
Posts from December 2007

19 December 2007

PCI computer and network security audit, on-site Day 2

Moving into Day 2 of our PCI on-site audit, there's a full schedule ahead. Yesterday's Day 1 proceeded well enough, but the auditor wouldn't be an auditor if he didn't find something to be given more attention or improvement. So as we follow up on the further enhancements itemized in Day 1, here's what we're looking forward to today:

  • Analysis of our network and software application topology, which means a map of what data goes where, and how.
  • The overall transaction flow for payment information will be examined and vetted for integrity. So, too, will be our internal business processes and those of our merchants, insofar as we as the service provider automatically hand off payment details of an order for processing by the merchant.
  • More firewall configuration examinations today, as details matter when it comes to who gets in, who doesn't, and who can even observe what exists behind the wall.
  • Examination of how, exactly, sensitive payment information is stored after being collected through the shopping cart. Of course, it's encrypted. But this audit actually involves line by line examination of our software's code for doing so, and then some.
  • The auditor will assess how our systems monitor access to all parts of the network, and log data about who does what with any sensitive payment or cardholder information. To use an analogy, a hardened wall is insufficient; there are also prying cameras recording what happens on the inside.
  • Configuration standards will be given more attention again today. It's fortunate that, for the part we rely on our hosting partner Rackspace for, they're well vetted in terms of business process controls and accountability, having been certified to the SAS 70 standard for many years. That's insufficient for the PCI standard and for our own operational processes, but it helps.
  • Audit of our anti-virus, anti-spyware and anti-adware systems as a defensive measure against external attacks. As it turns out, this is less of an issue as our ecommerce hosting runs on a hardened Linux operating system, specifically Red Hat Enterprise. And most of our team's personal computers are either Macs or Linux, which are comparatively less of a target than Windows.

And the march goes on.

18 December 2007

PCI computer and network security audit, on-site Day 1

As our turn-key ecommerce package includes software and web hosting, Total Blue System bears much responsibility for ensuring merchants can operate it in compliance with data security standards. Obligations for merchants who collect credit cards and other sensitive payment information are defined in the Payment Card Industry's Data Security Standard (PCI DSS). To demonstrate our compliance as a qualified service provider to merchants, we've arranged an audit by a security consulting firm, SecurityMetrics.

Today's the big first day of our on-site audit, where the auditor will personally inspect servers in our data center and much, much more. Visa, Mastercard and American Express require this on-site audit for the largest companies that qualify as a payment gateway, plus anyone who's ever experienced a data compromise event. That "event" is industry lingo for being hacked, cracked, or otherwise had credit card numbers exposed. And that's our sad story, going back to 2005.

Now it's time for a redemption, of sorts. Today's the day our myriad preparations for an incredibly secure ecommerce hosting environment and software application are put to the test. Tests and probes actually started in November, but today's symbolic as the first on-site. On the agenda:

  • Examination of our system's firewalls, switches, and overall network configuration.
  • Tour of the world-class data center operated by Rackspace that manages our hardware and terrific network, including auditing of access controls and physical security.
  • Examination of our security systems, including tests of our intrusion detection system and logging devices.
  • Assessment of our system configuration standards and related business processes.

It's not sexy, but it's certainly thorough. We're feeling breathless all the same, either out of exhaustion in getting ready for it all, or in anticipation of being crowned worthy. For our merchants, this gives you the confidence to know our security efforts are validated and your compliance, via our compliance, is going to be certified.

14 December 2007

Manage email "suppression file" for your marketing partners

As our e-commerce clients grow in the sophistication of their marketing techniques, it is no longer a safe assumption that you, the site owner, will always be the sender of email marketing offers for your company. New marketing partners, like affiliates, may send out offers on your behalf. Here's a solution for merchants who must manage a common or 'master' suppression file containing a list of email addresses whose owners have opted out of receiving such commercial bulk mail offers:

Now you can present site visitors with a "Quick Unsubscribe" link that's distinctly different from the normal unsubscribe functionality of Total Blue System's email marketing module. The normal method is to link to a URL like http://www.yourdomain.com/profile/unsubscribe/ with a text link called "unsubscribe". This might be linked from the footer of every page of your website, from the bottom of your email marketing offers, and elsewhere. But this ought not be the unsubscribe link that you give to marketing partners who are sending emails on your behalf.

For those who are sending to a different list than the Master list maintained within the Email Marketing module, they need a different unsubscribe form. This is because the normal unsubscribe form assumes that a given email address is ON the list. How could it NOT be on the list, if it wants to unsubscribe, right? The answer is that such an email address won't be on your master list already because it's owned by an affiliate -- or some other marketing partner -- who is sending an offer that's considered to be from you to their own recipient list. So you need an unsubscribe form that will collect an opt-out unsubscribe request -- even if that email address is not already on your list and is one to which you've never sent a commercial email offer directly.

You can now provide your affiliates or marketing partners with such a URL, which is http://www.mydomain.com/profile/quick_unsubscribe. Of course, change the domain to be your own. This page presents a simple form from which any email address can be collected. So your marketing partners would add a link to this page from the bottom of their email offers. (Note: upon form submission, the email address is added to your Master List with the value set to 'on' for the demographic question: Would you like to opt-out of receiving offers by email?)

An important part of complying with the CAN-SPAM Act, federal law in the United States and a good best practice for our UK clients, is to see that opt-out requests are honored in a matter of days. That means all your marketing partners need to NOT email an offer to anyone who has received a prior offer on your behalf if that email address owner has opted out. So all of your marketing partners need to get from you a "Suppression File" that contains these common opt-outs.

This suppression file ought to be generated by you weekly from within the Admin Area of Total Blue System's email marketing module. (See the "Download records" functionality). The criteria for the export or download of records ought to be all those where the demographic question 'Would you like to opt-out of receiving offers by email? Answer: Please don't send me any promotional emails' is set to "on".
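To show the two halves of this process end to end, here is an added example (not code from Total Blue System's email marketing module): it builds a suppression set from a constructed weekly export where the opt-out answer is "on", and then filters a partner's own recipient list against it, matching case-insensitively so a differently capitalized address cannot slip past. The CSV layout and column names are assumptions; the optional hashed form goes beyond the post, so that the file handed to partners need not disclose the opt-out addresses themselves.

```python
"""Suppression file handling: build from an opt-out export, then filter a
partner's send list. Example code added here, not the module's own code.
The CSV columns below are assumed, not the module's real export format."""
import csv
import hashlib
import io

# Constructed sample of a weekly "Download records" export: one row per
# contact, with the opt-out demographic answer in its own (assumed) column.
EXPORT_CSV = """email,optout_promotional
Alice@Example.com,on
bob@example.com,
carol@example.org ,on
dave@example.net,on
"""

# Constructed sample of an affiliate's own recipient list.
PARTNER_LIST = ["alice@example.com", "bob@example.com",
                "CAROL@example.org", "erin@example.com"]


def normalize(address: str) -> str:
    """Canonical form so a match is not defeated by case or stray whitespace."""
    return address.strip().lower()


def build_suppression(export_csv: str, hashed: bool = False) -> set:
    """Collect every address whose opt-out answer is 'on'.

    With hashed=True the set holds SHA-256 digests instead of addresses,
    so the file shared with partners does not reveal the addresses.
    """
    suppressed = set()
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["optout_promotional"].strip().lower() == "on":
            addr = normalize(row["email"])
            key = hashlib.sha256(addr.encode()).hexdigest() if hashed else addr
            suppressed.add(key)
    return suppressed


def filter_send_list(recipients, suppression: set, hashed: bool = False) -> list:
    """Return only the recipients who are NOT on the suppression file."""
    allowed = []
    for recipient in recipients:
        key = normalize(recipient)
        if hashed:
            key = hashlib.sha256(key.encode()).hexdigest()
        if key not in suppression:
            allowed.append(recipient)
    return allowed
```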

  • If you'd like hands-on support in understanding how to use this new feature, or how to create your own Suppression file to share with affiliates or other marketing partners, please contact E-business Coach's support team. This opportunity / responsibility can become a core business process for your company.