Key Concepts
Collect requirements to ensure completeness of implementation
Collect both functional and nonfunctional requirements
In this chapter, we describe the typical requirements that a company should seek from a commerce platform. Each commerce business has unique variations and has unique requirements from the commerce platform it uses. This is necessarily so because each company must be creative in the way it does business to compete in the world market.
We cannot possibly provide a comprehensive list of requirements for a generic commerce platform that will suit all businesses. The purpose here is not to provide a complete list, but rather to describe those typical requirements necessary for a single platform to be shared by multiple sites. We do not focus on details of requirements that are common to any business, such as payment processing or product comparisons, but assume that these commerce-related requirements have already been articulated by each line of business. Instead, here we deal with those requirements that are essential to making the commerce platform shared throughout the company—that is, what makes the commerce platform eligible to become shared by multiple sites.
The commerce platform used by a company consists of hardware, software, and administrative services necessary to maintain the operations. It is important that each requirement is met by the overall platform, and not only by a specific component of it. For this purpose, we can apply a corollary of the well-known Amdahl’s law of computers.
Amdahl’s law was articulated in the 1960s as engineers were trying to find ways of building faster computers. It states that a computer cannot work any faster than its slowest component. Intuitively, this statement makes sense: You can have a super-fast processor, but if the memory is slow, the computer will not run very fast.
The same rule applies to many things in life, such as business processes. For example, let’s say your order management and fulfillment are very fast, but due to poor inventory management there are frequent delays because items need to be backordered. Then, from the customer’s point of view, your company is slow at shipping orders.
And getting back to our subject, the corollary of Amdahl’s law is that a commerce platform is only as good as its worst-implemented requirements. You can develop a platform that makes it easy for the business to create and manage the global catalog and then adjust it to the needs of each site with minimal effort. However, if your key requirements also include the capability to share marketing collateral or marketing campaigns among sites, and this feature is not enabled, despite all the excellence in catalog management, the overall platform might not be suitable for the business.
Similarly, if you need to create many dozens of sites for different niche market segments, it is important that order management be done by a single organization that can see and work on orders from all sites, rather than one site at a time. If the platform does not provide efficient order management capability, the business might not make use of it because order management costs would exceed any benefits from the increased revenue of targeted sites.
One more example of the need to consider the requirements for the overall platform is with regard to scalability and performance. The platform might enable the business to create sites that the lines of business could only dream about and even provide excellent tools to administer all aspects of the sites. However, the company must also consider such factors as the maximum number of sites that will be necessary, the number of estimated customers using the sites, and the number of orders that will be created on each site. These considerations have nothing to do with the functional aspects of the platform, but they are just as important. If the platform does not scale up to the demand of the company’s sites, or if the sites end up being too slow for customers to use, the platform is useless and the company cannot employ it in its business.
The set of requirements presented in this chapter were accumulated from experience with a large number of situations encountered in the field. By no means do we assert that this list is 100 percent complete, and it is entirely possible that some requirements are not present. Each industry is inherently unique, and even each business within the industry always has its own peculiarities that result in specific requirements. In some cases, we omitted requirements that were deemed not to be sufficiently pervasive and applicable to all situations. It is also possible that you might have additional requirements that we never thought of. Furthermore, depending on each individual situation, a company might find that some requirements in the list here do not apply to it.
However, the list compiled here is a representative collection of the kinds of requirements typically encountered so that you are aware of the breadth of this field.
Site planning is concerned with such tasks as creating new sites, shutting down or “sunsetting” obsolete sites, and assigning administrators to manage sites.
Ideally, creating a new site should require no involvement from the IT organization. In reality, this is hard to achieve, particularly if the new site needs its own domain name. For example, if the company ABC Enterprises has a division that sells a brand of clothing called FamousClothing, ideally the URL to access the brand’s site should be www.famousclothing.com. This means creating such a site requires the registration of a new domain name and all the associated network setup, which is normally the job of IT personnel. Without this IT work, the URL would be incomprehensible, such as www.ABCEnterprises.com/sites?name=FamousClothing.
IT involvement is also unavoidable if the site requires complex customizations, such as modifications to the standard purchasing flow or unique pricing logic not previously supported by the platform. When such IT involvement is required, it is important for the planners to determine whether these requirements are unique to the new site, or whether they could happen frequently with other sites and should be made available in the shared platform.
For example, if a company has already created several consumer-oriented sites and now is looking to create a B2B site, it probably needs to create a new presentation template. Assuming that this B2B site is one of several to be created, it is a good idea for the IT group to develop the new template and make it available to site planners so that the next time a B2B site is created, the company no longer needs IT involvement to help create yet another presentation template.
On the other hand, if the site is developed due to the special needs of a very large customer, it is possible that the site has a unique requirement that cannot possibly be useful in any other situation. In that case, it makes sense to implement such unique requirements only in the context of that site and not make them available to other sites.
Other significant work is involved in the creation of a site, and as much of that work as possible should be done by business rather than IT-oriented personnel. This work includes the actual creation of the site, the selection of presentation template, a decision on when the site opens for business, the specification of various site terms and conditions, a privacy statement, and even uploading any site-specific graphics to be displayed on the pages.
Aside from the initial planning and tasks requiring IT involvement, the actual site creation should be an easy process that does not take more than a few minutes using an administrative console provided by the platform. Subsequent finishing of the site, such as selecting the catalog, setting payment and shipping methods, and so on, can take days or weeks, but site creation itself must be so quick that it does not draw significant resources from the administrators.
Summary of site creation requirements:
• Routine site creation should be a quick, easy, and low-cost process.
• Routine site creation should require little or no IT involvement.
• If IT intervention is required, it should be possible to make a decision whether the new capabilities developed by IT are to be made available to all sites or are to remain specific to the new site.
A site might need to be shut down either permanently or temporarily. Temporary shutdown is used when the intention is to re-activate the site at a later time. Permanent shutdown implies that this site is not going to be made available to customers in the foreseeable future, and hence all associated data can be archived and removed from the database.
A temporary shutdown can be necessary as an emergency measure if major problems are found on the site, such as incorrect pricing or serious errors in catalog information.
We always hope that security is bulletproof. If security breaches do happen, and if the site is maliciously defaced by a hacker attack, a temporary shutdown might be the only way to immediately stop ongoing damage. The site can then be re-activated after the security issue is resolved.
The most typical reason for a temporary shutdown, however, is the need to make major changes to the site, such as to modify the site’s presentation style or to update site-specific business logic. While the changes are being loaded into the site and the modified site is tested, the company needs to temporarily make it unavailable to customers. The site would be re-activated after the loading or testing is complete.
Depending on the implementation of the platform, sometimes a temporary shutdown might be required to load large volumes of data, such as catalog or customer data. For example, if the update operation takes a relatively long time, and during the update the site becomes unbearably slow, it might be better to temporarily shut down the site while the update is going on.
There are many scenarios in which sites can become obsolete and need to be permanently shut down. If a company sells a division, the division’s sites need to be sunset and transitioned to the new owner’s platform. Sometimes sites are transitioned or merged with other sites due to internal reorganization of the parent company or due to acquisitions. Finally, it is possible that a site was originally created for a temporary purpose, such as a seasonal sales campaign or in support of a product launch, and now the site is no longer needed.
In all these cases, the company must have the capability to shut down the site, archive the associated data, and clean it out of the database. Cleaning out the data is important to avoid clutter so that the administrators of the other sites do not get distracted by data that is no longer relevant to them. Archiving and removing obsolete data are also necessary for technical reasons. For example, databases tend to slow down the more data they have; therefore, it is important to remove stale data to ensure the best site performance.
Whether a site is shut down permanently or temporarily, several requirements must be satisfied. Site shutdown must be an easy operation, with no involvement by IT. When a site is shut down, it must not be accessible by customers—even by those users who had already logged on. This is particularly important in case of emergency shutdowns, when many users might be accessing the site, and it is necessary for all access by these users to be rejected immediately.
Customers should never be able to access a shut-down site but instead should be shown an error message. However, if the site is shut down temporarily, it must still be accessible by selected administrative personnel. For example, if the site is shut down because for some reason the prices are wrong, administrators need to fix the pricing data and also to preview the site to make sure that now the current prices are shown. Therefore, the administrators need the ability to make modifications to a site that has been shut down and to preview and test the site. This way, they can fix whatever problem caused the shutdown in the first place.
Another requirement is that the business administrators need to specify the text that appears to users who try to access the site. Such text can be an apology for service disruption, a link to the new home of the site, or information about when the site will re-open.
Finally, a very important shutdown requirement is that shutting down one site should not affect the operation of other sites in any way so that users of the other sites are not even aware of the administrative activity going on in the affected site.
Summary of site shutdown requirements:
• LOB administrators need to be able to shut down a site temporarily.
• Administrators need to be able to shut down a site permanently.
• Customers should have no access to a shut-down site.
• Designated administrators and testers should have access to a site that is temporarily shut down.
• LOB administrators need to be able to specify alternative text that is shown to customers viewing a shut-down site.
• Temporary or permanent shutdown of one site should not affect other sites.
Each site operated on the shared commerce platform must have administrators who are responsible for tasks such as catalog management, marketing campaigns, or order management. An important task typically carried out by central administrators of the platform is that initially, when sites are created, administrators must be assigned to each site responsible for managing each type of information.
Administering an individual site on a shared platform is not much different from administering a site when the platform is not shared. In both cases, typically the responsibilities are divided into a set of roles, and users are created and granted the roles that they need within their areas of responsibility. In addition to having roles, sometimes users might need access to specific resources managed by the site, such as a customer territory or the categories within the catalog that they need to view or to modify. This scenario is illustrated in Figure 8.1.
The main difference introduced when a single platform is used to operate multiple sites is that frequently an administrator requires access to more than one site. For example, a customer service representative might need to create or modify orders for both consumers and business customers, thereby requiring administrative access to both B2B and B2C sites. Another example is a single call center in India that might be responsible for providing service to customers from many English-speaking countries, such as the United States, Canada, the United Kingdom, and Australia. This scenario is illustrated in Figure 8.2.
Sometimes the situation is more complex, and administrators need to be assigned different roles depending on which site they work on. For example, a sales manager on one site might need access on another site; however, on the second site, this administrator does not create orders but only administers existing orders. This scenario is illustrated in Figure 8.3.
The requirement, then, is that when a new site is created, new administrators can be assigned to the site, either by granting the additional access to existing administrators or by creating new ones.
Frequently, it helps to arrange the sites in a tree-like structure, as shown in Figure 8.4. In this example, Administrator 2 manages the products for all the company’s sites. Administrator 4 acts as customer service representative for all sites in Canada. Administrator 1 acts as a sales manager for site 1 and as an order administrator for site 3.
This arrangement makes the management of administrators easier and less time-consuming because by a single assignment we can grant access to many sites. At the same time, this concept of groups of sites introduces a complexity into the structure of the sites; this requires careful initial design to ensure that the structure of this tree of sites suits the company’s needs. Enabling such access to groups of sites also requires comprehensive training of the site planning personnel so that they can determine the correct role assignments that need to be done.
Summary of administrator management requirements:
• Site managers need to create administrators and assign them roles and access rights to resources within a site.
• Site managers need to assign roles and access rights to an administrator for groups of sites.
Typically, each line of business is responsible for administering its own sites and is not concerned with the operation and performance of the other sites the company has. However, the company as a whole must maintain a good understanding of the overall operation of the platform and measure the success or failure of each site. This includes measuring how well the sites service the customers and how well the sites fulfill the objectives set by the business. In addition, even a single division of a company can end up operating multiple sites and might need to obtain reports on the performance of several sites within its domain.
Site planning personnel also need reports to monitor the operation of the overall platform and see whether it is successful in hosting the sites.
Companies have used many approaches to monitor and obtain reports on their commerce sites. Such approaches range from simply generating reports directly from operational data, creating data warehouses, or outsourcing report generation to third-party analytics providers. All these approaches apply to the multisite commerce platform as well, but with one difference: When all the sites are handled in the same platform, it is much easier to monitor them and aggregate information from all the sites. Because all the information is available in a single data source, administrators can easily collect it all and analyze it without running into complicated data collisions and data cleaning issues that many data warehouses have to grapple with when they merge data coming from multiple data sources.
Each business might have the need for different kinds of reports, but the company might be interested in the following kinds of information to compare sites with each other:
• Top-selling sites
• Top-selling products and categories of each site
• Comparison of success of global marketing campaigns in each site
• Comparison of customer visits and purchases among sites
• Comparison of site activity
• Comparison of response times among sites
As is usual with commerce business, no matter how many reports the infrastructure or the reports vendor provides initially, as the business develops, new report requirements will emerge. Therefore, another requirement is for the business to quickly and easily generate additional reports and analyze the data in multiple ways so that they have the ability to both understand the patterns within their business and forecast expectations of future activity.
Summary of reporting requirements:
• Administrators need to monitor activities on sites.
• Administrators need to produce reports on individual sites or on groups of sites.
• Administrators need to compare sites and the activities within them.
• Administrators need to be able to easily create additional reports and have detailed analysis of site behavior.
From the point of view of site flow and presentation, a platform that is used for multiple sites must enable the IT personnel to create several presentation templates and allow each site to select the presentation template appropriate to it. This selection can either take place initially when the site is created, or an extra degree of sophistication could allow the site administrators to choose a different presentation style later during the site’s operation.
Other than choosing the presentation template, each site must have additional options to vary its presentation, such as changing the position of the navigation bar or changing the color scheme. It might also be useful for site administrators to turn on or off certain features of the site. For example, say a B2B company needs the capability for customers to submit requests for a quote, but this is required only for the U.S. and Canadian sites, and not yet supported in Europe. In this case, it would be useful for European site administrators to be able to turn off this feature within the presentation template, whereas in the United States and Canada it would be turned on.
Another important requirement of site presentation is that site administrators must be able to put up messages specific to their sites, such as a welcome message, news announcement, legal disclaimer, or privacy statement. Depending on the sophistication of the operation, the administrators might need these messages to be only text, or they might need to create rich multimedia messages, including graphic images and even video clips or sounds.
Finally, for a truly unique site, such as a site created for a distinct brand, it might be necessary to create a presentation template and style unique to that site and not shared with other sites as a presentation template. Although creating and maintaining the presentation material for such a site would be expensive, doing so might be necessary to maintain the uniqueness of the site, and it would be undesirable to allow other sites to reuse or have access to this presentation template.
Summary of presentation requirements:
• Selection of presentation template by site.
• Ability for site to select features within a template that it needs.
• Ability to create site-specific messages, either simple text or with rich media.
• Ability for some sites to create a unique presentation that is not made available to other sites.
The key requirement for catalog management is that catalog information needs to be shared among sites. However, the sharing of catalog information must not be all-or-nothing, where the entire catalog, including all products and categories, becomes visible on all sites. Rather, catalog administrators of each site must be able to select the categories and even products that should be displayed on their site; alternatively, they might prefer to select the categories and products that should be excluded from that site. This selection of products and categories to be used on a site is the job of the line of business team and should not require any involvement from IT personnel.
Catalog inclusions or exclusions must be pervasive in the site so that an excluded product cannot be shown or purchased in any way on that site. For example, let’s say there is an item called “product A,” and it has a cross-sell called “product B.” Normally, when shoppers add product A to their shopping cart, they are also shown product B. If, however, product B or its category is excluded from the site’s catalog, this cross-sell should not show up even when product A is displayed. Similarly, no advertisements or promotions for product B should be displayed on the site that excludes this product.
In some cases, site administrators need to create and manage products or entire categories applicable only to that site and not shared among multiple sites. For example, such products could be created for the unique needs of a large customer and are made available only on the customer’s site.
These site-specific products might be entirely new, or they can be bundles of products drawn from the master catalog. In either case, when site catalog administrators create such new products, they must be able to create all the associated information that enables customers to search for, view, and purchase the products. For example, they need to place products within the catalog hierarchy, assigning it to the correct categories, and create all the collateral information for the additional products or categories, including any descriptions or rich media, and even create any associated up-sells or cross-sells.
In some cases, such products might need to be visible in more than one site, but not in all sites. In this situation, the administrators have a choice on how to approach this task. They could create the product in the master catalog shared among all sites and then inform all affected sites to exclude the product if they do not want it to be available on their site. Alternatively, it would be useful to create a product or category and share it with only a group of sites. This approach can be somewhat similar to the way administrators need to be assigned to groups of sites, except that the groups of sites here share catalog information rather than administration rights.
Another aspect of catalog data that administrators must manage is pricing. The common platform must allow both the sharing of prices among sites and overriding the prices within a site. Such overrides frequently take the form of a site-specific price list, which is used only within the site. Alternatively, the site might want to make use of the master pricing data managed with the master catalog and provide percentage adjustments, either uplifts or reductions, to other products or categories. The advantage of such percentage uplifts or reductions is that they remove the need for site administrators to manage the price point of each product, allowing them instead to create only a small number of broad rules that are much easier to manage.
Summary of catalog management requirements:
• Multiples sites need to share the same products catalog.
• Administrators of individual sites need to specify the subset of products and categories from the shared catalog that is to be shown on their site.
• Administrators need to create unique products or categories and to place them within the catalog hierarchy of the master catalog.
• Such unique products and categories can be made available to only one site or to a group of sites.
• Products and categories specific to a site or to a group of sites should not be visible within other sites.
• Prices can be shared among sites.
• Administrators can override prices by either site-specific price lists or by rules that result in uplifts or reductions. Such rules can apply to individual products or entire categories.
We have seen two approaches to sharing marketing campaigns among sites. The first is to create marketing collateral centrally and share it among multiple sites, so that creation of marketing activities is easy for all sites in support of global marketing campaigns.
The other approach is to create a marketing campaign and make it appear on all sites, without the involvement of administrators of each site. As we described in Chapter 4, “Sharing and Caring,” this approach is rarely useful but can be applicable for some global campaigns that are limited to advertising. However, even in this case, it might be necessary to create such shared campaigns for only some of the sites—for example, only for sites in Europe, or only for consumer sites but not for B2B sites. Additionally, each individual site must have to ability to opt out of such a campaign; that way, even if the central administrators create a global shared campaign, some individual sites can still have the option of not showing it.
Summary of marketing campaign administration requirements:
• Administrators need to create marketing collateral and share it among all sites.
• Administrators need to create global campaigns and share them among all sites or restrict them to groups of sites.
• Administrators of an individual site need to create marketing activities using the shared collateral information.
• Administrators of a site need to be able to opt out of shared global marketing campaigns.
Order management requirements can vary greatly depending on the reason the business has created multiple sites. For example, typically, for country sites, orders exist in the context of each site and are managed only in that context. Thus, if customer service representatives need to find and modify a customer’s order, it is reasonable for them to first have to go to the site of the customer’s country.
On the other hand, if sites are maintained for each of a company’s divisions, it is more convenient for the company to look for orders and manage them globally across all sites. This way, if customers look for an order, they or customer service representatives would search for it across all sites based on customer’s name, approximate time the order was placed, and perhaps other information about the order, such as the products it contains.
Frequently, both types of order management are required so that some groups of sites need their orders managed together, and other sites insist on having their orders managed separately within their own domain. It is therefore a requirement that the shared commerce platform allows administrators and customer service representatives the option of searching for orders and managing them within a group of sites. The authorized administrator needs to sell all orders within these sites, without having to access each site separately and manage orders within it. At the same time, administrators must also view orders in the context of an individual site.
Summary of order management requirements:
• Order administrators and customer service representatives need to search for and manage orders within the context of a single site.
• Order administrators and customer service representatives need to search for and manage orders within the context of a group of sites.
Often a single customer needs to access several sites operated by a company’s divisions. From the customer’s point of view, such access must be seamless so that she never has to reinput her address or payment information, and the single customer profile is consistently available to all sites the customer uses. If a customer has business contractual arrangements with the selling company, usually the same terms and conditions should be applicable to all sites that the customer uses. Therefore, a requirement for site administrators is to grant a customer access to multiple sites, whether this customer is a consumer or a business.
If a customer’s profile is revoked, that customer loses access to her profile in all the sites she was registered to.
In other cases, however, when customers access different sites, the company prefers them to be completely unaware that these sites are in fact on the same platform. Instead, these customers view the sites as completely unrelated to each other and maintain separate profiles for them.
Summary of customer management requirements:
• Administrators need to be able to grant customers access to a site or to a group of sites, while using a single profile.
• If a customer accesses a site to which her profile has not been granted access, she views it as a completely unrelated site and must establish a new profile in it.
• Revocation of a profile should disallow access by that customer to all the sites for which the profile is registered.
We have discussed that a large commerce operation has a huge volume of data that needs to be regularly updated. We have also described that many different administrators can be involved in updating the data, such as catalog administrators, marketing administrators, and so on. However, typically, the IT infrastructure for commerce sites is set up in such a way that the administrators cannot directly modify the catalog or the marketing campaigns shown on the commerce site. Instead, the administrators create and change data only in what’s known as a staging environment or quality assurance environment. This concept is illustrated in Figure 8.5.
The production environment contains the actual live sites made available to customers. The quality assurance environment contains all the same sites, except they are not made available to customers, but only to personnel involved in administration and testing of sites.
Any necessary changes are normally done by administrators only in the quality assurance environment. Similarly, if a large amount of new or modified data needs to be loaded, this is done in the quality assurance environment. After the administrators have finished changing the sites or creating the new catalog or marketing data, the testers can preview the sites in this environment to make sure that all the changes are acceptable.
Only after the information is tested can it be approved to be made available to customers, which is accomplished by promoting the changes from quality assurance into the production environment.
Companies have used many methodologies and technologies to ensure such quality assurance of commerce data, and here is not the place to elaborate on these technologies. The issue relevant here is that when a single platform is used for multiple sites, most likely the administrators of several sites are editing the data at the same time. Hence, this quality assurance environment and the associated processes must be able to deal with changes happening to multiple sites at once.
The simultaneous administration by all sites makes quality assurance particularly complex. One site’s administrators might have completed a project and now need to start previewing and testing their changes, whereas other sites are not yet ready to test their changes. After a site’s administrators have approved the changes, they will want to propagate them to the production environment; however, in this case, it is vital to make sure that only the approved data is propagated, that is, only the data associated with the site or sites that have been tested.
This multisite quality assurance environment is illustrated in Figure 8.6.
What we see is that the administrators of each site might be working on multiple projects. Any project, when completed, must be tested independently of other projects, and then the changes relevant only to that project and to that site propagated to the production environment.
A more complex situation arises when shared data is being changed, such as the global catalog or collateral used by marketing campaigns in many sites. In this case, changes to shared data will affect all sites that make use of that data. For example, if a new product is added to a category, all sites that have not excluded that category from their catalog will automatically be showing the new product. Therefore, part of the project involving modifying shared data can involve administrators of individual sites making changes necessary to ensure the new data is acceptable within their sites.
Another important aspect of changing shared data is that the changes must be tested in the context of all the sites that make use of that data. Therefore, this project to create or modify shared data must involve quality assurance personnel who have the ability to preview and test changes in the quality assurance environment for any site.
The project for modification of data shared by multiple sites is shown in Figure 8.7.
With such a project, it is not sufficient to simply allow each site to have its own scope of changes, isolated from other sites. Rather, this project involves both central administrators responsible for management of shared data and the administrators of individual sites. Many administrators work on these complex multisite projects simultaneously, and they test and preview the changes in the context of multiple sites. When finally changes are propagated to the production environment, they affect customers on all the sites that make use of the shared data.
Summary of quality assurance requirements:
• Administrators of each site need to work on projects independently of other sites, including making changes, previewing and testing, and propagating the related changes to the production environment.
• Administrators of individual sites need to collaborate with central administrators on projects that involve shared data and that affect multiple sites.
• Quality assurance personnel need to preview changes to shared data within the context of multiple sites.
From the customers’ point of view, site performance is the amount of time that customers have to wait after every click on the site. Similarly, administrative performance measures how fast the site responds to requests by administrators. Every company wants its commerce sites to be as fast as possible. The goal is to ensure that customers are not annoyed by having to wait a long time after each click and also to ensure that administration tasks can be carried out as fast as possible.
Performance requirements for a site hosted by a shared platform along with many other sites are no different from performance requirements for an independently managed and hosted site. However, one aspect of performance is unique to a shared commerce site platform: It has to do with the scalability of the platform or how well the platform responds to the rising traffic on some sites.
Let’s imagine a situation in which two sites share the same platform. One of them is extremely busy, but the other is not heavily used. For example, during the holiday shopping season, you would expect traffic on the consumer site to be really heavy, whereas the load on the B2B site might be average or even relatively low.
In this situation, you do not want to assign the same computing resources to both sites. If you do that, the capacity of the overall system will be sitting unused due to low traffic, whereas the consumer site will be slow because it cannot handle all the traffic. The desired behavior is that the operational environment will automatically adjust itself so that each site has optimal performance at all times.
Another important aspect to consider is that the platform must scale up as the number of sites grows. When each additional site is created, there should be as little impact as possible to the performance of all other sites. In some cases, a company might need to create hundreds, or even thousands, of sites, and it is important that the platform can handle as many sites as the business needs.
Summary of performance and scalability requirements:
• Sites are to perform in such a way that the customers and administrators do not have to wait for a long time to complete their actions.
• Computing resources should be allocated evenly to all sites, so that a lightly used site does not hold up computing power from the busy sites.
• Creation of new sites should not affect performance of existing sites.
When multiple sites share the same platform, resilience can become a key question that the company must address. Each division of the company certainly wants its sites to be available to customers 24 hours a day, 7 days a week. However, in real life, service interruptions can occur. The IT department can anticipate and plan for some interruptions such as system updates. However, interruptions can also happen unexpectedly due to system failures coming from software or hardware, as a result of mistakes by administrators, or even from overload due to unexpectedly high customer traffic on the sites.
What every company division would be afraid of in the shared environment is that its site would become nonoperational, or down, due to conditions caused by other sites. The following example describes a possible situation in which a defect in one site can adversely affect all other sites on the platform.
Example of Defect in One Site Affecting Other Sites
Imagine that the administrators of one of the smaller sites that normally has relatively little revenue decide to load additional product data for a new product line. They prepare a large file containing the new products and the corresponding attributes of each product. To load this data, they use a new utility written by a high school student on a summer job. This utility generates the product input file from the product spreadsheet. The product spreadsheet contains all the information about the products, including prices, descriptions, and attributes. This utility generates an input file of new products, and the administrators start importing the data and go for lunch.
The utility has a defect: The file it generates contains millions of “dead” attributes for each product. This defect was never noticed because the dead attributes are never displayed.
The administrators start importing the data and go for lunch. When they come back, the data is imported; they preview it and see that all the products are there, and they are displayed correctly in the quality assurance environment. The administrators approve the changes, and soon the new products are propagated to the production environment. What they don’t know is that they have imported not only the data that was previewed and approved, but also the large volume of “dead data” that is never displayed but is nevertheless present in the database.
After the data is propagated, the database of the production environment has hundreds of millions of new attributes that are not visible to customers. Search speed can be easily affected by the number of entries to search through. Hence, if a customer is looking for a product with a particular value of a “real” attribute, searching can become excruciatingly slow because the database must look through huge volumes of data.
Because all sites are actually sharing the same database tables that keep product data on the platform, this search performance issue will affect all sites, even the ones that have nothing to do with the defective catalog load utility and that do not sell or display any of the affected products.
This scenario shows how mistakes made on one site could negatively affect other sites. The worst case scenario, of course, occurs when a problem with logic or data that is specific to one site causes the entire platform to go down, which can cause enormous losses to the company.
It is therefore extremely important for the shared platform to ensure resilience, where problems are confined to the scope of a small number of sites but do not affect all sites. A number of techniques can be employed to promote such resilience, which can take the form of instituting operational procedures to be followed by administrators, of rigorous quality control, and of software- or hardware-based techniques.
The other aspect of resilience is that following a system shutdown, either planned or accidental, IT personnel should restart all sites quickly and easily. We definitely want to avoid a situation in which each site must be started manually one by one, but rather all sites should be made operational with a simple procedure.
Summary of resilience requirements:
• Failure in one site should not affect other sites.
• IT personnel needs to stop and start all sites easily.
In any business system, whether computer based or manually operated, security should never be treated as an afterthought but must be considered at the earliest stages of system development. When many sites share the same platform, security of information among sites is not just important, it is absolutely essential for the platform to be usable by the company.
The question of commerce site security has been made famous by such lapses as loss of personal and credit card information, hacker attacks and site defacements, and malicious administrators. Here we focus only on the issues created by having multiple sites reside on the same platform. Security issues can be classified by their origin—namely, issues originating with a site’s real or malicious customers, with real or malicious administrators, and with healthy or defective computer systems.
With regard to a site’s customers, their expectation is that their activity on the site cannot be tracked by or known to other customers. With a shared commerce platform, an additional intuitive expectation is that their behavior on one site is not tracked or visible on another site. In a poor implementation, such customer visibility can be overt; for example, after having registered on one site, customers can access another site with the same profile. As we described in Chapter 4, this capability can be useful in some scenarios, but sometimes it can cause confusion and even resentment by customers who are surprised that their private profile information has somehow found its way into a different site. After all, the customers might not know or care that the sites are all owned by one company; all they care about is the privacy of their information!
Another requirement for the business is that while customers access one site, they cannot derive any information about another site. For example, while accessing a site’s catalog, the customers should have no way of knowing about products excluded from this site or made available only to another group of sites. Similarly, customers of a site should be unable to view marketing campaigns or any other material that is not made available on the site they are looking at.
In some cases, this isolation of information between sites is hard to achieve. This can be the case, for example, if the entire platform has a single set of user IDs selected by the customers at registration. Imagine the case of a customer named John Jedediah Smith, who has already registered on the site of one of the company’s brands and chose for himself the user ID jedediah, a clearly infrequently used ID that is easy for him to remember. In fact, this person uses this uncommon name on all the sites where he registers and has never encountered a situation in which the user ID is already taken by someone else.
This customer now wants to register on the site of another brand and selects the same user ID. However, unbeknown to Mr. Smith, the second brand’s site is using the same platform as the first brand, and he is informed that this user ID is already taken! In this situation, Mr. Smith might be surprised to find out that another person uses the same rare user ID.
This situation can be prevented in several ways—for example, if the platform tracks not only the user ID, but also the site where it is used, thereby avoiding user ID collisions. The designers of the shared platform must carefully foresee such situations and make decisions whether the possible exposure of information is important enough to worry about or whether it is insignificant and can be ignored by the company.
Summary of customer security and privacy requirements:
• Customers of each site should be unable to determine the existence of other sites on the same platform.
• Customers of each site should be unable to access any information excluded by the site’s administrators or not made available to the site.
• Customers of each site should be unable to derive information about customers of other sites.
• If a customer is granted access to multiple sites, that customer can use the same profile within those sites.
Just like customer security, administrative security is concerned with isolation of information among sites; however, it focuses on access to information by the administrators of the sites. The general rule is that data shared by multiple sites must clearly be visible to administrators of all the sites. For example, administrators of all sites must see the global catalog to make decisions on which categories are to be excluded in their context.
At the same time, data created in the context of only one site or in the context of a specific group of sites should be inaccessible by administrators of any other sites. For example, if a product is created only within one site, the administrators of other sites should be unable to see that product.
There is an additional aspect to administrative security that is important when a single administrator has the right to manage information in multiple sites. It is possible that the administrator’s roles in the various sites are different. Let’s say that an individual administers the catalog in one of the sites, which means that he can view the global catalog information that all sites share and any products or categories specific to that site.
This catalog administrator can both view and modify product information specific to that site. However, the scope of authority of this catalog administrator extends only to his site, which means that he does not have the right to alter the shared catalog information. Instead, he can only view the shared catalog information, but not modify it. The administrator should be able to specify exclusions or inclusions of products or categories within his site.
We thus see a complex arrangement in which an administrator has different access rights to different catalog data, depending on whether the data is owned by the administrator’s site.
However, if the catalog administrator also has the appropriate role assignment to administer the global catalog, it might be reasonable to give him the ability to modify both site-specific and globally shared data.
There can be other examples of differences of access to data in different sites. For example, a single administrator’s role might be to manage orders on one site but also to provide customer service on another site. In this case, we see that an administrator’s role is not absolute but must be qualified by the sites where this role applies.
In the most complex scenario, it is possible that different sites do not even have the same set of roles. For example, the B2B sites can have such roles as customer account manager and contract administrator, which do not exist in consumer sites. There is a requirement, therefore, for each site or group of sites to manage the set of roles that they have and to assign these roles to administrators.
Summary of administrative security requirements:
• Administrators cannot see data created for a site to which they have no access.
• Each administrator can be assigned multiple roles, with different roles applying to different sites or groups of sites.
• Each site or group of sites can decide which roles are applicable to them, and only administrators with these roles would have access to the relevant information in the sites.
• If an administrator is working in the context of a site, he should be unable to modify shared information used by that site, unless he has the appropriate role with regard to shared data and has the authorization to modify such data.
Both customers and administrators have the ability to read information on the commerce site and to either modify that information or create new information. As we described, security is necessary to protect both customers and administrators from possible misuse or malicious use of the commerce site. In addition, there are aspects of security that are difficult to describe as being unique to either customers or administrators but are more related to the system as a whole.
One such aspect of security is the use of secure connections (for technologically minded readers, this is a type of connection that uses the HTTPS protocol). With normal HTTP Web connections, information that the customer or administrator is submitting to the site and that the site is sending back is clear-text; that is, anybody monitoring the communication can easily read the content. Using clear-text is typically acceptable if customers are simply looking at publicly available information, such as a consumer catalog. However, the sensitive portions of the site that contain personal information such as address books, order history, or payment information must be protected by encrypting the data transmitted through the network between the customer and commerce server. Encryption is normally accomplished by requiring the secure portions of the site to use HTTPS connections.
The complexity comes when the multiple sites that share the same platform have different requirements for which portions of those sites require an extra level of security. For example, typically for consumer sites, secure connections are used only when personal or order information is shown, whereas catalog browsing is done with clear-text. However, for B2B sites in which even product information and pricing might be unique to a customer, the company might need to use HTTPS for all access to the site.
We therefore see that for a multisite platform there can be a requirement to define the portions of each site that are secure and the portions that are not secure. Usually, it is not necessary to change this specification every day, so often this specification of levels of security for each portion of the site can be incorporated in the presentation template that the site makes use of.
One final requirement we classify as security has to do with auditing of site activity. All commerce sites require some level of reliable and provable audit so that in case of dispute it is possible to clearly ascertain whether a transaction took place and what the details were. Say a sales representative gives a business customer a discount based on a previous relationship with that customer. When the order is fulfilled, however, the customer expresses dissatisfaction, claiming that the price quoted on the phone when placing the order was lower than the price actually charged. In this case, an audit trail would greatly simplify the resolution of the dispute by showing proof of the price quoted and evidence of the customer’s acceptance of it.
Such audit requirements are not specific to the shared platform for multiple sites; however, with a shared platform there can be additional audit requirements. One requirement is that each site must specify the level of auditing necessary. Typically, for example, consumer sites use much less auditing than B2B sites because auditing slows down the site, can consume large volumes of storage, and is unnecessary for most simple purchases. On B2B sites, however, purchases can be of high value and are governed by complex business rules. Therefore, on such sites, it is important to preserve auditable records about all commerce transactions that take place.
Summary of system security requirements:
• Ability to designate the portions of the site that require encryption to access by either customers or administrators.
• Ability to determine which transactions require an audit trail for each site or group of sites.
In this chapter we described some typical requirements that must be satisfied so that a multisite commerce platform can serve the needs of a large company. Each area of requirements is important, and a company must consider all the requirements to determine the suitability of a proposed platform.
The requirements we discussed came from the following areas:
• Site Planning
• Site Presentation
• Catalog Management
• Marketing Campaigns Administration
• Order Management
• Customer Management
• Quality Assurance
• Performance and Scalability
• Resilience
• Security and Privacy
We must again emphasize that this is not intended to be a complete list of requirements applicable to all companies, and indeed it would be futile to attempt to create such a list. Instead, we focused only on those aspects of requirements that are usually necessary to enable a company to use a single commerce platform for its multiple commerce sites.