Thursday, April 30, 2009

iCongo Implements New eCommerce Site

iCongo, Inc., a Montreal-based provider of eCommerce and cross-channel systems, has announced that Lecavalier Auto Parts has gone live with the world’s first online retail site for recycled auto parts using iCongo’s eCommerce platform, described as a "million dollar collaborative effort."

iCongo’s eCommerce platform equips Lecavalier with a full-featured, branded online storefront, complete with order management and fulfillment functionality for customers to place parts orders, obtain detailed and up-to-date product and order information, and receive enhanced customer service –– including the scheduling of parts installations through Lecavalier’s certified shops and special tools for insurance companies, which are the largest consumers of recycled parts.

Risk-based PCI Assessment?

David Taylor, founder of the PCI Knowledgebase, Research Director of the PCI Alliance and a former eCommerce and Security analyst with Gartner, writes in a guest editorial in StoreFront Backtalk that the "grading system" used for PCI-compliance is counterproductive and unrealistic.

"PCI Assessments – whether self-assessments or assessments by QSAs – are generally regarded as being valid only for a point in time. But when is that point in time? Is it the day the ROC or SAQ is signed by the assessor merchant, or the day the assessment has been signed off on by the acquirer, or the day that the ROC or SAQ is reviewed and approved by the card network(s)?

"How does a retailer know when that point in time ends? The technical complexity of the controls is inconsistent with the grading system that requires 100 percent to be compliant. Great standard. Bad grading system.

"Thanks to the grading system, and the fact that many of the PCI controls are 'volatile' and can be made ineffective by simple configuration or rule changes, this technically means that an organization may never actually be PCI compliant. That’s because, for a typical Level 1 merchant, an assessment will take more than a month, sometimes several months. Thus, it is very possible that between the time the first controls were tested and the time the last controls were tested, changes were made to the first controls such that they are no longer 100 percent compliant."

The grading system also encourages merchants to shop around for "easy" assessors. "It’s not that these merchants don’t want to be secure. It’s just that they object to being held to a standard where they have to score 100 percent to pass, and get fined if they don’t achieve it. Again: great standard, bad grading system."

Click HERE to read about "risk-based" PCI assessment.

Wednesday, April 29, 2009

Combatting eCommerce Fraud

The Merchant Risk Council (MRC), a merchant-led trade association focused on electronic commerce risk and payments globally, today announced that Tom Donlea, MRC Executive Director, will moderate the session "What Every Loss Prevention/Risk Manager Must Know in Today’s Economy" as part of the National Retail Federation’s Loss Prevention Conference & EXPO in Los Angeles this June.

Donlea will lead an active panel of fraud experts from Apple, Inc. and Staples, Inc. The panel will discuss the most recent advancements that merchants have gained in fraud prevention, as well as highlight the top tips every multi-channel retailer needs to consider in minimizing risk.

The panelists for this session are veteran MRC members who will be providing attendees with real-world experiences, tips and tricks for combating e-Commerce fraud, including:
- How to continuously improve your fraud/risk management system
- The value of effectively managing and disputing chargebacks
- The importance and impact of reporting fraud to law enforcement agencies
- How payments can impact your particular e-Commerce business model (both good and bad)

FTC Weighs In on Behavioral Advertising

The current issue of Target Marketing magazine notes that:

"The Federal Trade Commission recently released self-regulatory guidelines on online behavioral advertising. Here are some of the highlights of what the FTC said marketers should abide by:

• Transparency and Consumer Control: Every site that collects data for behavioral advertising should provide a clear, concise, consumer-friendly and prominent statement. This statement should inform consumers that data is being collected for use in providing them with advertising about products and services tailored to their interests, and that consumers have a choice about whether their information is collected for behavioral advertising. Lastly, the FTC encouraged marketers to develop alternative methods—not necessarily just Web site-based policy statements—for providing disclosure and choice.
. . .
• Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for Behavioral Advertising: While the FTC expressed support for developing standards that define the term 'sensitive data,' the agency did state that the principle of affirmative express consent be applied to any use of sensitive data for behavioral advertising. Alternately, the commission states such data be prohibited from behavioral advertising uses."

The article goes on to note that "On the industry trade association side, the Direct Marketing Association, Interactive Advertising Bureau, American Association of Advertising Agencies, Association of National Advertisers and Better Business Bureau are working jointly on additional and forthcoming self-regulatory standards."

In the heyday of database marketing prior to the Internet (circa 1985 - 1995), behavioral advertising was a given -- but as an industry technique, not a subject of public discussion. The only question was how best to model, crunch, interpret and act on the data. Of course, with the advent of today's Internet marketing environment, the entire subject is much more fraught with privacy issues, which are themselves a fraught topic.

I agree with the article's conclusion: "the reality is that the new data-driven market shift will require us to respond with reasonable and sound privacy/security safeguards that take into account a self-regulatory landscape that must evolve as new channels and new business models continue to grow in the still-infant interactive age." In short, transparency and consumer-centric decision-making are the high road going forward. Nothing revolutionary there... except that many companies find that adhering to such standards is more difficult than it appears.

Tuesday, April 28, 2009 Acquires Solid Cactus, a provider of online marketing for small businesses, has announced that it has acquired substantially all of the assets and select liabilities of privately-held Solid Cactus, an eCommerce site builder and solutions provider, including call center/order taking services.

The acquisition of Solid Cactus enhances's strategic position as a comprehensive, "one-stop" resource for small and medium-sized businesses seeking online marketing and eCommerce solutions.

Friday, April 24, 2009

Datamann Becomes Morse Data Reseller

Datamann, Inc., a provider of integrated data management solutions for multi-channel marketers and the MOSP order management solution, and Morse Data Corporation, a provider of enterprise management systems for multi-channel merchants, third-party fulfillment companies and publishers, have announced that Datamann has become an authorized reseller of Morse Data’s InOrder enterprise management software.

Datamann will make InOrder available to smaller companies and offer users of Datamann’s legacy MOSP (Mail Order Software Plus) order management solution an upgrade path to SQL-based order management solution. Additionally, because Datamann is also an authorized reseller of Radiant Systems CounterPoint point-of-sale (POS) software, Datamann will integrate CounterPoint SQL’s functionality with that of InOrder for InOrder users who wish to expand their retail operations.

Datamann Co-Owner and Chief Operating Officer William Mann said the Datamann-Morse Data partnership gives his company new ways to help businesses grow. “For example,” Mann said, “when InOrder catalog and e-commerce customers wish to add retail operations, we’ll integrate the point-of-sale capabilities of CounterPoint software with the catalog fulfillment, phone order management and website functionality of InOrder software. And as our customers wish to migrate from MOSP to a Windows-based solution and all the benefits that come with using a SQL database, we can provide a seamless upgrade to InOrder. It’s a great combination to please customers and control costs.”

Morse Data Founder and Chief Executive Officer James Morse said the agreement with Datamann is a win-win solution for all parties. “We welcome the opportunity to serve Datamann’s MOSP and CounterPoint customers,” Morse said. “InOrder offers Datamann’s customers a contemporary software solution while allowing them to be converted, implemented and supported by the Datamann team, with whom they are comfortable and familiar,” Morse said. “In addition, in the past we have had a size threshold for the companies we could serve. Datamann is reducing that threshold to only four or five users, making it possible for small businesses to obtain the enterprise management software they need to grow.”

To assist Datamann in the early stages of the relationship, Morse Data is sharing the management of data conversion, implementation and training for Datamann’s InOrder customers. Ultimately, Datamann will manage all phases of the sales, deployment and configuration process, including ongoing customer support.

Thursday, April 09, 2009

Abison Passes PA-DSS Compliance

Abison Comprehensive Commerce Suite is the first direct commerce solution to be included on the official list of Payment Application Data Security Standard (PA-DSS) of "Verified Payment Applications" that have met all the PA-DSS security standards.

Vendors have until July 1, 2010 to be compliant. For further information, see material at the Guide to Direct Commerce Systems and Services site.

Tuesday, April 07, 2009

Who Owns Hosted Web Analytics Data?

Intelligent Enterprise, April 6, 2009, features an article entitled
Do You Really Own Your Web Analytics Data?

An excerpt -- and I suggest you consult the whole thing:

Hosted service contracts may say the data is yours... technically. But can you get at the raw information, for how long and what about privacy? Consider these access, usage, retention and disposition concerns.

Your Web site analytics solution generates a lot of data, potentially gigabytes a day if you run one or more busy sites. But who really owns all that rich data? It's a complex issue that often gets overlooked during Web analytics vendor selection and contract negotiations. As more customers turn to SaaS-based solutions (where the vendor stores your traffic data) and as Google and Yahoo continue to broaden this marketplace with their free hosted analytics offerings, the question of data ownership becomes increasingly germane.

Unfortunately many analysts and Web managers we encounter at large enterprises either don't read or don't have access to their vendor service terms, and they generally don't ask about data ownership during the vendor evaluation process. Most Web analytics customers just assume that they fully own their Web analytics data and are just granting a limited license to the vendor to generate reports. Depending on what "full ownership" means to you, that may not be totally true.

PRIAM Adds New eCommerce User

PRIAM, Rubgy, England, vendor of multi-channel order management solutions, has announced the Royal Life Saving Society ( as the latest eCommerce site powered by PRIAM.

PRIAM notes that the feature set for its eCommerce platform goes further than a basic solution, supporting browsing order history, "sticky" (persistent) shopping carts, upselling functions, complext discounts and offers, address verification, loyalty schemes, vouchers, personalization, a gift registry, workflow management for customer communications, and advanced site search options.

Sunday, April 05, 2009

Congress, Retailers Slam PCI Standards reports that "In security breach cases last year, such as Hannaford Bros. supermarket and the card processing firm Heartland Payment Systems, the cybercriminals who gained access to millions of consumers' credit card details haven't been--and may never be--identified or prosecuted."

Accordingly, in a hearing last week, the House of Representative's Committee on Homeland Security took aim at credit card companies like Visa and MasterCard, which are responsible for creating and enforcing the Payment Card Industry (PCI) standards that failed to prevent those breaches.

"Given that both Hannaford and Heartland had complied with PCI rules, the congressional panel turned the spotlight on the credit card companies, arguing that their security measures need to be redesigned or supplemented with federal laws--a potential crackdown that could require changes on the part of both retailers and financial services companies."

"'I don't believe that PCI standards are worthless,' said Rep. Yvette Clark, D-N.Y., who led the hearing. 'But I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure. It is not.'"

"Clark called for changes to the standards that included better encryption of data, more frequent updates to the rules to keep up with constantly shifting cybercriminal tactics and new technologies for preventing identity theft like 'chip and PIN' cards--a system currently used in Britain that checks personal identification numbers against a tiny microchip in the card itself.

"Behind those recommendations loomed the threat of legislation. Rep. Bennie Thompson, D-Miss., the Homeland Security Committee's chairman, suggested that the PCI rules were written by card companies to shift blame to retailers and partners rather than actually preventing cybercrime.

At last week's hearing, retailers offered their own criticisms of those standards. Michael Jones, the chief information officer at the retail company Michael's, testified that the PCI rules were "expensive to implement, confusing to comply with and ultimately subjective both in their interpretation and their enforcement."

He argued that the rules were sloppily written and designed to shield card companies from blame. In some cases, he said, card companies required retailers to store more credit card information than was necessary, increasing the risk of data theft. He also pointed to financial services firms that aren't prepared to deal with encrypted transaction data, forcing retailers to send the transactions unencrypted and exposed to potential data thieves.

Representatives from the payment card industry countered that more stringent rules and new technological requirements could be costly for small merchants. "Encryption is an expensive proposition," argued Robert Russo, director of the PCI's Data Security Standards Council. "If we make this mandatory in the standard, there are a number of merchants that will not be able to afford this immediately."

NetSuite Multichannel Retail Suite

NetSuite Inc., a supplier of on-demand, integrated business management software suites for the mid-market enterprise and divisions of large companies, has announced NetSuite Multi-Channel Retail Management Suite, a new vertical suite for retailers in North America.

The new package allows companies to use one on-demand retail software solution to manage multiple locations with a complex point of sale (POS) system, seamlessly integrate new or existing Ecommerce operations, provide hig-level customer experience across all channels, and gain real-time visibility and business intelligence across the company. These capabilities enable the ability to gain visibility across an organization's complete processes for inventory management, orders, customers, accounting, marketing, POS, and customer support across all channels.
Web Analytics