Archive for the ‘eCommerce Hosting’ Category

Shaping and Reshaping Your Business

June 22nd, 2010

A lot of work goes into shaping a business, but the shaping doesn’t end when you open your doors to the public. Businesses that survive and strive are those that abandon what doesn’t work and use that knowledge to reshape their business going forward. With online businesses, this could be as simple as changing domain names.

I just read an interesting article this morning about one online business that changed their web site five times in five years. This particular business was launched with an investment of  $100,000, but now grosses nearly $3 million in revenue. What I found interesting was that, over the years, they abandoned 60 percent of what they originally came up with. That’s huge, but it reshaped their business into the success they enjoy today.

Why would changing your domain name make any difference?
I think there are two angles to changing domain names. The first is perception. The second deals with Search Engine Optimization.

The Trust Factor
In the first (perception), the key is TRUST. Successful eCommerce ventures start and end with a strong trust factor. Let’s face it – what do prospects see when they search for info on Google, Bing and Yahoo? They essentially see two things – your domain name and a short description of your site. For example, which domain name conveys more (global) trust to you - Steve’sAirTransport.com or AviationTransportationServicesInc.com? Seems obvious to me. The second has a corporate, global feel to it that lends favorably to the perception of trust.

The SEO Factor
Although Google doesn’t disclose its search algorithms, it’s widely perceived in SEO circles that targeted keywords in your domain name weigh heavily on Search Engine Results Pages (SERPs). When searching for Aviation Transportation Services, two of the top four results have the targeted keywords, aviation and transportation, in their domain names. Would being in the top four results help drive targeted traffic and potential clients to your site? Absolutely!

The Real Challenge
Reevaluating your domain name is a starting point, but the real challenge entails staying current with ever-evolving technologies like Twitter and Facebook, AND keeping up to date with search engine trends and changes in their algorithms.

Categories: Business Tips, eCommerce Hosting, SEO

Thinking of building an online store?

June 16th, 2010

Does your brick and mortar store depend on referrals or walk-in traffic to sell your product or service? Online stores allow businesses to reach a wider range of prospects than they could ever imagine reaching on-site. Let’s face it, the majority of prospects today begin their shopping experience doing research online – comparing companies, products, prices – the works.

The Good News
And the good news is that you don’t need a huge server or an $80,000/year IT guy to make an online store work. The majority of eCommerce stores are Mom & Pop shops, selling everything from diet supplements to shoes, and processing their payments through PayPal – on a shared hosting account that probably costs less than $35/month. Compare that to ONE ad (five lines) in a local newspaper that runs 3 days in print and 30 days online – for a whopping $395.00 !!

The Nuts and Bolts of eCommerce
It all starts with a professional website, meaning its design is attractive to the eye, it’s easy to navigate, there are no spelling errors or broken links, and the solution you propose (along with its price) is relevant AND compelling. Beyond that, you’ll need a shopping cart and a payment processor. If you’re collecting credit card information on your site (directly), you’ll also need an SSL certificate, gateway and merchant account AND be PCI compliant. If you use a service like PayPal standard, and are not processing credit card information on your site – meaning your clients are passed off to PayPal’s servers to process the actual order, these don’t apply.

Attracting Visitors
Ok, sales begin with prospects. If no one walks through the door, it’s tough to move inventory. Online, if no one visits your site, the end result is duplicated. Building a site and hoping prospects will flock to your store overnight doesn’t work. Getting them there requires implementing a mix of online and offline marketing. The tried and true stuff still works – word of mouth, referrals, networking & direct sales staff. The new stuff could be Google Adwords, advertisements in forums or social media networks, Search Engine Optimization (SEO), podcasts and so on.

The Importance of Niche Marketing
Let’s start with the prospect as they enter a search query on Google, Bing or Yahoo. If that query is too broad, for example, recipes – the results returned will number in the gazillions, leaving them to find you somewhere among the masses. Aside from the benefit of branding, narrowing your focus on what makes your product or service (in this case – recipes) different is key. If you specialize in cupcake recipes, your competition in search queries for “cupcake recipes” will narrow their search results considerably. Taking this one step further, keying in on specific cupcake recipes, like strawberry cupcake recipes or apricot cupcake recipes, will help define your niche and FINDABILITY. This online marketing principle applies cross industry. Extended keyword PHRASES help narrow and funnel your prospects search to YOU.

RSA, TLS/SSL and eCommerce

March 26th, 2009

RSA keys are an essential cryptologic ingredient for providing TLS/SSL security in eCommerce.

The security of the RSA cryptosystem is based on two mathematical problems: the problem of factoring large numbers and the RSA problem (see below). Full decryption of an RSA ciphertext is thought to be infeasible on the assumption that both of these problems are hard, i.e., no efficient algorithm exists for solving them.

The RSA problem is defined as the task of taking e-th roots modulo a composite n: recovering a value m such that c = m^e mod n, where (n, e) is an RSA public key and c is an RSA ciphertext. Currently the most promising approach to solving the RSA problem is to factor the modulus n. With the ability to recover the prime factors, an attacker can compute the secret exponent d from a public key (n, e), then decrypt c using the standard procedure. To accomplish this, an attacker factors n into p and q and computes (p – 1)(q – 1), the modulus with respect to which d is the inverse of e; this is what allows d to be determined from e. No polynomial-time method for factoring large integers on a classical computer has yet been found, but it has not been proven that none exists.

RSA keys are typically 1024-2048 bits long. Some experts believe that 1024-bit keys may become breakable in the near term. Few see any way that 4096-bit keys could be broken in the foreseeable future. Therefore, it is generally presumed that RSA is secure if n is sufficiently large. If n is 300 bits or shorter, it can be factored in a few hours on a personal computer, using software already freely available.
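To make the link between factoring and the secret exponent concrete, here is an added Python example (not code from the original post) using the classic toy parameters p = 61 and q = 53: it builds a key, encrypts, and then shows that recovering p and q from the public modulus yields d. Trial division stands in for real factoring algorithms and only finishes for tiny moduli, which is exactly the key-size point made above.

```python
from math import gcd, isqrt


def rsa_keygen(p, q, e=65537):
    """Textbook RSA key pair from two primes (no padding; illustration only)."""
    n = p * q
    phi = (p - 1) * (q - 1)            # (p - 1)(q - 1), as in the post
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                # secret exponent: d = e^-1 mod (p-1)(q-1)
    return (n, e), d


def rsa_encrypt(m, pub):
    n, e = pub
    return pow(m, e, n)                # c = m^e mod n


def rsa_decrypt(c, d, n):
    return pow(c, d, n)                # m = c^d mod n, i.e. the e-th root of c


def factor_by_trial_division(n):
    """Recover p and q from a toy modulus by brute force. Work grows with
    sqrt(n): fine for a 12-bit n, hopeless for the 1024-2048-bit keys the
    post describes, which is why key length matters."""
    if n % 2 == 0:
        return 2, n // 2
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no non-trivial factors (is it prime?)")


def recover_private_exponent(pub):
    """The path described in the post: factor n, compute (p-1)(q-1), then
    derive d from e exactly as the legitimate key holder did."""
    n, e = pub
    p, q = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, d = rsa_keygen(61, 53, e=17)  # toy primes; n = 3233 is only 12 bits
    c = rsa_encrypt(65, pub)
    print("n bits:", pub[0].bit_length(), "d:", d, "c:", c)
    print("decrypt:", rsa_decrypt(c, d, pub[0]))
    print("d recovered from the public key alone:", recover_private_exponent(pub))
```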

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security and data integrity for communications over TCP/IP networks such as the Internet.

The TLS protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communications confidentiality over the Internet using cryptography.

In typical end-user/browser usage, TLS authentication is unilateral: only the server is authenticated (the client knows the server’s identity), but not vice versa (the client remains unauthenticated or anonymous). More strictly speaking, server authentication means different things to the browser (software) and to the end-user (human). At the browser level, it only means that the browser has validated the server’s certificate, i.e. checked the digital signatures of the server certificate’s issuing CA-chain (the chain of Certification Authorities, e.g. Verisign, Thawte, and GeoTrust, that vouch for the binding of identification information to public keys). Once validated, the browser is justified in displaying a security icon (such as a “closed padlock”). But mere validation does NOT “identify” the server to the end-user. For true identification, it is incumbent on the end-user to scrutinize the identification information contained in the server’s certificate (and indeed its whole issuing CA-chain); this is the only way for the end-user to know the “identity” of the server. Importantly, the “locked padlock” icon by itself has no relationship to the URL, DNS name or IP address of the server. Such a binding can only be securely established if the URL, name or address is specified in the server’s certificate itself.

Malicious websites can’t use the valid certificate of another website because they lack the private key that goes with it: they have no means to complete the handshake and read traffic encrypted to the public key in that certificate. Since only a trusted CA can embed a domain name in the certificate, checking the URL you are visiting against the name specified in the certificate is a valid way of identifying the true site.
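As an added illustration (not code from the original post), the following Python sketches the binding step the text says the padlock alone does not give you: the host in the URL must be matched against the names carried in the server’s certificate. The certificate is a constructed dictionary in the shape Python’s ssl.SSLSocket.getpeercert() returns, with placeholder names, and browser_style_context shows the client settings that enforce both chain validation and the name check.

```python
import ssl
from ipaddress import ip_address

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# not a real certificate, and all names are placeholders.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-shop.test"),),),
    "issuer": ((("commonName", "Example Root CA (placeholder)"),),),
    "subjectAltName": (
        ("DNS", "www.example-shop.test"),
        ("DNS", "*.cdn.example-shop.test"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _dns_name_match(pattern, host):
    """Case-insensitive match; a wildcard is allowed only as the whole
    left-most label and matches exactly one label (no 'a.b' for '*')."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    head, sep, rest = host.partition(".")
    return bool(sep) and bool(head) and "*" not in head and rest == pattern[2:]


def cert_matches_host(cert, host):
    """True if the host from the URL is bound by the certificate. Prefers
    subjectAltName; falls back to the subject CN only when no SAN exists."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(k == "IP Address" and ip_address(v) == ip for k, v in sans)
    dns_names = [v for k, v in sans if k == "DNS"]
    if dns_names:
        return any(_dns_name_match(p, host) for p in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_match(value, host)
    return False


def browser_style_context():
    """Client context that does what a browser does: validate the CA chain
    (verify_mode) AND require the certificate to name the host visited."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx
```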

Categories: eCommerce Hosting, Security

eCommerce and PCI DSS requirements

March 12th, 2009

One of the most misunderstood requirements for a merchant offering any type of credit or debit card services is the set of new security standards released by the Payment Card Industry.

Essentially, the PCI DSS (Payment Card Industry Data Security Standard) must be met by all organizations (merchants and service providers) that transmit, process or store credit card data. The PCI DSS (sometimes referred to as a compliance standard) is not a law; rather, it is a contractual obligation applied and enforced (by means of fines or other restrictions) directly by the payment providers (e.g., Visa & MasterCard) themselves.

PCI security standards are technical and operational requirements that were created to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats.
The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Compliance requirements are dependent on a merchant’s activity level.

There are four activity levels, based on the annual number of credit/debit card transactions.

In general:

Level 1 Criteria
Merchants with over 6 million transactions a year, or merchants whose data has previously been compromised
Level 1 Validation Requirements
Annual Onsite Security Audit (reviewed by a QSA or Internal Audit if signed by officer of merchant company and pre-approved by acquirer) and quarterly network security scan

Level 2 Criteria
Merchants with 1,000,000 to 6 million transactions a year
Level 2 Validation Requirements
Annual Self Assessment Questionnaire
Quarterly Scan by an Approved Scanning Vendor (ASV)

Level 3 Criteria
Merchants with 20,000 to 1,000,000 transactions a year
Level 3 Validation Requirements
Quarterly Scan by an Approved Scanning Vendor (ASV)
Annual Self Assessment Questionnaire

Level 4 Criteria
Merchants with less than 20,000 transactions
Level 4 Validation Requirements
Annual Self Assessment Questionnaire

Quarterly Scan by an Approved Scanning Vendor (may be recommended or required, depending on acquirer compliance criteria)

For further information

For comprehensive information about eCommerce and PCI DSS requirements, please visit the PCI Security Standards Council website.

Categories: eCommerce Hosting, PCI Compliance

Extended Validation (EV) SSL Certificates – Go Green

March 6th, 2009

Extended Validation (EV) SSL Certificates meet the highest standard in the Internet security industry for Web site authentication. EV SSL Certificates give high-security Web browsers information to clearly display a Web site’s organizational identity. The high-security Web browser’s address bar turns GREEN and reveals the name of the organization that owns the SSL Certificate and the SSL Certificate Authority that issued it. Why is this important? It gives Web site visitors an easy and reliable way to establish trust online.

I’ve started noticing more and more green EV SSL certificates lately, but I was on a local Credit Union’s site yesterday afternoon and noticed their SSL didn’t even show that the site was encrypted. I was stunned. I’ve been in that Credit Union a number of times and know their IT security to be first rate. Their site was recently revamped, so I suspect their new host cut costs by installing a cheap SSL certificate, as they can be found online for less than ten dollars.

Secure Sockets Layer (SSL) technology protects your Web site and makes it easy for your Web site visitors to trust you in three essential ways:

  1. An SSL Certificate enables encryption of sensitive information during online transactions.
  2. Each SSL Certificate contains unique, authenticated information about the certificate owner.
  3. A Certificate Authority verifies the identity of the certificate owner when it is issued.

You need SSL if…

  • You have an online store or accept online orders and credit cards
  • You offer a login or sign in on your site
  • You process sensitive data such as address, birth date, license or ID numbers
  • You need to comply with privacy and security requirements
  • You value privacy and expect others to trust you.

Extended Validation SSL Certificates give high-security Web browsers information to clearly identify a Web site’s organizational identity. For example, if you use Microsoft® Internet Explorer 7 to go to a Web site secured with an SSL Certificate that meets the Extended Validation Standard, IE7 will cause the URL address bar to turn green. A display next to the green bar will toggle between the organization name listed in the certificate and the Certificate Authority (VeriSign, for example). Firefox 3 also supports Extended Validation SSL.

Hosting Providers & Merchant Accounts – PCI Compliance Explained

February 23rd, 2009

There seems to be a great deal of confusion about PCI compliance, on the part of merchants and hosting providers. Who’s responsible for what?

First, the merchant (web host) always remains responsible for compliance – to be certified. Their hosting provider (data center) is responsible within the scope of the infrastructure and services they provide to the merchant – for example, real estate (floor, electricity and controlled physical access). If a hosting provider also manages the merchant’s network, then they’re responsible for that specific scope of compliance.

Having said that, the merchant is required to monitor compliance of their service providers and manage any non-compliant risks, but a hosting provider’s PCI compliance isn’t mandatory for merchants to use that provider. As a merchant who accepts card payments for products or services, you are obligated to be PCI compliant – but not for the environment in its entirety; the obligation is limited to the processing of the credit cards, storage of that data and their respective transmission gateways. To that end, PCI is technology neutral, meaning you don’t have to build out with specific infrastructure.

So what are the minimum requirements? A couple of servers, a firewall, logging, monitoring and IDS/IPS (intrusion detection and intrusion prevention systems) capabilities.

Categories: PCI Compliance, Security

SSL Certificates – Does anyone ever click on that LOCK icon?

February 20th, 2009

Go to any financial institution’s website, then find the lock icon in your browser and click on it. Does anyone ever do that before typing in their credit card information when shopping online – click on the lock icon? Lock icons can be forged. By clicking on the icon instead of just relying on its presence to validate the vendor, you’ll see an SSL security report. My bank’s report shows Verisign Class 3 Primary CA, identifies the URL of the site itself and confirms that the site is encrypted.

All SSL certificates are NOT created equally.

As a vendor, if you purchase one of the less expensive SSL certificates, you will be able to use the lock icon. To the unsuspecting prospect, for all intents and purposes, they believe they’re placing a secure transaction online. Validation of the vendor is the differentiation between the types of certificates issued.

VeriSign, Thawte or GeoTrust are solid choices for extended validation (EV) certificates. They’re more expensive, but highly recognizable and trusted. If you’re running eCommerce, the goal is to minimize abandoned shopping carts by converting more prospects. People buy from reps they know, like and trust. On the Internet, one very important trust level is your SSL certificate.

Categories: eCommerce Hosting