27 March 2008

'How did you hear about us' identifies source of catalog requests

Do you mail a printed catalog (or catalogue?) to your customers? Website visitors have long been able to request such catalogs from merchants using Total Blue System's ecommerce package. But now you can ask the same question of someone requesting a catalog as you can of someone creating a website account:  How did you hear about us?

The possible answers are configured by you in the Admin Area, under the User Accounts tab. See the subsection Customer Sources, where you can name and code each source and manage how the sources are displayed.

The answer selected by the visitor who requests a catalog can be passed into your order fulfillment system along with regular website orders. If you're using Dydacomp's Mail Order Manager (MOM), then this will be included in the appropriate data format as part of the order file that's downloaded by you each day.

12 March 2008

Manage category tree for optimal SEO and 'Path to Purchase'

With seasonal changes in your web catalog, or with organizational changes driven by search engine optimization (SEO), the work to keep your catalog's categories or departments in order can be a chore. What's called the 'category tree' in Total Blue System's Catalog module now makes this work easier for you.

When your web catalog goes through some turmoil, consider this:

  1. For any category that has subcategories, does it also have products of its own associated with it?

    If yes, those products won't display on the public pages of the site. The category gateway template only displays subcategories, so those products are effectively invisible. They will stay invisible until a category gateway template is offered that combines the role of the category gallery template (showing products) with that of the gateway template (showing subcategories).
  2. Are there any categories with 0 products? Now you can more quickly spot these likely unfinished or old categories.
  3. Are there any categories with more than 30 products? If yes, it may suggest a need for better allocation across multiple subcategories. Or else you ought to delete old products to simplify management of the category.

    Now you can see how many products are contained in each subcategory. (Note: The product count is specific to that category only, and not inclusive of subcategories beneath it.)

  4. Are products hidden that ought not be? The view of the category tree now makes this obvious.

Lastly, you can now spot hidden categories a little more easily, as they're highlighted. Hidden categories can serve a search engine optimization (SEO) purpose in ways that don't clutter your primary category or department tree, typically visible from a left side navigation bar. There are also merchandising considerations that suggest hidden categories. For example, a category like "online exclusives" ought to be hidden and linked to prominently from teaser spots rather than being lumped next to topic, functional or gender categories in a main navigation bar. By making the category hidden, it won't be visible in the left nav bar. Ask us about how to evaluate which categories ought to be hidden and which visible...

The category tree deserves special attention, as it serves not only as the "path to purchase" for the human shopper, but also as a key factor in your site's overall search engine optimization.
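The four checks above can be run mechanically over a category tree. The following is an added example (not code from the Catalog module) that models a tree with a hypothetical Product/Category structure and reports gateway categories that also hold their own products, empty leaf categories, categories over the 30-product threshold, hidden products and hidden categories. The product count is direct only, as the note in check 3 describes. The sample catalog at the bottom is constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Added example: a minimal model of the category tree and the checks
# described in the post. The class names and fields are assumptions,
# not the Catalog module's own data model.

@dataclass
class Product:
    name: str
    hidden: bool = False

@dataclass
class Category:
    name: str
    products: List[Product] = field(default_factory=list)   # assigned directly to this category
    children: List["Category"] = field(default_factory=list)
    hidden: bool = False

def audit_tree(top_level: List[Category], max_products: int = 30) -> Dict[str, List[str]]:
    """Walk the tree and return each finding as a category path."""
    findings: Dict[str, List[str]] = {
        "invisible_products": [],   # check 1: gateway category that also holds products
        "empty": [],                # check 2: leaf category with no products
        "oversized": [],            # check 3: more than max_products direct products
        "hidden_products": [],      # check 4: products flagged hidden
        "hidden_categories": [],    # highlighted in the tree view
    }

    def walk(cat: Category, parents: List[str]) -> None:
        path = "/".join(parents + [cat.name])
        count = len(cat.products)   # direct count only; subcategories are not included
        if cat.children and count:
            findings["invisible_products"].append(f"{path} ({count} products)")
        if not cat.children and count == 0:
            findings["empty"].append(path)
        if count > max_products:
            findings["oversized"].append(f"{path} ({count} products)")
        findings["hidden_products"].extend(f"{path}/{p.name}" for p in cat.products if p.hidden)
        if cat.hidden:
            findings["hidden_categories"].append(path)
        for child in cat.children:
            walk(child, parents + [cat.name])

    for cat in top_level:
        walk(cat, [])
    return findings

def sample_catalog() -> List[Category]:
    """Constructed sample data exercising every check; not a real merchant's catalog."""
    womens = Category("Women's", [Product(f"W{i}") for i in range(31)])
    mens = Category("Men's", [Product(f"M{i}") for i in range(12)])
    apparel = Category("Apparel", [Product("Gift Card"), Product("Catalog")], [mens, womens])
    closeouts = Category("Closeouts")
    exclusives = Category("Online Exclusives",
                          [Product("Bundle"), Product("Gift Set", hidden=True)], hidden=True)
    return [apparel, closeouts, exclusives]

if __name__ == "__main__":
    for check, hits in audit_tree(sample_catalog()).items():
        print(f"{check}: {hits}")
```

On the sample data, "Apparel" is flagged because its two own products sit behind a gateway template, "Closeouts" is an empty leaf, and "Women's" exceeds the threshold on its own count even though "Apparel" as a whole would not be judged by the sum.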

25 February 2008

Customer and admin accounts separated for improved security

In our ecommerce site management tool known as the Admin Area of Total Blue System, the "Contacts" section now distinguishes between Customer accounts and Admin accounts, with the organizing tab being renamed "User Accounts". Formerly grouped together as "contacts," they are now managed from separate screens or pages, which reflect deeper changes in how the software functions.

Driven by our compliance with the Payment Card Industry's Data Security Standard (PCI DSS) and timed for the conclusion of our compliance audit, admin accounts are now managed distinctly and more intensively than customer accounts, because admin accounts can grant access to sensitive order payment details.

Here are some notable changes:

  • You cannot log in to the public side of the website, the customer's My Account area, if you are using an admin account. Only customer logins gain entry to the My Account area now.
  • Passwords for your Admin Area account are now stored only in a one-way (hashed) form, not as readable text. We cannot see them or recover them for you. If a password is forgotten, it can only be reset to restore access.
  • If you forget your Admin Area login details, you've got about 5 chances to enter the correct username and password. After that, you'll be locked out of the Admin Area for a period of time. This helps prevent what are known as brute-force or dictionary attacks, in which an attacker's script tries many guessed passwords in quick succession.
    • If you need further assistance after being locked out of your account, you can contact another Admin Area site manager or E-business Coach's tech support team for assistance unlocking your account. Direct the person helping you to edit your account in the Admin Area and follow the prompt to unlock the account.
  • The login URL for the Admin Area has changed slightly. The post "Updated login URL for Admin Area" explains the change and may make it easier to log in.
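The three account changes listed above (admin accounts rejected by the customer login, passwords stored only as one-way hashes, and lockout after repeated failures with an unlock by another admin) fit together in a small piece of login logic. The following is an added example written for this page, not Total Blue System's code: the account store, the 30-minute lockout period and the "admin"/"customer" kind labels are assumptions, and the usernames and passwords at the bottom are constructed.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Added example; not the product's own login code. Constants are assumptions.
MAX_FAILURES = 5             # the post says "about 5 chances"
LOCKOUT_SECONDS = 30 * 60    # assumed lockout period; the post does not state one
ITERATIONS = 100_000         # PBKDF2 work factor

def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted one-way hash. The stored value cannot be turned back into the password,
    which is why support can reset a password but never tell you the current one."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest

def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

@dataclass
class Account:
    username: str
    password_hash: bytes
    kind: str                  # "admin" (Admin Area) or "customer" (My Account)
    failures: int = 0
    locked_until: float = 0.0

class AccountStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def create(self, username: str, password: str, kind: str) -> None:
        self.accounts[username] = Account(username, hash_password(password), kind)

    def login(self, username: str, password: str, area: str, now: Optional[float] = None) -> str:
        """area is the login form being used: "admin" or "customer".
        Returns "ok", "denied" or "locked"."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None or acct.kind != area:
            return "denied"          # an admin account cannot enter My Account, and vice versa
        if acct.locked_until > now:
            return "locked"          # still inside the lockout window
        if acct.locked_until:        # window has passed: start counting afresh
            acct.failures, acct.locked_until = 0, 0.0
        if verify_password(password, acct.password_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"

    def unlock(self, username: str) -> None:
        """What another site manager or support does from the account's edit screen."""
        acct = self.accounts[username]
        acct.failures, acct.locked_until = 0, 0.0

    def reset_password(self, username: str, new_password: str) -> None:
        """The only recovery path: a new hash replaces the old one."""
        self.accounts[username].password_hash = hash_password(new_password)

if __name__ == "__main__":
    store = AccountStore()
    store.create("alice", "correct horse battery", "admin")      # constructed credentials
    print(store.login("alice", "correct horse battery", "customer", now=0.0))   # denied
    for _ in range(MAX_FAILURES):
        print(store.login("alice", "guess", "admin", now=0.0))                  # ... locked
    store.unlock("alice")
    print(store.login("alice", "correct horse battery", "admin", now=0.0))      # ok
```

The lockout counter is per account rather than per source address, which is what the post describes; an attacker who knows a username can therefore lock that admin out, so the unlock-by-another-admin path matters as much as the lockout itself.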

There are other significant, sometimes subtle changes going on as we complete our PCI audit. Find out more by reading those posts categorized as ecommerce security.


Updated login URL for Admin Area, site maintenance

Total Blue System's ecommerce software includes a full-featured Admin Area, enabling site owners to maintain their site's catalog and content from within a web browser. The login URL to the Admin Area that you ought to bookmark is https://www.yourdomain.com/admin/ and that will remain the same after this latest software system update. But there is the potential for confusion when logging in, as the redirect from https://www.yourdomain.com/admin/ to the form where you enter your username and password will change effective 26 February. The changes are part of a number of security enhancements related to our compliance with the Payment Card Industry's Data Security Standard (PCI DSS). Learn more in posts categorized as ecommerce security.

Whether you have a problem logging in will depend much on whether you use a password manager tool (we recommend RoboForm and 1Password), or rely on your web browser to save and manage your passwords, or you type directly in the form fields.

Here are some tips on how to login if you don't know your password and the software you use to manage your password seems confused by the updated login URL:

  • View and edit your password from within the software you use as your password manager. Once you fetch your password, enter it directly into the form by manually typing it into the fields. As you submit the form to log in, you'll be prompted to save this information. Choose to save the login details and this ought to update your saved URL and make it easy to log in next time.
    • In the Firefox web browser, for example, you can go to Edit -> Preferences. Then choose Show Passwords and find the URL of your website's admin area. Then enter the password as you see it there into the form fields for the Admin Area login. Try a similar process if you use Microsoft's Internet Explorer.
    • In 1Password, you can edit the URL that's saved. In this case, the old URL may look like https://www.yourdomain.com/admin/signin.php. Instead, change it to just https://www.yourdomain.com/admin/
    • In RoboForm, you can't typically edit the URL. But you can view the password and then manually enter it into the form field. Upon form submission, you can save a new "passcard" to use the next time.
  • If at least one person in your company who has Admin Area access does know his or her password, then the others who do not can ask that person to update their passwords from within the Admin Area. Go to "User Accounts" then "View / Edit Admin Accounts". Choose to edit the admin user in question. You can enter a new password in the so-named field and save your changes.
    • Just remember that communication of the new password needs to be in person or by phone and never by email. The sensitivity of the password excludes email as a means of communicating it, unless the email message itself is encrypted. A password set for you by a colleague should be treated as temporary: change it yourself once you are back in.
  • If none of the above options are working or make sense, then contact our technical support team for assistance. We can reset your password for you if you have an existing account. (We cannot tell you your existing password, as it is stored only as a one-way hash and is not available to us.)

23 January 2008

How to respect opt-out requests from email offers

Total Blue System's email marketing module permits a customer visiting your ecommerce website to opt out or unsubscribe from the email marketing list. When this happens, a demographic called "Please don't send me any promotional emails" is set to "on".

As a good practice, a retail merchant needs to ensure that email marketing messages are not being sent to customers who have unsubscribed. This is done through the segment (formerly called filter). Each email marketing message which is sent should have a segment associated with it.

Each segment should include as part of its logic statement a demographic restriction of "Please don't send me any promotional emails" is blank. That means that the customer has not requested to unsubscribe.


The following is a screen shot of what a segment might look like, as well as a screen shot of the fields to check to achieve this result.

We would be happy to help if you need assistance in checking and explaining your segments. Or, if you prefer, we can update these for you as a billable service.

22 January 2008

Minimize risk of denial-of-service hosting attacks

If there's a risk to an e-commerce website's up-time or performance that's hard to eliminate, it's the periodic instance of what's known as a denial of service (DoS) attack. (In short, it means someone floods your server with so many requests that it chokes, and prevents your site visitors from viewing your pages.) Refinements of Total Blue System's hosting infrastructure released this week ought to improve your e-commerce site's ability to weather such an attack.

We'll spare you the details; suffice it to say there are configurations at the Linux kernel level (we use Red Hat Enterprise as our Linux distribution), as well as tuning of connection management for our database, MySQL. And more.

The DoS attack, even if inadvertent (a runaway crawler or a misconfigured partner script can produce the same flood), accounts for the majority of instances recorded in our Status blog, which identifies our server cluster's unscheduled hosting downtime.
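For readers who want to know what "configurations at the Linux kernel level" and "tuning of connection management" typically mean in practice, the following is an added, illustrative fragment and not the provider's actual settings. The kernel keys are standard Linux sysctl parameters aimed at SYN floods (the classic way of exhausting a server with half-open TCP connections); the MySQL options cap what a flood of web requests can do to the database. The numeric values are starting points chosen for illustration and would be tuned per server.

```ini
# Illustrative /etc/sysctl.d/99-syn-flood.conf (added example; not the provider's file)
# Answer SYN floods with SYN cookies instead of keeping a queue entry per half-open connection.
net.ipv4.tcp_syncookies = 1
# More room for half-open connections before cookies take over.
net.ipv4.tcp_max_syn_backlog = 4096
# Give up on unanswered SYN-ACKs sooner (kernel default is 5 retries).
net.ipv4.tcp_synack_retries = 2
# Accept-queue depth for listening sockets such as the web server's.
net.core.somaxconn = 1024
# Recycle FIN-WAIT-2 sockets faster (kernel default is 60 seconds).
net.ipv4.tcp_fin_timeout = 15

# Illustrative /etc/my.cnf section (added example; values are starting points)
[mysqld]
max_connections = 300      # hard cap so the database degrades instead of exhausting memory
wait_timeout = 60          # drop connections abandoned by stalled web workers (default 28800)
max_connect_errors = 100   # block a host that repeatedly fails to complete a connection
back_log = 128             # pending-connection queue while mysqld is busy
```

Whichever values are chosen, the check a practitioner wants is the same one the post alludes to: compare the downtime incidents in the Status blog before and after the change rather than trusting the numbers on their own.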

19 December 2007

PCI computer and network security audit, on-site Day 2

Moving into Day 2 of our PCI on-site audit, there's a full schedule ahead. Yesterday's Day 1 proceeded well enough, but the auditor wouldn't be an auditor if he didn't find something to be given more attention or improvement. So as we follow-up on further enhancements itemized in Day 1, here's what we're looking forward to today:

  • Analysis of our network and software application topology, which means a map of what data goes where, and how.
  • The overall transaction flow for payment information will be examined and vetted for integrity. So, too, will be our internal business processes and those of our merchants, insofar as we as the service provider automatically hand off payment details of an order for processing by the merchant.
  • More firewall configuration examinations today, as details matter when it comes to who gets in, who doesn't, and who can even observe what exists behind the wall.
  • Examination of how, exactly, sensitive payment information is stored after being collected through the shopping cart. Of course, it's encrypted. But this audit actually involves line by line examination of our software's code for doing so, and then some.
  • The auditor will assess how our systems monitor access to all parts of the network, and log data about who does what with any sensitive payment or cardholder information. To use an analogy, a hardened wall is insufficient, there are also prying cameras recording what happens on the inside.
  • Configuration standards will be given more attention again today. It's fortunate that, for the part we rely upon our hosting partner Rackspace, they're well vetted in terms of business process controls and accountability, having been certified to the SAS 70 standard for many years. That's insufficient for the PCI standard and for our own operational processes, but it helps.
  • Audit of our anti-virus and anti-spyware/adware systems as a defensive measure against external attacks. As it turns out, this is less of an issue as our ecommerce hosting runs on a hardened Linux operating system, specifically Red Hat Enterprise. And most of our team's personal computers are either Macs or Linux, which are comparatively less of a target than Windows.

And the march goes on.

18 December 2007

PCI computer and network security audit, on-site Day 1

As our turn-key ecommerce package includes software and web hosting, Total Blue System bears much responsibility for ensuring merchants can operate it in compliance to data security standards. Obligations for merchants who collect credit cards and other sensitive payment information are defined in the Payment Card Industry's Data Security Standard (PCI DSS). To demonstrate our compliance as a qualified service provider to merchants, we've arranged an audit by a security consulting firm, SecurityMetrics.

Today's the big first day of our on-site audit, where the auditor will personally inspect servers in our data center and much, much more. Visa, Mastercard and American Express require this on-site audit of the largest merchants and service providers (such as payment gateways), plus anyone who's ever experienced a data compromise event. That "event" is industry lingo for being hacked, cracked, or otherwise having had credit card numbers exposed. And that's our sad story, going back to 2005.

Now it's time for a redemption, of sorts. Today's the day our myriad preparations for an incredibly secure ecommerce hosting environment and software application are put to the test. Tests and probes actually started in November, but today's symbolic as the first on-site. On the agenda:

  • Examination of our system's firewalls, switches, and overall network configuration.
  • Tour of the world-class data center operated by Rackspace that manages our hardware and terrific network, including auditing of access controls and physical security.
  • Examination of our security systems, including tests of our intrusion detection system and logging devices.
  • Assessment of our system configuration standards and related business processes.

It's not sexy, but it's certainly thorough. We're feeling breathless all the same, either out of exhaustion in getting ready for it all, or in anticipation of being crowned worthy. For our merchants, this gives you the confidence to know our security efforts are validated and your compliance, via our compliance, is going to be certified.

14 December 2007

Manage email "suppression file" for your marketing partners

As our e-commerce clients grow in the sophistication of their marketing techniques, no longer is it a safe assumption that you, the site owner, will always be the sender of email marketing offers for your company. New marketing partners, like affiliates, may send out offers on your behalf. Here's a solution for merchants who must manage a common or 'master' suppression file containing a list of email addresses that have opted out of receiving such commercial bulk mail offers:

Now you can present site visitors with a "Quick Unsubscribe" link that's distinctly different from the normal unsubscribe functionality of Total Blue System's email marketing module. The normal method is to link to a URL like http://www.yourdomain.com/profile/unsubscribe/ with a text link called "unsubscribe". This might be linked from the footer of every page of your website, from the bottom of your email marketing offers, and elsewhere. But this ought not to be the unsubscribe link that you give to marketing partners who are sending emails on your behalf.

For those who are sending to a different list than the Master list maintained within the Email Marketing module, they need a different unsubscribe form. This is because the normal unsubscribe form assumes that a given email address is ON the list. How could it NOT be on the list, if it wants to unsubscribe, right?  The answer is that such an email address won't be on your master list already because it's owned by an affiliate -- or some other marketing partner -- who is sending an offer that's considered to be from you to their own recipient list. So you need an unsubscribe form that will collect an opt-out unsubscribe request -- even if that email address is not already on your list and one to which you've never sent a commercial email offer directly.

You can now provide your affiliates or marketing partners with such a URL, which is http://www.mydomain.com/profile/quick_unsubscribe . Of course, change the domain to be your own. This page presents a simple form from which any email address can be collected. So your marketing partners would add a link to this page from the bottom of their email offers. (Note: upon form submission, the email address is added to your Master List with the value set to 'on' for the demographic question: Would you like to opt-out of receiving offers by email?) Because the form deliberately accepts any address without verification, it records an opt-out for whatever address is typed in, including one the submitter doesn't own; that is the accepted trade-off for a frictionless opt-out, but it is a reason to watch the form for abuse.

An important part of complying with the CAN-SPAM Act, federal law in the United States and a good best practice for our UK clients, is to see that opt-out requests are honored within a matter of days (CAN-SPAM allows 10 business days). That means all your marketing partners need to NOT email an offer to anyone who has received a prior offer on your behalf if that email address owner has opted out. So all of your marketing partners need to be getting from you a "Suppression File" that contains these common opt-outs.

This suppression file ought to be generated by you weekly from within the Admin Area of Total Blue System's email marketing module. (See the "Download records" functionality.) The criteria for the export or download of records ought to be all those where the demographic question 'Would you like to opt-out of receiving offers by email? Answer: Please don't send me any promotional emails' is set to "on". The file is itself a list of personal email addresses, so hand it to partners over a protected channel rather than as a plain email attachment.

  • If you'd like hands-on support in understanding how to use this new feature, or how to create your own Suppression file to share with affiliates or other marketing partners, please contact E-business Coach's support team. This opportunity / responsibility can become a core business process for your company.
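The three pieces of opt-out handling described on this page, the segment that excludes opted-out addresses (post of 23 January 2008), the quick_unsubscribe form that records an opt-out for an address not yet on the list, and the weekly suppression file export, can be shown together in one small model. The following is an added example written for this page, not the email marketing module's code: the record layout, the normalize() helper and the CSV export format are assumptions, and the master list is constructed sample data.

```python
import csv
import io
from typing import Dict, List

# Added example; not the module's own code. The demographic name is the one
# quoted in the posts; the record layout is an assumption.
OPT_OUT = "Please don't send me any promotional emails"

Record = Dict[str, str]

def sample_list() -> List[Record]:
    """Constructed master list: one record per address plus its demographics."""
    return [
        {"email": "ann@example.com",  OPT_OUT: "",   "country": "US"},
        {"email": "bob@example.com",  OPT_OUT: "on", "country": "US"},
        {"email": "cy@example.co.uk", OPT_OUT: "",   "country": "UK"},
    ]

def normalize(email: str) -> str:
    """Assumed canonical form so 'Bob@Example.com ' and 'bob@example.com' match."""
    return email.strip().lower()

def segment(records: List[Record], **criteria: str) -> List[str]:
    """A segment (formerly 'filter'): the caller's criteria AND the opt-out
    demographic being blank. Every mailing should be sent to such a segment."""
    return [r["email"] for r in records
            if r.get(OPT_OUT, "") != "on"
            and all(r.get(k) == v for k, v in criteria.items())]

def unsubscribe(records: List[Record], email: str) -> bool:
    """The normal unsubscribe form: assumes the address is already on the list.
    Returns False when it is not, which is the gap the quick form closes."""
    email = normalize(email)
    for r in records:
        if normalize(r["email"]) == email:
            r[OPT_OUT] = "on"
            return True
    return False

def quick_unsubscribe(records: List[Record], email: str) -> Record:
    """The quick_unsubscribe form for partner-sent offers: records the opt-out
    even for an address never on the master list, adding a record if needed."""
    email = normalize(email)
    for r in records:
        if normalize(r["email"]) == email:
            r[OPT_OUT] = "on"
            return r
    r: Record = {"email": email, OPT_OUT: "on"}
    records.append(r)
    return r

def suppression_file(records: List[Record]) -> str:
    """The weekly export: every address whose opt-out demographic is 'on', as CSV."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["email"])
    for r in sorted(records, key=lambda r: normalize(r["email"])):
        if r.get(OPT_OUT) == "on":
            writer.writerow([normalize(r["email"])])
    return buf.getvalue()

if __name__ == "__main__":
    records = sample_list()
    print(segment(records, country="US"))          # ann only; bob has opted out
    print(unsubscribe(records, "dee@partner.example"))       # False: not on the list
    quick_unsubscribe(records, " Dee@Partner.example ")       # recorded anyway
    print(suppression_file(records))
```

The point the two forms illustrate is in unsubscribe() versus quick_unsubscribe(): a partner's recipient who has never been on your list gets nothing from the normal form, but still ends up in the suppression file through the quick one, which is what keeps the partner's next send compliant.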

26 September 2007

Control MOM's data sync and behaviors

E-commerce merchants that operate Dydacomp's Mail Order Manager (a.k.a. MOM) can now more easily and precisely control the flow of data between MOM and their website. The Total Blue System integration with MOM goes back four years, so there's not a lot that's new in the way of raw functionality in this latest System Update. What is new and important is the introduction of a dedicated MOM configuration tab within the configuration options of Total Blue System's Admin Area.

Our objectives included:

  • Enable site owners to directly control site-wide configuration settings, managed in one place, that affect all relevant data on the site. So in contrast to the MOM configuration setting specific to one product described here, the merchant can more efficiently control data sync behaviors.
  • Make explicit and obvious to site owners and their web team the behaviors that govern the MOM integration. Now you can see exactly what's going on for product names, description, inventory, web order types, and more. And you can make adjustments directly as you work out the best solution for you.
  • Update the chart in the Help section showing data flows and behaviors for MOM and Total Blue System. This chart concerns products that exist both within MOM and in the web catalog.

If you don't use Mail Order Manager, then don't be concerned with this. You'll only see the new MOM configuration tab if your site has been set up for such an integration. E-commerce merchants using something besides MOM will prefer the API integration with Total Blue System that uses RESTful XML over HTTPS.