Secure e-commerce and PCI Certification for web stores

June 13th, 2011 Pankaj Kumar

In late 2009 I forecast that security breaches would increase significantly in 2010 and 2011 in spite of more advanced security technology. The recent spate of attacks underscores the importance of security for e-commerce merchants and retailers with online stores. The latest organization to fall victim is the IMF, where intruders obtained sensitive material including e-mail and other documents. Other high-profile organizations breached in recent weeks include the security vendor RSA, the defense contractor Lockheed Martin, Citi, where the personal details of about 210,000 Citigroup cardholders were stolen through Citi's web portal, Sony, and Epsilon, the world's largest permission-based e-mail marketer. All of these large organizations certainly had well-defined security policies and several safeguards in place, and yet they fell to attackers. How, then, do smaller companies running e-commerce stores with smaller IT budgets and fewer people manage the security of their store?

A good first step is to ensure that your e-commerce vendor's software is PCI certified, or more precisely that it has been validated against the PA-DSS standard. For many, the definitions of PCI DSS, PA-DSS and PABP can be confusing. The excerpt below from the Ignify eCommerce PCI Implementation Guide should help explain the difference between the three:

  • What is PABP? – Payment Application Best Practices (PABP) was developed by Visa to give software vendors guidance in developing payment applications that help merchants mitigate compromises, prevent storage of sensitive cardholder data and support overall compliance with the PCI Data Security Standard. In October 2008, the PCI Security Standards Council adopted Visa's PABP and released the standard as the Payment Application Data Security Standard (PA-DSS).

  • What is PA-DSS? – The Payment Application Data Security Standard (PA-DSS) is derived from PCI DSS. Traditionally, PCI DSS compliance has not applied to software vendors, since most software vendors do not themselves store, process or transmit cardholder data. PA-DSS instead applies to software vendors and consultants who develop payment applications that store, process or transmit cardholder data as part of authorization and settlement.

Many organizations make the mistake of assuming that "PCI certified" and "PCI compliant" software mean the same thing. There is a very significant difference between the two. Certification (formally, PA-DSS validation) involves not just a self-assessment but a rigorous audit by a Qualified Security Assessor (QSA) approved by the PCI Security Standards Council for payment application assessments, followed by a final validation by the Council itself, which then lists the application. Certified vendors also have to publish an implementation guide describing how to deploy the product in a PCI-compliant way. Finally, certified vendors will typically consider security and its impact in every release. The combination of these things makes a very significant difference, so choosing the right platform can raise your level of security.

PA-DSS certification by the PCI Security Standards Council has been a four-year journey for Ignify. We started our preparation and self-assessments in 2007, contracted with our QSA in 2008 and completed our security audit and PCI certification in 2009. In 2010 we went through the PCI update for the version released at that time, Version 4.11. In 2011 we are going through the PCI update for Version 5.0, which we are just now finalizing. For us, the difference between PCI compliance and PCI certification was two years: we were PCI compliant in 2007, but it took until 2009 to become PCI certified, and a lot of learning and many improvements to the software were bundled in between.

To find PCI certified vendors, visit the PCI Security Standards Council website, which lists all validated payment applications.

Here are some basics that are important for PCI certification:

  1. Separation of database servers and web servers: This is very basic and almost something that everyone knows. You need separate servers: the web server sits in the DMZ, and the database server sits behind the firewall on an internal network segment that the Internet cannot reach directly (PCI DSS requirement 1.3). It's the obvious flossing rule of security, but just like flossing we find many sites where it is not done, so if you're not doing it, start with this one.

  2. Encryption and key management: Cardholder data needs to be encrypted (PA-DSS requirements 2.5 and 2.6, PCI DSS requirements 3.5 and 3.6). At a minimum this means the primary account number (PAN), which PCI DSS requirement 3.4 requires to be rendered unreadable wherever it is stored; customer name and other cardholder data should be protected the same way. Sensitive authentication data such as the CVV2 and full magnetic-stripe track data must never be stored after authorization at all, even encrypted (PCI DSS requirement 3.2). You also need encryption in transit, encryption at rest, and encryption on the connection from the web servers to the database server so that credentials and card data are protected on the internal network as well. So there are at least three points where you want to ensure you have encryption.

    For transmission, you would typically use an HTTPS (SSL/TLS) certificate. HTTPS uses asymmetric cryptography for the handshake: the private key is generated and kept on the web server, and the matching public key is distributed to browsers in the form of a certificate signed by a public certificate authority. The certificate authority never sees the private key, so protecting it is your job, not theirs. For storage (database) encryption, you would use your e-commerce system's native encryption mechanism, or a third-party solution if it doesn't provide one. Ignify eCommerce uses AES 128 encryption for database encryption. In addition, you need a key management process so you can rotate your encryption keys on a regular basis: regenerate keys at least once a year and ideally every quarter, and re-encrypt the stored data under the new key before retiring the old one. Keys must not be stored anywhere that an attacker who compromises the server holding the encrypted data can read them; in practice the data-encrypting key is itself encrypted under a key-encrypting key stored separately from the data (PCI DSS requirement 3.5). What you keep on paper in a safe, old-fashioned as that is, are the backup key components, split so that no single custodian holds a complete key and accessible only to a limited set of custodians (split knowledge and dual control, PCI DSS requirement 3.6).
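As an added illustration of the storage-encryption and key-rotation points above, here is a small envelope-encryption scheme using AES-128-GCM with versioned keys. This is example code written for this page, not Ignify's implementation; the type and function names (Keyring, Rotate, ReEncrypt, Retire, Version) are hypothetical, the card number is a constructed test value, and the keyring is held in memory purely to keep the example self-contained. A real deployment keeps the keyring itself encrypted under a key-encrypting key held away from the database server.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
)

// Keyring holds versioned AES-128 data-encrypting keys. Assumption: kept in memory
// here; in production the keyring is itself encrypted under a key-encrypting key.
type Keyring struct {
	keys    map[int][]byte
	current int
}

func NewKeyring() *Keyring { return &Keyring{keys: map[int][]byte{}} }

// Rotate generates a new 128-bit key for all new writes; old versions stay readable.
func (kr *Keyring) Rotate() (int, error) {
	k := make([]byte, 16)
	if _, err := rand.Read(k); err != nil {
		return 0, err
	}
	kr.current++
	kr.keys[kr.current] = k
	return kr.current, nil
}

// Retire destroys an old key; rows still encrypted under it become unreadable.
func (kr *Keyring) Retire(version int) { delete(kr.keys, version) }

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-128-GCM under the current key and returns
// "v<version>:<base64(nonce || ciphertext || tag)>" for storage in a column.
func (kr *Keyring) Encrypt(plaintext string) (string, error) {
	g, err := gcm(kr.keys[kr.current])
	if err != nil {
		return "", err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := g.Seal(nonce, nonce, []byte(plaintext), nil)
	return "v" + strconv.Itoa(kr.current) + ":" + base64.StdEncoding.EncodeToString(sealed), nil
}

// Version reports which key version a stored token was written under (0 if malformed).
func Version(token string) int {
	v, _ := strconv.Atoi(strings.TrimPrefix(strings.SplitN(token, ":", 2)[0], "v"))
	return v
}

// Decrypt opens the blob with the key named in the token; any change to the
// nonce, ciphertext or tag makes GCM authentication fail.
func (kr *Keyring) Decrypt(token string) (string, error) {
	parts := strings.SplitN(token, ":", 2)
	key, ok := kr.keys[Version(token)]
	raw, err := base64.StdEncoding.DecodeString(parts[len(parts)-1])
	if len(parts) != 2 || !ok || err != nil {
		return "", fmt.Errorf("malformed token or retired/unknown key version %d", Version(token))
	}
	g, err := gcm(key)
	if err != nil || len(raw) < g.NonceSize() {
		return "", fmt.Errorf("bad key or ciphertext too short")
	}
	pt, err := g.Open(nil, raw[:g.NonceSize()], raw[g.NonceSize():], nil)
	if err != nil {
		return "", fmt.Errorf("authentication failed: token was tampered with")
	}
	return string(pt), nil
}

// ReEncrypt rewrites a token under the current key; run it over every stored
// row after Rotate and before Retire so no row is left on a retired key.
func (kr *Keyring) ReEncrypt(token string) (string, error) {
	pt, err := kr.Decrypt(token)
	if err != nil {
		return "", err
	}
	return kr.Encrypt(pt)
}
```

Every stored value carries the version of the key it was written under, so a quarterly rotation is a three-step job: call Rotate, run ReEncrypt over every row (kr := NewKeyring(); kr.Rotate(); tok, _ := kr.Encrypt("4111111111111111"); kr.Rotate(); tok, _ = kr.ReEncrypt(tok); kr.Retire(1)), and only then Retire the old version. Retiring before the re-encryption pass leaves rows that can never be read again, and the GCM authentication tag means a tampered or truncated row is rejected instead of being decrypted to garbage.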

  3. User login and session timeouts: To comply with PCI DSS requirement 8.5.15, a session must time out after no more than 15 minutes of inactivity, after which the user must re-authenticate. Both the Ignify eCommerce Store Front and Manager Panel applications have a configurable session timeout; when the user's session has been idle for the configured duration, the user is required to log in again with his credentials. Out of the box, Ignify eCommerce sets this to 15 minutes so that a default installation is compliant.

  4. Disabling unnecessary services and daemons on the server: Only the minimum services and daemons required to support the technologies assigned to each server should be kept running on it. All other services should be disabled to meet PCI DSS requirement 2.2, which also expects one primary function per server, so the web server should not double as the database server.

  5. Audit trail and application log: PCI DSS (requirements 10.1 to 10.3) and PA-DSS (requirement 4) require that the application maintain an audit trail, and PCI DSS additionally requires that the trail be protected from alteration and retained (requirements 10.5 and 10.7), so logs should be written somewhere the application's own database account cannot rewrite them. This is needed in several places. For example, Ignify eCommerce maintains the following:

    1. A security audit trail recording who logged in, when, for how long and what they did. Ignify eCommerce ships with the audit trail enabled by default.
    2. An application log listing any uncommon events in the application.
    3. An order log recording every change made to an order, including price updates, ship-method updates and address updates. This ensures that if a customer service representative engages in fraud, the system has captured every action they took.

Figure 1. Audit Trail on an Order in Ignify eCommerce showing every change made on the order by a sales person or a CSR
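To make the session-timeout and audit-trail requirements (points 3 and 5 above) concrete, here is an added example, written for this page and not taken from Ignify eCommerce, of an in-memory session store that enforces the 15-minute idle limit and writes login, logout, expiry and order-change events to an append-only audit trail. The user names, session ids and order fields are constructed, the type and function names are hypothetical, and the injected clock exists only so the idle rule can be exercised without waiting fifteen real minutes.

```go
package main

import (
	"fmt"
	"time"
)

// IdleTimeout is the longest a session may sit idle before the user must log in
// again (PCI DSS requirement 8.5.15 allows no more than 15 minutes).
const IdleTimeout = 15 * time.Minute

// AuditEvent is one audit trail record. Assumption: an in-memory slice stands in
// for the append-only log table a real deployment would write to.
type AuditEvent struct {
	At     time.Time
	User   string
	Action string
	Detail string
}

type Session struct {
	ID           string
	User         string
	Started      time.Time
	LastActivity time.Time
}

// Order keeps its editable fields in a map so any change can be logged the same way.
type Order struct {
	ID     string
	Fields map[string]string
}

// Store holds live sessions and the audit trail. The clock is injected so the
// idle-expiry rule can be exercised without waiting 15 real minutes.
type Store struct {
	now      func() time.Time
	sessions map[string]*Session
	Audit    []AuditEvent
}

func NewStore(clock func() time.Time) *Store {
	return &Store{now: clock, sessions: map[string]*Session{}}
}

func (s *Store) log(user, action, detail string) {
	s.Audit = append(s.Audit, AuditEvent{At: s.now(), User: user, Action: action, Detail: detail})
}

// Login creates a session and records who logged in and when.
func (s *Store) Login(sessionID, user string) {
	s.sessions[sessionID] = &Session{ID: sessionID, User: user, Started: s.now(), LastActivity: s.now()}
	s.log(user, "login", "session "+sessionID)
}

// Logout closes the session and records how long the user was logged in.
func (s *Store) Logout(sessionID string) {
	if sess, ok := s.sessions[sessionID]; ok {
		delete(s.sessions, sessionID)
		s.log(sess.User, "logout", fmt.Sprintf("session %s lasted %s", sessionID, s.now().Sub(sess.Started)))
	}
}

// Touch is called on every request: a session idle for longer than IdleTimeout
// is destroyed (and the expiry logged), otherwise its idle clock is reset.
func (s *Store) Touch(sessionID string) (*Session, error) {
	sess, ok := s.sessions[sessionID]
	if !ok {
		return nil, fmt.Errorf("no such session; log in again")
	}
	if idle := s.now().Sub(sess.LastActivity); idle > IdleTimeout {
		delete(s.sessions, sessionID)
		s.log(sess.User, "session_expired", fmt.Sprintf("session %s idle for %s", sessionID, idle))
		return nil, fmt.Errorf("session expired after %s idle; log in again", idle)
	}
	sess.LastActivity = s.now()
	return sess, nil
}

// UpdateOrder changes one field of an order for the session's user and records
// the old and new values, so every edit by a sales person or CSR is reconstructable.
func (s *Store) UpdateOrder(sessionID string, o *Order, field, newVal string) error {
	sess, err := s.Touch(sessionID)
	if err != nil {
		return err
	}
	old, ok := o.Fields[field]
	if !ok {
		return fmt.Errorf("order %s has no field %q", o.ID, field)
	}
	o.Fields[field] = newVal
	s.log(sess.User, "order_update", fmt.Sprintf("order %s %s: %q -> %q", o.ID, field, old, newVal))
	return nil
}
```

Two details are deliberate. The idle check runs inside every state-changing call (UpdateOrder goes through Touch), so an expired session cannot slip an edit in before it is cleaned up, and the check uses "more than 15 minutes", matching the requirement's wording. The order log records the old value as well as the new one; a log that says only "price changed" is of little use when you are reconstructing what a CSR actually did.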

Though this article covers the highlights, there are several other requirements for PCI compliance. If you are in the market for a PCI certified e-commerce solution, web store or order entry solution, please email us at ecommerce@ignify.com so we can have a great discussion on security.

Pankaj Kumar is the Chief Technology Officer at Ignify. Ignify eCommerce is the only PCI certified eCommerce solution in the market that integrates with mid-market ERP systems including the Microsoft Dynamics ERP and Sage ERP. Ignify has been included among the fastest growing businesses in North America for four years in a row by Deloitte, Inc Magazine and Entrepreneur Magazine. Ignify was ranked in the Red Herring Global 100 in 2011; this list represents the top businesses world-wide with disruptive and innovative technology.

World-Wide eCommerce Trends: Asia Pacific Ranks Fastest Growing Region

February 28th, 2011 Pankaj Kumar

While the e-commerce market in the U.S. is now considered a mature segment of the retail industry, in Asia Pacific the expansion of this space is still in its early stages. E-commerce in the U.S. continues to outpace traditional brick-and-mortar retail, but in Asia Pacific the growth in e-commerce is staggering. Contrary to the traditional belief that Asian consumers are averse to shopping online, the 2010 Nielsen report on Global Trends in Online Shopping revealed that only 13% of Internet users in Asia Pacific had never shopped online, lower than the global average of 16%. This suggests that e-commerce in Asia Pacific will continue to grow fast and may well become one of the largest markets world-wide. The report surveyed over 27,000 Internet users around the world.

  • The China Internet Network Information Center said the number of internet users in the world’s most populous country jumped 28.9% in 2009 to 384 million, which is more than the entire population of the U.S.
  • According to this article on CNBC, "Sales done online nationwide in China have doubled to almost $80 billion in 2010, according to iResearch data, compared to total retail sales, which have grown nearly 20 percent per year in the last five years."

While this spending burst could be the result of many things, experts say shoppers in Asia Pacific are fast becoming comfortable with the ease of mobile e-commerce, more so than their Western counterparts. In addition to their web-savvy ways, their economies are experiencing a consumption boom that should last for many years. Users in Asia Pacific are more likely to make a purchase from a mobile phone than users in North America.

Here are some key trends we’ve discovered by reviewing all the surveys including the Nielsen one referred to above and others from ComScore and Forrester Research:

  • What they are buying: Outside of travel, the items Asia Pacific shoppers most like to buy online are books, clothing/accessories/shoes, cosmetics, videos/DVDs/games and groceries, in that order.
  • Where within Asia Pacific they are buying: Online spending as a share of total monthly spending varies by country. Chinese and Korean online consumers allocate the largest share to the web of anyone in the region, while online consumers in New Zealand, Australia, Malaysia and Hong Kong allocate the least.
  • Who is buying: The developed countries in Asia Pacific such as Hong Kong, Singapore, Taiwan, South Korea and Japan follow the same online gender profile as North America, where women outnumber men in traffic to online stores. In less developed countries like India, Vietnam and the Philippines, men make up the majority of visits to online retail stores.

So with this information, how can you begin marketing to the Asia Pacific part of the world through your e-commerce site? How can you get their attention and keep it? Here are some tips on what you can do to build out your Asia Pacific e-commerce store.

  1. Offer diversity in your online product catalog: The #1 reason shoppers in Asia Pacific go online is that they cannot find products in the store, or simply for diversity. This is very different from the North American buyer, for whom price is often the most significant reason to shop online. So you don't need to be the cheapest price in town if your store can bring significant diversity. The more products you can offer, the higher your chances of success in this market. Those testing the market with a very narrow catalog may find that they are setting themselves up for failure.
  2. Stay simple: While a broad catalog is desired, the store should be simple, easy to navigate and not overly complex. Many online retailers in Asia Pacific make the mistake of throwing in a lot of Flash and a dizzying array of colors. A busy look and feel is the most common and the least successful. Go for a clean and simple look and feel with a powerful offering.
  3. Reviews: Online product reviews are more important than in North America. The strong social connection in Asia Pacific means that consumers like to read and research a lot more before they buy. Reviews (both negative and positive) will help increase the conversion on your store. Don't sanitize your reviews.
  4. Promotions: The least used and yet most successful promotion in Asia Pacific is free shipping. It is hard to make shipping cost-effective in the region, so if you can, make that your strength. To make shipping pay for itself, tie the free shipping offer to a minimum order size, e.g. the equivalent of $50. That will drive up your order size and the difference will pay for the shipping. Free shipping in itself will increase conversion significantly, because shoppers in Asia Pacific are very sensitive to shipping cost.
  5. Mobile: The web should be your #1 priority. However, the mobile experience should be a close second. Users in Asia are much more comfortable with the cell phone than consumers in North America. Take advantage of this and put a mobile offering in place much sooner than you would in North America.

Email us at ecommerce@ignify.com for more tips.

Pankaj Kumar is the Chief Technology Officer at Ignify. Ignify eCommerce is the only PCI certified eCommerce solution in the market that is available in the Asia Pacific region. Ignify has been included among the fastest growing businesses in North America for four years in a row by Deloitte, Inc Magazine and Entrepreneur Magazine. Ignify was ranked in the Red Herring Global 100 in 2011; this list represents the top businesses world-wide with disruptive and innovative technology.


Rev Up Your Revenue in the Holidays – Guide to Increasing Online Revenues

December 21st, 2010 Pankaj Kumar
Guide to Increasing Revenues for Online Retailers

This holiday season, our e-commerce team has written a best-practice Holiday Guide for you, the online retailer, that focuses on increasing your online revenues. The guide covers things you can do to increase revenue and optimize conversion, with real-world examples from our customer sites.

Best practices range from optimizing HTML page titles to making reviews effective, the best ways to engage with your customer, and how to convert a visitor into a buyer.

Download this free white paper today and start implementing these practices to get immediate results. If you have more questions – email our ecommerce team at ecommerce@ignify.com.

Pankaj Kumar is the Chief Technology Officer of Ignify. Ignify eCommerce is the only PCI certified eCommerce solution in the market that integrates with the Microsoft Dynamics ERP and Sage ERP solutions. Ignify has been included among the fastest growing businesses in North America for four years in a row by Deloitte, Inc Magazine and Entrepreneur Magazine. Ignify was ranked among the Red Herring 100 finalists for 2010; this list represents the top businesses in North America with disruptive and innovative technology.

Ignify eCommerce Statement of Direction and Roadmap

June 28th, 2010 Pankaj Kumar

I am very proud to announce the release of the Ignify eCommerce Roadmap and Statement of Direction. The roadmap sets out detailed features for our 15th major version, Ignify eCommerce Version 5.0, and also lays down the broad vision for the product for the next three years. Our upcoming version, due in the second half of 2010, will reflect a cumulative investment of over a million US dollars in the product.

Ignify eCommerce Roadmap

The roadmap, in addition to our statement of direction, also reaffirms our commitment to continue investing in the product for at least the next five years. Ignify eCommerce already leads the mid-market for several reasons, some of which are listed below. Existing customers will continue to gain from the investment being made by our product development and research teams, while new customers can feel confident that Ignify eCommerce is not only the leader today but will continue down this path.

Some Capabilities that differentiate Ignify eCommerce today are:

  1. Native Search Engine Optimization to improve page rankings and increase revenues with very minimal optimization effort from a merchant.
  2. PCI Compliance and PA DSS 1.2 Certification to the highest security standards by the PCI Standards Council.
  3. Advanced Personalization for Consumers and Business buyers with product recommendations, personalized catalog, personalized promotions.
  4. Zero Touch Order Fulfilment that allows for no touch to an order except when the item is ready to be shipped with functionality such as Auto-fraud checks, native Integration to the ERP and to shipping systems
  5. Social Media Integration with Twitter and Facebook with ability to automatically tweet/ post updates for promotions.
  6. Multi-store Catalog: With the latest release of Ignify eCommerce, the product now provides the ability to fully manage multiple stores from a single store management framework with a single login.
  7. Item Variants and Attributes: Ignify eCommerce supports unlimited attributes such as size, style and color.
  8. Multi-parametric Search with Auto-fill and Search within Search Results: Auto-fill for keyword search, supported with ranged parameters. Rich ability to filter within search results with automatic 'narrowing' of search results.
  9. Multiple user logins per account: Ignify eCommerce remains the only product that provides multiple user logins per customer account with the ability to set different levels of permissions for the various customer users, e.g. view orders only, view and place orders, update address book.
  10. Subscription: Rich subscription functionality that enables automated periodic billing, payments and, if necessary, order shipments.
  11. Product Configurator: Ignify eCommerce provides a rich product configurator that allows for rules and multiple components and combinations.
  12. Returns Management: Full-cycle returns management with the ability to define returns policies and return reason codes. Provides end customers with the ability to start an online return transaction.
  13. Rental Service: Offer rental on a SKU to your customers with the ability to define rental duration and payment frequency.
  14. Instalment Payments: Provide flexibility to your customers to pay in instalments. Flexible instalment plans with automated charging of a stored credit card or direct debit of bank accounts per the instalment schedule.
  15. eCheck as Payment: Accept eChecks as payment. Built-in check clearance and automated payment integration with the ERP.

The future is bright. For example, our work on the integration with the Dynamics AX for Retail POS means that online customers can place orders for pick up in the store that is convenient to them. Similarly customers in the store can place subscription orders that can then be fulfilled through the online infrastructure.

If you have any questions, please do not hesitate to reach out to me via email at pankaj@ignify.com or email the product support team at ecomsupport@ignify.com or via phone (562) 219-2002.

Pankaj Kumar is the Chief Technology Officer of Ignify. Ignify is a technology provider of ERP, CRM, and eCommerce software solutions to businesses and public sector organizations. Ignify eCommerce is the only PCI certified eCommerce solution in the market that integrates with the Microsoft Dynamics ERP and Sage ERP solutions. Ignify has been included among the fastest growing businesses in North America for three years in a row by Deloitte, Inc Magazine and Entrepreneur Magazine. Ignify was ranked among the Red Herring 100 finalists for 2010; this list represents the top businesses in North America with disruptive and innovative technology.

Ignify eCommerce Support – Our customer service improvement story

April 24th, 2010 Pankaj Kumar

In the last four months, we have been hard at work restructuring support services for our flagship software solution, Ignify eCommerce. We have been looking deep internally after our public announcement to become the best customer service organization of all technology companies. This post shares my experiences working with our support customers and our customer support team, as well as my own support requests, where I am a receiver of support and not a provider. Feedback and comments are most welcome as we continue to strive towards "wowing" the customer.

There were two fundamentals of our customer support strategy that we agreed upon at the very outset, four months back:

  1. The end user (not necessarily the same as the customer) is king. If the end user isn't satisfied, customer support has failed.
  2. We would treat every customer as a SaaS customer even if the customer has purchased an on-premises license and is operating Ignify eCommerce in their own facility. After all, the customer and end users are interested in the service the software provides and not the software itself.

We also established three simple metrics around customer satisfaction: First Call Resolution, Turn Around Time (measured as the average time taken to close an issue) and Total Open Issues at any point in time for a customer.

Putting the end user at the center of affairs cleared up confusion around the scope of the work. In quite a few cases Ignify eCommerce is customized to meet a specific customer's business needs. Customer support had earlier asked whether these customizations had to be supported as part of the Ignify eCommerce Enhancement Plan. Since the Enhancement Plan is charged as a percentage of license cost, it was an obvious question. The answer we arrived at was: "Yes, we would support all customizations, since the end user really doesn't understand the difference between standard and customized. He cares about his day-to-day operations." This led to a challenge around retaining knowledge of these customizations. There is usually only one support analyst who is familiar with a given customization, and if that analyst becomes unavailable then both knowledge retention and the end user experience suffer. We solved this problem by assigning a minimum of two support analysts to know each customization. Over the short term this increased the cost of support, but it brought us closer to our goal of wowing the customer.

Treating all on-premises licensed customers as SaaS customers posed a serious challenge in managing environments. Maintaining any software usually requires maintaining multiple environments: a DEVELOPMENT environment where troubleshooting and fixing can be done, a TEST environment where the quality assurance team can provide sign-offs, a UAT environment where end users can sign off, and finally a PRODUCTION environment. While some of our customers were maintaining these environments, most of them didn't have all four in place.

To avoid burdening our customers with environment creation (note that in a SaaS solution that burden doesn't exist), we took the initiative to create DEVELOPMENT and TEST environments for all of our support customers. For DEVELOPMENT, we leveraged FrontPage Extensions to create a single environment on which multiple support customers and support analysts can troubleshoot and debug. Each eCommerce solution was extended with FrontPage Extensions, which enabled remote publishing and debugging of multiple eCommerce solutions. For TEST, a new virtualized environment using Windows Server 2008 R2 Hyper-V on a Dell PowerEdge R905 with a Dell MD3000i was created for several hundred eCommerce solutions. An automated build-and-deploy process was configured to build these web solutions every night so QA can sign off without any dependency on developers.

This solved our DEVELOPMENT and TEST environment problem but we still had to push any software releases on UAT and PROD environment manually. This was done via a semi-automated custom built tool that took care of these deployments.

While working on customer satisfaction metrics, I came across a January 2008 article published by Wired Magazine. It was consistent with other customer feedback we had found on user experience with support services. Wired described support as a problem because the support analyst is not "emotionally invested" in the customer's business. It also described the average customer service rep as uncreative, having little incentive, and demonstrating limited empathy. We took some specific actions to ensure that we do not fall into the same trap:

  1. We decided that 50% of our support plan revenues would be invested in customer support salaries. This allowed us to design attractive incentive plans and compensation structures for our support analysts.
  2. We took our entire support team through a battery of presentations to explain how they play a role in our customers' day-to-day operations. The "emotional investment" came from the pride taken in increasing store revenues, and a reward system based on that revenue trend helped improve it.

The results have been extremely encouraging: we have improved First Call Resolution by 50% and Turn Around Time (measured as the average time taken to close an issue) by 70%, and average open issues per customer have gone down from 5 to 0.5, almost a 90% decrease.

Are we done with this journey? Not quite. Customer support is a fulcrum that can swing the end user experience either way. While we see a much larger debate going on about support contracts and their value, we continue to quietly move towards our goal of becoming the best customer service technology company around. How close are we to that goal? Only our customers can tell :).

Pankaj Kumar is the CTO of Ignify. Ignify is a technology provider of ERP, CRM, and eCommerce software solutions to businesses and public sector organizations. Ignify eCommerce is the only PCI certified eCommerce solution in the market that integrates with the Microsoft Dynamics ERP and Sage ERP solutions. Ignify has been included among the fastest growing businesses in North America for three years in a row by Deloitte, Inc Magazine and Entrepreneur Magazine.
