Life on the Road

Home Business, Homeschool, and Cats!

Archive for the ‘Tech Topics’

Website Safety - PCI Compliance

We interrupt this fun family blog to bring you a bit of business info.

This tutorial was put together by my good friend and successful online business owner, Alicia Staz (check out the links to her gorgeous jewelry in her credits at the end!).  It explains what everyone with an online store needs to understand about complying with the laws protecting consumers’ credit card information.

———————————— 

PCI Compliance is required…this is not an option.  Anyone who accepts credit cards must comply with certain standards based on the number of transactions you complete each year.  It doesn’t matter if you use a payment gateway to process your cards or do them manually.  It doesn’t matter if you use a shopping cart or PayPal… you still must commit to keeping all data that is collected safe.  The PCI Security Standards Council has all the information you will need.  Personally I didn’t get into the technical aspect of it.  I knew I needed it and so I set out to get it done.

Who does PCI scanning?

I happen to have the Hacker Safe certification through Scan Alert - this includes PCI scanning at no extra charge.  Scan Alert also offers a PCI scan for $149 a la carte, so you don’t have to buy the Hacker Safe certification to get it through them.  That said, there are many organizations that offer a PCI scan, just Google it.

If you use PayPal, they have partnered with ScanAlert, a Visa and MasterCard-certified PCI vendor, to help their customers comply at no cost for the first year. Enroll online with ScanAlert at: https://www.scanalert.com/SignUp.sa?oc=9673.

So what does PCI scanning entail?  

When you have your domain scanned for PCI compliance it has nothing to do with PayPal, your shopping cart or anything else.  That is a huge misconception!  I left my host because she thought the PCI vulnerabilities had to do with my shopping cart, not her servers.  

When a company scans your domain, they are scanning the servers that your domain resides on.  They do all kinds of checks and challenges to try to “get into” the server - similar to what a hacker might do.  It will completely mess up your website statistics… they are hitting pages randomly, every day.  They are trying to find nonexistent pages so your “404 not founds” will be off the charts.  I know someone said there is a way to block them from your stats program (not register any visits by scanalert.com) but I haven’t figured that out yet.  If anyone else knows how to do this, please let me know!

Which hosts are PCI compliant?

Not many that I know about.  The only two options I considered seriously were Hand-On Webhosting and A2 Hosting.  I Googled it and had to really search for hosts that were compliant.  I emailed my list of questions to the ones I found, and surprisingly only a handful got back to me with answers.  

Here is my personal checklist for a host:

1. Do they maintain their own servers?  If not, can they tell me where they are physically located?

2. Do they allow spammers or adult sites to reside on their servers?  If so, it could negatively affect my search engine ratings.

3. Are they Hacker Safe compliant?

4. Are they PCI Compliant?  If they are PCI Compliant they are Hacker Safe compliant because PCI compliance is a step more intense than Hacker Safe.

5. Are their prices reasonable?

6. Are there any negative reports about them online? I Googled the names…

7. Have they been in business for several years?  This is my business and I don’t want someone else’s hobby ruining my business because it goes under.  That is why I want to be with a host that owns the physical servers.  Chances are, if they have invested that kind of money in servers, they are in it for the long haul.

What are the next steps?

Once you choose a host that is compliant and get your site moved to their servers, you will still have vulnerabilities to address.  A PCI scan generates vulnerabilities that may or may not be valid for your particular host.  They are testing based on the worst case scenario and in many cases, there is a reason the host does things in a particular manner, and they have other measures in place to protect the data.  

Once I had a PCI Compliance report that listed the vulnerabilities, I emailed it to A2 Hosting’s Technical Support and they typed up answers to address the issues.  Once I had responded to the issues and completed the PCI Questionnaire, I was considered compliant.  Since I have less than 20,000 transactions a year, I am only required to have quarterly scans to be in compliance.  I printed my compliance report and don’t need to print another one for 3 months.

What is the PCI Questionnaire? 

It is just a list of questions you need to answer that ensures that you personally (and any other people your company employs) are doing everything necessary to protect the cc data.  Do you store it on a secure server, do you password protect the data, etc.

I think that about does it.  If you have any other questions, I can try to answer them, but I am by no means an expert.  I just did what I had to do to become compliant and I think I have detailed it all here.  If any of you want to forward this to others I don’t mind… I only ask that you maintain my signature line as part of the article. : )

Alicia E Staz
Owner, Designer, Beaded Royalty

http://www.beadedroyalty.com

Visit my blog at: 

http://www.handmade-sterling-jewelry.com
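The tutorial above mentions that scanner traffic skews visitor statistics and inflates 404 counts. The script below is an added example (not part of Alicia’s article or any stats product) showing one way to keep scanner hits out of your numbers: it parses Apache “combined” access-log lines, sets aside requests from a list of known scanner hosts, and tallies real visitor hits and 404s separately. The scanner hostnames/addresses and the log lines are constructed placeholders; substitute the ones your scan vendor publishes.

```python
import re
from collections import Counter

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Placeholder scanner sources (assumption): replace with the hosts/addresses your PCI
# scan vendor tells you its checks come from.
SCANNER_HOSTS = {"scanner.example.net", "203.0.113.42"}

# Constructed sample log: two real visitors plus a scanner probing nonexistent pages.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2008:09:12:01 -0600] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.42 - - [10/Mar/2008:09:12:02 -0600] "GET /nonexistent-1 HTTP/1.1" 404 310 "-" "ExampleScanner/1.0"
203.0.113.42 - - [10/Mar/2008:09:12:03 -0600] "GET /old/page.html HTTP/1.1" 404 310 "-" "ExampleScanner/1.0"
scanner.example.net - - [10/Mar/2008:09:12:04 -0600] "GET /nonexistent-2 HTTP/1.1" 404 310 "-" "ExampleScanner/1.0"
198.51.100.9 - - [10/Mar/2008:09:13:00 -0600] "GET /blog/missing-page HTTP/1.1" 404 310 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2008:09:13:05 -0600] "GET /blog/jewel-first-haircut HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of log fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def summarize(log_text, scanner_hosts=SCANNER_HOSTS):
    """Count hits and 404s, keeping scanner traffic in its own bucket so it does not
    distort visitor statistics; also list which pages real visitors failed to find."""
    stats = {"visitor_hits": 0, "visitor_404s": 0,
             "scanner_hits": 0, "scanner_404s": 0, "unparsed": 0}
    visitor_404_paths = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            stats["unparsed"] += 1          # never silently drop odd lines
            continue
        bucket = "scanner" if rec["host"] in scanner_hosts else "visitor"
        stats[bucket + "_hits"] += 1
        if rec["status"] == 404:
            stats[bucket + "_404s"] += 1
            if bucket == "visitor":         # only these 404s point to real broken links
                visitor_404_paths[rec["path"]] += 1
    stats["visitor_404_paths"] = dict(visitor_404_paths)
    return stats


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The visitor-only 404 list is the useful one: it shows links you actually need to fix, while the scanner bucket tells you how much of the noise in your raw stats came from the scan.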

Password Grief

Okay, I have SEVEN (I kid you not) unfinished draft posts up there vying for my attention…  But instead I’m going to vent about Internet Passwords - because I just got bugged again.

Every website has their own requirements for passwords.

This has evolved over time, to prevent everyone from using their middle name as their (not very secure) password on every website.  I understand it.

But some places require it to be 6 digits, and some 8.  Some require a combination of letters and numbers.  Some require letters, numbers, and a “special character.”  And a few have a 4-digit numeric code!

So how am I supposed to keep track of all these?

My mom writes websites and passwords on an index card in the top drawer of her desk.  I used to think that was silly, but I’m beginning to relate.

I admit I used to use the same password for everything.  But it wasn’t something I felt anyone could guess, so I wasn’t concerned.  But it was letters only, so soon a lot of sites wouldn’t accept it.

So then I had a few alternatives that I began using.  Sort of “variations on a theme” - things I could remember.  So when I tried to log in, if one didn’t work, I’d try another, which usually did.

I’m happiest, of course, when a site remembers me, or my AutoFill pops it up for me…  But alas, things don’t run well unless you periodically delete all those “Temporary Internet Files”.  Then you’re on your own again.

But more and more sites have made more and more cryptic requirements, forcing me to use other passwords…  PLUS they limit the number of login attempts, to prevent hackers from sitting there guessing.

What I would like, though, is for them to GIVE ME A CLUE!  Not about my password, necessarily (although the places that have hints and secret questions are nice), but about their REQUIREMENTS. 

At least, if I enter the wrong password, tell me “Passwords must be 8 characters long and contain both letters and numbers” along with the “that username and password don’t match” error message.  Then I’d know it’s one of the LONGER ones, but not one that requires a “special character” - which would probably be enough for me to re-guess what I used.

… or maybe I’ll just start having them tattooed on the back of my hand.

Oh, wait, then there are those sites that require you to change your password on a regular basis…

We’re Ba-ack!

I cannot express how frustrating this migration process was.  Everything that could go wrong, did.

Apparently the FTP program I have been using is not what you might call reliable, and a lot of files were lost/corrupted/whatever during the backup process from the old site.  So we had to download fresh WordPress files (and a new FTP client).  Then we had to work around the SQL errors being generated by the database.  Then we had to figure out how to use the quirky system 1 & 1 has in place to access the database.  Then we had to diagnose the errors WordPress kept throwing - including deleting one of the plugins altogether.

I could never, never have done this on my own.  And, frankly, the 1 & 1 Tech Support email team left something to be desired in the exchange (you know that feeling you get that you’re talking to someone in Pakistan who is reading you rote responses off a checklist?).

The hero of the piece?  “MichaelH” of the WordPress Support Forums.  What a guy!  Patient and knowledgeable…  Thank you!!

So, as far as I can tell, other than my frayed nerves, the only damage done is that the “uploaded images” folder was found to be completely empty.  I do have all the pictures on my hard drive, but now they need to be manually uploaded all over again, one by one, and inserted into the appropriate place in all the posts in the history of the blog.  I’m going to work my way backwards.  It may take a while…  ;)

Possible Downtime - Hosting Crisis

Just an advance warning that there may be some periodic downtime over the next couple of days as this domain is migrated over to a new hosting provider.  Unfortunately, time constraints do not permit me to do this in a more orderly fashion.  Read on… 

I’m not one to call people out in public, but I do think the public deserves to know when a company is behaving badly.

For the last couple of years, my websites have all been hosted at Angel Towns.  Although there is not a lot said about it, they appear to be a Christian company - Bible verse on the homepage, restrictions about your site content, etc.  And best of all - Cheap!  ;)

So, as I say, things have been going smoothly for a couple of years now.  I have a few minor complaints about the ease (or lack) of using certain features, but I always figured that was part of the price I paid, for the price I paid… if you know what I mean.

Then earlier this week I got an error when I tried to upload a photo to a post I was writing about Jewel’s First Haircut (very cute!).  After tracking it down in the WordPress Support Forums, I concluded that it must be a PHP Memory limitation on my server.

I logged into my cPanel and checked, and sure enough there was an 8 MB limit there (just as the Forum users suggested), and it was not configurable on the user side.  Immediately I emailed Angel Towns Support, asking why this limit had suddenly appeared, and requesting that it be raised or removed.

The email I got back was probably a form letter, and it explained that the 8 MB limit had been placed on all hosting accounts “as a temporary measure,” and it would be removed “soon.”  Further inquiry yielded the clarification that it would probably be lifted in about two weeks.

Two weeks?!

I can’t post any photos larger than a thumbnail for two weeks?  Not only is that not acceptable for my personal posting, but I have a commitment to Guest Host a really great contest for a popular blog on Monday (make sure to check it out!).

So I emailed again, explained my predicament, and informed them that if they did not remove or raise the limit on my account (which I never agreed to when I signed up, BTW!) I would be forced to move my hosting business elsewhere - and fast.  Well, they never even responded…  Not good business practice, nor good Christian ethics.

I have begun the process of transferring the entire domain to a new provider.  1 & 1 has great features, great service (already used it!), and … Cheap!  ;)

The move includes our business information page at http://www.tiffanyblitz.com, and two complete subdirectory installations of Wordpress which house this blog (http://www.tiffanyblitz.com/blog) and our sales team training website.  Whew!

Keep your fingers crossed that the process goes smoothly, and I’ll be ready for Monday’s BIG CONTEST POST!

More on the Theme…

Well, what do you think?  Pretty cool, eh?

We’re actually still refining the details, as this is a custom theme created just for us by the gracious and talented Nataly of Simply Beautiful.

If you have any feedback, we’d all love to hear it!  Don’t be shy…

More Theme Drama

Okay, I KNOW it doesn’t look quite right yet…   But it’s better than being SOOOOO SLOW like the previous one - right?

Be patient with me, I’m working on something better!  :)

Slow Loading

I can’t tell if the blog is really slow loading lately, or if it’s just the hazards of a travelling wireless Internet connection…

What do you think? Is it slower since I switched themes? Or does it seem slow to you in general?

Thanks!

What’s in a Theme?

Much more than I ever realized, apparently!

What do you think of the new look?  Give it a chance, okay?  :)

I’ve been frustrated for some time with having the blog ignore my formatting instructions - things like centering pictures, not wrapping text, etc.  The answer that someone finally shared with me was a surprise:  Get a new theme!

So I’ve picked out one that has a lot of great features, and hopefully is better behaved overall.  I hope I won’t have to switch again, but don’t hate me if I do, okay?  At 3 months old, we’re still pretty new to the wide world of blogging…

Ad Non-Sense

I’m always a little disappointed when I see an ad for something that goes against the values a site is espousing.

Although Google and other “ad-words” providers typically do allow you to block ads that you see on your site and don’t like, from what I’ve been able to determine there is no way to filter, block, or select what will show up beforehand. 

They claim it’s going to work out well because the ads selected are based on your content…  But a WAHM friend mentioned the scary story about the ads that started popping up on her site after posting an article about the debate surrounding infant circumcision.  Yikes!

If I had a ragingly popular site that could generate some ad revenue, I think I’d go the safe way.  Selling the spots on the page leaves me in absolute control of who shows up there, and is thereby associated with me in readers’ minds.

I recently saw a link in the Google Ads box on a WAHM business blog that sounded fishy.  Being me, I clicked on it to check it out.  Sure enough, it was one of the many types of schemes that seem to be everywhere these days:

  • Pay for my (book/system/website/whatever) and you’ll make tons of money with no effort what-so-ever
  • Complete these offers from our sponsors to access this cool stuff
  • Sign up all your friends to do this and you’ll get rich
  • Drive traffic to your website by joining our site and clicking on other members’ links

And so on, and so on…

I guess the people who put those ads on their site figure that “everyone KNOWS those are just the Google Ads, and nothing really related to me.”  It’s just like the people with blogs on free sites have to put up with the ads placed on their pages, right?

I don’t know, but I’m not buying into it.  Why should I let them spew stuff onto my page that I have no control over (unless I HAPPEN to notice something offensive, then I can remove it after the fact!)? 

I went to all the trouble to get a domain, host my blog myself, and all this other stuff - why?  Precisely so that I could be in control of everything. 

As much as I’d like to think I might earn some extra money, I’m not selling out.  It’s like I’ve heard in sermons more than once:

Go through your house, and clean it up as if Jesus was coming over for a visit.  Do you have magazines or movies you wouldn’t want Him to see?  Guess what - He sees them now, so you shouldn’t have them! 

So if Jesus decides to take a few minutes out to surf the web and runs across my blog, I hope He is pleased with His servant’s work.

Banner Ads and How to Track ‘Em?

Many thanks to Staci at Desktop Designs, who graciously agreed to help me with a banner and a plug button to help let people know about this blog.

I figure, heck, I’m already out there leaving our ads on plugboards for our dental benefits, our business opportunity, and even for Tupperware…  So why not stick this one on there, too? 

The more readers, the merrier, right?

Have you seen our plugboard?  Just click “Plug Board” in the box of “Pages” in the top right corner of the page (that’ll work at least until I change the layout, eh?).

Blog Plug

Blog Banner

The thing that frustrates me about some online advertising - including plugboards, is that I haven’t found a good way to track traffic, and know whether they are doing me any good.

When I send people to our dental benefits site personally, or on our business cards, we use our forwarding domain, http://www.LowCostDental4U.com - better to have something easier to remember, which is the whole point of getting a forwarding domain, after all.  With clickable graphic ads online, I can point people directly to the actual benefits site, including a “code” to track traffic.  I don’t use tons of different ones, but for instance I might use http://tiffany.my123card.com/plug for Plug Boards.

But I don’t have a good way to track traffic to the business opportunity site. 

I prefer to send people who are new contacts to my info-gathering site at http://www.TiffanyBlitz.com.  I have a trackable site for the business like the one for benefits, above, but it seems to me that I’d rather get their info and talk to them before sending them on to that.

And when you ask people (on the form, or when you talk to them on the phone), they tend to vaguely say, “I saw your banner on one of those WAHM sites”…  Which of course covers almost everyplace I advertise!

Anyone else out there have a good idea?