25 Feb 2014

New technology helps garden centres make & save money

Garden centres can benefit financially from our latest Electronic Point of Sale (EPoS) technology.

All our software is created in-house specifically for garden centres and nurseries and it allows them to improve their efficiency, reduce errors, increase security and increase turnover and retention.

One of the key areas where garden centres can make money from the system is by using it to record and target customers thus making marketing effort much more effective. Our EPoS system allows people to create loyalty schemes and give discounts to specific customers.

We can install a real-time set up that sends accurate product data to and from tills and master/back office as and when it happens. It can record accurate sales data using simple screen layouts, programmable touch screen keys and multiple button sets/layers.

The most important two aspects are how the system helps minimise errors associated with complex promotions, such as multi buys and mix and match offers, as it automatically calculates them. It also helps increase security by providing an audit trail of changes.

10 top tips for creating an e-commerce site

E-commerce is a very competitive field because your rival is just a click away. If a customer doesn’t like your site, they will simply look for another to buy the products they require from. Therefore, your website needs to be as usable and as customer-friendly as possible.

Make sure the design you choose complements your products and is easy on the eye.


If customers get confused navigating your website they aren’t likely to buy from you regardless of whether your prices are very low or you have the best products in the market.

Try to think like a consumer and put your products in more than one category. By making your goods and services easy to find, people are going to be inclined to purchase more.


It is important to use clear, colourful images of your products as people like to have an idea of what the product looks like before they buy. Try not to use large images as this means the page will take longer to load and people will be put off waiting.


People don’t want to read really long product descriptions. A good rule of thumb is to keep headlines to eight words or fewer and to keep sentences short. Aim for summaries of 30 words or under and keep paragraphs to no more than 70 words.

It is also important to use simple language that is easy to understand. Avoid the jargon, even if you are selling to the trade.

The description of a product plays an important part in selling it, yet it is often the most undervalued part of building an e-commerce site. The description needs to be targeted and persuasive, and it also does the SEO work for the e-commerce website. Your descriptions work as your salesperson.


When there is a problem most customers will prefer to have someone they can talk to, so putting a phone number in a visible place on your site is a good idea. Feedback forms put people off.

Be clear

Make sure you display clear pricing, shipping and returns information. There is nothing worse than getting to the checkout only to find out that it is going to cost more than you thought it would.

Create loyalty

Repeat custom is vital to a business so it is important to create customer loyalty. Creating a newsletter on email so you can keep in touch with your existing customers is also an excellent sales device and gives customers the opportunity to take advantage of your latest offers before everyone else.


More shoppers are using their smartphones or tablets to browse or buy products online, so it is important to make sure your site is compatible with mobile devices.


Internal links are a great way to improve your site’s SEO. For example, if you have a blog on your site you can link back to products when appropriate. 

Promote your site

It is important to leave yourself plenty of time to build your website before your launch date. Also, make sure you factor in for delays.

Many people are of the belief that once the site is live they can sit back and wait for people to find them. However, this is not the case and as with any business you need to promote it so people become aware of you. Even when you do start to make sales, you still need to keep this momentum up.

24 Feb 2014

Hi-tech café culture helps with sales

Garden centres with restaurants and cafés looking to improve their customer service and sales should be embracing new technology.
The implementation and better use of EPoS (Electronic Point of Sale) systems can benefit garden centres tremendously when it comes to customer flow.

These days it’s quite uncommon to visit a garden centre that doesn’t have its own restaurant or café but a lot of garden centres aren’t making the most of technology within them, which can help themselves and their customers.

We have three systems that cafés and restaurants can benefit hugely from: the standard checkout service, which allows customers to serve themselves and queue up to pay at the end; the table allocation service, which is table-number driven; and the waitress-centred table service.

By linking them directly into the kitchens where orders are printed out, service is much quicker, thus improving customer feedback and the number of diners that can be served.

All of our software is created in-house specifically for garden centres and nurseries and it allows them to improve their efficiency, reduce errors, increase security and turnover and retention.

Restaurant EPoS systems are extremely user-friendly and include touch screen technology. We can install a real-time set up that sends accurate product data to and from tills and master/back office as and when it happens. It can record accurate sales data using simple screen layouts, programmable touch screen keys and multiple button sets/layers.

They will make the running of the restaurant or café much more efficient and we can arrange installation and staff training too.

We can also link EPoS systems with our various loyalty card schemes, which encourage customers to keep coming back. With the schemes restaurants and cafes can benefit from increased customer retention and spend.

The Easitill Loyalty schemes can also be used in the rest of the garden centre so that customers’ points are earned not only in the restaurant but across the various parts of the business as a whole.

18 Feb 2014

Joe Awome to handle pre and post sales customer support for the South West, North West and Wales.

We have appointed Joe Awome to handle pre and post sales customer support for the South West, North West and Wales.
In his new position the 39-year-old will deal with all aspects of customer support before and after the purchase of an Easitill system, as well as installation and training.

Joe said: “I am pleased to have secured my new role with Easitill and I’m looking forward to helping the company progress.

“My day-to-day duties include dealing with a variety of support calls from customers, installing new systems at garden centres and training customers on how to use our software.”

Prior to his role at Easitill Joe worked for Retail Systems Group in a similar position and before that was in the Royal Marines for six years where he completed a computer engineer course.

Joe, who is married with two children, enjoys coaching an under 14s football team and playing poker at a semi-professional level.

Our Managing Director, Rob Gardner, said: “We would like to congratulate Joe on his new position in the company. We look forward to working with him to develop the future of the business and our systems.”

14 Feb 2014

PCI Compliance & Websites

What is Payment Card Industry Data Security Standard (PCI DSS)

  • PCI compliance is there to ensure that cardholder data is not stolen and shared around the internet. As a store holder, if you take card payments of any kind either via your website, over the phone or via a card machine, it is your responsibility to make sure your customers’ data is protected.
  • PCI DSS compliance is a standard set out by the PCI Security Standards Council (PCI SSC) https://www.pcisecuritystandards.org that is designed to help you comply with the laws that protect the storage of sensitive cardholder information. PCI compliance is not itself a law but compliance with this standard will help you avoid the risk of prosecution under the Data Protection Act - http://www.legislation.gov.uk/ukpga/1998/29/contents.
  • Account data consists of:
    • cardholder data
      • Primary Account Number (PAN) – the long number on the front of the card
      • Cardholder name
      • Expiration date
      • Service code – data contained within a card’s magnetic stripe or chip that tells a terminal the process to follow when processing a transaction.
    • sensitive authentication data
      • Full magnetic stripe data or equivalent on a chip
      • CAV2 (JCB) / CVC2 (Mastercard) / CVV2 (Visa) – the 3 digit card security code
      • CID (AMEX) - 4 digit security code printed on the front of the card
      • PINs/PIN blocks
  • Under no circumstances are you permitted to store sensitive authentication data. The PAN must always be stored in an unreadable form. The cardholder name, service code and expiration date can be stored in a readable form.
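As an added example (not Easitill’s code and not part of the original article), the Python below applies the storage rules just listed: it refuses sensitive authentication data outright, keeps the PAN only as a truncated display form plus a keyed HMAC token, and scans a constructed log line for any PAN that has ended up stored in readable form. The demo key, the field names and the test card number are assumptions of the example.

```python
"""Added example (not Easitill's code): apply the PCI DSS storage rules above.
Sensitive authentication data is refused, the PAN is kept only unreadable
(first six/last four plus a keyed HMAC token), and a Luhn-checked scanner
finds PANs that have ended up readable in logs."""
import hashlib
import hmac
import re

# Constructed demo key; a real deployment keeps this in an HSM or secrets store.
DEMO_KEY = b"demo-hmac-key-not-for-production"
# Assumed field names for sensitive authentication data (SAD); never persisted.
SAD_FIELDS = {"cvv2", "cvc2", "cav2", "cid", "track1", "track2", "pin", "pin_block"}


def digits_only(value: str) -> str:
    return re.sub(r"\D", "", value)


def luhn_ok(pan: str) -> bool:
    """Mod-10 check that every real PAN passes; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first six and last four digits, the most PCI DSS lets you display."""
    pan = digits_only(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes = DEMO_KEY) -> str:
    """Keyed one-way token: lets you recognise a returning card without storing the PAN."""
    return hmac.new(key, digits_only(pan).encode(), hashlib.sha256).hexdigest()


def storable_record(account_data: dict) -> dict:
    """Keep only what the article allows in readable form; refuse any SAD."""
    present = SAD_FIELDS & {k.lower() for k in account_data}
    if present:
        raise ValueError(f"must not store sensitive authentication data: {sorted(present)}")
    pan = digits_only(account_data["pan"])
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("not a valid PAN")
    return {"pan_masked": mask_pan(pan), "pan_token": pan_token(pan),
            "cardholder_name": account_data.get("cardholder_name"),
            "expiry": account_data.get("expiry"),
            "service_code": account_data.get("service_code")}


# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_readable_pans(text: str) -> list:
    """Scan log or file text for Luhn-valid card numbers stored in readable form."""
    return [digits_only(m.group()) for m in PAN_CANDIDATE.finditer(text)
            if luhn_ok(digits_only(m.group()))]


# Constructed log line using the standard Visa test PAN 4111 1111 1111 1111.
SAMPLE_LOG = "2014-02-14 10:02:11 order=1042 card=4111 1111 1111 1111 cvv=123 status=ok"
```

Running find_readable_pans over real till or web-server logs is a cheap check that the virtual-terminal rule about never writing the PAN down in readable form is actually being followed.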

Do I need to be PCI DSS compliant?

When it comes to online payments you have broadly 2 options:
  1. You can take card payments and store account data on a 3rd party’s website known as a hosted payment gateway. The 3rd party will store, process and/or transmit account data, you will use their Merchant ID to collect the money and you will simplify your PCI DSS compliance. There are different types of hosted payment gateway:
    1. The redirect method takes the customer to another web page and returns them to your site once they complete payment.
    2. The iframe method puts a payment form that's fully hosted by your payment service provider inside a page on your website. The customer does not leave your website but your PCI DSS compliance is simplified, since you're still not storing, processing and/or transmitting account data on your server.
    3. The direct post method uses a form on your website but sends the data directly to the payment service provider thereby not storing any data on your server. The customer does not leave your website, so your PCI DSS compliance is still simplified.
  2. You can take payments directly on your website by storing, processing and/or transmitting account data on your server. You will need your own Merchant ID and will be required to comply with a higher level of the PCI DSS.
Option 2, storing account data on your server, comes with considerable additional costs due to the legal requirements for data protection.
As such Easitill use only option 1a outlined above and integrate with 3rd party PCI compliant hosted payment gateways such as SagePay, Paypoint, WorldPay and Barclaycard.

Costs for taking payments on your website using a hosted payment gateway

  • Cost of the payment service provider charged as either:
    • a fixed monthly cost plus a flat and/or percentage fees per transaction.
    • or no monthly cost with slightly higher flat and/or percentage fees per transaction.
  • Though an SSL certificate is often not required it does give customers an extra sense of security and so can be beneficial.

Additional costs incurred in order to take payments directly on your website thereby storing, processing and/or transmitting

  • Payment processor monthly fee.
  • Flat and/or percentage fees per transaction.
  • Merchant ID monthly fee.
  • Potentially paying a Qualified Security Assessor (QSA) to audit your systems.

Which Self-Assessment Questionnaires (SAQ) do you have to complete?

The minimum PCI DSS requirement is to fill out the PCI DSS Self-Assessment Questionnaire (SAQ) A and the accompanying PCI DSS Attestation of Compliance (AOC) for SAQ A, and to retain copies of the completed forms for presentation if requested. This is all you have to do if you fulfil all of the following requirements:
  • Process less than 10,000 transactions a year.
  • Do not store any card payment details on your site.
  • Use only PCI compliant service providers.
  • Do not use offline payment methods such as a pdq machine or a merchant terminal.
  • Utilise no system components that are included in or connected to the cardholder data environment.
If you do not fit any one of the above criteria then you will have to fill out additional forms according to the following criteria:
  • SAQ A – E-commerce, mail or telephone order merchants that do not store cardholder data (CHD). All cardholder data functions are outsourced. This does not include face-to-face merchants.
  • SAQ B – Merchants that do not store electronic cardholder data. Instead, this applies to merchants that use an imprint machine to copy cardholder information. Also applies to standalone, dial-out terminal merchants.
  • SAQ C-VT – Web-based virtual terminal merchants that do not store electronic cardholder data.
  • SAQ C – Merchants that use a payment application system connected to the Internet and do not store electronic cardholder data. If using a software vendor for the payment application system, they must take security measures to ensure the app meets PCI compliance.
  • SAQ D – This includes all of the other merchants that aren’t included in the above categories, including all service providers defined as eligible to complete an SAQ and approved by a payment brand.

What do you need to know most about PCI compliance as a website owner?

  • PCI DSS only applies if the long number on the front of the card is stored, processed and/or transmitted.
  • The long number on the front of the card (PAN) must always be stored in an unreadable form.
  • PCI DSS only applies if PANs are stored, processed and/or transmitted (PCI DSS v2, page 8). For small merchants it is easy to minimise your PCI DSS compliance by isolating (segmenting) the cardholder data environment from the remainder of your network (PCI DSS v2, page 10). One way of achieving this is by using a hosted payment gateway that stores, processes and/or transmits account data on your behalf. In this case it is important to ensure that the service provider fully complies with PCI DSS since it is your responsibility to do so.
  • Any merchant or service provider with annual transactions totalling 10,000 or more is required to have a quarterly network system scan.
  • PCI DSS compliance applies to four types of organisation;
    • Merchants are businesses who take card payments for goods or services e.g. a retailer.
    • Service providers e.g. payment gateways like PayPal, SagePay, WorldPay or Authorize.net.
    • Acquirers (merchant banks) e.g. a bank such as HSBC which interacts with all the issuers on behalf of the merchant and/or service provider.
    • Issuers e.g. the various credit card schemes such as Visa or Mastercard. 
  • The job of payment service providers is to collect the requested money and pay it into your merchant account. You can either have your own merchant account or you can use the merchant account of your payment service provider, but either way the money will then have to be transferred into your business bank account.
  • It’s your responsibility to ensure that your service providers are fully PCI DSS compliant to the appropriate level.
  • If you do store, process and/or transmit account data, PCI DSS compliance requires that the financial transactions carried out on your website or offline are carried out securely and your customers’ cardholder data is stored securely during and after transactions.
  • The consequences of a business’s failure to protect its customers’ account data are usually a one-off fine followed by a monthly fine for every subsequent month that the merchant or service provider remains non-compliant, and restrictions on the business’s future ability to take card payments. A breach of cardholder security will also drastically compromise your organisation’s credibility in the eyes of your customers and can lead to lawsuits, insurance claims and loss of earnings as a result - https://www.pcisecuritystandards.org/security_standards/why_comply.php
  • This excellent article details a case study of the breach of security of the Lush website and the response: http://www.out-law.com/page-12147
  • PCI compliance does not just apply to your website, it applies to any scenario where you handle and store card payment details including any offline payment solutions that you use such as PDQ machines and remote payment terminals.
  • If you do use a virtual terminal, the processes you go through surrounding its use must be PCI DSS compliant. To ensure that this is done in a compliant manner the sensitive authentication data should never be written down and stored anywhere and the PAN should never be written down and stored anywhere in a readable form. Instead type the account data directly into the virtual terminal and keep the card holder on the line until payment has been fully accepted.
  • You should also think about the technology that you use to take a payment. If you are using a virtual terminal, do you keep the anti-virus software on the computer you are using up-to-date? Also do you also install all the software security updates?
  • Sometimes technology that you don’t directly use to take payments might compromise your PCI DSS compliance. The computer that you use to take virtual terminal payments may be connected to the internet using a wire, yet the router will probably also have wireless. Is your wireless network secure? TJX, owners of TJ Maxx, had credit card numbers stolen from its system when a hacker broke into its wireless network - http://www.out-law.com/page-11732
  • PCI compliance applies to all system components that are included in or connected to the cardholder data environment. The cardholder data environment is comprised of the people, processes and technology that store, process and/or transmit cardholder data or sensitive authentication data. System components in the context of PCI DSS are defined as any:
    • network component (including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances),
    • server (including but not limited to web, application, database, authentication, mail, proxy, network time protocol, and domain name servers),
    • application (including all purchased and custom applications, including internal and external (e.g. Internet) applications),
    • or virtualization components (such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors).

The 12 steps to PCI DSS compliance (taken from PCI DSS v2)

These 12 steps to PCI DSS compliance are actually just good security practice for your internal systems and you will benefit from following them anyway in order to protect your business data in addition to that of your customers.

Build and maintain a secure network
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management program
  5. Use and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.

Implement strong access control measures
  7. Restrict access to cardholder data by business need to know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.

Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.

Maintain an information security policy
  12. Maintain a policy that addresses information security for all personnel.

Resources and further reading