CRE Did It Again

CRE Loaded just released version 6.4. They are selling 6.4 as a “PCI Compliant Shopping Cart”. They are claiming that there is no extra charge to implement the change. Both of these claims are false at heart. I know, I just threw down the gauntlet, but my statements are factual.

They didn’t make CRE PCI Compliant at all! They just avoided the issue in the same way that many other small businesses have already been doing. Their solution lacks originality, and is nothing new in concept. The software is not any more compliant than the previous version. It is still buggy, and the same potential vulnerabilities exist. It is no more secure than any other Open Source shopping cart.

All they did is create a third party gateway service, and a wrapper. They achieved PCI Compliance by moving it OUTSIDE the cart. So it isn’t the cart that is compliant at all! And to reach their claims, you have to use THEIR service.

You can do the same thing using PayPal Standard, SIM, YourPayConnect, Google Checkout, 2Checkout, or dozens of other services, and if you use them, your cart is already just as compliant as 6.4 can be. And this is true of Zen Cart, OSCommerce, CubeCart, X-Cart, Magento, PrestaShop, and every other Open Source Shopping cart!

They are touting this as a revolution, when it isn’t even an evolution that offers anything worth getting excited about. The wrapper technology is the only new aspect, and even that isn’t that much of an improvement over existing solutions which DO allow you to coordinate branding (CRE implies that they don’t in their marketing).

That is deception number one.

The second deception they are perpetrating is “free”. They claim the service is free. But when you read the fine print, there are (obscure) indicators that put the lie to that claim. Things like “free when you use one of our merchant account partners”, or “save $69 to $149 per year over the cost of PCI scanning services”. PCI scanning services cost between $350 and $800 per year. Hmmm…. Seems that there’s too big a gap between those numbers to qualify as “free”.

In the same breath, they say that you can use it with your existing merchant account (conveniently leaving out any mention of fees). But they do not say you can use it with your existing GATEWAY, because they are replacing it. And that is all that they have done. They have created a GATEWAY service. They claim they have put a vast amount of money into the system, but what they put the money into was the integration of the service into the cart, and the creation of the wrapper system.

The sales pages for the gateway (CRESecure) do not have a chart of fees, they do not have terms and conditions where you can review them, and they have no options but to sign up. This means many people are going to be in for a nasty shock when they get far enough into the signup process to read the fine print – or perhaps CRE is hoping they WON’T read the fine print until they get the bill! The wording on the pages makes it obvious that someone went to a great deal of trouble to cloak the hidden costs and to make it appear to be something other than what it is.

There is no way to compare options – instead they wish to make it appear that there ARE no other options. If theirs really is best, why don’t they allow you to freely access the information you need so that you can make an informed choice? Do they really think that forcing people into a situation where they have to make a blind choice is the best way to maintain customer satisfaction?

The service is now so tightly integrated into the cart that the new version of the cart does not even offer you the option of NOT using it for a new install. This means that CRE has gone the route of attempting to FORCE people to contract a service from them in order to use their cart. Now, I’m sure they will tell you that you can still use the cart WITHOUT using their service. But they have gone to great lengths to make it appear that you cannot, or should not! And the install process is replete with dire warnings if you don’t!

Their current marketing of the cart consists of misleading statements with the goal of scaring you into using their solution. If you question them, they show you the PCI compliance documents (confusing and intimidating to the average site owner), and make it appear that you have only TWO choices to achieve PCI compliance – use their service, or spend thousands of dollars to do it on your own.

The fact is, you can use one of the existing services (PayPal Standard, SIM, 2Checkout, YourPay Connect, Google Checkout) and achieve the same level of compliance – ANY established and reputable payment service which processes the credit cards on THEIR site instead of within your cart achieves the same degree of compliance as the CRESecure system.

They have promoted this in a dishonest fashion. Call it what they like, and twist it how they wish, it is still dishonest, and misleading, and it creates a dependency between the cart and the company’s services that is unacceptable for small business owners who need full ownership control of their websites.

Get honest, CRE! Growth doesn’t come from forcing people to do it your way. It comes from openly and freely offering CHOICES, and in being up front and honest about what those choices REALLY are.

It really does make one weary. Because it seems that each new version comes with the same longstanding issues, and new layers of what was a bad idea last time. You can explain, complain, and question, and they still doggedly stick to their unsustainable and unwise course. The problems don’t get fixed, because the philosophies never change.

7 Responses to CRE Did It Again

  • Jason Miller says:

    PCI compliance itself is outside of the scripts installed.. (first and foremost it’s the server the domain is on.. and out of control to the end user .. unless they manage their own server) unless you process/transmit all data on a known compliant server (which cre secure does do) And the beauty of it.. it keeps your site branding/template.. unlike all the other examples you provided.. none of which connect to an existing merchant (less maybe authorize sim as I have no experience with it)

    It CAN and DOES snap in to existing merchant accounts.. depending on your processor’s bank (something you can not do on any other cart.. and cre secure is also targeting those carts.. as a payment solution.. not forcing them to abandon the cart they already use)

    and in the near future.. it can use a sub domain (or your domain)for the processing

    Not sure how they are forcing anyone into anything.. if one wants PCI compliance where the checkout process matches their existing site.. AND/OR tied into an existing merchant account (or a new one) then this is (a) solution for them

    I would like to see your list of things that do not work.. and I am sure the cre community would as well

  • Laura says:

    I did not say it did not work with other merchant accounts – I said that it is NOT free if you do so, and that CRE has gone to some trouble to conceal that fact.

    To offer only a single choice in a cart install, and to make threatening statements that warn you if you don’t (“Your cart will NOT be PCI compliant if you choose ‘no’” – a false statement since you can make it PCI Compliant in other ways), and using deceptions in those warnings, is an attempt to force people to use their solution.

    My issues are over the lies, not over the functions. To call CRE Loaded 6.4 “PCI Compliant” is a deception, because, as you state in your first paragraph, it is not the cart that is compliant. And to call the gateway “free” is also a deception, because it is only CONDITIONALLY free.

    The wrapper is the only advantage – and since other gateway/processor combinations allow you to coordinate branding and colors with your site, this is only a marginal advantage. To imply that other systems do NOT allow this is a misleading statement also.

    They could have marketed this honestly, and in a way that respects the intelligence and right to informed choice for the purchaser. The fact that they did not is what I am critical about.

  • Laura,

    Thanks for the passionate post about our recent release. I feel though we are taking some friendly fire. Your post presupposes some things that are not necessarily true. Please consider the following clarification:

    1. CRE Secure is actually not a gateway. We connect your store to other existing gateways that we are certified PCI compliant with.

    2. If your bank requires you to purchase security scans you may purchase them from any vendor and you are not required to purchase them from our recommended partner.

    3. While a valid SSL certificate is required to connect to CRE Secure it is not necessary to purchase it through CRE Secure.

    4. With the CRE Secure Implementation, you may qualify to use only SAQ-A which actually allows you to be eligible to avoid scans, if your acquirer allows.

    5. We created a whole new technology to present a payment page that is unlike anything available by any of the 3rd party payment providers. This patent pending process is available at no charge and helps merchants retain more control over their customers’ experience and dramatically reduces the abandoned carts scenarios due to the confusion that some hosted payment page providers (PayPal, Google, etc.) cause.

    6. As part of our PA-DSS certification as a Level 1 Service Provider, we must provide a comprehensive integration guide document that clearly explains how to use our product in order to benefit from our Certification. Using the product outside the guidelines means you will not be considered PCI compliant and run the risk of your bank refusing to process credit card transactions in the future. If a merchant wishes to use CRE Loaded and install any other payment module available for download from our community support website, they are most welcome to do so, bearing in mind that the burden of proving PCI compliance to their acquiring bank remains with the merchants.

    It is a misstatement to say we have not ‘dealt with PCI in our cart’, just because we integrated a solution that takes the issue outside of the application. In fact, we validated each version of our CRE Loaded shopping cart PA-DSS compliant along with the integrated CRE Secure payment module. Our software applications will appear shortly on the official PCI Standard Council’s approved list after an administrative process. As a company, we have invested a significant amount of our internal capital, time and energy to make these products and services PCI compliant largely so that our smaller online merchants can satisfy their acquirer banks’ requirements and ensure a safe and secure merchant site for their customers to submit their confidential cardholder data. Our independent PCI auditors have commented that no one else in the industry has taken this initiative and developed a solution so very compelling for small merchants.

    Again, CRE secure is not a gateway. It is a hosted payment page solution that requires a payment gateway. We say CRE Secure is free, because we don’t bill you for the hosting of the PCI compliant payment page. We only require you purchase gateway services with a CRE Secure supported gateway, which is an expense you would already have as a credit card processing merchant. So CRE Secure is a Free Service at this time.

    The reason we went this way is because certifying an ‘IN SCOPE’ solution puts incredible burden on the small merchant to host the site in a PCI compliance data center. And, contrary to some misconceptions in the marketplace, this is not just about passing ASV scans. Once we dug into PCI DSS requirements we found that most of the market was misguided in what liability there is in even collecting and processing credit cards within a server environment. Using direct requires that you fall under SAQ – C if not D. That was not something we felt you or your merchants would appreciate.

    Also you mention that it’s just another solution like so many other hosted payment solutions, but it’s not. To use those that you mentioned would mean merchants would have to abandon their existing merchant services accounts or use the poorly integrated SIM or similar method. Our solution does require a change of gateway today but preserves the merchant service account, and presents a hosted payment page like nothing you have ever seen before. Did you take a look at our HTML Clone™ technology? We have merchants signing up every day telling us this is exactly what they were hoping would come along. A completely templated hosted payment page, that looks like their template, in real time, every time.

    We knew the only solution was to go out of scope, so we created a better out of scope solution. And instead of making merchants pay for it, we tied it to payment gateway partnerships so it is essentially free, or no additional cost to the merchant.

    All you need to use CRE Secure is:

    1. the payment module

    2. your existing merchant service account

    3. and to use one of our current partner gateways, Chase Orbital or ePN. We will be adding others, soon.

    With CRE Secure we have created a PCI compliant solution that gives the merchants a hosted payment page that has their template on it, at essentially no additional cost to them. We are presently working to expand our gateway partners, expand the carts CRE Secure integrates with and the countries that we can settle in. The merchant processing industry is excited to work with us to bring our mutual merchants into compliance in a real way that merchants can afford. Everyone wins.

    I hope that clears things up, a little. I want to follow up with you offline to answer any questions and hear your comments on CRE Secure now that I have laid some misunderstandings to rest.

    Sal Iozzia
    Founder, CVO
    CRE Commerce

  • ringsting says:

    Hi Laura

    Thanks for your posts, I am just setting up an ecommerce business and trying to figure out which cart to use.

    I read some reviews for cre-loaded that basically said it was the best of the three main ones OS & Zen.

    I am starting to use it but more and more it seems that they haven’t understood the concept of open source, and how to make a business around it. Getting rid of their spam on the front page is a nightmare as people aren’t allowed to post the solution in the community forum.

    All in all it’s made me realise that Cre probably aren’t a trustworthy company and they will probably shaft me/force me into paying for things I don’t want in the future.

    So what alternative would you recommend for a small startup trader?

  • Laura says:

    I’m tending to lean toward Joomla with VirtueMart more and more. VM does 90% of the stuff that CRE does, and Joomla does stuff that CRE does not, and will never do. The 10% that VM does not do, is stuff my clients rarely need, or that I can code in and reuse if they do. It is much simpler to code for.

    It also WORKS where CRE is broken. Many of the features of CRE are so buggy, or limited, that they are not practically usable. Those features do work in the VM/Joomla combo.

    Newsletter management is one example. The CRE newsletter manager is not robust enough to handle customer lists of more than a few hundred names, it has no throttling capability, so it will cause problems on most servers with even moderate sized lists.

    I can install a newsletter manager into Joomla, and integrate it in whatever manner I want, and set the email send rate to match my server limitations. I can set up multiple lists for a range of purposes, and control precisely who receives what.

    The other huge benefit is ease of templating. I can create Joomla templates fast, and VirtueMart is simple to template as well. CRE’s templating, by comparison, is far more time consuming and complicated, and I have to dig through bits of code that are not even inside the template folder to control some elements. Add to that the fact that to set up a CRE store, I will always have to edit language files, and tweak other files that are hard coded, when with Joomla I NEVER have to do that, and you have another HUGE time waster both for setup, and for sustainability, since it complicates the update process significantly.

    It used to be that about 50% of our cart clients went into CRE. Now only a handful do, and many of those would have been just as happy with Joomla and VirtueMart.


  • ringsting says:


    I’m just having a look at Magento at the moment but if that doesn’t work out (I have heard it’s a resource hog) I might have a look at Joomla/VirtueMart, the problem is I don’t like the back end of Joomla that much.

    For newsletter management, I have been using mailchimp for a while now and I think it is absolutely incredible and it is hard to imagine a built in feature being anywhere near half as good as mailchimp… granted it’s not free.

  • Laura says:

    I reviewed Magento. Did not like it. Some slick features, but too many bugs, and the bugs changed with every update – one thing would be fixed, another critical thing would break, so it wasn’t stable enough to even use. It was updated so often that you always felt that you were waiting for the next thing to break every few days. This was six or eight months ago, I don’t know what may have changed.

    The templating was also IMPOSSIBLE to work with. For some unaccountable reason they threw XML into the templates, which means you have to learn not 3 coding languages, but 4 to template it. The templating is supposedly very flexible, but it is clear that I’m not the only person who felt it was unreasonably complicated, given the dearth of available templates for Magento, and the number of sites with nothing more than the default template being used.

    AcaJoom News, as an extension for Joomla, is very simple, but very flexible. I’m not real thrilled with the clunkiness and unpredictability of the Pro version (we’ve had a very hard time getting it stable with scheduled newsletters and autoresponders), but the simpler free News version is terrific, and meets the needs of the majority of my clients. I like it because it can be integrated into site functions – auto-subscribe on registration with the site, possible integration with Community Builder profiles, etc.

    Joomla requires a bit of time to figure out how to “think like Joomla”. But once you get that, the interface makes sense, and it is consistent. Pretty much when you figure out something, that will be the rule almost everywhere (except in sloppily coded extensions). And it is smartly coded software – good separation of core and styling. Updates take all of 5 minutes and can be automated.
