Is your ecommerce site ready for the new PCI Data Security Standards?

If you process card payments, read on…

In April 2015, the PCI Security Standards Council released version 3.1 of its “Requirements and Security Assessment” procedures.

The new document, which has outlined the minimum security standards for online stores since 2008, will be familiar to any ecommerce business processing card payments via their website.

In the aftermath of recent SSL vulnerabilities, mainly the BEAST and CRIME exploits, the way in which your server processes HTTPS requests is now under scrutiny.

The good ol’ trusty lock symbol you see in your browser’s address bar when you access a secure page is no longer an indication your data is encrypted to the new PCI standards.

I have an SSL certificate, does this still affect me?

Yes.

When you visit a “secure” page on the internet using HTTPS, the method in which the data you send and receive is encrypted will depend on your operating system, and browser.

If you’re using the most up-to-date version of Google Chrome, then most likely your request uses the secure TLSv1.2 protocol. However, if you’re using an older version of Opera or Internet Explorer, you may be using a potentially weaker protocol such as SSLv2.

What’s new in PCI 3.1?

The latest round of requirements in the PCI DSS document states the following:

SSL and early TLS are not considered strong cryptography and cannot be used as a security control after 30th June, 2016.

The SSLv2, SSLv3 and TLSv1.0 protocols are all now considered non-compliant, and if your site is subject to a regular PCI DSS scan, and you still support these protocols, you will see these issues being raised very soon.

How the browsers stack up

Internet Explorer breaks the internet. Again.

What’s most worrying about the new standards is how far behind browser support is for the new PCI compliant protocols.

At some point soon, you’re going to have to make a very difficult decision: Do I comply with the PCI guidelines even if this means losing customers who use older browsers?

Quite simply, by disabling TLSv1.0, any customers using one of the following browsers would not be able to access the secure pages of your website:

| Browser | Oldest version not to support TLSv1.1 |
| --- | --- |
| Google Chrome | 22.00 |
| Google Android OS Browser | Android 5.0 |
| Mozilla Firefox | 24.00 |
| Microsoft Internet Explorer | 10.00 |
| Microsoft Internet Explorer Mobile | 10.00 Mobile |
| Opera | 9.00 |
| Apple Safari | 7.00 |
| Apple Safari mobile | iOS 5 |

That’s right folks, to remain PCI compliant, users on browsers as late as Internet Explorer 10 will no longer be able to access your site. Eeek!

How to disable non-PCI protocols

If you’re not on managed hosting, configuring your webserver to only accept TLSv1.1 or above is quite straightforward. On Apache 2.4, for example, simply remove unwanted protocols using the ‘-’ option in your config directive:

SSLProtocol All -SSLv2 -SSLv3 -TLSv1
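
To check a config before your next scan, the following added example (not part of the original post) resolves each SSLProtocol line to the protocols it leaves enabled and flags SSLv2, SSLv3 and TLSv1. The function names and sample config are made up for illustration, the token handling is a model of Apache's behaviour rather than its own code, and "All" is assumed to mean every protocol a build might offer.

```python
import re

# Protocols the post lists as non-compliant under PCI DSS 3.1.
NON_COMPLIANT = {"SSLv2", "SSLv3", "TLSv1"}
KNOWN = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Assumption: "all" expands to everything except SSLv2 (worst-case reading).
ALL = KNOWN - {"SSLv2"}
CANON = {p.lower(): p for p in KNOWN}
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def effective_protocols(args):
    """Resolve the arguments of one SSLProtocol directive to a protocol set."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        key = (token[1:] if action else token).lower()
        if key == "all":
            group = set(ALL)
        elif key in CANON:
            group = {CANON[key]}
        else:
            raise ValueError(f"unknown protocol token: {token!r}")
        if action == "-":
            enabled -= group
        elif action == "+":
            enabled |= group
        else:
            # An unprefixed token replaces whatever was set before it,
            # so "-TLSv1 all" re-enables TLSv1. Order matters.
            enabled = group
    return enabled


def audit(config_text):
    """Return (line number, directive arguments, weak protocols left on)."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line)  # commented-out lines never match
        if match:
            weak = sorted(effective_protocols(match.group(1)) & NON_COMPLIANT)
            findings.append((lineno, match.group(1), weak))
    return findings


# Constructed sample config, not taken from a real server.
SAMPLE = """\
# SSLProtocol All
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1
</VirtualHost>
<VirtualHost *:9443>
    SSLProtocol -TLSv1 -SSLv3 all
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, args, weak in audit(SAMPLE):
        status = "non-compliant: " + ", ".join(weak) if weak else "ok"
        print(f"line {lineno}: SSLProtocol {args} -> {status}")
```

A static check like this only covers the config file; the SSL Labs test mentioned below confirms what the live server actually negotiates.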

We hope this helps! If you’re unsure of your website’s current setup and whether you might be falling foul of the new PCI guidelines, try the handy tool over at SSL Labs.

CC Images by Perspecsys Photos and Andreas Åkre Solberg


Auto-publish blog posts via WordPress

If you’ve already signed up for one of our monthly blog packages and your site is running on WordPress, you can now choose to auto-publish posts.


This nifty new feature relies on the Copify Plugin being installed, version 1.0.3 or higher. Once your blog posts are complete, we’ll give them a proof read, create an engaging title, and publish straight to your blog.


Need something a little different?

As of today, you can also create a completely custom package on your account.

Any number of blogs per week at any word count you desire. From the packages page, go to “Advanced”.

Once saved, your new custom schedule will be available when editing or creating a new blog package.

Happy blogging!


We ♥ IE6

We’re constantly deploying new features to Copify.

Some are small updates that users are unlikely to notice. Others, where changes to the user interface are involved, require a bit more care and attention to make sure things are hunky-dory when it comes to cross-browser compatibility.

Let’s face it – the Internet is a mess. There are so many different browsers and devices, ensuring that your web-app works on all of them can be a bit of a minefield.

Thankfully, most modern browsers play nice, and all render HTML & CSS pretty much the same way.

Oh wait, no. They don’t. Do they, Bill?

Many agencies and web developers have fought hard for a long time to “convert” as many people as possible away from Internet Explorer, and with recent stats on browser usage it looks like it’s not all been in vain.

However, we still have a significant number of visitors using older versions of Internet Explorer (mainly IE6 and IE7) causing us headaches. One of the biggest headaches is testing.

If you’re on a Mac, or running Windows 7, you can’t just download IE6 and see how your site looks. You’re going to need XP.

In this post I’m going to show you how we use a virtual machine to test these older pesky browsers.

All you need is Windows 7 and a few gig disk space going spare.

Ready? You were born ready!

Windows Virtual PC

Head over to Microsoft’s website and download Windows Virtual PC. You don’t need “XP mode” so you can skip this if you like, just make sure that you select the correct version of Virtual PC for your machine and operating system.

Make sure you get the correct version: 32-bit vs 64-bit

Once the download has finished, have a bash at installing. You’ll figure it out.

Windows Virtual PC VHD

Next, you need to download the Windows Virtual disk image to run.

I need to test IE6 and IE7 on Windows XP so I download the package called “Windows_XP_IE6.exe”.

Take the mouse in your hand and click the thing that says “Download”

The disk image comes with Windows XP and IE6, and also the installation files for IE7.

However, once you’ve installed IE7 you can’t run IE6 again. So make a copy of the first image, rename it and use this for IE7.

Make a copy if you need to use both IE6 and IE7 regularly

Fire up Windows Virtual PC

First off, select which image you want to run.

Right click on the Windows XP VMC and enter “Settings”. From here you can choose which image to use. Change the setting for “Hard Disk 1” and browse for your disk image.

Choose which disk image to run

Login issue

As with many Microsoft products, there is some kind of annoying, inexplicable problem with its use. In this case, it’s the fact you are presented with an impenetrable login form.

To get round this, choose “Disable Integration Features”. No idea what this does, but it gets you to a login screen that works!

Disable this to get to the normal login

You can now login with the username “IE User” and the password “Password1”.

Password is case sensitive! Bless.

IE6

You’ve now traveled back in time and are about to experience the wonders of 1990s web browsing. I suggest playing some classic Nineties pop tunes while you test to get the full effect.

OK let’s Brogram this Mother until all the horribleness is gone. Done? Great!

Probably losing £££s because of this, but it’s too funny to care

We’ve made our fixes to ensure IE6 users get the best browsing experience, and we’re now ready to do the same for IE7.

IE7

If you never wish to use IE6 ever again in your life (highly likely) then just run the IE7 install.

Unfortunately for me I may have to revisit good ol’ IE6, so I just reconfigure Virtual Machine to use the image copy I made earlier. I’ve renamed them so I know which is which.

Choose the IE7 image this time

Again, work your magic and fix all the nasty codez with some CSS hacks.

If like us, you’re using Git (What? You’re not using Git? Why not?) this is a good time to commit your changes and wave and scream at your boss, hinting you’ve made your website look great for pensioners and public sector workers across the country.

Commit your changes. Feels good.

Having problems following this guide? Tweet now or forever hold your peace.


A million miles from Silicon Valley

The ultimate in executive transport?

As an internet business here in the UK, it’s easy to feel a little distanced from all the champagne and pop enjoyed over in the USA.

Apparently, while you’re based in The Golden State you can throw together a small, loss making product and within a few months have acquisition offers bigger than Pete Burns’ face.

Before you know it, you’ll be zooming around Palo Alto on a Segway wondering what quirky snack to put in the office vending machine next.

Fearne Cotton – Ruining your mornings since 2003

Back in the room. Look out of the window, it’s raining. In a few days it’ll be July, yet it feels like November. You’re on your third cup of Yorkshire tea. The only thing more distracting than the fluorescent lighting above your desk is the piercing sound of Fearne Cotton’s voice on the radio as she queues up another awful pop song for the 400th time this week.

This is Lancashire. You’re a million miles from Silicon Valley.

Back int’ day, when your business needed to buy some equipment, or had to hire some sales people, you attacked your best pair of Clarks shoes with a tub of Kiwi and headed down to Barclays to meet with bank manager “Graham” for a chunky loan.

Graham doesn’t care about your Instagram-Linkedin mashup

Hang on…I have to pay it back?

Web startup, meet British business culture. Things are different here in Blighty. A black hole in computer science skills and a relatively young industry (10 years ago using your credit card online was pretty much the scariest thing known to man) mean that Graham is going to laugh you out of the door when you pitch him your far-fetched idea of a new “social media portal”.

But there is an alternative. You’ve got a killer idea and your numbers are crunched. You’re itching to launch your startup on a shoestring… here’s how.

Find a partner

If you have all the skills to pay the bills, great, you’re all set. But let’s face it… you don’t.

Good with codez

Every aspect of your new venture is going to require a skill and focus in several areas: sales, marketing, design, programming, hosting, accounting, packaging, ordering pizza at 2am, customer support. The list is pretty big, and at a stretch you can cover 2-3 of these areas really well.

Usually folk are in one of two categories: Commercial or Techie.

Do you like trying your hand at building websites? Obsess over the next bit of cool software that will make your life easier? Spend most of your time on Stackoverflow? You’re probably a Techie.

Good on the blower

Are you good with people? Confident on the telephone? Know exactly how you’re going to work through your list of contacts to grow the business? You’ll be better at the commercials.

Decide which glove fits you best, and find someone to wear the other. This is your new partner.

You now have a basic two person team that can cover almost every area of your business, and if there is still something neither of you can do, one of you learns.

Try to go things alone and you will quickly be overwhelmed, your attention will be spread too thin and you’ll more than likely burn out in a matter of months.

It’s by no means impossible, but working alongside someone offers invaluable support in areas that could take you precious weeks to get up to speed with.

“Never work with friends” is a myth

The reason people say this over and over is that they chose the wrong friend. How could it be worse than working with the wrong stranger?

You might not always get along. Deal with it.

When we launched Copify in 2010, I was already good friends with my new business partner Martin, and we immediately had our first issue. Who’s going to build the site?

Me being the Techie, the responsibility lay with me. But hang on, what the hell are YOU going to do while I build the site?

Well obviously, Martin had no product to begin his side of the work with, you can’t start marketing a half finished product so this in itself could have been the first fall out.

From Martin’s perspective, he had chosen the right partner: I didn’t expect more of a stake or to be awarded somehow for my work while he had nothing to do.

I too had chosen the right partner: Any outside issues which were a distraction from the initial site build were taken care of, not quite as time consuming but equally as important for long term success.

The scenario of “I’m doing more than him/her” is a common pitfall which can mean your startup may never get off the ground.

Get stuck in

Hang in there and take the rough with the smooth. Do you think the late Steve Jobs, who owned a 50% stake in Apple, refused to do a bit more than others every now and again?

No. That’s what made him a great CEO. He rolled his sleeves up and got stuck in. You’re going to have to do this too. Sometimes you’ll have to do more than another Director. Suck it up.

Working with a friend also means you’ll enjoy what you’re doing, you weren’t just in this for the money, right?

We’ve worked hard, too hard sometimes, argued: sometimes intensely, and on occasion may have needed a break from each other. But fuck me have we laughed. We’ve actually cried laughing at times. Working with a friend can be very rewarding.

You don’t have a clue

You’ll go full derp occasionally

Neither did we. It’s OK, it’s normal.

Unless you have successfully run the exact same business model before, you’re about as useful as a ham sandwich at a Bar Mitzvah.

We didn’t know where to get customers, we didn’t know where to get copywriters and we certainly had no idea how to make the idea work financially.

The key to surviving this period is to take small steps based on your common sense, something you’ll need to trust implicitly.

Do you start cold calling potential customers, or work on refining your product? Should we put together an AdWords campaign, or explore some free alternatives first? We’ve got a huge bounce rate on our registration page, do we split test it with another layout or let people signup with Facebook instead?

All these little questions will crop up, all will be unique to your business, nobody has had to make the same judgement call with the exact same factors you are facing, so take advice with a pinch of salt no matter how experienced you think the person is.

You’ll make some small mistakes, and you’ll also make some enormous ones. Keep going, you’re doing it right.

You are not an entrepreneur

You’re just someone who is working hard on something you believe can work, don’t call yourself an “entrepreneur”.

I’m not a one trick pony, I’m a whole field of ponies

People who refer to themselves as this are usually scatty, overloaded with crap ideas, have itchy feet and can’t stick something out.

Also, they are usually financially unsuccessful despite having “a name for themselves”. If you actually look in to their accounts most haven’t made enough money to cover their Chamber of Commerce subscription.

Richard Branson is an entrepreneur. You are most definitely not.

Strike while the iron’s hot

In the first few weeks you will be overwhelmed with limitless enthusiasm. Use and abuse it.

You’ll have super human productivity…for a while

You’ll get a perverse amount of work done in the early stages, you’ll have the energy to work late and start early but recognise when this begins to fade and change your routine to suit.

Take more breaks, work fewer hours. Ask yourself “how much do I want to go to the office today” and when the answer gets below 9/10 take a step back, or mix things up and work on something completely different on your to-do list.

Keep learning

It’s addictive. Get comfortable trying new things, whether it be a new marketing campaign, new price point or a new language or framework. Every month try and learn something new which helps your business grow or reduces cost. Here are some ideas:

• Do some tutorials online and learn how to code an email marketing template, you’ve just saved yourself £100 in outsourcing costs
• Complete your tax return, you’ve just saved on accounting fees
• Learn about version control and help your Techie with small fixes to the website

Or for the Techies:

• Try something creative (like writing a blog post…hello!)
• Go to a networking event while trying not to think about what you’re missing on Reddit
• Try your hand at design or managing a customer account

You’re building your business, but you’re also building YOU as a business person.

Don’t obsess

You’re already an obsessive person. Go on, admit it.

Don’t stop doing your usual stuff

It actually helps to be so, but think of it as a problem that needs to be managed carefully. An obsessive founder can quickly become immersed in their project and end up somewhat blinkered. Clarity of thought begins to disappear faster than Michael Barrymore after a pool party. You listen to other people’s opinions less and less.

Obsessing makes you check your email in the cinema. It makes you login to PayPal under the table at lunch. It makes you think about tomorrow’s big feature release while you’re on a date.

Switch off! What’s the worst that could happen between 18:00 and 08:00?

Don’t abuse the internet

Enjoy the internet by all means, but when you work online most of the day it can become compulsive. Refreshing Hacker News or Imgur every 10 minutes, or having Facebook open all day long isn’t going to land that next big customer.

The internet is fun, but so is crack cocaine. And we all know how that ends. Even go as far as blocking certain sites through your router if you just can’t handle the distraction.

The same goes for email. Do you sit with your email client open ALL day? Stop. Shut Outlook down, and do some work. Nothing is going to land in your inbox in the next 3 hours that requires your immediate attention. If it is that urgent, someone will phone.

Bad PR is better than being squeaky clean

Unless you’re a major label, nobody cares about you. Not even a little bit. Hurts doesn’t it?

So stop trying to please everyone with a faceless, neutral mush of a “brand”, you’re in business now so by default you are going to forge adversaries no matter what you do, no matter how hard you try to be “great at PR”.

You may as well put this to good use.

In our case, we saw it as an easy way to generate traffic, back-links and stir up some hype. Our product is inherently disliked by traditional, pay-through-the-nose pay-by-the-hour copywriters who see us as not only a threat but somehow derogatory to their profession.

Who better to target for a bit of link baiting?

We emailed a few of them asking if they wanted to sign up and hey presto, several contextually relevant back-links from our furious competitors’ blogs.

Granted most of the posts were scathing attacks, some even plain lies, but aside from the envious PageRank we’ve now acquired as a result, a weird thing also happened.

It was obvious we had been purposely inflammatory, but people we’d never met seemed to find this affable and on a few occasions actually defended us! Further still, we actually acquired our first 4 big paying customers directly through a blog post attacking us.

Great PR is hard. Very hard. It’s time consuming, and we were in too much of a hurry to go down that route. So we put on our troll hats and began stirring up trouble… and it worked.

This is a risky approach, and we don’t actually advise you to list “start a fight” at the top of your launch to-dos. The takeaway is don’t lose sleep over bad PR and if people dislike what you’re doing, you’re doing something right!

Be honest with your opinion and share enough of your company’s culture so those who do join your following have a genuine reason to do so. They’ll be much better allies!

Sleep on it

Often an idea will seem so important it’s prioritised unnecessarily, especially after a long day fraught with other issues and problems to fix. Unless business has ground to a halt (or, in our case, your product is offline), sleep on it and review with a clear head.

It’s too easy to knee jerk and change something because of one screaming customer, and when you do this, you’ve possibly made your product a little bit less usable for everyone else.

Don’t be a Facebook douche

There is a big difference between intelligent marketing and begging. Don’t plead with people to “like” or “follow” your company, you come across like a needy girlfriend.

So what, you’ve got 5000 likes from all these irrelevant people when in fact only 4 of them have ever paid for your product, how does that help anything?

The only thing that matters is that your offering is as good as it can be, the likes and follows will come, and they’ll be genuine.

Don’t hire… yet

Because put quite simply, you don’t know who you need. If you’ve been up and running for less than a year, you have no way of knowing what position to fill. At best it’s guesswork, at worst it’s trying to run before you can walk.

For a new web startup knowing what’s going to happen next week is hard to predict, so hiring what right now might seem like the “must have” member of staff could be a costly crippling mistake.

Once you can operate with a skeleton staff of the founders, you’ll have a much better idea of what the company’s needs are. By this stage you should also have enough capital in the bank to be able to afford not only their wage, but your own.

Remain profitable, take baby steps, grow slowly and successfully. After all, you’re not in Silicon Valley…
