

We needed a platform that had everything we needed right then already built-in, and one with extensible APIs we could connect to our home grown ERP system.

That meant we were looking at a SaaS solution.”

– Jason Boyce, CEO and Co-Founder, Dazadi

Read the Dazadi Story.

Onsite or On Premise Technology

With onsite, sometimes called on premise technology, the ecommerce platform is licensed from and then hosted on the client’s internal network.

The client, or business owner, is then responsible for managing all ecommerce aspects including:

Commonly deployed onsite platforms include Websphere, Oracle Commerce and Magento Enterprise.

On Premise Ecommerce Pros and Cons:
  • Pros: The pros of this option are less obvious. There’s a perception of improved security, but I’ll let the security experts weigh in. “As online shopping continues to overpower in-store shopping, ecommerce sites are increasingly targeted by hackers as they have become a gold mine for credit card information,” said Shahar Tal, Malware and Vulnerability Research Manager at Check Point Software Technologies. “The vulnerability we uncovered [on Magento] represents a significant threat not to just one store, but to all of the retail brands that use the Magento platform for their online stores – which represents about 30% of the ecommerce market.”
  • Cons: The cons of onsite deployments are that you need a small army of IT staff to run, maintain and sometimes update the platform. Also, quite often, companies customize their deployments to the point that they get off of the platform upgrade path and are then stuck on an old version of the ecommerce platform. The cost of these upgrades and maintenance, however, is likely the biggest con. A scaling ecommerce business can spend anywhere from $100,000 to $500,000 per year to ensure an onsite solution is functioning properly. Here’s a calculator you can use to see what your overall costs would be if you were to migrate to or stay on an on premise solution.

Less Headaches. More Sales.

“When I first bought Spectrum Audio, it was on Magento and I was literally paying developers every couple of days to fix something.

Our overhead on Magento was more than $2,000 a month alone, just between server costs and paying developers. And the sales weren’t near where they are today.

To be a successful store owner, I can’t afford to have this huge team of developers that know everything. You can have someone on the inside for small fixes, but really we can’t be an ecommerce platform on top of being an online store.”

– John McCann, CEO of Spectrum Audio.

Read the Spectrum Audio Story.

Cloud Ecommerce Technology

There’s currently a lot of confusion in the market about the difference between cloud ecommerce and SaaS ecommerce.

Let’s put that confusion to rest right now.

SaaS and Cloud ecommerce are not the same.

With Cloud ecommerce, you still pay extra in licensing fees, as well as to patch vulnerabilities and to complete upgrades.

This aspect of cloud ecommerce is similar to on-premise.

In fact, many on-premise ecommerce technologies are those that are launching cloud solutions.

The difference, however, is that the server is hosted and maintained by a third-party, similar to how it is done in the SaaS model.

Here are the differences between SaaS and cloud broken out.

Differences Between Cloud Ecommerce and SaaS:

  • Server maintained and hosted by a third party.
    • SaaS: Yes
    • Cloud: Yes
  • No need to install or keep up with software editions.
    • SaaS: Yes
    • Cloud: No
  • PCI compliance and security handled for you.
    • SaaS: Yes
    • Cloud: No
  • Automatic software upgrades.
    • SaaS: Yes
    • Cloud: No
  • No downtime with new software versions.
    • SaaS: Yes
    • Cloud: No, there will be downtime during versioning updates

SaaS Ecommerce Technology

Before we hop into this realm, know that there are multiple versions of SaaS ecommerce platforms.

  • Multi-tenant: customers share the same instance of the application and receive upgrades simultaneously.
  • Single tenant: customers have their own instance of the application; upgrades are up to the customer.
  • Hybrid models: customers share the same instance with simultaneous upgrades, with open APIs for custom iterations.

Multi-tenant architecture is one of the main reasons that SaaS ecommerce platforms have cost advantages over homegrown or onsite implementations.

Single tenant SaaS platforms take into account the need for specific brand customizability, but it’s easy to end up off the upgrade path and expose your brand to vulnerabilities (similar to on-premise technology).

A hybrid model is the best option for brands, allowing for low total cost of ownership, simultaneous platform upgrades and open APIs for extreme customizability without falling off an upgrade path.

In other words, business owners get the lower cost of the multi-tenant deployment with the custom capabilities of a single tenant deployment.

An example of a hybrid ecommerce platform would be BigCommerce, where you can have a customized version of the platform but still benefit from the SaaS implementation.

The main aspect all SaaS deployments have in common is their pricing model. Business owners enter into a monthly payment agreement.

Some portions of the first year’s fees are usually due up front, but not always.

Pricing terms vary widely depending on the client’s circumstances, for instance:

  • Number of SKUs
  • Monthly sales
  • Monthly traffic and more.

SaaS Ecommerce Pros and Cons:
  • Pros: The pros of implementing a SaaS platform are primarily based on cost and ease of management. With SaaS, the vendor is developing features for multiple customers and so the expense is amortized across the entire customer base, which keeps costs down for everyone. The SaaS vendor’s roadmap is also usually driven by demand from their customers, so you’re pooling requirements across multiple segments of the industry. This leads to a robust product feature roadmap, which meets and often exceeds the requirements of most clients.
  • Cons: The cons of a SaaS deployment are that you are restricted to some degree by the fact that the platform is usually multi-tenant. This means that the flexibility you might have with a homegrown or on premise platform is not necessarily there. Many SaaS providers, however, have open APIs, which allow for third-party integrations that often function similarly to integrating the software on your owned and operated system. As the SaaS ecommerce industry evolves, this con is much less of a concern thanks to open and malleable APIs. In fact, BigCommerce allows for hundreds of API calls per second, letting retailers sync a 25,000-product inventory from an ERP in only 60 seconds.

OK, now that you know you need to switch and you know what your options are, it’s time to issue an RFP.

Your Ecommerce Replatform Strategy

Do you know the #1 reason why brands migrate from their ecommerce platform?

It’s not just about money – but that is a big consideration.

It isn’t just about being able to execute cooler, more impactful marketing campaigns – but of course everything that exists on an RFP is getting at the end goal.

No, the #1 reason is empowerment.

Ecommerce marketing is harder than ever before. It’s also more costly. Brands can’t afford to move slowly. They can’t afford to NOT be agile.

And yet, the vast majority of ecommerce platforms tie your marketing team’s hands behind their back – leaving them bobbing for conversion apples they could on other platforms simply just pick up.

OK, that might not be the best metaphor. So, let’s dive in to the real work: issuing an RFP.

This will allow you to switch from one ecommerce platform to another – all without losing your SEO rankings, customized design or legally required security protocols.

1. Get ready to issue an RFP (request for proposal).

A proper Request for Proposal (RFP) process will help dramatically reduce your frustrations or concerns as you determine which SaaS provider is right for your growing business.

RFPs are used by scaling and enterprise brands looking to properly evaluate key stakeholder needs, scope and goals in large-scale projects which will affect the operation of an entire organization.

The more information you provide in the RFP process, the less room there is for confusion later on.

A sloppy RFP could cost you months in wasted time, so be detailed, clear and over communicate your needs. This post will provide everything you need to do so.

SHOULD I ISSUE AN RFP?

For ecommerce platforms, you should issue an RFP. This is because of the various attributes unique to online businesses that must be accounted for.

Each ecommerce platform handles these needs a bit differently. You want to see their proposal, along with a quote, not just a quote for typical services.

RFPs generally require more work from both parties –– and this guide will explain your part, as the business.

2. Write the RFP.

Before you start committing the rest of the organization to an ecommerce replatforming project, you should conduct an initial ROI modeling session and begin internally mapping out the RFP process.

This is the first step to writing an RFP.

Sit down with finance and do an honest review of the ecommerce business. Before you can begin developing a detailed set of requirements and an RFP, you will need to have the numbers for your business locked down.

These include the usual:

  • Unique Visitors
  • Gross Revenue
  • Average Order Value (AOV)
  • Conversion rates
  • Number of transactions
  • Number of units per transaction
  • Gross Margin
  • Net Margin

If you decide to go down the SaaS platform route, you will be sharing this information with the vendor so they can calculate anticipated usage and pricing.

3. Forecast revenue and total cost of ownership.

Next, create a three year forecasted improvement on the above metrics if you were to deploy a new platform.

Allow six months post launch for site optimization. Don’t forecast any lift during those six months.

Here’s a sample walkthrough of how you might achieve this for your own business.

The numbers below are based on a calculation over the last 90 days. The forecast is based on 57% overall ecommerce growth by 2018.

Conservative numbers are used here.

Once you figure out your business forecast, look into how much each ecommerce technology solution will cost.

You can use our Total Cost of Ownership Calculator here, or take a look at the sample chart below for reference, based on a business making at least $2,500,000 in revenue annually.

Then, calculate your savings, and figure out the average cost for services like SEO, social media and more.

Finally, add in the revenue lift generally seen by these services, and the upside associated with it for your business’ revenue.

Again, you can use our calculator to do this automatically for you, or take a look at our sample below.

Through this analysis, you will have determined the amount of investment you can reasonably afford for your website replatforming project.

This will save you time later on and help you to avoid looking too far into platforms that you simply cannot afford.

REMEMBER TO ACCOUNT FOR DATA MIGRATION

Many ecommerce platforms will pass you off to a partner for transferring your catalog and customer data (what many people refer to as “data migration”), adding anywhere from $10,000 to $100,000 to your initial launch fee and 6 weeks to 6 months in go-to-market timing.

That’s a lot of money and time – and can significantly affect total cost of ownership.

BigCommerce offers free transfer services with a 4 week GTM timeline when coming from non-custom solutions.

Ask the platforms you’re considering about their options and account for this in your ROI model.

Free data migration services.

4. Investigate built-in functionality vs. third-party apps and integrations.

A technical replatforming project is an opportunity to change and improve your efficiencies in other areas of the business.

To get the most out of the RFP process, then, take a look at all existing business processes and determine if there are better ways to achieve the same results.

I also suggest taking a look at the various third-party apps that you have undoubtedly accumulated through the years, including:

  • Automated order notifications
  • Product filtering and faceted search
  • Automatic sales tax calculated at checkout

Many of these can be replaced with features that now come standard on modern ecommerce platforms.

Add the savings from these projected changes into your budget.

For example, 68% of online carts are abandoned and SaaS platforms like BigCommerce now recover on average 15% of those.

Be sure to calculate that revenue in your model. Here is a calculator you can use to do so.

Try to use fact-based measurement criteria during this discovery process. I prefer projected savings, revenue or ROI.

This phase of the process can be contentious since you’re talking about eliminating tools, processes and potentially people.

The measurement criteria help to keep the emotion out of the process.

A note on steering committees

I know many people recommend setting up steering committees for this process, but they’re not for everyone and they can definitely slow the replatforming process down.

I prefer to have one decision maker leading the project from the client side and have them ensure that all stakeholder requirements are captured and ranked.

There will, of course, be the need for stakeholder reviews, but they’re different from establishing an actual committee, specifically in the area of final decision-making.

For the fastest and most effective GTM strategy, avoid committees and appoint a project head.

5. Scope integration redirects and initiation.

This is the stage of the replatforming process where you should spend significant time and effort mapping out every touch point between the ecommerce platform and all other systems at your company.

Create a list of each integration point and determine what will happen to that integration during replatforming.

It’s at this crucial stage that you determine what’s in scope for the project and what is not.

Also include a review of any catalog transfers that will be necessary and make sure to include them in the RFP, including:

  • Customer data files
  • Product catalogues
  • Assets or content such as product images

Proper due diligence at this stage of the process will save time and money later on. Review everything 2 or 3 times to make sure that nothing has been left out.

6. Meet with all potential stakeholders.

Confirm that all stakeholders have been given ample opportunity to share their requirements as well as all business processes that interface with the ecommerce platform.

Stakeholders are usually from the following departments/disciplines.

What Not to Do in the Replatform Process

On a very large project I personally worked on, after numerous sessions with all necessary stakeholders, I asked one last time if we had covered every process, integration point and application that would interface with the new ecommerce platform.

Everyone nodded in acknowledgement … until one voice at the back of the room asked if we had accounted for the two guys in Turkey.

I thought he was joking.

He explained that those two guys performed a critical database conversion on the global master product data file on a nightly basis.

True story.

Don’t forget about the two guys in Turkey!

But don’t go overboard, either.

I’ve seen countless millions – tens of millions of dollars, actually – wasted on high-priced consulting firms more concerned about billable hours than finding the absolute best solution for the client.

Don’t fall into the trap of over-engineering your solution.

I’ve also seen architecture scoped out on PowerPoint slides that look amazing but are entirely unrealistic in the real world, either because they would run too slow, cost too much or just not integrate properly.

It’s a myth that you can take the “best in breed” products in various categories and try to make them all fit together.

It’s much better to get one good platform and use it to the fullest extent possible.

I’d be lying if I said I’ve never seen a company scope out a behemoth of integrated apps only to spend tens of millions of dollars and never see it run properly.

True story:

Recently, a company I know of spent millions of dollars (high teens) to deploy a large, well known ecommerce platform.

The problem is that by the time they got done engineering their idea of nirvana, the ecommerce platform’s role was basically relegated to that of a shopping cart!

  • A state-of-the-art, full-blown platform operating at maybe 20% of its potential.
  • Millions of dollars wasted.
  • An unnecessarily complicated architecture that took far too long to implement.

What they ended up with could have been replaced with, at most, a $3 million alternative.

This was a CIO gone wild. And this isn’t an isolated case. I’ve seen it way too often.

A Handy Ecommerce Replatforming Checklist

There are numerous ecommerce platforms available today, everything from simple carts to enterprise grade platforms that include strong search, personalization and CMS capabilities.

For our purposes, let’s say that there are about 30 different platforms to choose from. That’s far too many to engage in an RFP.

You should be able to narrow down your RFP list to 5-8 vendors based on your:

  • Current online revenue
  • SKUs
  • Ratio of traffic vs. transactions
  • Average order value
  • Units per order
  • Any unique elements specific to your business such as hard goods vs. soft goods, continuity/subscription business or complex configuration capabilities

At JCH, we use a process called the Accelerated Vendor Selection Process (AVSP).

This process is based on our experience and knowledge of ecommerce platforms, and this helps us to narrow the focus of the RFP down to the key features that are most important to the client.

Our RFPs contain over 150 questions to confirm vendor capabilities and for use in vendor comparison charts.

This may seem like a lot, but let’s put it into context: a mid-tier SaaS platform contains over 280 features.

That doesn’t include third party integrations, catalog transfer services, systems architecture or security compliance issues — all of which will need to be addressed in the RFP process.

Ecommerce Migration Checklist:
  1. Determine the best platform options for your business.
  2. Issue an RFP to those platforms.
  3. Forecast revenue and total cost of ownership.
  4. Investigate built-in functionality vs. third-party apps.
  5. Determine integration redirects and initiation.
  6. Meet with all potential stakeholders and put platforms to the test.
  7. Determine the shopping cart data migration service and launch the migration.
  8. Redesign site, relaunch in beta and QA with stakeholders.
  9. Relaunch site publicly, and redirect URLs.

How to Put Platforms to the Test

Based on the responses to your RFP, you should now have a short list of 3-5 potential vendors.

The next step is to create a detailed set of use cases to be performed by the vendor, via webex for smaller opportunities and onsite for larger deployments.

There are a couple reasons for this:

  1. Stakeholders get to see what a day in the life of using the platform will be like for them. Their feedback is invaluable. They get to see the different ways various vendors have chosen to execute various tasks in the platform and can see which methodologies might suit their particular requirements better. Lastly, maybe most importantly, they feel a sense of ownership in the process and an appreciation for the final vendor selection.
  2. The more important reason for these tests is to make the vendor demonstrate their capabilities live. It’s easy for a vendor to say that they support a feature, but when it comes time to demonstrate it, the finer details are revealed. For example, a vendor may say they support a certain feature but in reality it requires a separate customization to actually deploy it in the field.

The list of use cases that you develop will depend on the size of deployment, but for the larger ones, it is advisable to schedule about four hours.

Some scenarios take 10 minutes to run through, others can take 30 minutes.

It’s very important that each vendor be given the same list and allotted time to complete their scenarios.

This creates a level playing field upon which comparisons can be more easily made, especially for the stakeholders who are new to the process.

You can use this checklist and agenda for your teams and the platform you are testing. This covers the majority of common needs during a replatform.

Download a printable version here. 

We also allow half an hour at the beginning of the meeting for a general company sales pitch presentation, and about 20 minutes at the end for closing remarks and a final pitch.

Here is what our top level agenda looks like, simplified.

Don’t Forget About Data Migration Services

Transferring your product, category and customer data is perhaps the most overlooked aspect of an ecommerce replatforming, or of replatforming applications in general.

Accurate data is essential to running your business.

A poor transfer could result in:

  • Incorrect product mapping.
  • Incorrect product recommendations.
  • Incorrect product options.
  • Incorrect product images.
  • Inaccurate customer data.
  • Poor syncing with ERP or POS (think Square or NetSuite).

And those are only to name a few.

You’d be stuck going through each individual SKU and updating all information for product data that was transferred or migrated incorrectly.

For customer data, it would just be lost forever. I cannot stress enough how big of a deal this is.

Again, I’m preaching to the choir.

So, once you’ve decided which platform, or have narrowed it down to two, you will switch to, ask immediately about migration and transfer services.

And don’t let an unclear answer pass.

Many ecommerce platforms will pass you off to a partner for catalog transfer services, adding anywhere from $10,000 to $100,000 to your initial launch fee and 6 weeks to 6 months in go-to-market timing.

That’s a lot of money and time – and can significantly affect total cost of ownership.

Do not sign a contract until you have this information. If you are passed off to a partner, talk to that partner immediately.

Get a solid understanding of how the catalog transfer or data migration will be done and similar stores they have already transferred, ideally from the same platform you are on. Reach out to that brand, too, and ask about the service.

Better yet, choose an ecommerce platform that provides this service in-house.

At BigCommerce, they have a team of dedicated experts with a combined 30+ years in ecommerce and 15+ years in catalog transfer services.

In the last three years alone, they have transferred more than 20,000 online stores from 50 different ecommerce technology platforms. The service typically takes 4-8 weeks for GTM.

This comes at little to no additional cost to a brand.

Because their team has worked with so many brands, they’ve learned that every single online store is unique, and that as they’ve scaled, so has their service.

To ensure catalog and customer data is transferred successfully, our catalog transfer services team implements a three-step quality assurance process.

This process includes spot checking the data on your new BigCommerce store. The team’s goal is to transfer these items safely, swiftly and securely.

Top 5 Data Migration Myths Debunked

In the course of performing so many transfers, our team has spoken to a diverse group of business owners, walking them through the process of moving to a new platform.

Below are the top five myths they’ve heard about catalog transfers.

1. Data Migration Myth #1: We miss out on sales while you transfer our data.

Your store won’t go offline during the transfer process.

We do all the work on your new BigCommerce store backend, then give you as much time as you need to customize your settings, test your site and train your team.

When you’re ready, and only when you’re ready, you can launch your new ecommerce storefront — complete with updated data already uploaded into your backend.

This allows you to continue business as usual from day one.

While all of this is happening, your original store stays live on your current platform. We don’t require that it come down, and BigCommerce and our global network of partners actually advise against it.

We understand that uptime is one of the most crucial factors to gaining and maintaining consumer trust, so all our work can happen with no downtime required.

2. Data Migration Myth #2: We’ll lose our design if we replatform.

Worrying about losing your beautiful, custom design? Don’t.

BigCommerce’s open template files allow you to bring custom design elements to your new store, and our design partners ensure that it happens seamlessly.

Check out a full list of BigCommerce’s best designed customer sites – and how those designs have increased conversion.

3. Data Migration Myth #3: When we move the store to a new host, we’ll lose all our traffic.

It is true that moving to a new server, even when using the same domain name, can impact search engine rankings if done improperly.

The good news, though, is that people move servers all the time, and search engines like Google have best practices which mitigate the effects.

We follow those best practices to minimize all controllable risk. We properly implement 301 redirects for your product and category pages.

Our goal is to move your product data with the same search ranking foundation you had built on your previous platform.

That way, our SEO-friendly platform can quickly drive your traffic to new heights.

4. Data Migration Myth #4: Replatforming means we can clone our store exactly.

No, you cannot clone your store exactly.

You can, however, transfer a majority of your existing data from your current ecommerce store to your new backend. In fact, we make sure that happens without opening you up to any potential issues or liabilities.

As for your store’s look and feel, you’re probably thinking about leaving your current platform because it’s lacking in some way, so why would you want to recreate those same shortfalls?

The quicker you embrace the idea that it requires some change to improve your online business, the quicker you can benefit from transferring to a fully featured enterprise solution like BigCommerce.

We offer a wealth of next-level features that will ensure your transition is as painless — and profitable — as possible.

For instance, with dozens of integrated payment gateways, you’ll rarely need a payment option we don’t offer. Chances are that we have an integration with the payment gateway you are using right now, and you may even find new options like Square and PayPal powered by Braintree that you like more.

In all, BigCommerce offers more than 250 one-click integrations with leading software providers like Survey Monkey, HubSpot, Alibaba and Salesforce. That makes it easy to integrate with the tools you already use.

Plus, our open and unrestricted API blows our competitors out of the water.

Seamlessly connect to critical business software with a powerful API that processes updates up to 100x faster than Shopify Plus.

BigCommerce can handle hundreds of API calls per second. Shopify Plus limits you to 10 per second. Performing an ERP inventory sync of 25,000 products and variants on BigCommerce would take 60 seconds, compared to 2 hours using the Shopify Plus API.

5. Data Migration Myth #5: We have great engineers. We can do it ourselves.

Even if you’re a great developer, our experience has taught us that the first time you undertake an unfamiliar task like this, it rarely goes according to plan.

Anybody who has tried to renovate their own house knows how steep the learning curve can be.

Wouldn’t your time be better spent growing your business and serving your customers while delegating your transfer to veteran engineers who can get it done quickly and correctly?

Your data isn’t something you want to risk, and we’ve heard our fair share of self-transfer horror stories.

When you’re talking about securing and improving your financial future, you can’t afford to let your ego get in the way. Instead, trust your migration to an industry-leading team with more than 20,000 successful migrations completed.

For more information on BigCommerce’s transfer services, read our support documentation on how to move your store to BigCommerce.

And note: this is only documentation. You’ll have an account manager and on-boarding consultant by your side, handling all the heavy lifting, every step of the way.

Tools to Help You Make the Move Now

In all, figuring out which ecommerce platform is right for your business is a time-consuming task. But a proper replatforming project is well worth the wait.

A modern ecommerce backend allows you to streamline processes while increasing site speed, stability and security to outperform industry standards.

SaaS works the way technology should – behind the scenes.

Plus, it does so cost effectively, allowing you to invest in marketing initiatives that drive growth for your brand.

Take BigCommerce on a test drive.

Learn more about self-migrating from the following platforms:


How to Know if a SaaS Ecommerce Platform is Right for Your Business
https://www.bigcommerce.com/blog/saas-ecommerce-on-premise/
Fri, 17 Jul 2015 15:19:22 +0000

The disruption to the widespread on-premise and self-hosted ecommerce paradigm began in 2010, as the world’s most popular SaaS shopping cart offerings were just getting off the ground.

Since then, modern SaaS platforms have continued to improve overall product sophistication and customer support experience. They’ve become increasingly well funded, more technically adept and capable at hosting impressive, global infrastructures. So, what’s holding back your online store from switching to SaaS over self-hosted?


Below, you’ll find everything you need to know about the differences between the solutions and information on which one might better cater to your business.

What type of organization can benefit from a SaaS commerce platform?

A SaaS ecommerce platform is not going to be the right fit for every organization. One specific example is a large international enterprise that has complex omnichannel feature requirements. By this I mean a retailer who also doubles as a wholesaler or distributor, has multiple warehouses operating in multiple countries and languages, or a retailer that has developed significant (i.e. multi-million dollar) fulfillment automation or ERP integration system dependencies. Such retailers often require extremely complex customizations to their shopping platforms that render most SaaS platforms infeasible to utilize.

Those Looking for Feature Richness

Many SaaS platforms have come a long way in terms of feature richness, customizability and overall scalability. They are an excellent fit for the vast majority of SMBs (businesses with 1-100 employees and less than $50 million in annual revenues) who want to set up an online store quickly and professionally. It’s perfect for companies that want to offload the hosting and management burden of their ecommerce platforms with the minimum amount of upfront expenses and ongoing maintenance costs.


Perhaps surprisingly, the best SaaS commerce platforms also make sense for larger enterprises (with annual revenues ranging anywhere from $50 million to $1 billion) provided that they have sizable investments in their ecommerce back-office infrastructure. The fit can make sense, provided that the organization espouses the appropriate expectations with respect to what a SaaS commerce platform really should be utilized for and what it should not — at least in terms of utilizing a modern n-tier architecture.

For example, by utilizing a modern product information management (PIM) tool to power multichannel publication needs and manage its product data, a larger organization can connect the rest of its legacy ERP systems (i.e. accounting, CRM, inventory, procurement, distribution and fulfillment software) to a modern SaaS platform without having to sacrifice many features or complex integrations typically reserved for on-premise, self-hosted offerings.

Those Looking for Easy Integration and Automation

This said, a SaaS commerce platform for a $50M+ organization should really be used as a thin front end shopping cart only. It should be used as a cost-effective means to a larger scale end, by being a single component in a broader omnichannel solution architecture that’s largely powered through automation, much like an ERP or a PIM.


Since a SaaS commerce platform generally contains an API, its products, customer data and order data can be manipulated both inbound and outbound automatically. Doing this allows the organization to develop customizations in other parts of its ERP infrastructure, keeping the shopping cart lean and malleable.

Those Looking for Ecommerce as a Spoke, Not the Hub

One of the objections I often encounter with enterprise clients who are against SaaS commerce platforms is this: the platform, they say, is just too rigid and there is no access to the underlying source code. A host of ERP related features (i.e. customer management, product management and order management capability) is also cited as being a deficiency or non-starter in a SaaS context, by the same group who tend to still favor on-premise and self-hosted platforms.


Those more familiar with self-hosted solutions also note that SaaS management tools are too simplistic for their needs or that they don’t scale well when used by multiple departments trying to hone the platform to control product or order management workflows at a granular level. My rebuttal: if you’re using the SaaS platform in a broader scale context by connecting it to other back-office systems and turning it into a simple shopping cart, the SaaS platform can absolutely offer great utility and economy.

Those Looking for Modern Design & Excellent Customer Experience

An ecommerce store, in my view, should have a refreshed design and updated user interface at least once per year for any sized organization and every quarter for large SMBs or mid-market companies. SaaS shopping cart platform frontend templates are extremely flexible, and if the entire platform is treated as a spoke in a broader ERP back-office project, it can be reimagined, redesigned, flushed of its product and order data and reset fully in a short period of time.


In order to determine whether a SaaS or an on-premise ecommerce platform is a better fit for any given organization, refer to the below comparison of each of their core value propositions.

Benefits of a SaaS Ecommerce Platform

Managed Uptime and Security

A modern SaaS platform is managed by a professional and experienced organization, dedicated to ensuring your online store is always up and performing at top speed. They work hard to ensure a consistent and quality user experience for your customers and to reduce potential pain points for your ecommerce business.

Since no SaaS offering is perfect, there is always the risk of an outage to your store from time to time. While that’s true, the same can be easily said about on-premise solutions. In fact, the larger SaaS ecommerce platforms typically enjoy a 99.99% uptime record that often spans over many years — a figure most on-premise solutions hosted by internal IT departments can rarely compete with.


When it comes to security, ecommerce software regularly needs updates and patches to address newly discovered vulnerabilities. With an on-premise solution, the onus is on the merchant –– meaning you must stay up to date with the latest security news and apply the patches yourself to make sure you are protected. With a SaaS solution, these updates and patches happen automatically, behind the scenes, allowing you to focus on your business rather than the backend.

Denial of Service Mitigation

DDoS attacks can strike without warning and can happen intentionally by hostile outside parties or be triggered by scripts that scour the internet looking for known vulnerabilities. But when you host your online store with a SaaS provider, DDoS mitigation is handled for you, providing better protection than most self-hosted providers can offer.

PCI Compliance Handling

Handling credit card data is a very sensitive subject, and PCI compliance (the process of ensuring your ecommerce platform is securely dealing with credit card information) is handled by your SaaS provider. This is an incredibly expensive and time consuming endeavour that most retailers really shouldn’t try to handle themselves.

Adherence to Best Practices for Overall User Experience

SaaS platforms provide pretty rigid workflows for enforcing a particular checkout experience. While an organization can change the skin (i.e. graphics, colors and layout) of many elements, the functionality remains set-in-stone.


When it comes to researching the best practices and performing professional A/B testing, SaaS platforms really know how to produce a streamlined and frictionless checkout experience, both on desktop and mobile platforms. In addition, the convenience of easily updating themes on a SaaS platform allows the merchant to always stay on top of ever-changing best practices without facing development charges each time they want to test a new look.

Dynamic, Cost Effective Performance Scaling During Peak Traffic

A quality SaaS host provider can handle massive amounts of traffic that would otherwise render self-hosted solutions out-of-service. During the holidays, for example, many self-hosted solutions become unresponsive as their internal network struggles to keep up with the consumer traffic demands. Quality SaaS providers ensure their networks can handle peak traffic, meaning your store is up when your competitors may not be.

Professional, Knowledgeable Support Staff

Rather than having to hire, train and maintain your own internal IT/IS team to manage your shopping cart and keep your online store up and running, SaaS providers employ very knowledgeable support teams that know their software inside and out. Often, the more experienced Tier 2 account reps and technical teams are extremely well versed in commerce topics and can provide you with endless insight to help you get the most out of your shopping platform.


In addition, SaaS platforms offer dedicated account management, essentially serving as an expert ecommerce advisor for your store and giving you the benefit of working with someone who knows your whole business story, eliminating the need for you to re-explain yourself every time you seek advice.

Fast Go to Market

Using a SaaS solution, you can get up and launched with a true enterprise-level store in weeks versus months. Typical SaaS stores, even those with hundreds of thousands of SKUs, launch in two months, in comparison to the typical six-month setup time needed for an on-premise solution.

Many enterprise level retailers stumble upon a SaaS solution when looking for a quick go to market offering to test out a new product item, brand direction or simply to get something up and running to compete directly against their competitors. Take Cetaphil, for example, which needed an ecommerce presence to supplement their information-rich website. The brand wanted to launch this project quickly and also be more nimble than their competitors –– so they went with a SaaS solution.


In summary, fast go to market means you get an edge on your competition with the ability to quickly and easily test new products and markets to scale your business.

Benefits of a Self-Hosted, On-Premise Ecommerce Platform

Feature Flexibility

There is nothing quite like the flexibility of having complete access to the source code of your ecommerce platform. It means your organization can craft absolutely anything and everything it may desire in terms of feature set, both front-end features that are visible to the customer, as well as complex back-end system integration. It also means your organization can manage its own development and deployment cycles.

The trouble with this flexibility, however, really begins when companies modify their platform so much that they, in effect, break all the rules of adhering to best practices and open themselves up to security holes and performance degradation. This happens when they change too much too quickly without proper testing. While the intention may be to improve the platform, the repercussions could be much worse.


Over-engineering your commerce platform can also introduce bugs or open your solution up to security exploits that can be hard to pin down and troubleshoot. Ultimately, customizing one’s own platform leads to a hard-to-manage and under-documented solution over time.

Access to Customer and Order Data

Having access to your commerce platform source code and database directly (via command line tools, for example) offers larger organizations the ability to access their information in countless ways, typically for integration or backup automation purposes. This is absolutely a benefit for larger organizations who need to do real-time data mining or for those who feel comfortable with the thought that they have boundless access to their own data whenever they need it.

But, with great power comes great responsibility. Having direct access to your own data means you must consider its security against both internal staff and external attackers, as well as ensure that the data doesn’t become corrupted.

High Level SaaS Readiness Checklist

The following are the top three questions I supply to prospective clients in order to gauge at a high level whether or not a SaaS platform might be a good fit for them. Being realistic about your business’ strategy and future scaling goals is the first step in deciding if a SaaS ecommerce platform is right for your business.

[Image: SaaS readiness checklist]

Photo: Flickr, Caleb Roenigk

Brand Breakdown: How Chuck Levin’s Bridged Online and Offline Expectations to Increase Annual Gross Sales 3x
https://www.bigcommerce.com/blog/chuck-levins/
Thu, 18 Jun 2015 16:05:47 +0000

In 1958, a soon-to-be-legendary brick-and-mortar opened its humble doors in Washington, DC: Chuck Levin’s Washington Music Center. Today, Chuck Levin’s is the single largest independently owned retail music store in the U.S. –– and its brand name alone connotes exceptional customer service and dedication to musicians around the world.

Yet, this success and brand recognition was once in peril –– and it was the internet age to blame. While the physical store continued to modestly grow year-over-year revenue, its online store suffered from a poorly conceived ecommerce platform that generated slow performance, poor aesthetics and a lack of a truly scalable ecosystem that catered to the regular needs of commerce –– things including shipping, taxes and more.


This underperforming online store affected the brand through low consumer shopping confidence which hindered checkout conversions and created –– at best –– an underwhelming brand experience. Worse, not only did consumers not want to shop online, they weren’t compelled to come in store based on their poor experience of Chuck Levin’s online.

In 2014, Chuck Levin’s set out to change the fate of their online presence and provide a cohesive, end-to-end experience that would address its online channel’s largest pain points: flat sales, low conversions and poor consumer shopping confidence. The details of this now successful shift were the main topic of conversation at an event in Toronto, Ontario on June 16, where the multiple agencies involved in creating the current Chuck Levin’s experience spoke to the benefits of SaaS for an enterprise brand.


How Chuck Levin’s went about migrating their store, addressing huge pain points and ultimately creating a digital presence that reflects their unparalleled reputation is outlined below.

[Screenshot: current Chuck Levin’s website]

A Rock-Solid Platform That Delivers

First, Chuck Levin’s needed a scalable and flexible ecommerce platform. In the industry, scalable means one really big thing: that the platform has undergone full diligence in testing its API for merchantability [the ability to upload massive amounts of SKUs] and connectivity [the ability to easily integrate properly with third-party applications and partners]. Once a platform has proven this to be true, it becomes the backbone of a company’s website –– no matter how large that company grows.

Equally important, however, are a quality, responsive and technically adept support team, and a commitment to an impressive 99.99% uptime SLA [service level agreement].


In short, this means that the platform will always be up and always be fast. For Chuck Levin’s, Bigcommerce was the first-in-class choice, with a data proof point of 100% uptime during the busiest online shopping days in history to date: Black Friday/Cyber Monday of 2014.

With this platform in place, Chuck Levin’s connected a legacy ERP system (i.e. Inventory Management and Accounting platform) to their product management tool, effectively creating a sophisticated publication engine that powered the automatic creation of products online in record time.

Design Experts That Execute

[Screenshot] Photo: Jasper Studios

When it came to design, Jackson Wynne was the design partner of record. Their brand consultants rose to the challenge of taking this legacy brand and modernizing its identity while paying respectful homage to a very near-and-dear sentiment amongst its key stakeholders, many of whom have been with the company for decades.

Jackson Wynne is credited with not only producing a gorgeous responsive theme and executing a clean, highly-usable product grid and detail pages, but also with producing quality print collateral material (i.e. business cards, t-shirts, letterhead, stickers, etc.) and generating a creative brand guide that provided direction for the Chuck Levin’s internal design team.

In essence, they overhauled a brand 50 years in the making –– and did it by figuring out how to measure the pulse of both the passionate employees and customers who made Chuck Levin’s what it is.

On-site Search Functionality That Increases Customer Satisfaction

Product grids and auto complete on-site search capability are essential tools in the ecommerce arsenal for bringing a world-class online shopping experience to customers. Given Chuck Levin’s already customer-centric brand and reputation, it was critical they find a partner to provide extensive on-site search and product functionalities –– and they found that partner in Nextopia. Nextopia is a well-known and respected enterprise ecommerce brand, working with many of Internet Retailer’s top 500 e-tailers annually. What makes their service so reliable is a robust, tried-and-true API and uptime performance record that’s second to none.

For enterprise brands like Chuck Levin’s and the dozens of other online stores utilizing Nextopia, uptime and performance integrity are essential to creating a reliable solution and keeping customers shopping with confidence.


Nextopia’s advanced faceting capability allows customers to find products quickly and intuitively, and was essential in helping Chuck Levin’s deal with one of their previously large pain points: sales conversion rate.

By setting up and maintaining a fast, user-friendly product navigation and search experience, Chuck Levin’s is able to get the right products in front of the customers searching for them, every single time. For brands serving niche segments, on-site search functionality is crucial –– and is one of the only ways to capture an audience in the purchase level of the conversion funnel. Doing so will easily increase conversions given that you are providing online shoppers convenient and quick access to the items they need.

To be fair, Nextopia’s search capabilities are an add-on feature and only supplement the already built-in product faceting and search auto-complete capabilities that Chuck Levin’s ecommerce platform, Bigcommerce, provides.

Detailed Product Photography That Mimics the In-Store Experience

[Screenshot] Photo: Jasper Studios

Product photography is a critical element to success for any online store. Shoppers want to be sure that the product they see online will be the one they have delivered. And, with specialty items, shoppers want to be able to see the details and get a sense of the item in a similar way to how they would be able to do so in-store. HD and 360° product photography is how you do this.

Chuck Levin’s partnered up with Ortery Technologies, a company well known to be capable of producing 14,000 quality HD product photos and 3D panoramic views on a single piece of equipment. To maintain Chuck Levin’s customer-centric reputation, this photography partnership was key.

Ortery worked to enable photo automation on the new Chuck Levin’s site, bringing rich media to their product catalog without extensive work on maintenance for the Chuck Levin’s team themselves.

The Results Speak for Themselves –– 3x Increase in Sales

In just three short months after the new Chuck Levin’s site launch, their online store achieved a 5x increase in conversions and a 3x projected annual increase in gross sales.

With the combination of professional partners including Jasper Studios, Bigcommerce, Nextopia, Ortery Technologies and Jackson Wynne, the teams were able to bring a respectable enterprise solution to market (not including prototyping time) in only six short weeks, easily the fastest integration time my own team here at Jasper Studios has ever encountered with any other platform.


With the blending of these partnerships, consumer shopping confidence was effectively restored. Not only could customers now readily find what they were after, new high quality imagery and robust search capability was absolutely critical in helping turn browsers to buyers –– and these aspects are also bringing more foot traffic into the Chuck Levin’s brick-and-mortar as well.

For example, shoppers have been calling into the physical store, commenting about how they saw a beautiful, new Paul Reed Smith electric guitar in full panoramic detail, and indicated that they wanted to come into the store to try it out. In all, unlike the previous site, Chuck Levin’s online is increasing revenue both digitally and in-store.

Now that is truly an enterprise-grade success: multi-channel benefit from a smartly executed online strategy.

The Benefits of a SaaS Ecommerce Solution for Enterprise Brands: Robust APIs, Speedy Support, Real-Time PIM Integration
https://www.bigcommerce.com/blog/saas-solution-for-enterprise-brands/
Mon, 15 Jun 2015 16:05:23 +0000

Imagine having the capability to store your products safely and securely in one centrally hosted software-as-a-service (SaaS) solution and then publishing those products out to multiple channels and marketplaces at once, automatically. That’s the dream for every multi-channel retailer out there (which is, these days, just about everyone). This is exactly what a product information management system (PIM) can do.

PIM systems are built specifically for modern omnichannel environments, and they are becoming increasingly important for mid- to large-sized businesses as part of their efforts to streamline workflows and create more sophisticated information management stacks. It’s been my observation that most SMBs who sell physical goods and have SKU counts larger than 500 could benefit from a PIM.


That said, we’ll be diving in today to outline the capabilities and benefits of a PIM, what it can do for your business and how a robust and open API is central to ensuring proper data transfer and streamlined workflows.

First, what is a PIM?

A PIM system is a middleware software solution that abstracts and protects your organization’s unique product data, including SKU data, product photography, merchandising meta-data and pricing information from any particular underlying commerce platform or ERP system.

In short, a PIM is used to provide your overall modern ecommerce infrastructure with flexibility. Consider the following example: products for your online store are often mastered directly by hand inside the Bigcommerce admin console (or another, similar web-based management tool). While there is nothing inherently wrong with this, it presents multi-channel publication challenges which become increasingly important for retailers who want to sell product in their physical brick-and-mortar stores, via Amazon or eBay and through a variety of alternative online stores that may be branded differently or contain products that are meant for different consumption audiences (such as B2C vs. B2B customers).

How a PIM Works and Solves for the SaaS Issue

Once your products are added, barcoded, photographed, categorized, merchandised and lit up to various portals or publication channels inside your PIM, automation rules are created that publish to a limitless number of platforms, including your Bigcommerce store itself.


A professional PIM can also be set up to aggregate sources from multiple inbound feeds. Say, for example, as a retailer, you’d like to automatically create products that you can publish to your Bigcommerce store, while also setting rules so that your staff can go in and simply do the following:

  • Review the data that has come in from the inbound feeds or ERP ingestion pipeline
  • Massage the data a little bit, adding custom photos and pricing where needed
  • Set up merchandising rules such as categories, attributes, tags, promotions, sales, etc.
  • Define its publication channels (i.e. which stores does this product sell from?)
  • Define custom price groups & tiers or other override data like names or imagery depending on publication channel
  • Finally, decide which store(s) or output channels you’d like to publish to (and at what frequency) and the PIM takes care of the rest
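The workflow above, reduced to code as an added example (this is not Jasper Studios’ PIM or any vendor’s code): master records are validated once, then each channel applies its own merchandising rule, price group and name override before a payload is produced. The product, channel and sample catalog below are constructed for the example; the validation step is the check a practitioner would want so that a malformed record is held for review rather than published everywhere at once.

```python
"""Toy PIM publication engine (added example, not Jasper Studios' PIM or any
vendor's code).  Products are mastered once; per-channel rules and overrides
decide what is published where.  All names and sample data are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Product:
    sku: str
    name: str
    price: float
    category: str
    channels: List[str]                                            # channels this product sells from
    price_tiers: Dict[str, float] = field(default_factory=dict)    # price group -> override price
    name_overrides: Dict[str, str] = field(default_factory=dict)   # channel -> override name


@dataclass
class Channel:
    name: str
    accepts: Callable[[Product], bool] = lambda p: True   # merchandising rule for this channel
    price_group: Optional[str] = None                     # e.g. "wholesale" for a B2B store


def validate(product: Product) -> List[str]:
    """Checks run before anything leaves the PIM; bad data never reaches a storefront."""
    problems = []
    if not product.sku.strip():
        problems.append("missing sku")
    if product.price < 0:
        problems.append("negative price")
    if not product.channels:
        problems.append("no publication channel")
    return problems


def build_payload(product: Product, channel: Channel) -> dict:
    """Apply channel-specific overrides (price group, display name) to one record."""
    price = product.price_tiers.get(channel.price_group, product.price)
    return {
        "sku": product.sku,
        "name": product.name_overrides.get(channel.name, product.name),
        "price": price,
        "category": product.category,
    }


def publish(products: List[Product], channels: List[Channel]) -> Dict[str, List[dict]]:
    """One master record in, one payload per eligible channel out."""
    out: Dict[str, List[dict]] = {c.name: [] for c in channels}
    for product in products:
        if validate(product):
            continue   # held back; a real PIM would surface this to staff for review
        for channel in channels:
            if channel.name in product.channels and channel.accepts(product):
                out[channel.name].append(build_payload(product, channel))
    return out


def sample_catalog() -> List[Product]:
    """Constructed master records, including one that fails validation."""
    return [
        Product("GTR-001", "Electric Guitar", 999.0, "guitars", ["retail", "b2b", "amazon"],
                price_tiers={"wholesale": 750.0},
                name_overrides={"amazon": "Electric Guitar, Sunburst"}),
        Product("CBL-100", "Instrument Cable (100-pack)", 350.0, "bulk", ["b2b"],
                price_tiers={"wholesale": 300.0}),
        Product("DRM-010", "Drum Kit", 1200.0, "drums", ["retail", "amazon"]),
        Product("BAD-000", "Unpriced Item", -1.0, "misc", ["retail"]),   # rejected by validate()
    ]


def sample_channels() -> List[Channel]:
    """Constructed channels: B2C store, B2B store on a wholesale price group, a marketplace."""
    return [
        Channel("retail"),
        Channel("b2b", price_group="wholesale"),
        Channel("amazon", accepts=lambda p: p.category != "bulk"),   # marketplace merchandising rule
    ]


def run_demo() -> Dict[str, List[dict]]:
    return publish(sample_catalog(), sample_channels())


if __name__ == "__main__":
    for channel_name, payloads in run_demo().items():
        print(channel_name, [(p["sku"], p["name"], p["price"]) for p in payloads])
```

The point of `accepts` and `price_tiers` living on the channel and product respectively is that the staff edit the master record exactly once; every downstream store derives its own view from it, which is the single-edit workflow the post describes.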

I have clients who publish their content not only to Bigcommerce via our PIM, but also to third party professional search services such as Nextopia, Google Merchant Center (for remarketing ads), Amazon and eBay. Having your staff edit product only once, rather than countless times in multiple back-end admin consoles, is the only sane way to manage anything more than a few hundred SKUs, let alone tens of thousands.

Additional PIM Benefits

A PIM really shines, however, when connected to your inventory management system (IMS), such as JDA or MS Dynamics Navision. Many IMS systems don’t have awesome controls for managing rich media file types (i.e. HD product photography, 360° panoramic imagery, 3D mesh/wireframe data, videos, etc.) or multiple sets of product meta-data, nor do they contain advanced merchandising capabilities, such as the ability to specify complex outbound channel publication rules.

These publication rules determine which products should be published to each supported multi-channel storefront, and which should not. A PIM is used to build upon the IMS, then, by adding these capabilities.


Additionally, the PIM can be set up to run an automated ingestion process against the IMS to bring in master product records. This can happen once daily, hourly or in real time. The greatest benefit in connecting an IMS to a PIM is to empower workflow enhancements, whereby staff no longer need to manually create products in the PIM at all, but rather they use it to simply manage the missing rich media that the IMS doesn’t support.

What’s more is that a PIM empowers sophisticated and extremely granular user access controls centered around the product data itself. This becomes important in keeping unauthorized staff away from pricing data in your ERP or IMS, as well as any other sensitive financial information from your accounting platform.


As such, you can instruct the PIM to hide all pricing data from certain staff members for example. It’s incredible how many times I’ve seen junior staff with username/password access to the entire financial platform (including views of the balance sheet and income statement) just so they could update product descriptions for their bosses’ online store. This is not a safe practice.
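What field-level access control over product data looks like in practice, as an added example that is not from the article or any vendor’s PIM. Roles, field sets and the sample record are constructed; the policy is default-deny, so a role that is not listed sees nothing, an update that touches any field outside the role’s write set is rejected whole, and every attempt is recorded so that a content editor probing for pricing shows up in the audit trail rather than the balance sheet.

```python
"""Field-level access control for product records in a PIM (added example, not
from the article or any vendor's PIM).  Roles, field sets and the sample
record are constructed for this illustration.
"""
from typing import Dict, List, Set

# Default deny: a role sees and edits only the fields listed here.  Pricing and
# cost originate in the ERP/IMS; a content editor never needs to see them.
ROLE_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "content_editor": {
        "read":  {"sku", "name", "description", "images", "categories"},
        "write": {"name", "description", "images", "categories"},
    },
    "merchandiser": {
        "read":  {"sku", "name", "description", "images", "categories", "price", "promotions"},
        "write": {"categories", "price", "promotions"},
    },
    "finance": {
        "read":  {"sku", "name", "price", "cost", "margin"},
        "write": {"cost"},
    },
}

AUDIT_LOG: List[str] = []   # every write attempt, allowed or denied, lands here


def fields_for(role: str, action: str) -> Set[str]:
    """Unknown roles get no fields at all rather than everything."""
    return ROLE_POLICY.get(role, {}).get(action, set())


def view_record(record: dict, role: str) -> dict:
    """Redacted copy of the record: only fields the role may read survive."""
    allowed = fields_for(role, "read")
    return {key: value for key, value in record.items() if key in allowed}


def apply_update(record: dict, role: str, changes: dict) -> dict:
    """Reject the whole update if any changed field is outside the role's write set."""
    denied = set(changes) - fields_for(role, "write")
    if denied:
        AUDIT_LOG.append(f"DENIED {role} -> {sorted(denied)}")
        raise PermissionError(f"{role} may not modify {sorted(denied)}")
    AUDIT_LOG.append(f"OK {role} -> {sorted(changes)}")
    updated = dict(record)          # never mutate the caller's master record in place
    updated.update(changes)
    return updated


SAMPLE_RECORD = {   # constructed product record as a PIM might hold it
    "sku": "GTR-001",
    "name": "Electric Guitar",
    "description": "Sunburst finish, maple neck",
    "images": ["gtr-001-front.jpg"],
    "categories": ["guitars"],
    "promotions": [],
    "price": 999.0,
    "cost": 600.0,
    "margin": 0.40,
}


if __name__ == "__main__":
    print(view_record(SAMPLE_RECORD, "content_editor"))   # no price, cost or margin
    try:
        apply_update(SAMPLE_RECORD, "content_editor", {"price": 1.0})
    except PermissionError as exc:
        print("blocked:", exc)
    print(apply_update(SAMPLE_RECORD, "content_editor", {"description": "Updated copy"})["description"])
    print(AUDIT_LOG)
```

Rejecting the entire update rather than silently dropping the disallowed fields matters: a partial success would leave the editor believing the price change went through, and the denial would never reach anyone reviewing the audit log.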

Another nicety of a PIM is that you can train your staff on a single administrative console instead of several. This minimizes staff workflow and training efforts, and also avoids manually publishing product data to various storefronts one by one via copy-and-paste, reducing the margin for error and maintaining the overall integrity of your product information.

Publishing Products from Your PIM to Bigcommerce Enterprise

Now that I’ve detailed what a PIM is, and hopefully articulated some of the unadulterated sanity in using one, let’s outline below what was involved in connecting Jasper Studios’ PIM to the Bigcommerce API.

Our PIM was developed atop the increasingly popular Laravel MVC framework and the original prototype was developed specifically against the Bigcommerce Product API in April of 2014.


The first goal was to ensure that our PIM could support a significant number of SKUs that would doubtlessly come from a professional ERP/IMS source or multiple inbound feed sources via automation. That necessitated, in our case, running creation tests against the Bigcommerce API involving an estimated 150,000 SKUs. Yes, that’s correct –– 150,000 SKUs.

That’s more than any single product data entry clerk could ever hope to accurately manage manually, even if they had fifteen lifetimes to do it in.

Automation here was key and, while we assumed the Bigcommerce API was built for this sort of thing, we needed to run a battery of tests to corroborate the fact that the platform could stand up to our needs for timely and integral operation. Otherwise, we’d have been shopping around for another commerce platform.

Here’s what we tested and how it turned out.

Speed Test

Adding tens or a few hundred products via the API we postulated would predictably take seconds or minutes, but what would happen if we tried to add 150,000 products within the same hour?

Our first attempt in using the product API did take an unholy amount of time, unfortunately; an order of three days to complete, as we were also attempting to add as many as 35 custom product attributes to each product record. Product attributes are details such as color, size, SKU, series, brand, weight, height, condition, etc.


We needed to get the ingestion time down to something more palatable and thus opted to package all of our attributes from our PIM into a single product entity field known as a JSON object. Once we did that, we were able to get the creation time for 150,000 SKUs down to a matter of 4 hours and 36 minutes. That’s not altogether shabby, since we weren’t planning to add 150,000 SKUs every 15 minutes, or even every day. We just need to do this once when we onboard a new client during the initial load (or ingestion) process before a new store goes live.

Since we predicted that many of our customers would likely only peak at about 30,000 SKUs or so, we now have the initial ingestion time down to about an hour, which is absolutely reasonable.

Integrity Test

Coming from working with Magento Enterprise, where we had countless integrity issues due to its poor internal handling of large product grid indexes, at no point did we encounter any integrity issues with the Bigcommerce API. Of course, you might be thinking, what else would we say on the Bigcommerce blog? But, let’s walk you through it as proof.


An integrity issue is simply a case where we attempt to add or update a product by making a REST call to a function inside the Bigcommerce API, and the function call either:

  • Leaves the data in a corrupt state
  • Deadlocks or hangs the calling process
  • Crashes the server or bungles up the store or database powering the API

No such issues were encountered and thus we were able to move on with our final test.

Important Note: Integrity Tests are meant to give us comfort in a go-forward plan to execute with a given partner. If this test fails, our development team loses faith in the product and has no choice but to move its integration plans elsewhere.

Reset Test

The joy of using a PIM comes into play when you wish to make detailed wholesale changes to product content. At the time of writing, the Bigcommerce API doesn’t have the provision for search and replace functions of product data, i.e. modifying attributes with special prefixes or adding watermarks to all product imagery, for example. These are all things a professional PIM could support, but would require a wholesale reset of the products inside Bigcommerce.

We tested a wholesale catalog UPDATE and a wholesale DELETE. In both cases, the experiments produced satisfying results, at least for our purposes.
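The three tests described above (speed, integrity, reset), as one added harness that is not Jasper Studios’ code and does not call the Bigcommerce API. `FakeCatalogApi` is a constructed in-memory stand-in for the product endpoint so the harness runs offline; against a real API it would be replaced by an HTTP client with the same four methods. It shows the attribute-packing trick from the speed test (all custom attributes folded into one JSON field so creation is one call per SKU rather than one per attribute), the read-back comparison that makes "corrupt state" detectable, a per-call timeout so a hung call is reported instead of deadlocking the publisher, and a wholesale UPDATE followed by a wholesale DELETE with a check after each.

```python
"""Ingestion test harness: speed, integrity and reset checks against a product API.

Added example, not Jasper Studios' PIM code.  FakeCatalogApi is a constructed,
in-memory stand-in for the real REST endpoint so the harness runs offline.
"""
import json
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as CallTimeout
from typing import Dict, List


class FakeCatalogApi:
    """In-memory stand-in for a product REST API (constructed for this example)."""

    def __init__(self):
        self._db: Dict[int, dict] = {}
        self._next_id = 1
        self.calls = 0          # every method counts as one HTTP round trip

    def create_product(self, payload: dict) -> int:
        self.calls += 1
        pid = self._next_id
        self._next_id += 1
        self._db[pid] = dict(payload, id=pid)
        return pid

    def get_product(self, pid: int) -> dict:
        self.calls += 1
        return dict(self._db[pid])

    def update_product(self, pid: int, changes: dict) -> dict:
        self.calls += 1
        self._db[pid].update(changes)
        return dict(self._db[pid])

    def delete_product(self, pid: int) -> None:
        self.calls += 1
        del self._db[pid]

    def count(self) -> int:
        return len(self._db)


def pack_attributes(attrs: Dict[str, str]) -> str:
    """Fold many custom attributes into one JSON string field: one call instead of one per attribute."""
    return json.dumps(attrs, sort_keys=True)


def unpack_attributes(blob: str) -> Dict[str, str]:
    return json.loads(blob)


def call_with_timeout(fn, *args, timeout_s: float = 5.0):
    """Run one API call; a call that hangs past timeout_s raises instead of stalling the publisher."""
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        return pool.submit(fn, *args).result(timeout=timeout_s)
    except CallTimeout:
        raise RuntimeError("API call hung") from None
    finally:
        pool.shutdown(wait=False)   # a genuinely hung worker is abandoned, not waited for


def ingest(api: FakeCatalogApi, products: List[dict]) -> dict:
    """Speed + integrity test: create every product, read it back and compare field for field."""
    ids, corrupt, hung = [], [], []
    start = time.perf_counter()
    for p in products:
        payload = {"sku": p["sku"], "name": p["name"], "attributes": pack_attributes(p["attributes"])}
        try:
            pid = call_with_timeout(api.create_product, payload)
            stored = call_with_timeout(api.get_product, pid)
        except RuntimeError:
            hung.append(p["sku"])
            continue
        ids.append(pid)
        if stored["sku"] != p["sku"] or unpack_attributes(stored["attributes"]) != p["attributes"]:
            corrupt.append(p["sku"])   # the API did not store what we sent
    return {"ids": ids, "corrupt": corrupt, "hung": hung,
            "elapsed_s": time.perf_counter() - start, "api_calls": api.calls}


def reset_test(api: FakeCatalogApi, ids: List[int], prefix: str) -> dict:
    """Wholesale UPDATE (prefix every name) then wholesale DELETE, verifying each step."""
    for pid in ids:
        api.update_product(pid, {"name": prefix + api.get_product(pid)["name"]})
    update_ok = all(api.get_product(pid)["name"].startswith(prefix) for pid in ids)
    for pid in ids:
        api.delete_product(pid)
    return {"update_ok": update_ok, "delete_ok": api.count() == 0}


def sample_products(n: int, attrs_per_product: int = 35) -> List[dict]:
    """Constructed catalog: n SKUs with attrs_per_product custom attributes each."""
    return [{"sku": f"SKU-{i:06d}", "name": f"Product {i}",
             "attributes": {f"attr_{k}": f"value_{i}_{k}" for k in range(attrs_per_product)}}
            for i in range(n)]


def run_demo(n: int = 1000) -> dict:
    api = FakeCatalogApi()
    result = ingest(api, sample_products(n))     # api_calls here is 2n: one create + one read-back per SKU
    result.update(reset_test(api, result["ids"], "[RESET] "))
    return result


if __name__ == "__main__":
    print(run_demo())
```

The read-back after every create is what turns "we didn’t notice any corruption" into a measurable result; on a real API it doubles the call count, which is the price of an integrity test rather than a speed test, and the two can be run separately once the integrity run has passed.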


Why Enterprise Support Matters

Once our PIM had been developed and approved by our client, things were going along quite nicely leading up until the planned launch. We did encounter, however, some last-minute challenges in using the API that were the result of bugs (i.e. faults) in the PHP Bigcommerce library itself. The library, which was not maintained by Bigcommerce, hadn’t been updated on GitHub in about a year or so, it seemed.

Bigcommerce Support to the Rescue

The Bigcommerce support experience from an enterprise integrator’s perspective is that of legend, at least, at the Tier 2 level. Having access to this Tier 2 support representative before a critical launch is essential to any solid project management planning efforts.

Often when we had worked with other commerce platforms on Tier 1 (or even Tier 2) support teams, they may have had the best of intentions, but they simply lacked the technical capability and perspective to provide cohesive insight that yielded rapid results during a crisis. Turns out, we had just such a crisis at a very sensitive time in our relationship with a newly beloved client. Two days before launch, our PIM publication engine was deadlocking in attempts to publish to the API. This meant, no product on the website. No products predictably would have meant very little sales, if you can imagine the stretch in this analogy.


Anyhow, it’s often a frustrating process for system administrators to work with technical support reps, and my experience working with Bigcommerce support was unparalleled in the industry, for the following reasons:

  • The support rep answered the phone quickly, was empathetic and helpful.
  • The support rep wasted no time in putting me directly in touch with someone more technical, who was himself both pleasant and astute; with a mastery of English that was refreshing. The rep was very patient as I described in painstaking detail the precise symptoms as best we could tell from our diagnostics.
  • As soon as the rep realized he was out of his pay grade, he directed me to one of the engineers that was involved in mastering the API itself. Surely, if this individual didn’t know what the issue was, no one likely would.
  • The API engineer provided clear direction and we iterated over the phone on a number of attempts to solve the problem, until the solution was sorted out.

If you’re at all interested to find out what the integration issue specifically was (and how we patched the Bigcommerce library on our own) visit our website. You’ll find a link to download an updated version of the PHP library on our website as well, should you so be inclined to use it.

In all, I found working with the Bigcommerce API to be a first-class experience. It’s well documented, functions with integrity and was speedy enough to handle more product SKUs than we’d ever need.


What’s more important than that, though, is having a company and support team dedicated to world-class customer service. A PIM system is integral to the scalability and success of enterprise level ecommerce companies, and without such a robust API as well as speedy support, a SaaS solution for enterprise, like Bigcommerce, wouldn’t be an acceptable one for larger companies.

Thankfully, it is –– saving those companies more than $60,000 a year in expenditures. Of course, you can use this calculator to figure out exactly how much your own company could save.

The Details Behind a Denial of Service Attack: What It Is, Why It Matters and What You Can Do to Stop It
https://www.bigcommerce.com/blog/denial-of-service-attack/
Tue, 02 Jun 2015 14:00:11 +0000

If you’re self hosting your ecommerce store using WooCommerce, OpenCart, Magento, ZenCart, or perhaps your own homegrown, custom solution, and do not have a dedicated managed hosting provider or sophisticated ISP that can detect and mitigate denial of service attacks, a hacker might be able to bring down your store (and keep it down) for hours or days on end. It is important that you educate yourself on denial of service (DoS) and distributed denial of service (DDoS) attacks in order to prevent them, as well as know what to do in the event that one occurs.

Note: as a hosted SaaS solution, Bigcommerce provides DoS and DDoS protection, both from our primary service provider (SoftLayer) and a supplementary service (BlackLotus). All online stores utilizing Bigcommerce are protected.

What is a DDoS Attack?

A denial-of-service (DoS) attack is a concentrated, automated attempt to overload a target network with a large volume of requests to render it unavailable for use. It is achieved by launching a series of data packets very rapidly at a target computer system until it becomes too slow to be usable or is brought down entirely. The target system becomes slow as its central processing unit (CPU) attempts to handle the requests and serve responses. As the CPU grinds to a halt, any servers running on it –– such as a web server powering your ecommerce store –– become extremely slow or fully unresponsive altogether.

A DoS attack involves a single initiating source computer system. A distributed-denial-of-service (DDoS) attack is a much more serious version of DoS, however, and it involves reflecting and amplifying requests by enlisting hundreds or thousands of other source computers from across the globe to concentrate its efforts against the target.


There is only so much CPU processing power and network traffic (i.e. requests and responses) a single system can produce, but when a DoS is amplified into a DDoS, the effects can, and often do, result in significant website and network outages. If a DDoS attack was aimed at your ecommerce store for example, it would make it extremely difficult for your customers to shop, if they could shop at all.

The objective from a hacker’s perspective is to frustrate the target, damage its brand equity and force the target organization to spin its wheels and burn resources trying to handle the issue. It can be done for political reasons, to achieve activist means or as part of a corporate sabotage campaign by competitors. It can also be done by a single teenage hacker from the comfort of their parent’s basement, simply for the pure amusement of it.

DDoS Attacks: Some Recent Statistics

A denial-of-service attack may be part of a larger campaign aimed at a retailer for a variety of reasons and it has a horrible way of manifesting itself at the most inopportune time, such as during a Black Friday/Cyber Monday sale or on the morning of an important new product launch. It’s important to consider what the financial impact could be to your own ecommerce store should you be hit with such an attack.

In recent news, open source infrastructure giant GitHub underwent a serious DDoS attack that lasted roughly 120 hours (that’s about 15 working days!) which was ultimately blamed on China.


According to a Q3 2014 Verisign report, DDoS attack sizes and frequencies are growing at an alarming rate, gaining 38% in a single quarter in 2014 alone. Most of the attacks are targeted against media and entertainment companies, exploiting well known vulnerabilities in NTP (network time protocol) by way of UDP (user datagram protocol) reflection attacks.

Note: NTP and DNS are the principal types of reflection attacks but there are many others using both UDP and in rare cases TCP.

Prolexic (part of the Akamai group of global cloud hosting providers) estimated in 2014 that 32% of all websites may be hosted on an insecure network that could be susceptible to denial of service attacks.

Types of DDoS Attacks

There are three fundamental forms of denial-of-service and distributed-denial-of-service attacks:

  • Volume (i.e. Network) based: This form of attack involves large numbers of requests being sent to the target system, which may perceive them as valid requests (i.e. spoofed packets) or invalid requests (i.e. malformed packets). The goal of a volume-based attack is to overwhelm your network capacity. The requests can be spread across a range of ports on your system. One method attackers use is the UDP amplification attack, whereby they send a request for data to a third-party server while spoofing your server’s IP address as the return address. The third-party server then sends massive amounts of data to your server in response. In this way an attacker need only dispatch small requests, but your server ultimately gets flooded with the “amplified” data from the third-party servers. There could be tens, hundreds or thousands of systems involved in this form of attack.
  • Protocol based: Protocol-based attacks target load balancers or servers and exploit the way that systems communicate with each other. The packets can be designed to make the server wait for a non-existent response during the normal handshake, e.g. a SYN flood.
  • Application based: Hackers use known vulnerabilities in the web server software or application software to try to cause the web server to crash or hang. One common type of application based attack is to send partial requests to a server to attempt to use up (i.e. make busy) the entire database connection pool of the server which in turn blocks legitimate requests.

Preventative Measures

The first step in preparing for a potential attack is to set up a remote website monitoring service that will send out notifications when your online store becomes latent or goes down altogether. On the simple and cheap end, I use a service called BinaryCanary for many of our clients, but if you self-host with Amazon Web Services you can also set up hardware performance alarms via their CloudWatch service, which tracks various network I/O metrics and can also signal performance degradation, indicating that your store may be under a DoS or DDoS attack.

Consider setting up an external logging service, as well. If your store comes under attack, its web server logs may still be accessible from another source.

Another good practice is to point your DNS nameservers to a DDoS mitigation service such as CloudFlare. This can be useful later in making it harder for hackers to determine the actual location (i.e. IP addresses) of your servers. It acts as a proxy in front of your real systems and can be very useful as a front line of defense for large-scale attacks that frankly most SMBs are utterly ill-equipped to combat.

How to Know You’re Under Attack

Even if you’re alerted to what might be a DoS or DDoS attack, it is unlikely that you will be able to determine the actual target or source of it, but there are some telltale signs for which to keep an eye out.

  • The website becomes extremely slow or totally unresponsive, for long periods of time and may or may not show signs of intermittent relief throughout the day.
  • You contact your IT department, technical provider or Internet Service Provider (ISP) to restart your webserver (or you attempt to do so yourself) and after doing so the problem persists.
  • You additionally discover that your server logs are overrun with massive amounts of activity, from one or many IP addresses, but you can sometimes identify sets of the same IP addresses appearing in the logs very frequently.

Note that what can be interpreted as denial-of-service can also just be a badly configured or corrupt web server, with overrun hard drive storage or database performance issues.
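The “same IP addresses appearing very frequently” sign above can be checked mechanically. The script below is an added example, not code from the original post: it parses Apache/nginx combined-format access log lines, counts requests per client per minute, and reports how concentrated the traffic is, which also helps separate an attack from the misconfigured-server case (a misconfiguration slows every client down but does not change who is sending the requests). The log lines and addresses are constructed sample data.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: client IP, identity, user, [timestamp],
# "request line", status, bytes, "referer", "user agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request line, status), or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def triage(lines, window_seconds=60, per_ip_threshold=50, share_threshold=0.5):
    """Summarise how concentrated the traffic is, per IP and per time window.

    An IP that sends per_ip_threshold or more requests inside one window is
    flagged. When the top five IPs together carry share_threshold of all
    requests, the load is coming from a few sources, which points at an
    attack rather than at a badly configured server.
    """
    per_window = defaultdict(Counter)   # window start (epoch seconds) -> Counter of IPs
    totals = Counter()
    parsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:                  # skip lines that do not parse
            continue
        ip, ts, _req, _status = rec
        parsed += 1
        bucket = int(ts.timestamp()) // window_seconds * window_seconds
        per_window[bucket][ip] += 1
        totals[ip] += 1

    flagged = sorted({ip for c in per_window.values()
                      for ip, n in c.items() if n >= per_ip_threshold})
    top = totals.most_common(5)
    top_share = sum(n for _, n in top) / parsed if parsed else 0.0
    return {
        "parsed": parsed,
        "top_ips": top,
        "flagged_ips": flagged,
        "top5_share": top_share,
        "concentrated": top_share >= share_threshold,
    }


def make_line(ip, second, path="/"):
    """Constructed sample line in combined format; all lines fall in the same minute."""
    return (f'{ip} - - [12/May/2015:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')


# Constructed sample log (RFC 5737 documentation addresses, not real clients):
# one address hammers the checkout page, a second one the cart, twenty
# ordinary shoppers make one request each, and one line is junk.
SAMPLE_LOG = (
    [make_line("198.51.100.7", s % 60, "/checkout") for s in range(120)]
    + [make_line("203.0.113.9", s % 60, "/cart") for s in range(60)]
    + [make_line(f"192.0.2.{i}", i, "/product/123") for i in range(1, 21)]
    + ["this line is not a log entry"]
)


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"parsed {report['parsed']} requests; top 5 IPs carry "
          f"{report['top5_share']:.0%} of them")
    for ip, n in report["top_ips"]:
        print(f"  {ip:15} {n}")
    if report["concentrated"]:
        print("addresses over the per-minute threshold (review before writing firewall rules):")
        for ip in report["flagged_ips"]:
            print("  " + ip)
```

The flagged list is only a starting point for the traffic profiling described under Blocking the Attack; with reflection traffic the source addresses are spoofed, so verify before acting on them.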

How to Mitigate the Attack

DDoS attacks are sophisticated and often involve vulnerabilities in low-level operating system or web server application software. WordPress (WP), for example, had a recent XML-RPC reflection vulnerability that made it easy for hackers attempting a DDoS against a WordPress site or WP-backed store. They can be very hard to mitigate without specialized knowledge. If you self-host your own on-premise web server, you’re going to have to call in a third party that specializes in DDoS to help. Incapsula is one such provider.

To mitigate an attack, you can attempt either to absorb the attack or to block it.

Absorbing the Attack

This may involve spinning up new servers, or provisioning new computers and a load balancer. This can quickly become very expensive, assuming your hosting environment is in the cloud to begin with. Provisioning an n-tier on-premise architecture, deploying more physical web servers, configuring and optimizing the application stack, adding a load balancer, etc. are all measures used to bring high-traffic websites to scale. Attempting to do this to absorb a DDoS (and organizations often attempt this; I’ve attempted it myself as well) is not only extremely time consuming and technically involved, it’s also often a futile effort: as the DDoS amplifies, it vastly outscales your ability to defend against it.

Blocking the Attack

This is a better approach than absorbing the attack, but here’s where you’ll need that third-party service to profile the traffic so that you can effectively create a mitigation plan. You may get lucky and find a small number of IP addresses that are causing the problem. That would be the best-case scenario, in which you could create firewall rules to block those addresses and be on your way. For a more serious internal DDoS mitigation environment, if you’re self-hosting your own store, consider purchasing caching software and servers, picking up advanced hardware firewalls, a load balancer, etc. or other supporting network devices.

DNS-level DDoS attacks can be mitigated by setting low TTLs (time-to-live) and employing multiple DNS providers to be able to fail over. Sometimes your DNS will be attacked not because of you specifically, but because of someone else on the same DNS provider.

What to do During an Attack

One of the most important things during a DDoS attack (or any other kind of public incident affecting your online store) is to communicate transparently with your customers and stakeholders. Ensure that you’re ready within short notice of coming under attack by doing the following:

  • Employ an escalation profile (a list of people to contact in priority sequence to let them know what is happening).
  • Have a backup static TEMPORARILY UNAVAILABLE website set up on an alternate reputable hosting provider that provides DDoS mitigation services.
  • Redirect your store DNS to the temporary site and work with your staff, partners and stakeholders to determine how best to deal with the servers that are vulnerable. In this way at least your customers won’t find your website under duress and think it’s just badly designed and poorly performing.

In all, the best defense is a pre-emptive defense. It’s much easier to deal with a DDoS attack if you’ve taken steps to prepare for it ahead of time. In a future article I’ll detail the contents of an effective overall Disaster Recovery Plan (DRP) of which an entire section is typically dedicated to DDoS event mitigation.

Your Guide to Achieving PCI Compliance for Self-Hosted Ecommerce Solutions
https://www.bigcommerce.com/blog/pci-compliance-self-hosted/
Mon, 18 May 2015 18:48:20 +0000

The topic of PCI compliance is immensely important to any online retailer that transmits or stores cardholder data (i.e. credit card or debit card information) in their own, physical on-site servers or remote data farms. Cardholder data that is processed through an online store and retail point-of-sale system combine to form a single transaction volume used to determine an organization’s merchant compliance level.

If PCI compliance is an entirely foreign concept to you, a good primer on the subject can be found here. Keep in mind that if you are using a SaaS or cloud-based ecommerce technology solution, like Bigcommerce, as opposed to a self-hosted or an on-premise solution, your PCI compliance is mitigated through your provider. The heavy lifting is vested expertly and wonderfully in the hands of the technology experts working for the SaaS companies, which in our professional opinion is exactly where it belongs.

For those not utilizing a SaaS or cloud-based ecommerce technology, the following information outlines the steps you must take in order to ensure that your online business is PCI compliant. Your compliance level determines the amount of work you need to do, and the levels are as such:

  • Levels 1 and 2 are for merchants processing 1,000,000 transactions or more per year
  • Level 3 applies to an organization that processes greater than 20,000 credit or debit card transactions per year
  • Level 4 applies to an organization that processes less than 20,000 transactions per year

In the interest of brevity, as this subject is vastly complex, we’ll concentrate this article on a Level 3 or Level 4 organization.

Self Assessment for PCI Merchant Levels 3 and 4

If you are a Level 3 or Level 4 merchant, the PCI DSS provides you the option of doing an internal assessment, whereby a qualified staff member or corporate officer from your organization can perform his or her own audit and sign-off to produce a formal PCI DSS Attestation of Compliance package indicating such.

The first steps are to determine your required compliance level and then download and review the appropriate Self-Assessment Questionnaire (SAQ) found on the PCI SSC Website. There are different SAQs for each merchant level and also different related DSS Attestation of Compliance forms for each level as well.

Before you venture down this path and attempt to download your SAQ and get started, you’ll need to first digest a six-page document just to figure out which SAQ form to use in the first place. And, if you aren’t thoroughly bored and confused after doing that, you almost certainly will be after referring to the lengthy PCI glossary of acronyms and technical jargon related to the subject.

In my humble opinion (and also according to the PCI SSC themselves), the best and easiest thing to do here is to contact your merchant bank and have them help you identify which specific documents you need to use. This is an essential step, as they will often point out deviations from the standard PCI DSS they feel may apply in your case.

Level 3 merchants require quarterly external vulnerability scans by an ASV (Approved Scanning Vendor). A list of ASVs can be found here and includes such companies as Cisco Systems Inc., Alert Logic, Inc. and Backbone Security, Inc., to name a few.

Completing a self-assessment questionnaire for Level 3 and Level 4 merchants is based upon the honor system, much like completing your income tax return. It’s tempting for organizations to guesstimate their way through some answers or outright fabricate them to avoid the human and physical resource expenditures required to correct vulnerabilities. Many frankly don’t understand some of the items on the SAQ to begin with.

That said, don’t be dishonest or misrepresent information on the SAQ. If you have a data security breach and your documents come under scrutiny, you can be fined heavily and, in the worst case, your merchant account(s) can be dropped by your bank/financial institution.

Achieving PCI Compliance: Getting Started

The PCI DSS contains what are actually common-sense general data security best practices for any system administration team that is used to hosting sensitive corporate information in a modern network environment.

The trouble in reaching compliance begins when an organization’s internal IT/IS department is not experienced enough; such organizations can unfortunately discover that their internal hosting environment is wildly insecure, susceptible to internal snooping by their own staff and wide open to outside intrusion.

Every organization aiming to achieve PCI compliance begins in the same place, and there are three steps in the journey to adhering to the PCI DSS and becoming compliant:

  • First, Assess –– Perform your own audit to identify the cardholder data you are responsible for, take an inventory of your IT assets and business processes for payment card processing and analyze them for vulnerabilities that could expose sensitive cardholder data.
  • Next, Remediate –– Fix the vulnerabilities you discover in priority sequence. Ideally move away from storing cardholder data at all unless you absolutely need to. Many organizations store cardholder data within their own homegrown ecommerce platforms after taking a one-off guest checkout order with no intention of using the information again. In this case, why hold onto it at all? Only a merchant looking to set up recurring billing may actually need to retain cardholder data themselves and we’ve often found that B2C ecommerce merchants typically don’t need to support recurring billing profiles.
    • Wherever and whenever cardholder data can be stored by an external qualified body instead of your own organization is ideal, because nothing will help reach immediate PCI compliance more quickly than not storing or transmitting cardholder data at all.
  • Finally, Report –– Compile and submit required remediation validation records (if applicable), and submit compliance reports to the acquiring bank and card brands (i.e. Visa, Mastercard, Amex, etc.) with which you do business.

Completing the Self Assessment Questionnaire (SAQ)

The SAQ is a relatively short document (i.e. five or six pages long) and can itself be completed in a number of hours by someone qualified within your organization. The work getting to that point, though, comes into play when attempting to answer the SAQ questions truthfully and thoroughly, and in a manner that will actually result in achieving compliance. In so doing, an organization will doubtlessly encounter some significant technical challenges. Below is a quick outline of what you can expect based on my own experience in seeking compliance for clients.

Technical Challenges to Satisfying the SAQ

Even if credit card data merely passes through your self-hosted (i.e. non-SaaS) ecommerce platform, you are still on the hook for ensuring that any related servers you control (be it your database server, PoS system, credit card processing terminal, utility server or internet application server) are sufficiently secure and compliant.

Each server that cardholder data is stored inside or transmitted through requires:

  • Tripwire software with a notification escalation profile to alert key systems personnel that someone may have accessed the server. A tripwire is software that detects a code change or a change to the file structure profile on a server. A notification escalation profile is a series of automated email or SMS messages dispatched to key systems personnel in the event that an intrusion is detected or an unexpected change to the file structure profile has occurred.
  • Virus scanning software installed and running daily.
  • Its operating system to be kept up-to-date with the latest security patches.
  • The containing room or server rack (i.e. the physical environment containing the computer systems running commerce related servers) be kept under lock-and-key with limited authorized administrative access only.
  • Entrance to/from the room by administrative personnel (including date/time and purpose of access) needs to be logged. These logs need to be archived and migrated off of the primary servers and housed securely elsewhere so that auditors can readily access them if required by the bank or credit card company.
  • Ensuring that all cardholder data retained in local storage is encrypted using what the PCI DSS refers to as strong encryption –– see the PCI SSC Glossary of Terms for more info on that. Encryption protects the data from being easily read and used by attackers if it is stolen during a breach.
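The tripwire requirement in the list above, as an added illustration that is neither the Tripwire product nor code from the original post: a minimal file-integrity check that records a SHA-256 baseline of a web root and then reports files that were added, removed, or changed in content or permission bits. The web root it inspects is constructed in a temporary directory; feeding the findings into the email/SMS escalation profile is left to the environment.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Return {relative path: {sha256, mode, size}} for every regular file under root."""
    root = Path(root)
    snap = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        snap[path.relative_to(root).as_posix()] = {
            "sha256": sha256_file(path),
            "mode": stat.S_IMODE(st.st_mode),  # permission bits only
            "size": st.st_size,
        }
    return snap


def compare(baseline, current):
    """Diff two snapshots. A changed hash or changed permission bits counts as modified."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(
            rel for rel in baseline.keys() & current.keys()
            if baseline[rel]["sha256"] != current[rel]["sha256"]
            or baseline[rel]["mode"] != current[rel]["mode"]
        ),
    }


def save_baseline(snap, path):
    """Persist the baseline; keep a copy off the monitored host so an intruder cannot rewrite it."""
    Path(path).write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Build a constructed web root, baseline it, tamper with it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp) / "htdocs"
        (web / "checkout").mkdir(parents=True)
        (web / "index.php").write_text("<?php echo 'shop'; ?>")
        (web / "checkout" / "pay.php").write_text("<?php /* payment form */ ?>")
        (web / "config.php").write_text("<?php $db_host = 'localhost'; ?>")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(web), baseline_file)

        # Simulated changes an administrator would want to be alerted about:
        (web / "checkout" / "pay.php").write_text("<?php /* payment form, edited */ ?>")  # code change
        (web / "checkout" / "unexpected.php").write_text("<?php ?>")                      # new file
        (web / "config.php").unlink()                                                     # file removed
        os.chmod(web / "index.php", 0o777)                                                 # permissions loosened

        return compare(load_baseline(baseline_file), snapshot(web))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```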

Ongoing Maintenance: Mitigating Common Data Security Exploits

Physical servers need to be continually patched against newly discovered security vulnerabilities. Consider security exploits that have arisen recently, such as Heartbleed and POODLE, both of which affected SSL/TLS implementations.

Note: SSL (and its successor, TLS) is the underlying encryption technology behind the HTTPS protocol for secure data transmission over the Internet.

Your web application or ecommerce platform that is processing credit or debit cards also needs to be secured against application-level exploits such as cross-site scripting (XSS, which executes in the customer’s web browser) and SQL injection attacks, to name a few.

How much time and costs are typically involved in reaching compliance?

On average, our experienced systems administration team will spend three to four business days securing a single server and preparing the appropriate documentation for a Level 3 or Level 4 merchant. The costs for doing so when factoring our time and the merchant’s staffing resources averages out to about $13,740 USD.

Merchants attempting to reach PCI compliance themselves however, without support from an outside partner, and who are already themselves adept at dealing with data security subject matter, can expect to spend upward of 3-4 weeks of time performing the following tasks:

  • Researching the PCI Data Security Standards (DSS)
  • Determining which level of compliance and which PCI SAQ is required
  • Securing their physical servers (often the largest and most costly aspect of the project)
  • Examining any third party plugins or software components on the servers that cardholder data passes through and ensuring they, too, are PCI compliant and can produce external documentation that proves such
  • Completing the PCI SAQ and Attestation of Compliance

For complex undertakings involving more than one onsite data center and where a merchant is both capturing and retaining cardholder data, budget at least six weeks in your project plan and estimate related costs to be between $44,600 – $59,500 USD to reach compliance.

The above estimate factors in time for multiple staff within your organization, usually a multidisciplinary group of business analysts, system administrators, ecommerce platform developers, project managers, legal teams and resource protection staff. It also takes into account some budget for outside consultant/auditor fees, and provision to hire a third-party Qualified Security Assessor.

Note however that our estimate does not factor in any additional costs related to purchasing new server racks, upgrading computer systems, adding new software licenses and installing access control systems (such as staff ID card systems) or any other physical expenses that may be required to achieve compliance.

We’ve Successfully Achieved PCI Compliance: What next?

Maintaining compliance is an ongoing process, usually involving quarterly vulnerability scans along with completing a new SAQ and Attestation of Compliance each year.

If your organization is presently at PCI compliance Level 3 and your credit card transaction volume is trending upwards at a rate of 20% or more annually, consider hiring a QSA and having a formal external security audit done every year, even if your bank doesn’t require it.

In this manner, your team won’t be caught in a last-minute crunch to get it done, which results in overstatements, omissions and increased third-party auditing costs. You’ll also proactively position your organization for an easy transition upward to a higher compliance level at a later time.

Credit Card Data Security: What You Need to Know to Protect Your Store and Your Customers
https://www.bigcommerce.com/blog/data-security-pci-compliance/
Mon, 04 May 2015 16:18:05 +0000

If you’ve been contacted by your bank or financial institution lately only to discover that your credit card information had been compromised, then you’ve felt the growing frustration many consumers face today. The situation with respect to credit card fraud is only getting worse.

Dealing with a compromise is a time consuming hassle from a consumer’s perspective; particularly because many of us maintain large numbers of (supposedly secure) personal online profiles that afford us a convenient way to deal with recurring monthly or annual payments.

How can we be sure that these online service providers, who so readily accept and retain our credit card information, are taking the appropriate measures to secure it?

Enter PCI (Payment Card Industry) Data Security Standards (DSS)

The PCI Security Standards Council (PCI SSC) defines a series of specific Data Security Standards (DSS) that are relevant to all merchants, regardless of revenue and credit card transaction volumes.

Achieving and maintaining PCI compliance is the ongoing process an organization undertakes to ensure that they are adhering to the security standards defined by the PCI SSC.

The SSC defines and manages the standards, while compliance with them is enforced by the credit card companies themselves. Again, these standards apply to all organizations that deal with cardholder data. Cardholder data refers specifically to the credit card number, along with cardholder name, expiration date and security code (CSC).

Credit Card Security is a Neglected Subject in Many Organizations Including Large Enterprise Establishments

Jasper Studios provides ecommerce development services to omnichannel retailers both large and small and, as such, we have seen every kind of credit card storage transgression imaginable. We’ve witnessed cardholder data stored in plain text files without any encryption or basic obfuscation residing under the CFO’s desk in a dusty PC dating back to the late 1990s –– all freshly captured from an insecure payment gateway in a homegrown ecommerce platform. Could my credit card number have been stored in that dusty old PC? Was yours?

This sort of practice is plain negligence. Fortunately, it isn’t a practice undertaken by most organizations, and where it is, it’s typically caused by unintentional ignorance of the subject. But these sorts of horror stories still persist today. No wonder so many of our credit cards have been or eventually become compromised.

It’s not just smaller organizations that can have deplorable standards for data security. In 2005, Wal-Mart had a serious security breach targeting their point-of-sale systems. An earlier internal audit revealed thousands of customer card numbers and other personal data had been found on their servers in unencrypted form. This data may have been compromised during the breach, although that has not been officially confirmed.

More recently, in December of 2013, U.S. retail giant Target Corporation was hacked –– a staggering 40 million credit and debit card numbers were stolen from their network. If this can happen to some of the world’s largest retailers, it can certainly happen to smaller ones, too.

Do I need to ensure PCI Compliance for my organization?

If you operate your own on-premise or self-hosted cloud commerce solution, then the short answer is, yes. Whether you run a single brick-and-mortar retail location or you are a large organization selling goods across multiple stores and ecommerce sites, anywhere that your credit card merchant account has been connected and integrated requires attention.

All credit card transaction volumes your organization processes are aggregated across multiple channels (i.e. in store retail point-of-sale terminals and online payment gateways) and summed up to determine an appropriate PCI compliance level.

This means a large international retail chain handling six million transactions per year will still be considered a Level 1 merchant (the strictest level) and will be held to the highest of PCI compliance standards, even if their related ecommerce store processes less than 500 sales orders per month.

Fortunately, if you operate a SaaS-based ecommerce store and do not have any access to any credit cardholder data (which is the case for most modern SaaS commerce platforms), your need for PCI compliance is mitigated entirely. The heavy lifting is vested expertly and wonderfully in the hands of the technology experts working for the SaaS companies, which in our professional opinion is exactly where it belongs.

How to Quickly Determine Required PCI Compliance Level

If you host and manage your own ecommerce platform, you will need to ensure PCI compliance for your organization, and the first step is to determine the required compliance level.

All merchants fall into one of four levels based upon credit or debit card transaction volume over a 12-month period. Level 1 is the most strict in terms of DSS requirements, where Level 4 is the least strict:

[Table of merchant compliance levels by annual transaction volume; image not available.]

Almost all small and medium sized businesses (SMBs) classify as Level 3 or Level 4 merchants; however, this does not preclude the necessity to maintain compliance with the same diligence as larger organizations. In fact, it’s a costly misconception amongst SMBs who believe they do not need to worry about compliance at all because they don’t do a significant enough volume of online or in-store sales.

Penalties for Non-compliance

PCI is not, in itself, a law. It’s a standard that was created by the major card brands including Visa, MasterCard, Discover, AMEX and JCB. The credit card companies typically do not directly handle payment processing functions themselves, but rely on third party processors (such as Chase Paymentech or Moneris Solutions) to handle the transactional services.

Merchants that do not comply with PCI DSS and are involved in a credit card breach may be subject to fines, card replacement costs or incur costly forensic audits. The credit card companies, at their discretion, are the ones who administer fines to the merchant’s bank (or similar financial institution, known as the Acquirer) and can range between $5,000 – $100,000 per month for PCI compliance violations or breaches. The bank/acquirer in turn passes the fines downstream until it eventually hits the merchant. On top of fines that originate from the credit card companies, merchants may be subject to additional penalties from their bank as well.

Banks and payment processors may terminate their relationship with the merchant altogether, or simply increase per-transaction processing fees and require the merchant to pay for the replacement of the credit cards that have been compromised in the originating breach.

What’s arguably even worse is that the bank or processor may require the merchant to move up a level in compliance if they are breached, making the adherence requirements all the more onerous on the merchant moving forward.

Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a business. It is important to be familiar with your credit card merchant account agreement(s), which should fully outline your exposure.

What the PCI Data Security Standards Involve

The full PCI DSS (data security standard) is an extremely dry read, akin to watching paint peel agonizingly off your wall on a hot summer afternoon. It’s a pretty technical subject to cover as well, which will be summarized in a subsequent article.

Most of the topics found in the PCI DSS deal with maintaining a professional data storage solution. It includes information on securing an internal hosting network, adequately protecting cardholder data, implementing strong user access control measures, managing data security policies, executing a vulnerability management program and performing an external security audit. It also provides detailed instructions on how to complete your own PCI Self-Assessment Questionnaire.

In all, if you’re a pureplay (i.e. online-only) merchant that does not have a physical retail store but you accept, retain or transmit credit card data through your own self-hosted ecommerce store (via open source platforms such as OpenCart, ZenCart, Magento Community Edition, etc.), you should positively familiarize yourself with the PCI Security DSS and understand your required compliance level.

Consider hiring a qualified external party who is well versed in PCI subject matter and can provide an objective opinion on how to specifically achieve compliance for your organization.

PCI compliance is its own entire universe of complexity and many organizations don’t have the internal resources qualified enough to delve into its bowels.

We also recommend obtaining an independent adoption consultant along with a Qualified Security Assessor (or QSA). Trustwave is one such QSA partner who can provide detailed guidance as to how to obtain compliance and also act as an independent auditor to test your internal security.
