As e-commerce has emerged and expanded, a string of misconceptions has arisen. Throughout my career as both a CTO and an advisor to e-commerce companies, the following are the most common myths I’ve encountered:
PCI compliance doesn't matter. Many smaller e-commerce sites fail to address critical security needs, assuming they can fly under the radar while they remain small. This is a huge and unnecessary risk for a company to take, and it is easily avoidable. While obtaining PCI (Payment Card Industry) compliance is a lengthy and expensive undertaking when you store or transfer consumer credit cards, it's a fairly trivial operation when you don't.
How can an e-commerce site not transfer or store credit cards? By using credit card processing from companies such as Braintree or Stripe, which have offerings where the credit card details are sent by the shopper's browser directly to the processor's PCI-compliant secured servers, and only an authorization token is sent to your servers. Your systems then charge the card by referencing that token, so the card number itself never touches your code, database, or logs.
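The tokenized design above only keeps you out of PCI scope if raw card numbers really never reach your servers. The following is an added example, not code from the post or from any processor's SDK: a small server-side guardrail that scans incoming checkout fields and log text for Luhn-valid 13 to 19 digit runs and rejects or redacts them, so a misconfigured form cannot quietly push real card numbers into your database. The field names, the token format `tok_...`, and the sample payloads are constructed for the example.

```python
import re
from typing import List, Tuple

# Added example (not from the original post): card numbers should never reach a
# server that only expects processor tokens. Digit runs of 13-19 digits with
# optional single spaces or dashes between digits are candidates; the Luhn check
# filters out most order ids and phone numbers.
_CANDIDATE = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands; digits only."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the digit-only form of every Luhn-valid 13-19 digit run in text."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Mask all but the last four digits of each detected card number (for logs)."""
    def _mask(m: "re.Match") -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()
    return _CANDIDATE.sub(_mask, text)


def accept_checkout_payload(payload: dict) -> Tuple[bool, str]:
    """Reject any request field that carries what looks like a raw card number.

    Only the processor's token (hypothetical field 'payment_token') belongs here.
    """
    for field, value in payload.items():
        if isinstance(value, str) and find_pans(value):
            return False, f"field {field!r} contains what looks like a raw card number"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample payloads; 4111 1111 1111 1111 is a standard test number.
    good = {"payment_token": "tok_constructed_abc123", "amount_cents": "1999"}
    bad = {"card_number": "4111 1111 1111 1111", "amount_cents": "1999"}
    print(accept_checkout_payload(good))
    print(accept_checkout_payload(bad))
    print(redact_pans("checkout failed for card 4111-1111-1111-1111 (declined)"))
```

Run the rejection check on every inbound request before anything is persisted, and run the redaction over log lines before they leave the process. The Luhn filter is not perfect (a long numeric order id can pass it by chance), so treat a hit as a reason to refuse and investigate, not as proof of a breach.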
Encrypted passwords are safe enough. Once upon a time, this was true, but with the advent of Graphics Processing Units (GPUs) and cloud computing, if anyone got access to your password database they would be able to crack all of the passwords in a matter of minutes. For under $2,000, you can build a home computer that can try well over 1 billion passwords a second. With cloud computing, you can rent this for about $3/hour. For about $300/hour, you could crack around 500 billion candidate passwords a second.
Perhaps you are feeling good right now because you are using a salt, which is an additional string mixed into the hash that makes a hash unique to you, preventing the use of things like rainbow tables. A universal salt does nothing to help the matter: an attacker who has your database has the salt too, and every user with the same password still shares the same hash, so one crack unlocks all of them. The only way to properly secure your passwords is to: 1) have a random salt for each user; and 2) use a password hashing library like bcrypt, which is designed specifically for protecting things like passwords and can keep up with Moore's law by letting you increase the amount of work your hash needs to do, slowing it down and making it harder to crack.
Interested in learning more? See Coda Hale's excellent post.
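The two rules above (a random per-user salt and a tunable work factor that can be raised over time) are easier to see in code. This is an added example, not code from the post or from the bcrypt project: it uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt so that it runs without third-party packages, stores the work factor next to the hash, and re-hashes on successful login when the policy has been raised. The storage format, the iteration counts, and the `login` helper are assumptions of the example, and it also contrasts a single site-wide salt with per-user salts.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Added example (not from the original post). PBKDF2 stands in for bcrypt; the
# structure is the same: random salt per record, cost stored alongside the hash,
# constant-time comparison, and opportunistic upgrade when the cost is raised.
CURRENT_ITERATIONS = 100_000   # policy value; raise it as hardware gets faster
ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex."""
    salt = os.urandom(16)                       # fresh random salt for every call
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and cost recorded in the stored record."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))   # constant time


def needs_rehash(stored: str) -> bool:
    """True when the record was made with a weaker work factor than current policy."""
    return int(stored.split("$")[1]) < CURRENT_ITERATIONS


def login(password: str, stored: str) -> Tuple[bool, str]:
    """Verify the password; on success, upgrade the stored record if it is stale.

    Returns (success, record_to_store). The caller persists the second value.
    """
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored):
        stored = hash_password(password)    # we have the plaintext only right now
    return True, stored


# The anti-pattern from the post: one site-wide salt for everybody.
UNIVERSAL_SALT = b"constructed-site-wide-salt"


def hash_with_universal_salt(password: str) -> str:
    """Same password -> same hash for every user; one crack covers all of them."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), UNIVERSAL_SALT, 1000).hex()


if __name__ == "__main__":
    # Constructed sample: a record created under an old, weaker policy.
    old_record = hash_password("correct horse battery staple", iterations=1000)
    print("needs upgrade:", needs_rehash(old_record))
    ok, new_record = login("correct horse battery staple", old_record)
    print("login ok:", ok, "upgraded:", new_record != old_record)
    print("per-user salts differ:", hash_password("hunter2") != hash_password("hunter2"))
    print("universal salt collides:",
          hash_with_universal_salt("hunter2") == hash_with_universal_salt("hunter2"))
```

Because the cost is stored in each record, raising `CURRENT_ITERATIONS` never invalidates existing logins; records simply migrate as users sign in. With real bcrypt the salt and cost are embedded in the hash string the library returns, so the same upgrade-on-login pattern applies.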
Speed doesn't matter. Most e-commerce sites rank among the slowest sites on the Internet. Amazon did a study where they identified that there is a direct relationship between page load speed and conversion rates. They found a 1 percent decrease in sales for every 0.1 second added to response times. Other studies have identified speed as the single most critical factor for e-commerce conversion.
The manufacturer description and photos are good enough. Typically, the description and photos provided by manufacturers (and commonly found on retail e-commerce sites) are quite poor, consisting of low resolution photos and incomplete descriptions. By crafting your own descriptions and photos, you define your shopping experience. This provides a differentiator from every other shop selling the same merchandise, and it is critical to any store looking to establish itself.
PayPal is an acceptable payment processor. All sorts of alarms go off in consumers’ minds when a supposedly reputable business only offers PayPal (or Google Checkout). Consumers want to purchase from a trustworthy and reliable company. PayPal conveys to the consumer that your site is run by a fly-by-night con man, who isn't trustworthy enough to get their own merchant account.
Consumers don't need free shipping. The Internet has removed all barriers to comparison shopping. Amazon is often the lowest price on the Internet and offers free shipping on nearly all their merchandise, and in two days if you have Prime. Amazon has trained customers that they shouldn't pay for shipping. Surprise your customers with shipping charges at checkout and they will abandon your checkout like it's the Titanic. Either offer free shipping or at least offer flat-rate per-order shipping (like woot.com). When I ran engineering for OpenSky.com, we did lots of testing around this and found that conversion rates plummeted when shipping was an extra cost at checkout (or in the cart). We even found that consumers would readily pay more for an item if it had free shipping.
— Steve Francia is a technology executive (CTO, CIO, VPE) in New York City.