Email Template Tag (BVC 2004 upgrade to BVC 5)
Rank: Member
Joined: 8/4/2004(UTC) Posts: 35
|
BVC 2004 email templates had tags to link to downloads - I used [[downloadlink]] in my New Order notification email. I don't see a similar tag for templates in BVC 5. Am I missing something?
I am particularly concerned about the situation of an anonymous user purchasing a download from my site. I want to provide them as much opportunity as possible to locate the download link without contacting our customer support. Since they don't have an account to log into to see order history, I at least want them to have a download link on their order confirmation email.
Thanks in advance. |
|
|
|
|
Rank: Administration
Joined: 4/2/2004(UTC) Posts: 2,393 Location: Hummelstown, PA Thanks: 6 times Was thanked: 163 time(s) in 158 post(s)
|
I'm not sure that there is a download link...in that case you could either disable anonymous checkout or customize your store to include the download link. |
Aaron Sherrick BV Commerce Toll-free 888-665-8637 - Int'l +1 717-220-0012 |
|
|
|
Rank: Member
Joined: 8/4/2004(UTC) Posts: 35
|
Thanks. Wish it was a different answer. ;o) |
|
|
|
|
Rank: Member
Joined: 12/23/2003(UTC) Posts: 909
|
Speaking from experience through a couple BV5 stores, lasted about a week with anonymous checkout....
It's a great feature but it's not as groomed as it should be. Without the account, the customer is literally lost in the database.
Requiring a user account solved all of the issues and there really hasn't been any protest from the customers.
My two cents is to disable anonymous checkout to relieve yourself of the issues it's going to create.
You can set up the single page checkout workflow to require an account and it's smooth sailing. |
|
|
|
|
Rank: Member
Joined: 8/4/2004(UTC) Posts: 35
|
That's really interesting feedback, Matt. Practice is always different than theory. I do know we get customers whining all the time about how they have to create an account in our store. I've never quantified our abandoned carts so don't know what this means financially.
I guess you are saying that the implementation in BV of anonymous checkout is lacking somehow?
Just wondering if you might share more of an example. I would imagine that a customer can email support and we could look them up via email address or name to find their orders and figure out the issues - as long as we didn't get too many of these kinds of requests. Was it the non-stop customer support requests? Would love to get a handle on this as I was looking forward to implementing anonymous checkout, but I will also do most anything to minimize our customer touch costs. |
|
|
|
|
Rank: Member
Joined: 12/23/2003(UTC) Posts: 909
|
I would get phone calls from my client and it would be a flustered confusion of how to find a customer's order. It made them look awkward when on the phone. The customers would call to check the status of their order. Not being able to find the orders promptly turned into further errors. This all happened within a week of switching the site from BV2004 to BV5.
We're talking more than a year ago, to be honest, there were one or two specific things that were happening that added a speed bump to the process.
The prominent one was there is no way for a customer (that checked out anonymously) to check the status of their order. Without the account created, there is no true "link" to the order and the customer.
I know there were multiple threads on the topic and the end result of using the one page checkout with anonymous checkout enabled, was to add the require user login to the one page checkout workflow.
There were several submissions for feature enhancement suggestions that I believe we'll see in future versions. I cannot speak for BV5 and whether or not we'll see it improved.
I am a fan of the anonymous checkout process as I do this on certain websites that I know I'm going to get barraged with email after email after email and it seems to me that this process has helped keep that stuff at bay.
Great feature, just needs some tweaks in my opinion. |
|
|
|
|
Rank: Member
Joined: 8/4/2004(UTC) Posts: 35
|
Thanks for sharing that. I guess it is a pretty straightforward matter to just disable anonymous checkout if it ends up not working out? |
|
|
|
|
Rank: Member
Joined: 12/23/2003(UTC) Posts: 909
|
Attached is a visual.
Dashboard > Options > Orders
1. 1 page checkout
2. force email on anonymous checkout
Edit Workflows (link in dark green bar)
1. edit "Checkout Started" workflow
2. Drop Down box, select "Require Login Before Checkout"
3. click new button once selected
All in all though, the only thing that's missing is the ability for an anonymous user to check their order status. Be it enter an order # and email address, "find order" button. I'm sure there are capable developers in the community to tackle it and it may be worth it in the end if your user base is asking for it.
Matt@9BallDesign attached the following image(s): Untitled-1.jpg (95kb) downloaded 53 time(s). |
|
|
|
|
Rank: Member
Joined: 12/23/2003(UTC) Posts: 909
|
To add to this enhancement, here's a visual from a website. I think this would be nice to see on the Login.aspx page as well as the Customer Service menu content block. To find my order on the website, I clicked an "Order Tracking" link which was in a Customer Service section and was also provided in the email receipt.
Matt@9BallDesign attached the following image(s): sample.png (15kb) downloaded 44 time(s). |
|
|
|
|
Rank: Member
Joined: 11/25/2003(UTC) Posts: 370
|
My partner Jason and I took a quick look at order look-up for anon users that did not log-in or create an account on BV5. Looks like this was already there although not working at all until we made a couple small changes. This is a V5.4 website.
So, has anyone built on this yet for BV5? I suppose it could be combined with a log-in as well. |
|
|
|
|
Rank: Administration
Joined: 4/2/2004(UTC) Posts: 2,393 Location: Hummelstown, PA Thanks: 6 times Was thanked: 163 time(s) in 158 post(s)
|
Cool! Any thoughts on the security of just requiring an order number and zip code? Seems a bit more hackable than using an email address as part of the validation process. Although, I guess the thinking is that depending on your admin settings email can be an optional field. |
Aaron Sherrick BV Commerce Toll-free 888-665-8637 - Int'l +1 717-220-0012 |
|
|
|
Rank: Member
Joined: 12/23/2003(UTC) Posts: 909
|
I pulled this example from potterybarn.com
Hackable? Not sure. A mega-multi-million dollar company went this route.... doesn't mean we have to follow them, but if they're doing it with only a zip code and order number... adding the third option might just be too many? |
|
|
|
|
Rank: Member
Joined: 11/25/2003(UTC) Posts: 370
|
I think the zip and orderID are good. The only thing you might consider adding is a CAPTCHA. |
|
|
|
|
Rank: Administration
Joined: 4/2/2004(UTC) Posts: 2,393 Location: Hummelstown, PA Thanks: 6 times Was thanked: 163 time(s) in 158 post(s)
|
I wasn't necessarily thinking of adding a third element, but perhaps opting for email address over zip code. For example, if I wanted to hack the system, I could place an order using an invalid credit card (or stolen one) to get the current order number. Then I could work backwards from there using major metropolitan zip codes (i.e. NY, LA, etc). An email address would be more secure in this scenario. How likely is this? Probably not that likely, but it's worth mentioning... |
Aaron Sherrick BV Commerce Toll-free 888-665-8637 - Int'l +1 717-220-0012 |
|
|
|
Rank: Member
Joined: 12/23/2003(UTC) Posts: 909
|
I understand what you're saying, but what are you hacking for or trying to hack into?
If you place an anonymous order with a stolen card, you won't get a successful order when the card processor returns an AVS mismatch. You need to have an AVS match in order to get an order number. In this case, correct zip code.
Am I missing it? |
|
|
|
|
Rank: Administration
Joined: 4/2/2004(UTC) Posts: 2,393 Location: Hummelstown, PA Thanks: 6 times Was thanked: 163 time(s) in 158 post(s)
|
Originally Posted by: "Matt@9BallDesign"
I understand what you're saying, but what are you hacking for or trying to hack into?

Customer names, email address, and billing & shipping addresses. I don't think you could get to any payment info, except maybe the last 4 digits of a credit card number. But, consider the value of this information to a competitor. It would be possible to write an automated process that could extract all the customer contact info from the major metropolitan areas (in theory you would go through all zip codes, assuming the ISP doesn't catch on).

Originally Posted by: "Matt@9BallDesign"
If you place an anonymous order with a stolen card, you won't get a successful order when the card processor returns an AVS mismatch. You need to have an AVS match in order to get an order number. In this case, correct zip code.

That's not true in all cases. For one, the merchant may not have AVS turned on with their payment gateway. Second, the default behavior of BV is not to reject invalid credit cards. Even if you have those two items wrapped up, if your goal is to steal information rather than product, why not use a stolen card's real address info? |
Aaron Sherrick BV Commerce Toll-free 888-665-8637 - Int'l +1 717-220-0012 |
|
|
|
Rank: Member
Joined: 12/23/2003(UTC) Posts: 909
|
Right but what I don't understand is that you're using a stolen card to create an order. Hypothetically.
There is no account history for anonymous orders. So when you go to hack the store, you're hacking your own order. So.... you already know all the info you need to access the invalid order you placed. What's the value?
Now... if you learned a zip code and an order number of a different customer. Then yes... you can now get some useful information and see that asking for an email to access an order would be useful. |
|
|
|
|
Rank: Administration
Joined: 4/2/2004(UTC) Posts: 2,393 Location: Hummelstown, PA Thanks: 6 times Was thanked: 163 time(s) in 158 post(s)
|
Originally Posted by: "Matt@9BallDesign"
Now... if you learned a zip code and an order number of a different customer. Then yes... you can now get some useful information and see that asking for an email to access an order would be useful.

You gotta think like a hacker, Matt! :) The reason I was saying to place a test order is so the hacker can see the order number format and get the latest order number. Then they would write an automated process that would start at that number and count backwards, trying major metropolitan zip codes with each order number until it found a match. Here's some pseudo code to maybe help illustrate this...

Code:
orderNumber = myNewOrderNumber
While orderNumber > 0 {
    For Each zipCode in metropolitanZipCodeList {
        If TryToHackAccount(orderNumber, zipCode) = True {
            StealCustomerInfoAndSaveInCompetitorDatabase()
            Exit For
        }
    }
    orderNumber = orderNumber - 1
}
You couldn't do this if an email address was used instead of a zip code. Kim also mentioned using a CAPTCHA. That should help discourage this. |
Aaron Sherrick BV Commerce Toll-free 888-665-8637 - Int'l +1 717-220-0012 |
|
|
|
Rank: Member
Joined: 12/23/2003(UTC) Posts: 909
|
I say give it a shot on pottery barn and see if they stop your attempts after 3 fails. |
|
|
|
|
Rank: Member
Joined: 11/25/2003(UTC) Posts: 370
|
Cool, yep let us know Matt. I am leaning towards including the email address. Another benefit of using the email address is you could send back a list of order numbers. Did that at one client's site. |
|
|
|
|
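The mitigations raised in this thread (matching on e-mail address instead of zip code, and stopping after 3 failed attempts), sketched as an added example that is not code from any poster or from BV Commerce. The class name `OrderLookup`, the sample orders, the 15-minute window and the response fields are all assumptions made for illustration.

```python
import hmac
import time

# Constructed sample orders; a real store would query its order table.
ORDERS = {
    "10482": {"email": "pat@example.com", "status": "Shipped"},
    "10483": {"email": "lee@example.com", "status": "Processing"},
}

MAX_FAILS = 3          # failures tolerated per throttle key inside the window
WINDOW_SECONDS = 900   # assumed 15-minute sliding window


class OrderLookup:
    def __init__(self, orders, now=time.monotonic):
        self.orders = orders
        self.now = now
        self.fails = {}  # throttle key -> timestamps of recent failures

    def _locked(self, key):
        # Drop failures that have aged out, then check what is left.
        cutoff = self.now() - WINDOW_SECONDS
        kept = [t for t in self.fails.get(key, []) if t > cutoff]
        self.fails[key] = kept
        return len(kept) >= MAX_FAILS

    def find(self, client_ip, order_number, email):
        # Throttle on both the caller and the order being guessed at.
        keys = (("ip", client_ip), ("order", order_number))
        if any(self._locked(k) for k in keys):
            return {"ok": False, "error": "locked"}
        order = self.orders.get(order_number)
        # Compare against a dummy value when the order does not exist so that
        # "no such order" and "wrong e-mail" follow the same path and reply.
        expected = order["email"] if order else "invalid@invalid.invalid"
        supplied = email.strip().lower().encode()
        match = hmac.compare_digest(supplied, expected.lower().encode())
        if order and match:
            return {"ok": True, "status": order["status"]}
        for k in keys:
            self.fails.setdefault(k, []).append(self.now())
        return {"ok": False, "error": "not_found"}
```

Throttling on the order number as well as the client address is what limits guessing spread across many addresses; the cost is that a third party can temporarily lock a real customer's lookup. The "locked" branch is also the natural place to require a CAPTCHA instead of refusing outright.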