The Top Myths of E-Commerce

Written by Steve Francia
4/27/2012 27 comments

As e-commerce has emerged and expanded, a string of misconceptions has arisen along with it. Throughout my career as both a CTO and an advisor to e-commerce companies, these are the most common myths I’ve encountered:

PCI compliance doesn't matter. Many smaller e-commerce sites fail to address critical security needs, assuming they can fly under the radar while they remain small. This is a huge and unnecessary risk for a company to take, and it is easily avoidable. While obtaining PCI (Payment Card Industry) compliance is a lengthy and expensive undertaking when you store or transfer consumer credit cards, it's a fairly trivial operation when you don't.

How can an e-commerce site not transfer or store credit cards? By using a credit card processor such as Braintree or Stripe. Both have offerings where the card details are sent directly to the processor's PCI-compliant, secured servers, and only an authorization token is sent to your servers, so the card numbers themselves never touch your infrastructure.

Encrypted passwords are safe enough. Once upon a time this was true, but with the advent of graphics processing units (GPUs) and cloud computing, anyone who got access to your password database would be able to crack all of the passwords in a matter of minutes. For under $2,000 you can build a home computer that can try well over 1 billion passwords a second. With cloud computing you can rent this for about $3/hour, and for about $300/hour you could try around 500 billion candidate passwords a second.

Perhaps you are feeling good right now because you are using a salt, an additional string mixed into the hash that makes your hashes unique to your site and prevents the use of precomputed lookups such as rainbow tables. A single site-wide salt does nothing to help the matter. The only way to properly secure your passwords is to: 1) use a random salt for each user; and 2) use a library like bcrypt, which is designed specifically for hashing passwords and can keep up with Moore's law by letting you increase the amount of work each hash requires, slowing it down and making it harder to crack.

Interested in learning more? See Coda Hale's excellent post.
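The two points above, as an added example that is not part of the original post: a site-wide salt leaves equal passwords with equal digests (one crack opens every matching account), while a per-user random salt plus a tunable work factor does not. The post recommends bcrypt; this example substitutes PBKDF2-HMAC from the Python standard library so it runs without extra packages, and stores the cost alongside the hash so it can be raised later. The user records and the salt value are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happened to pick the same password.
USERS = {"alice": "correct horse", "bob": "correct horse"}
SITE_SALT = b"one-salt-for-everyone"  # the single site-wide salt the post warns about


def weak_hash(password: str, salt: bytes = b"") -> str:
    """Fast hash with an optional shared salt: cheap for a GPU to brute-force."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def shared_salt_collides(users: dict) -> bool:
    """With one site-wide salt, equal passwords give equal digests, so a single
    cracked digest unlocks every account that used that password."""
    digests = [weak_hash(pw, SITE_SALT) for pw in users.values()]
    return len(set(digests)) < len(digests)


# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 from the standard library. Like bcrypt it
# has a tunable work factor (iterations); salt and cost are stored with the hash.
def hash_password(password: str, iterations: int = 200_000) -> str:
    salt = os.urandom(16)  # fresh random salt per user, never shared
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(record: str, current_iterations: int) -> bool:
    """True when the stored cost is below today's target, so the hash can be
    upgraded at the next successful login as hardware gets faster."""
    return int(record.split("$")[1]) < current_iterations


def per_user_salt_collides(users: dict) -> bool:
    """Per-user random salts: the same password yields different records."""
    records = [hash_password(pw) for pw in users.values()]
    return len(set(records)) < len(records)
```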

Speed doesn't matter. Most e-commerce sites rank among the slowest sites on the Internet. Amazon did a study that identified a direct relationship between page load speed and conversion rates: they found a 1 percent decrease in sales for every 0.1 second increase in response time. Other studies have identified speed as the single most critical factor for e-commerce conversion.

The manufacturer description and photos are good enough. Typically, the description and photos provided by manufacturers (and commonly found on retail e-commerce sites) are quite poor, consisting of low resolution photos and incomplete descriptions. By crafting your own descriptions and photos, you define your shopping experience. This provides a differentiator from every other shop selling the same merchandise, and it is critical to any store looking to establish itself.

PayPal is an acceptable payment processor. All sorts of alarms go off in consumers’ minds when a supposedly reputable business only offers PayPal (or Google Checkout). Consumers want to purchase from a trustworthy and reliable company. PayPal conveys to the consumer that your site is run by a fly-by-night con man, who isn't trustworthy enough to get their own merchant account.

Consumers don't need free shipping. The Internet has removed all barriers to comparison shopping. Amazon is often the lowest price on the Internet and offers free shipping on nearly all of its merchandise, in two days if you have Prime. Amazon has trained customers that they shouldn't pay for shipping. Surprise your customers with shipping charges at checkout and they will abandon your checkout like it's the Titanic. Either offer free shipping or at least offer flat-rate per-order shipping (like woot.com). When I ran engineering for OpenSky.com, we did lots of testing around this and found that conversion rates plummeted when shipping was an extra cost at checkout (or in the cart). We even found that consumers would readily pay more for an item if it had free shipping.

— Steve Francia is a technology executive (CTO, CIO, VPE) in New York City.

taimur_tz
Thinkernetter
Monday April 30, 2012 3:19:05 AM
no ratings

I have also been victimized by the hands of PayPal. For no apparent reason, PayPal sealed my account, claiming that there was some "suspicious" activity in my transactions. Although the balance in the account was only a couple of hundred dollars, I never got to see the money again.

kq4ym
IQ Crew
Sunday April 29, 2012 3:49:57 PM
no ratings

I hadn't given any thought to negative consequences of paying via PayPal. Not being a large user of online purchases and a sometime recipient of funds paid to me, I didn't realize there was a bias against that form. I'm thinking that since eBay is associated with PayPal, most people would certainly be used to it by now and have no real negative feeling about using it. Now, I would expect HUGE companies not to use it, but otherwise it seems fine to me.

Kicheko
IQ Crew
Sunday April 29, 2012 2:21:08 PM
no ratings

Thank you for that section on password encryption, an area that's of particular interest to me. I wonder what the future of passwords is, given the current state of affairs in the password security realm. What with a computer that can crack millions of passwords in under an hour....

hounhosp
Thinkernetter
Saturday April 28, 2012 7:46:18 PM
no ratings

"While the point in the post was on password storage, users can take their own steps to be protected."

Thank you for the advice. The problem is that not many users are aware of those best password practices.

hounhosp
Thinkernetter
Saturday April 28, 2012 7:38:51 PM
no ratings

@Mr. Roques:

"avoid a word from the dictionary":

That is the advice, but it is not always followed by users, especially when they have to choose their own password. In the enterprise, password policies work fine, as the system admin can enforce them.

Steve Francia
Thinkernetter
Saturday April 28, 2012 3:13:56 PM
no ratings

While the point in the post was on password storage, users can take their own steps to be protected.

In short, I recommend a separate passphrase for every site; the longer the better. I typically use passphrases no shorter than 16 characters. I'd also recommend using a password manager like 1Password or LastPass, as it makes having a separate password for each site quite easy, easy enough that you'll actually do it.

Steve Francia
Thinkernetter
Saturday April 28, 2012 3:10:55 PM
no ratings

Excellent additions, though search only matters when you have a lot of products. For most e-commerce shops the number of SKUs is fairly limited, and search becomes a band-aid for poor usability.

Steve Francia
Thinkernetter
Saturday April 28, 2012 3:08:55 PM
no ratings

Thanks for the welcome and encouraging words. I'm glad you like the article.

Mary Jander
Thinkernetter
Saturday April 28, 2012 2:27:50 PM
no ratings

I'm with those who are put off by PayPal or other external payment setups. I registered with PayPal early on but regretted it (tons of untrustworthy spam seemed to result) and found myself not trusting the technique that much. I'm still leery of ordering things online anyway, and unless a site has its own comprehensive security I will order by phone or not at all.

scucci
IQ Crew
Saturday April 28, 2012 12:40:43 PM
no ratings

I see PCI used in two ways: 1. For security pros to get what they want and say, "It's for PCI and we need it." 2. For people who don't want to do security and are only concerned with looking good.

Even though PCI is a pain in the butt, it can be useful if you're diligent, and it can be made a baseline that you'll never go under.

Nice post.
