In Part I of this article series, we explored the importance of taking into account some of the demands placed on an E-commerce organization. In Part II, we will illuminate some of the initial tactical steps any organization should take toward building a solid E-commerce strategy.  

In terms of strategy and risk management of an E-commerce site, one of the most important steps is to understand what exactly it takes to make the site work. In general terms, this is called an inventory. Defining the pieces that make up an entire E-commerce site allows the organization to take a strategic look at what individual components it has, or needs to have, in order to operate. It also should provide an opportunity to identify components that would help make the site even more successful based on the goals and objectives explored in Part I of this series.  

A generic high-level example of an E-commerce site's inventory may include:

• Consumers
• Products
• The Internet
• Domain Name - Registrar
• Domain Name System - Authoritative
• Web Services
• Web Application/Shopping Cart Application
• Database Services
• Database
• Content
• Merchant/Acquiring Bank
• Payment Gateway
• Payment Processor

Because this is a generic, high-level inventory, various stakeholders may point out aspects of their particular focus that are not represented. For example, someone examining the inventory from a business perspective may point out that marketing isn't listed, and without marketing there wouldn't be any consumers visiting the site. The technical perspective may point out that there isn't any hardware or even a data center listed. The security perspective may point out that there isn't a firewall, SSL certificate or the 200+ other requirements that should be considered for an E-commerce site. All of these points are valid and are meant to show that an organization's E-commerce inventory is unique and should be as broad as possible but appropriate as necessary.  

While the vast majority of the items listed on an inventory will never truly be considered by consumers on a site, the point of the inventory is to capture as much information as possible to formulate a solid E-commerce site strategy. What consumers may notice is the site's ease of use, its accessibility, its performance and its availability, none of which were listed on the inventory. The educated consumer might also pay attention to the privacy or chargeback policy, the 'lock' or 'green bar' image on the browser (Extended Validation), the available payment options, or even the ability to purchase over a mobile device (M-commerce). A well-developed inventory will help guide the strategy that delivers a superior E-commerce experience to the consumer. It will also help to uncover the many areas to consider when building an E-commerce strategy.  

Connect the Inventory to the E-Commerce System's Process  

Once a vetted inventory has been created, as exhaustive as it may be, it's important to understand how all of the pieces work together. This can be accomplished by sitting in the role of the consumer and following the steps they would take to purchase a good or service from your site. While this initially sounds simple, connections between each item on the inventory and the process can become blurred or indirect very quickly, especially if the list is incomplete or overly complex. It's important, however, to carefully connect all the dots between the inventory line items in order to establish an application data flow.

The following sample inventory connects the inventory to the process, and has been categorized into different areas of focus: business, technical, security. It also starts to account for the consumer.  

Business:

Marketing/Sales or other reasons prompt consumer to visit website  

Consumer:

Customer uses their preferred browser or is redirected to E-commerce site The request travels over the Internet (caching name servers/root name servers)  

Technical:

The registered URL is configured to resolve to a Public IP Address through DNS The IP Address resolves to an Internet Service Provider The IP Address request is routed to/through a series of routers The IP Address request is handled by the E-commerce data center The IP Address and port number (80-http/443-https) travel through a series of switches The web service server accepts the request The web application responds with content or sends a request to a database server The database server responds to the web applications request to provide certain information The information travels back to the customer for each request  

Consumer:

The customer views the information The customer makes a decision to continue browsing the site The customer adds an item to the web application/shopping cart The customer continues to the check-out process  

Security:

The customer potentially registers with the E-commerce site The customer potentially provides personal information and/or payment information The payment information is verified and accepted  

Consumer:

The customer receives a confirmation of purchase  

Business:

The customer is billed upon shipment of product  

Compliance: The Next Step  

The next step is to identify what information your E-commerce platform will actually capture, which may introduce compliance requirements.

Compliance needs to be accounted for if sensitive consumer information is transmitted, stored and/or processed through your organization's E-commerce system. Compliance could have an important role in the architecture and security requirements that an E-commerce system must meet. As such, it is extremely important to understand the role an E-commerce system will play in the payment card authorization process. If an E-commerce system processes, stores and/or transmits cardholder information, specifically the primary account number, the Payment Card Industry Data Security Standards (PCI DSS) needs to be understood. Additionally, a strategy for meeting those requirements should be included in the inventory.

For an E-commerce site specifically, there are three ways to meet the PCI DSS requirements. An E-commerce merchant can either:

• use a payment gateway which involves integration with an Application Program Interface (API) to facilitate the transmission of the Primary Account Number with or without the storage of this information;
• an E-commerce system can transmit and store the Primary Account Number; or
• the organization can choose to fully outsource the transmission, storage and/or processing of the compliance-required information.

Ultimately, the route an organization takes to meet the requirements of PCI DSS is a business decision and should be evaluated carefully. Each approach has benefits as well as downfalls that should to be considered.

Just as compliance could play an important role in the architecture of the environment, risks to performance, availability, and scalability need to be considered as well. Information on these risks are covered in "Critical Risk Factors in an E-Commerce Environment," another article in this E-commerce series.