The Reality of E-Commerce

Who can forget the Dot-Com Bubble? Brand new start-up companies with a plan to sell things over the Internet suddenly had market valuations of billions of dollars. According to the “Story”, conventional brick-and-mortar retailing was going to disappear, and we’d all buy and sell everything electronically.

The amount of activity in the “E-” space was spectacular — new companies went public; already public companies (some nothing more than static shells) scrambled to create or acquire an e-play story to catch the wave. Even individuals started small e-commerce web-sites, lured by the idea of the millions of surfing shoppers with money burning a hole in their pockets.

Of course, it didn’t quite work out this way. The Bubble became a Bomb; a few made a lot of money on the speculation, while most lost (funny how that worked out). Of the hundreds of companies which were in the game at the peek of the boom (early 2000), only a few survive now.

Why? Two main reasons. First, E-Commerce is extremely hard to do properly (read: securely). Secondly, in the publics mind there is still an understandable fear in entering one’s credit card details into a web-form.

The security requirements for an Internet based business goes far beyond that needed for simple web and e-mail access. The Internet is a dangerous place, and an e-commerce site is going to be high on the list of compromise targets. Many stories have come out over the years of sites being compromised, and thousands of customer credit card details being stolen. And there have been many more compromises than publicly acknowledged.

A secure Internet site is not something which can be set up easily by a small organization. As an example, I recently designed and implemented the security posture for a bank here in Barbados in preparation of their offering Internet based e-Banking.

The solution involved a dozen separate Linux based machines, of which six were configured as firewalls, and the rest as Intrusion Detection and Proxy devices. Heavy compartmentalization — extensive monitoring. The solution was then reviewed by way of a Penetration Test by an independent “White-hat Cracker” team.

Clearly, running an e-commerce site involves a serious commitment of both infrastructure and technical staff (or partnering with an e-commerce hosting service). The dream of setting up a site and then sitting back and watch the orders roll in is unrealistic. I’ve counseled individuals and organizations for years that running an e-business is as hard, or harder, than running a regular business.

Let’s next look at the customer side of the situation. First, there’s the issue of trust — an individual is likely going to be hesitant to give some unknown company their credit card information to purchase a product, regardless of how much of a discount they’re getting. This is one reason why traditional retailers (e.g. Dell, Lands’ End) are a high percentage of the surviving e-commerce sites.

Additionally, the fear of entering credit details into a web form is not at all irrational. In addition to the risk of the remote site being compromised, there’s also the possibility of the user’s own machine leaking this information. Even though the form may be “secured” by way of HTTPS (secure HTTP), several new Windows worms can intercept the information as the user enters it into their browser.

Lastly, let’s not forget one of the great things about the Internet: Search. When someone is looking to purchase something, most will go to Google or another search engine, and will find the lowest price available. Thus, unless the e-seller has unique products, they will be faced with pricing pressure from everyone else.

As a result of all of this, Business to Consumer (B2C) operations are growing at a much slower rate than (irrationally) expected back in the Bubble days, with large, technically sophisticated companies being the strongest players.

This is not to say that smaller operations cannot be successful — simply that it’s a lot harder to do than many would have you believe. My advise to anyone considering an e-commerce play is to run with an adjunct to a traditional business, and retain some seriously paranoid security talent.

Oh, and one last but very important point which far too many sites miss: never, ever, ever, store the customer’s credit card information on the e-commerce server. As soon as it’s received, the details should be encrypted using a public key before being written to disk. Then, as soon as possible, transfer this information to another machine in a separate firewall zone.

Few e-commerce sites win repeat business after having to notify customers that their sensitive information was stolen. In some jurisdictions, such situations also results in immediate monetary penalties. From every point of view, a security compromise is a Very Bad Thing. Either manage the risk, or don’t take it on.

Published in the Victoria Business Examiner.