Online PCI Compliance Simplified for Small Business Owners
If you’ve been researching this very much, by now you are probably thinking, “When is someone going to just give me a straight answer about what I need to do?” Ok, that’s exactly what I’ll try to do.
For small business owners that accept payments online, there are special considerations, and some limitations that you must observe in order to be PCI Compliant. I’m assuming that if you read this, you know that you DO have to be compliant if you accept payments online. If you don’t know that yet, then you just need to know that you can be fined by the CC company, or sued by your customers in the event of a breach of security with sensitive credit card or debit card data, and in some cases, if you have been warned, you may be held criminally liable as an accessory. Some companies will tell you they can cancel you for non-compliance even if there is no evidence of theft of data.
There are two basic things you need to do:
1. Make sure the WAY you take payments is compliant.
2. Make sure your policies regarding your site management, site access, and site software are compliant.
We’ll tackle the first item first.
The big thing about accepting payments online is HOW you accept payments. And small business owners are prone to taking shortcuts here, thinking that there are shortcuts that will save them money. The issues are not simple – there’s a lot of technical stuff going on here. I’ll try to simplify it, but may not be able to simplify all of it.
There are three ways that site owners typically choose to accept payments online. I’ll list those, along with the costs, and risks.
1. Collect credit card numbers online, and then process them offline. To be PCI Compliant, you MUST NOT DO THIS! In fact, if your credit card company finds out you are doing this, they’ll slap you hard. The ONLY time you can do this is if you have a third party hosted shopping cart that is PCI Compliant (so you don’t have to bear the burden of it). Don’t assume it is!
This is NOT the least expensive way to do it, and it is terribly risky. You have to store the credit card numbers on your site, and therefore YOU are responsible for all risks associated (even if you use a third party hosted shopping cart). It is expressly forbidden by the PCI Compliance rules unless you meet VERY stringent security standards. You can’t. They are too expensive. Think a couple hundred thousand dollars.
If you are collecting credit card numbers online, and processing them (or handing them to someone else for processing, such as a direct sales parent company), STOP. Immediately. To continue to do so is an unacceptable risk, with potential civil, or even criminal penalties if someone else gets hold of those numbers.
If you have a website where numbers are passed to a gateway (Authorize.net, PayPal Pro, etc), then check to make sure that a “store credit card numbers on server” setting is NOT set to ON, ANYWHERE in the site configuration, because if it is, you may be accidentally doing this when you did not mean to.
2. Use a standard gateway, such as Authorize.net, PayPal Pro, LinkPoint, etc. This option is less risky, and less costly than option #1, but it does have ONE major requirement to it that makes it become costly. You MUST pass quarterly security scans. And those scans will cost you at least $350 per year. This option will not be affordable for most small businesses, in part because of the cost of the scans, in part because of the security enhancements that the scans will tell you that you need.
This option requires PCI Compliant Hosting, a PCI Compliant shopping cart (no, CRE 6.4 does not qualify), and PCI Compliant SSL. These enhancements will prove too expensive for most small businesses.
In this option, credit card numbers are COLLECTED by your cart, then PASSED to the gateway where they are processed. So you are responsible to ensure that the COLLECTION and PASSING processes are secure.
3. Use a hosted gateway service to process payments. This is similar to Option 2, in that it plugs into your shopping cart to accept payments, with one HUGE difference. That is, ALL collection, and processing, take place on the service provider’s site. Your cart is then required to meet reasonable security standards (to keep someone from diverting the traffic to a fraudulent site), but that is all. And MOST carts already have the goal of maintaining that kind of standard security measure.
In this kind of setup, the visitor adds items to the cart, hits checkout, and after reviewing shipping information, is taken to the processor website to finish the transaction. Only the CART CONTENTS are passed to the processor, NOT the financial data, presenting MUCH lower risks.
This kind of system includes the following processors:
- PayPal Standard – when the order is placed, the shopper leaves your site, and goes to PayPal’s website to complete the transaction.
- Authorize.net SIM – Be careful here! Authorize.net has TWO ways that it can be set up – one that falls under the process of option #2, and one that qualifies here. The shopper MUST leave your site before entering in ANY credit card data to fit in this category of risk and cost.
- YourPay Connect – Again, be careful! This service can be set up more than one way. But it CAN be set up to accept payments on THEIR site instead of yours.
- Google Checkout – Takes the visitor to Google’s site to make the payments. NOT RECOMMENDED. Google collects AND USES information regarding your sales, and it DOES affect your site traffic (that is what they are all about). I won’t use this, they really don’t need to be THAT INVOLVED with my business.
- 2CheckOut – Also takes the shopper off of your site to make the payments. Reputation is questionable, this service is used by a lot of scammers.
- Any other system that takes the shopper OFF your website before any credit card information is entered in.
- This is what CRE 6.4 does, and the category it falls into, it just does not allow you any other choice but their proprietary gateway for transaction processing.
Basically, what you are doing here, is OUTSOURCING the PCI Compliance. You are taking the worst of the headache and letting someone else handle it. Not a bad option. Credit card companies will then typically remove the requirement for quarterly scans, and require only that you fill out a form each year, IF that. If you use only PayPal Standard, or 2Checkout (or a few other all in one systems), you won’t even be required to fill that out.
When you hand the headache back to the credit card company, they can NEVER penalize you on that portion of PCI compliance, because it is THEIR headache, not yours.
Drawbacks may be that the site feel changes when they go to the payment processor. This is a common thing though, and generally does not significantly impact sales for small businesses (the equation may be different for big ones). Most systems of this kind (including PayPal) have the ability for you to brand your processor pages with your logo, and to choose between two or more layout options.
If you use this option, we recommend turning it to your advantage – state in your Privacy Policy that payments are not processed on your website, and that it is to protect the sensitive financial information of the shopper. Turn the disadvantage to an advantage.
So, those are your three options, and the rough idea of what is involved in achieving PCI compliance with your shopping cart. There are several other factors which you must also be aware of, to be fully compliant, and they involve things besides just how your cart is set up.
1. Choose software that is updated regularly, and that is not inherently risky. Avoid Resale Rights software for ANY kind of cart functions (TERRIBLY risky!), and avoid creating a shopping cart in FrontPage (it is outdated, and the code it produces is vulnerable), or Dreamweaver (for the same reason). The more popular Open Source carts are usually acceptable, though we cannot recommend OSCommerce or other dinosaurs.
2. You must ensure that security updates are done for your software. Generally this means having a policy to check for and install updates, or contracting this out.
3. You must have a policy for your business that minimizes risks. This policy should include two important elements:
- Avoid sharing site or financial data access with anyone unless there is truly a need, and they are trusted. In other words, don’t be careless with passwords and information.
- Don’t share passwords. Set up individual accounts for anyone who does need access to private information or to the site structure. This allows you to delete users if they leave your employ – very important if they leave with less than positive feelings.
It comes down to minimizing the risks where you can minimize the risks.
Much of it is common sense. Meeting the requirements need not be hard. The simplest strategy is this:
- Choose website software that is reasonably safe.
- Use PayPal Standard (or Authorize.net SIM or YourPay Connect if you are in a high end market that does not respond well to PayPal).
- Keep your website software up to date.
- Don’t share passwords, and limit site or hosting access to necessary personnel.
Those four items will pretty much address the need for very small businesses to be PCI Compliant.
Now, there are people who will tell you to get around all this by just having people phone in orders, and take the CC data over the phone. Not only will this pretty much make having a website useless, but this is MORE of a risk, not less, and the Credit Card companies require you to have a PCI Compliant policy for THAT as well.
This consists of security for handling of the CC data. It cannot be written down and left lying around. It cannot be written down by hand, or on a computer, and stored insecurely. Companies that DO this regularly have a secure software program and a payment gateway in that, OR they manually enter numbers into a terminal, so the numbers are NEVER stored in their facilities. They may store a name and last 4, but any storage of data must be secured, no matter WHERE it is.
So even if you don’t want to deal with an online cart, a merchant account demands certain standards of compliance.
If you have needs that dictate functioning beyond the payment options listed, then you will require a fairly high budget to meet them. That is the reality.
But by following these standards, and simplifying your processes, you can meet the need for compliance without additional expense. The expense and demands will only become prohibitive if you move outside the simpler payment options.
DISCLAIMER: This is my interpretation of the basic requirements. There are those who may disagree with my interpretation of it. Your merchant account provider is the final arbiter of precisely what is acceptable and what is not. If I have made any errors in my interpretations, I invite those with superior knowledge to correct me. I will correct and print any validated information which is other than what I have printed here.
CRE Did It Again
CRE Loaded just released version 6.4. They are selling 6.4 as a “PCI Compliant Shopping Cart”. They are claiming that there is no extra charge to implement the change. Both of these claims are false at heart. I know, I just threw down the gauntlet, but my statements are factual.
They didn’t make CRE PCI Compliant at all! They just avoided the issue in the same way that many other small businesses have already been doing. Their solution lacks originality, and is nothing new in concept. The software is not any more compliant than the previous version. It is still buggy, the same potential vulnerabilities exist. It is no more secure than any other Open Source shopping cart.
All they did is create a third party gateway service, and a wrapper. They achieved PCI Compliance by moving it OUTSIDE the cart. So it isn’t the cart that is compliant at all! And to reach their claims, you have to use THEIR service.
You can do the same thing using PayPal Standard, Authorize.net SIM, YourPay Connect, Google Checkout, 2Checkout, or dozens of other services, and if you use them, your cart is already just as compliant as 6.4 can be. And this is true of Zen Cart, OSCommerce, CubeCart, X-Cart, Magento, PrestaShop, and every other Open Source Shopping cart!
They are touting this as a revolution, when it isn’t even an evolution that offers anything worth getting excited about. The wrapper technology is the only new aspect, and even that isn’t that much of an improvement over existing solutions which DO allow you to coordinate branding (CRE implies that they don’t in their marketing).
That is deception number one.
The second deception they are perpetrating is “free”. They claim the service is free. But when you read the fine print, there are (obscure) indicators that put the lie to that claim. Things like “free when you use one of our merchant account partners”, or “save $69 to $149 per year over the cost of PCI scanning services”. PCI scanning services cost between $350 and $800 per year. Hmmm…. Seems that there’s too big a gap between those numbers to qualify as “free”.
In the same breath, they say that you can use it with your existing merchant account (conveniently leaving out any mention of fees). But they do not say you can use it with your existing GATEWAY, because they are replacing it. And that is all that they have done. They have created a GATEWAY service. They claim they have put a vast amount of money into the system, but what they put the money into was the integration of the service into the cart, and the creation of the wrapper system.
The sales pages for the gateway (CRESecure) do not have a chart of fees, they do not have terms and conditions where you can review them, they have no options but to sign up. This means many people are going to be in for a nasty shock when they get far enough into the signup process to read the fine print – or perhaps CRE is hoping they WON’T read the fine print until they get the bill! The wording on the pages makes it obvious that someone went to a great deal of trouble to cloak the hidden costs and to make it appear to be something other than what it is.
There is no way to compare options – instead they wish to make it appear that there ARE no other options. If theirs really is best, why don’t they allow you to freely access the information you need so that you can make an informed choice? Do they really think that forcing people into a situation where they have to make a blind choice is the best way to maintain customer satisfaction?
The service is now so tightly integrated into the cart that the new version of the cart does not even offer you the option of NOT using it for a new install. This means that CRE has gone the route of attempting to FORCE people to contract a service from them in order to use their cart. Now, I’m sure they will tell you that you can still use the cart WITHOUT using their service. But they have gone to great lengths to make it appear that you cannot, or should not! And the install process is replete with dire warnings if you don’t!
Their current marketing of the cart consists of misleading statements with the goal of scaring you into using their solution. If you question them, they show you the PCI compliance documents (confusing and intimidating to the average site owner), and make it appear that you have only TWO choices to achieve PCI compliance – use their service, or spend thousands of dollars to do it on your own.
The fact is, you can use one of the existing services (PayPal Standard, Authorize.net SIM, 2Checkout, YourPay Connect, Google Checkout) and achieve the same level of compliance – ANY established and reputable payment service which processes the credit cards on THEIR site instead of within your cart achieves the same degree of compliance as the CRESecure system.
They have promoted this in a dishonest fashion. Call it what they like, and twist it how they wish, it is still dishonest, and misleading, and it creates a dependency between the cart and the company’s services that is unacceptable for small business owners who need full ownership control of their websites.
Get honest, CRE! Growth doesn’t come from forcing people to do it your way. It comes from openly and freely offering CHOICES, and in being up front and honest about what those choices REALLY are.
It really does make one weary. Because it seems that each new version comes with the same longstanding issues, and new layers of what was a bad idea last time. You can explain, complain, and question, and they still doggedly stick to their unsustainable and unwise course. The problems don’t get fixed, because the philosophies never change.
Update on eFront – A Student Speaks
I asked my friend and associate, Kerry Crawford, of WhoMadeYourSite.com, to run a test on the student interface in eFront. This is her commentary:
Here is me trying to get to a lesson in a course.
1. Took a minute to work out how to register. The button says “I don’t have an account” rather than something like “No account yet? Register here for site access.” A small thing but may confuse some people.
2. Once I was in, I got a green checkmark with “You have registered successfully”. Should also say something about now that you’re registered, please choose your course from the list below and add it to your cart.
3. I really like that you can hover over a course name and get a brief syllabus.
4. If you click on the course title you get an add button with a price. This is good – assuming there is an instruction added to choose your courses and add them. Do not like the course topics are listed here because when you click on one you get an add to cart button that makes it appear as though this is something in ADDITION to the main course rather than PART of the course. Also when you click on a course topic and get the add to cart button you also get a list of lesson content items that don’t do anything when you click them. Would like to see topics and lesson content items hidden so all you see is the course title with syllabus on hover and the ability to add it to cart when you click it.
Moving Along…
So I add the free expert certification course to my cart (cart is not obvious – would like to see a cart image or a big YOUR CART or something) and then I click Continue. I get taken to a page that says Please Log In To Complete Registration (which is a bit confusing considering the green congratulations message I got earlier). Nonetheless, I log in.
I get a blue bar that lists the course I chose and shows a blue Free Registration button. I think I have already registered but okay – I’ll click it. Now I see 2 courses – the first is Marketing Plan – which if I click it I see I can register for $25. The second is my course and all of the 9 topics are listed. Would like to see my course at top and Other Courses You Can Take underneath or to the side.
I click on the first topic in my course – Protecting your domain name. I get a screen that lists sub-topics for that lesson – which it turns out cannot be clicked – and a message saying that I already have the course Website Ownership. Huh.
After some thinking I click on My Lessons on the left – there is no reason to click that because no lessons are listed. But I click it and lo and behold a list of the 9 lessons comes up. I click on the first lesson and the sub-topics come up. I click on the first sub-topic and it opens.
SO if you are very persistent you can get there. But it is illogical to say the least. I like Moodle about a zillion times more than this system. If you don’t like Moodle there has GOT to be something more intuitive than this out there. Yikes!
I am going to try to address these concerns, and hope that I can do so. The other things have not been complete show stoppers. This could be.
I was able to set up the Groups with an access key, and that seemed to work on my test runs, and it was easy to spot – though the name doesn’t really tell someone what it IS. This feature is a big thing for me, because this is the one major thing that eFront offers that none of the other LMS packages even hint at.
So far I’ve not seen much in the way of organizational or layout flexibility, though I’ll dig and see. The lack of helpful documentation for things that people actually DO is getting in the way of knowing what the system IS fully capable of. This is common with Open Source, and we expect it to a certain degree, though a more functional forum search would solve much of that (and not just for eFront).
The Twitter Implosion
No, I’m not talking about Twitter collapsing under its own weight… not literally anyway. I’m talking about the process and change that any popular app goes through, and where Twitter is in the process.
Online, highly popular things seem to go through a process:
1. New and fresh. As such, EASY to get found, if the application is gaining popularity. It is easy to ride the crest of the wave, because you have relatively little competition, and a growing audience base.
2. Commoditization. It becomes common, others start building businesses off the side of it, and people start producing reams of “how to” instructions, touting the benefits, never mentioning that the environment they used to achieve the success is now no longer the same environment because it has grown so much. At this point, everyone is trying to jump on, it becomes a huge fad, and people say good things about it even if they are no longer true, because they are just DOING it, believing that it HAS to be good, not really analyzing the real effect. The company may go corporate at this time, instituting changes that are subtle, but which have major effects.
3. Exploitation. With popularity, comes exploitation. Spam follows any success. And it is not really controllable. As the communities respond to reduce spam, the spammers devise ways to circumvent the limitations. The environment usually ends up being about 10% what you want, and the other 90% trash. During this time, the company may respond to adjust the app to compensate – often doing so kills the spark of originality that made it grow so well in the first place.
4. Implosion. The combination of increased competition, and increased spam and corporate compensation for problems, combine to vastly reduce the effectiveness of the environment. It still grows, but the legit growth actually begins to decline, and the number of people using it in daily life for useful purposes declines. The spam growth continues to escalate, which makes it appear that it is still successful, but close analysis reveals that it is actually declining in real popularity. The big movers and shakers will become bored with it – some will hang on peripherally, maintaining a lackadaisical presence, others will wander off to the next promising thing.
5. Equilibrium or death. Somewhere, after going through all these phases, a state of equilibrium may be reached, where either the spam is controlled enough that a sustained legit user base can be either maintained, or increased slowly, or, the venue gradually declines in legit use and the spammers take over. Alternately, the combination of uncontrolled exploitation, corporate policies which strangle value, and loss of popularity gradually kill the environment. We’ve seen this happen with many online venues and with many marketing tactics. Only some really ever recover from the implosion, and those that do often do so at the expense of the value to the legit users.
I’m not predicting doom and gloom. Nobody knows WHAT Twitter will be after the implosion. But I think that it is either close to this point, or in the middle of it now. With very popular things online, it is inevitable. Facebook has already been hit, and seems to be surviving, though the value is decreased due to the spam attacks and high competition in the venue. LinkedIn hasn’t really hit the Implosion stage yet because it hasn’t really taken off with that rabid popularity. YouTube is surviving it, though with reduced value, and MySpace has passed it and gone into slow decline. Google hit it, and is now in a slow decline, due largely to corporate policy which is strangling the value.
I don’t Twitter. I don’t have time. But if it were not for this impending implosion, I might have decided it was worth my time to try it out. But having watched many venues go through this, I knew that the value was temporary as it was at the time, and that if I neglected to get on board, it would pass, and something else would come along. If you miss out on Twitter, no biggie. There is more to life than Twitter, and something else will come along to replace the hype.
In general, the bigger the faddishness of it, the faster it fades into oblivion after implosion.
And if Twitter is your life, then you need to learn how to live!
eFront Lands in the Hot Seat
I’ve been researching LMS systems. We want a system we can move our training programs into, to make them more automated and publicly available, and to be able to charge for the courses and for software or template packs to accompany the courses.
We require a system that will allow us to automate the billing, control the delivery of the courses, and that allows content creation within the system, and not just attachments. It needed to either have a base template that was not embarrassing, or the ability to easily template it. It absolutely HAD to be an independent solution – I will not use a hosted solution for this. And it needed to be freely distributable, because otherwise it is not sustainable right now for us, or our target market to whom we might recommend it as a potential solution for them.
I’ve researched a LOT of them. Most are clunky, unintuitive, and ugly. Tested several, including Moodle, Atutor, Docebo and Dokeos. Dokeos and eFront were the only two to make it into the finals. Moodle and Atutor were just too clunky, Docebo lacked functionality in key areas for our purpose. Dokeos bombed in the home stretch, unable to integrate with an effective billing system, though it was a serious contender in other areas.
Well, frankly, eFront doesn’t integrate with our billing either. Their instructions SHOW a PayPal module – but they don’t tell you up front that the PayPal module is only in the Education Edition (paid edition).
I chose it anyway, based on the option of a workaround. It allows the creation of user groups, to whom you can assign a course, and then a key code. Users can self-register, and if they have the right key code, can be automatically enrolled into specific courses. A bit of a roundabout way to do it, and a lot of extra work to set up groups for each course, but our Billing manager can issue a specific email for a specific product (also a lot of work to set up specific emails for each course), so we can make it work, and once it is set up, it oughta run fairly smoothly, and do the majority of the delivery work for us. Our billing manager can also deliver software packages or auto-installed companion site structures for specific lesson types, so the student has a practice ground. A definite advantage to this setup.
It is nice when you first get into eFront. Big friendly buttons, color and nice looking. Oh, that the elegance went all the way through. It really wasn’t very well thought out – It has all the earmarks of something that was very simple to begin with, and to which layers of function were added wherever the current programmer thought he could most easily work them in. It feels like planning broke down a few places along the way, or that it was first created and then coding standards and practices changed midway through. It is also obvious that it has been fairly extensively developed though – you don’t get this kind of function without a massive endeavor, so we are not belittling the effort.
It has been a trial figuring out just where to go to do things. The instructions are pretty brief (the only downloadable manual for the free version is a Quickstart manual, which runs through it so fast that it leaves skid marks on your eyeballs, and barely hints at the real process), and there is an assumption that you know what you want to do and what it is called, you just need to know where to do it, or that your idea of how to teach something will match with theirs. The learning curve has been needlessly high.
Yes, I did check the Wiki – it contains the same brief and rather unhelpful info that the Quickstart manual does. That is, it tells you everything you can learn by looking at the backend of the interface, but nothing that you really NEED to know, like what the heck do I do to get the thing to do that, or is there any way around the stupid dual login issue?
I also tried the forums – Gotta love those forums that stop you from searching “common” terms, and which are set to judge “common terms” by the ones that are used frequently on the forum. Hence, “student”, “list”, “course”, “module”, “lesson”, “category”, and any other word of value is blocked from the search. By this time you want to cover your head and scream in frustration.
Let’s see if I can give you a step by step on the process for creating a course, with lessons.
1. Create a category – if you want to categorize anything, you have to create a category to put them in – typical CMS type order here. If you don’t create categories, your courses are thrown helpfully into a default category which is unaccountably titled “Default Direction”…. Huh?!?
2. Create the Course. You select the Courses, click on New Course, and fill in a very simplified form. You save that, and then it shows you an extended form. They expect you to add any needed users here – you HAVE to add a professor. If you don’t, you’ll be limited in what you can do, because unlike most CMS systems and well-thought out systems, the administrator in eFront does NOT have access to everything. So, after you save this, you get thrown to the course list – clicking on the course name brings you back to this extended course form and where you control users and groups for the course.
3. Click a button next to the course name, to fill in details about the course – why this could not be in the extended form that you see right after you create the course, I do not know! Heck, why it could not all be in the New Course form initially, I don’t know!
4. Create a new lesson. Much like creating a course, first the short form, but things are in different places than with the courses. They’ve moved the users from being under the name link, to being under the gear tool icon (which means you are always clicking the wrong button somewhere to find them since it is inconsistent). You have to assign users to this also, they do NOT inherit them from the course, even if you say the lesson can only be accessed through a course and not independently. This time we have more buttons. One to fill in information about the lesson, one to set tools for the lesson. There is no way to set a global default for lessons, so if you wish to use a standard set of tools, you MUST enable them one by one for every lesson. And if you click the wrong area to look for where to change something, there is no graceful way to move from one area to another. You have to back out, and try again.
5. We just did the easy part… from here on out it gets more difficult. You can’t assign a course to a lesson. We now have to go back to the course, open it, and pick the lesson from the list of ALL lessons – and we can see that by the time we get even two or three courses completed we are going to have a VERY VERY long list of lessons with no sort options, and no categorization options.
6. We are now done where we are, even though we have done nothing more than create a framework and shell. The administrator can do nothing more. The administrator has no access to lesson contents. None.
7. We have to go to the front of the site, and login as a Professor. This will log us out as an admin. When we get there, we see that the lesson we set up is there, unless of course, we selected to allow access to it only through a course and we forgot to assign it to a course – in which case it won’t show up, even though the professor HAS been assigned to the course. If that happens, we have to logout, then log back in as admin, dig around to find the right screen to assign the lesson to the course, then logout, then log back in as Professor to continue. By now, I’m thinking that there are some serious usability issues.
8. Next, we get to create content. We click on the name of the course, and get a ton of things to choose from. Choosing the Content button presents us with three choices: Update Unit, Create Unit, Create SubUnit. Assuming that in order to add content one must put it inside a Unit (we now have four layers of structure), I create a unit. I am able to paste info in, but the editor has some bugs and issues. It doesn’t do special characters (though they do create some REALLY interesting effects if you try!), and it seems to be inconsistent about formatting, without the ability to firmly control it.
9. After saving the content, I find that I am stuck in the lesson. The top navigation is no help – the breadcrumbs don’t go all the way to the top, and clicking on Home, takes you back to the beginning ONLY for THAT LESSON. Finally I notice a text link at the bottom of the left column that says “change lesson”. I manage to find my way back to the lesson list.
10. At this point, I probably want to create another lesson for my course. But I’m logged in as a Professor. They can only create lesson content. They cannot create a course, or a lesson. I must logout, and log back in as Admin, and go create the lesson, jump through all those hoops, hope I don’t forget a silly thing buried somewhere that I forgot to look, and then logout, log back in as Professor, and create the lesson content. The limitations of the double login are serious – it means that NO SINGLE USABLE PROCESS can be completed through a single login! You MUST switch back and forth if you want to create the structure and the content. I find this a complete and total time waster, even for larger institutions that want control over some things at an admin and trainer level. It means that if you DO have two levels of management, they always have to be asking the other to do half the work. And if one step is missed on the Admin side, the Professor has to nag them and ask them to fix it before he can do ANYTHING of value. C’mon, who thought THIS was a good idea? And no way to change the permissioning! You are stuck in rigid roles with lines that cannot be crossed, and which make no sense for efficient management. This is VERY close to being a showstopper – and would be if there was any real alternative for the other functions we need.
11. The front of the site also leaves MUCH to be desired. All categories, courses, and lessons default to a standard (big, ugly and cumbersome) nested list which opens up Expanded. Category, Course, Lesson, all strung down the page in an unending list. I can collapse them after I am on the site, but I cannot tell the system to open with them collapsed. I cannot control the ORDER of the items in the list – so I cannot put the first courses first, or order the categories. For students who enroll in more than one course, this is going to create an annoyance REALLY FAST.
12. So after creating my courses, I am logged in as a Student (yes, there is a third login you have to maintain). It takes me several tries to get all the right boxes checked in the backend to see the classes as a student – each time having to switch logins. When it finally shows up, I am happy to see that it has a nice percentage completion box next to the individual lessons.
13. Navigating around the lessons as the student has the same unintuitive issue that the Professor login has – it is not easy to find where to move from lesson to lesson. Students can mark a lesson as complete when they finish it. I do not see a completion bar for a course though – which would really be helpful to track overall progress through a full course. I can also see that there is a serious need to pretty up the lessons – they are, by default, big, plain, and uninspiring, rather like a cow in aspect, though lacking any chewing of cud. Images and colors will be needed in each lesson.
14. You can’t change the student navigation as far as I can see, without hacking the core. NOT GOOD! It is difficult to find where the bits of the lesson are – they are under different buttons. Who’s to know? It is completely unintuitive and inconsistent. It means the student has to explore several areas for each lesson – you can’t have them move through the lesson smoothly from point to point, and then to the test or project. They are compartmentalized in an obscure way. Many dead ends, many confusing areas, or links that take you back somewhere other than where you expected to go, lots of obscure return links that are not clearly labeled. You end up just sort of fishing around over and over trying to get where you want to go, and the navigation keeps changing or disappearing – you go looking for what you want and get thrown somewhere you didn’t mean to go, and it ends up being a dead end with no way back and no way forward. Clicking a Return link can take you anywhere, but not necessarily where you wanted to go. And it isn’t easy to learn either. The rules about what takes you where are so inconsistent that even after messing around with the student area several times, I’m still confused as to how to navigate from lesson to lesson or course to course. I’m not a stupid person, I learn such things faster than average, so if I’m confused about it, there is a serious problem!
15. I had a tester run through the registration and enrollment, to take a course. He could not figure out how to move through the lessons. Again, not good, because you cannot control that workflow. It is what it is. This may end up being a show stopper. If the student has to take lessons on how to take lessons, then the program will be a colossal failure, especially if it is confusing enough that a simple explanation cannot clear things up!
16. My video is not showing up on the front of the site either – it is recognized in the back of the site, but does not play in the front of the site, and there is no link. Just a completely blank page. Will have to troubleshoot that.
Some other issues – the entire thing is coded so that you spend a lot of time watching the Loading message. It times out more frequently than other sites, and it is fairly resource intensive. It runs in shared hosting, but it isn’t happy about it.
The coding also means that if you have a page time out, and hit the Refresh button, it will send you back to the home page for the area you are in, rather than refreshing the screen you were on. It times out often enough that this has been a noticeable annoyance, and the navigation is confusing enough that each time it happens you have to figure out all over again how to get back to where you were.
I seem to be in another situation like I am with CRE Loaded. Being forced to use awkward software, because it is still the only thing that does what I need it to do. The Moodle folks out there will swear that Moodle does it all, but it was more of a hassle than eFront: after you get it installed, you can’t even figure out where to go or what to do to get started, and it requires installing tons of modules just to get basic functionality that I require.
There are some things I like about eFront – It handles prerequisites (albeit awkwardly), and delivers quizzes or tests. It has the capability of delivering certificates, though the templates are absolutely appalling! A black box outline with Arial text in it is NOT sufficient. I’m not sure how flexible their RTF default formatting will be, but I’d be flat out humiliated to use the included templates!
I like the ability to group things in categories and subcategories, it helps me to create a large certification course which is made up of smaller modules that can be paid for independently.
It is easier to figure out than Moodle – I installed this yesterday, and I have the base configuration done, with 50 courses entered, and I am beginning to build lessons, two of which are completed with a third in progress (have to make a video for it). So I think that if I can divide the tasks, and create a completion list for each lesson in the Admin, to batch create lessons in the Admin, then login to the Prof login and batch create lesson content, I may be able to endure the hassle, though I still feel that over time it will be costly in lost time. I’m not sure if I can find a way around the frontend workflow issues.
Most LMS systems right now are either so immature they are not usable for flexible demands, or they are overkill – designed for universities, and not appropriate for a small business that wants to put training courses online to sell. In fact, it seems that this niche (which is a strong growth niche) is completely overlooked, though it is apparent from the forum posts that people are asking for it, and not getting it!
eFront seems to be the best of the lot at the moment, for our purposes, though I do hope long term they do something about the permissions and workflow for creating lessons and courses, and the frontend workflow. If they do, they’ll have an enthusiastic endorsement from us, and it will be added to our list of Top Applications that are recommended to our clients and students.
I will post more on this later as I learn more, and am able to either MAKE it do what is needed, or run into problems which make it unsustainable.
UPDATE NOTE: I need to mention that their forums do receive responses. This is notable in the Open Source world, the developers seem to actually have their ear to the forums, and will respond to rational questions. In this area, they get an enthusiastic vote of approval.
If You’re Thinking 80/20, You’re Wasting Effort
Our company uses the “90/10 rule” instead of the “80/20 rule”. Because we have discovered that if you choose the right 10%, it really does get 90% of the results.
If you are expecting only 80% of the results for 20% of the labor, then you are expending too much effort for too little result. You are doing things that don’t really matter, or doing them inefficiently, or you aren’t really paying attention to what IS getting the results.
We can create a “substantially equivalent” performance in a website, when creating a $5000 site that has to compete with a $50,000 site. You just gotta pick the right stuff, approach it with creativity, and not waste one bit of time, effort, or application. That’s 90% of the results, for just 10% of the cost, time, and effort.
I’ve found this to be true in other areas of life also. There just isn’t enough time in the day to do everything. You have to hit the most important stuff and let the rest go.
It ain’t slacking – and it isn’t doing a sloppy job. In fact, it means giving all you got to that 10%. But the results are so amazing that it really fires you up when you get it working right. Because you can produce so much, and just run circles around the competition.
It works in the home, it works in the office, and it works online.
If you really want to excel and be original, 80/20 just isn’t good enough.
Review of CRE Loaded 6.3 Pro and B2B
Late last fall, I was asked by a representative of CRE to do a review of CRE Loaded 6.3 B2B and Pro. It has taken some time to complete the reviews, due to the need to test out the functions in day to day usage situations. Even with multiple installs of the software running for various clients, we still have not tested everything, but we have tested enough to draw some conclusions and to see where the major changes have occurred.
I am pasting in the entire review here.
Published by
Laura Wheeler
Firelight Web Studio
(a division of Firelight Business Enterprises, Inc)
June 6, 2009
Copyright, 2009
Reprinting of this document is permissible ONLY if the entire document is published. Quotes may be extracted for online publication if a clearly labeled live link to the entire document is published directly below the quote.
CRELoaded Reviews
I have been very vocal about my opinion of the changes in CRELoaded 6.3 Standard, and I’m still a bit confused about why I was asked to review Pro and B2B. My opinion of them is not much gentler than my opinion of Standard, and in some ways, it is harsher, because of the pricing.
It has, in fact, taken MANY months to do this review. Because of a need to use it and actually test out functions in real-life situations. It is impossible to test a cart by looking at it, and most functions are not fully testable until you get them into real shopping demands. That takes time – hence the delay in releasing a useful review.
Even then, it is not comprehensive. There are features we were unable to fully test, because of a lack of demand for them.
I’ve already stated my opinions of the pricing structure, and the feature breakpoints, though I’m fairly certain that they were not read or listened to by anyone who could actually do anything about it.
I am striving in this review to be fair on both positives and negatives. Our clients use various versions of this software, and we depend upon it for some of our core service offerings.
Both Pro and B2B
I have long felt, based on experience with many carts, that CRE is the most flexible and sustainable option out there – not by a large margin, just on many carefully weighed points. Other options are either more complicated to deal with, or completely unsustainable for a number of reasons, or too immature to do what you need them to do. I still feel that way. But it does not mean that I think that CRE does not need work.
So here’s a quick rundown of the changes that I like, and those that I do not appreciate, along with things that should have changed but didn’t.
- Infoboxes are more flexible to manage. You can position them up and down more easily without getting stuck in a section.
- Design is harder to manage. Parts were put into the Admin, but since some bits are there, and some bits are still in the templates, it is very difficult to figure out where the change is that you want to make. And they are handled in more than one area in the Admin, further complicating the issue. It is very tedious to have to change the color of each infobox individually, especially when it is a slow and awkward process in the first place. We feel this was a step backward, not forward.
- We are still having to fix bugs and adjust common elements to get the system to behave in commonly expected ways.
- The installer still has the merchant account signup presented as a required part of registration. The link to skip it is small and not easily noticed.
- The template sales in the site backend does not say who the credit card billing is originating from. This is a serious issue, making it seem shady.
- I also dislike that many longstanding annoyances, inconveniences, and time wasters have not even been addressed. Most improvements were aimed at bells and whistles rather than core function.
- This version has many things half-finished, or hidden goodies that are unpublished – they are not referred to in the documentation, and no instructions exist for using them. You may stumble on them, but have no idea what they actually are, or if they will work as you assume they logically should. I do not know if this happened because they were abandoned in the middle of them, or if the team did not have time to document them, or if they simply did not feel they were mature enough to want to have to support them.
- We dislike the RSS feeds in the admin area. CRE’s server is perpetually overloaded, and those feeds can slow down the admin area of a site to the point of outright frustration, especially when combined with the clunky and redundant editing screens.
- We also dislike the serial number validation methods. While we have no problem with CRE wanting to charge for the software, or wanting to require a serial number, validating it against CRE’s overloaded servers each time the site is logged into, is problematic for the end user, on a number of fronts.
B2B
Most of the B2B features work at some level, though figuring out how to use them is difficult. The manual is only partially helpful, since it only skims the surface. Many new features have been added which are not documented – some have cursory documentation stating the feature exists, others have no mention anywhere that they are even available, you may stumble on them, and then have to figure out what they do and how they work, or IF they work (many do not).
To me, the real value in B2B, and the only value worth upgrading for, has been the ability to create customer pricing groups – this is a functional feature which increases monetary potentials in measurable ways – most of the other features do not have that kind of return potential. This feature allows wholesale ordering capabilities to run alongside retail ordering. For many small merchants, this is a function that is difficult to find in a shopping cart. It still has some bugs and annoyances. Some are slated to be fixed in the next release, but there is no knowing whether that will actually be done, or WHEN it will be done, or how many new bugs will come with that.
Many of the annoyances have to do with how it is used – if you want to use all the features, you are in for some frustration. Many of the settings are straightforward, and logical. Others are buried in out of the way places, and require either extensive digging to find them, or someone has to tell you how to do it. Those that do work, often do so in a way that is crippled, offering only partial functionality.
The Affiliate program, which is only fully functional in the B2B version, is still too immature to be flexible enough to meet the needs of people who need a robust system. It works, but in a limited way. 6.3 does add some new functionality to it, and some of it very desirable (though undocumented), but it is still fairly simplistic as far as affiliate managers are concerned. It also has some longstanding issues of things simply not working, or being so inconvenient to access that actually using it is very irritating. The frontend links for this have always been broken, not going where they say they do, and the signup process is extremely unintuitive.
B2B ships with only a single template enabled. This is a serious limitation, in my opinion. CRE is fairly difficult to template, and while the templates for 6.2 were no great shakes, between the included templates, you could usually modify one to come up with something to work for most businesses. It is clear that the intent is that you purchase one instead.
Ok… but then that causes another problem, because at this time, templates that are compatible with 6.3 B2B are still very difficult to locate, and they are fairly costly when you do find them. Templates for content management systems are easy to find in the $35 to $50 range (and often free), but for CRE, they start at $135, and no other free ones are available. Hardly worth it when you’ll have to do as much coding on a purchased template as you would to modify the stock template. We have also found that many purchased templates introduce language file errors, and SQL errors when activating infoboxes, or activating other commonly needed functions.
The template that it ships with does have a couple of nice changes from the 6.2 templates. We like the horizontal menu, and the options on it, though the fact that it is hard coded into the mainpage file is unimpressive, to say the least. We’re not so crazy about the tiny links for contact page and policies page at the top and bottom of the page, and have removed them from many sites. We’ve pushed this single template into many shapes, and have done quite a bit with it, but it is more difficult to work with.
Pro
I know designers who think I am nuts for my opinion of Pro, but I’ve never seen the value in this. Not enough to pay for it anyway. It does offer some add-ons that generally cost something to get, but it does not have a significant value breakpoint for small businesses (our expertise is specifically with small business). There are things that make using it more convenient, but little that actually makes more money for the merchant.
I feel that CRE should have given Pro the more functional affiliate features of B2B, while reserving Customer Groups for B2B. This gives a clear monetary and functional advantage for each version.
Templating issues are the same as with B2B – limited, and very hard to find. In fact, Pro templates are harder to find than B2B templates.
When we agreed to test these and review them, I stated that I’d only do so if I could test them on actual client sites. I have been unable to do that with Pro, because I cannot find a client who wants even a free version, when they know they’d be locked into a long term pricing that was not justifiable. They want the function of B2B, but they do not perceive Pro as having enough difference over Standard to pay for it.
Support
Our clients who have attempted to access support have stated that it is “less than helpful”. Answers are often obscure, or the equivalent of the “beats me” shoulder shrug.
Since the documentation is lacking in anything other than descriptions of the obvious, the real problems are hard to find answers for. A search of the forums sometimes helps, but many questions remain unanswered there, and others are hard to find because the search function is so abysmal. It also appears that many of the older helpful answers have been removed – searches now fail to pull up useful information that was once available under the same search terms.
I believe strongly that good documentation is the solution to this – both for providing resources to the tech support personnel, and for providing resources to the customer base. Charge for it, but get it done, because the lack of usable instructions is a huge hindrance to the growth of CRE.
CRE in general
I am still unconvinced that the company will be reliable long term in how they treat their customers. I feel that there have been longstanding issues, which have existed from the beginning, which have never been addressed. Many would be simple things to correct, or which could be easily addressed by placing priorities in the right order. Most criticisms of CRE come back to the same things, over and over. Those problems have been serious impediments to the growth of the company.
Many techs have made a profession around CRE. They’ve been able to do so partly because there is very little in the way of real help or documentation. If you are gifted enough to figure it out, you can make money helping other people figure it out. But it means that techs who are just learning the business go and learn other systems first, and never bother with CRE. Once a tech adopts a system and begins to build services around it, they rarely change to others. CRE’s best chance of getting techs to adopt CRE and promote it, is to make instructions available which address the common issues, and make it easy to get helpful answers.
Setup and sustainability still remain awkward enough that do-it-yourselfers generally avoid it unless they are a techie at heart. Once a client is introduced to the backend of the site, they can usually manage it fairly simply, and can often figure out how to do basic tasks without specific instruction. Beyond that, the learning curve escalates.
Longstanding Problems Still Unresolved
- The setup screens are awkward, and time wasting. Three clicks to do what you should be able to do in one click.
- Affiliate links on front of site are inaccurate, signup is awkward.
- Checkout process loses sales at a HIGH rate due to inefficient workflow.
- Newsletter manager is buggy, and has no throttling. A serious issue that makes it completely unusable for most businesses.
- Options and attributes are slow to set up, unintuitive, and clunky. And buggy, they often do not work.
- Quantity pricing tables are buggy – same bugs they’ve had for many versions.
- Links system is a spam trap.
- Mainpage is stored in a file instead of the database.
- Contact Us STILL has to be hand-edited in the language file.
- Affiliate Terms still have to be edited in the language file.
- Articles functions are still awkward, and unintuitive.
- Still requires a shipping weight to charge any kind of shipping, whether weight based or not.
- Updating the software is still very difficult, due to the number of items hard coded into language and other files, and due to the number of bugs requiring patching on each install. This is a MAJOR problem for business affordability.
- Many other functions do not work, are awkward, or require bug fixes on every install. This is true in spite of the “bug fix” updates.
New Goodies
This is not a comprehensive list – just some things we noticed that are helpful.
- Sort order on products – you can sort the product order more easily.
- Default customer groups – Saves some time on setup.
- Product/Article Blurb – Useful for category display.
- SubProducts – designate at bottom of product listing.
- Article product linking at bottom of article – needs this on pages too.
- Edit button on Products and Categories – makes product editing slightly faster.
Broken Features and Half Finished Elements
Again, not a comprehensive list, just some of the most obvious.
- Contact Us – They’ve created a Contact Us item in the Pages, but it does nothing. Contact Us page still has to be edited by hand.
- Affiliate Branding – Half functional and annoying – affiliate info will show up on the front of the site, but the Admin has to enter the information in. There is no interface for the affiliate to do so. The site header also changes for affiliate branding, BUT, there is NO WAY to turn it off! You have to edit the code and remove the branding code, OR, put your header image in for EVERY AFFILIATE, in order to get it to consistently display YOUR header or logo.
- One Page Checkout is buggy. Still.
Conclusion
Do I think that the new features are good? Some of them yes. The ones that work, and the ones that actually enhanced the usability.
Do I think that either Pro or B2B are worth the current price? No.
My primary reason is that the price is high largely to cover the cost of support which many people do not need, or which they’d gladly do without to get a lower price. And the support isn’t stellar, by any means.
I believe that the slow adoption of 6.3 in general speaks volumes of the reluctance that people have in using software that is priced this high, and which has the issues that it does.
I have always felt that CRE would be better off charging a lower price for the software, and charging separately for support. This makes sense from a business perspective – maximize the profit from replicatable things, while minimizing the revenue streams that are low profit but which are labor intensive.
Reducing sales by charging a high price that has a built in labor intensive factor, is purely stupid. Increasing sales by reducing the price for the items EVERYONE wants (and which are cheap to reproduce because they require less labor), and eliminating the built in labor intensive aspect, would be the intelligent course.
Offer a low priced option with NO support. Let it sell like hotcakes. Offer a separate support package and make the support division of the company self-sustaining.
Long term, CRE needs to focus on fixing bugs, and working out the longstanding problems which affect sustainability for businesses. The competition is already figuring this out, and is making strides toward that goal. CRE is still mired in old problems that are not even on the schedule to be fixed, but which every person who uses it is annoyed by.
The treasure is definitely there – but it is by no means refined.
————–
NOTE: Support was last tried about three or four months ago. All other comments reflect the status of updated 6.3 installs prior to 6.4.
The Loss of Group Conversation
I love a good forum – if that forum emails me when there are posts. I liked being able to post something of value, and get conversation about it. And I liked that the conversation was there, and searchable. I liked being able to ask a question, or brainstorm something, and get responses.
Ryze was one of the best venues to find forums like that – they call them “networks”. But Ryze is dying. It hasn’t been sudden, more of a trickle of attrition.
None of the new big networking sites can come close – their group conversation tools stink. And before you say, “what about Twitter?”, let me clarify – I’m talking REAL conversation, where you can make a comment of more than 140 characters, and where the comment lasts longer than the time it takes to scroll off the bottom of the stream of inanities that flood in.
Blogs don’t cut it either.
Facebook has “groups”, and “pages”, but there is no notification on either the wall, or forum activity for those. It is like you join a group, and then it NEVER reaches out to you. The only way a group can tap you on the shoulder and get your attention is if the owner does a mass mail to the group. Too many of those, and people drop the group. So on Facebook, groups really aren’t groups at all – they are just lists of people who never participate because there is nothing to remind them to take time from their busy lives to check in.
Statistically, forums that require you to check in to see if there has been any activity are failures. Stupidly, Facebook has never figured this out.
But then, neither did FastPitch, LinkedIn, or any of the other major platforms that I checked out. I think they like transience. It takes smaller databases.
So group conversations that are meaningful have all but disappeared.
Sad, really.
And sadder… We downgraded our Ryze memberships today. With a sense of loss as we did so. We closed our own network there, and unsubscribed from some that have become either nothing more than questions about why there are no posts, or mostly ads – and one that has degenerated into mostly a commentary on Twitter (If I wanted Twitter, I’d be THERE, not somewhere else reading about it). The last people to go are the spammers, and a few die-hards who want to try to doggedly MAKE it what it once was.
Our profile is still there – it could come back. I don’t think it will. I give Ryze 6 months before they are forced to close their doors. And it is because they did not listen. They offer something nobody else does, and it has been successful, and is still valuable, but not without additional tools to entice people in to begin with, and to keep them there. And implementing the tools should not be difficult, the technology is readily available. Heck, I can do it using Open Source software! They could still pull out a spectacular recovery. But I think they won’t.
And the loss is more than just a venue… It seems the loss of what they did that no one else has had the intelligence to implement in a smart way.