Google’s Free “Search As You Type” Offering

Google is firing on all cylinders when it comes to offering new or improvised products in the e-commerce space. I had noted a couple of recent products introduced by Google in my earlier posts. None of them are major innovations, but they are bringing Google closer to partnering better with e-commerce merchants. The latest offering from Google literally intrudes into the very website of a retailer.

Google's "search as you type" feature allows an e-commerce merchant's customer to use onsite search and find products to buy on the website. This is not much different from an autofill or autocomplete solution offered literally by any search solution provider in the market like Endeca or Solr. The good thing about Google is that it also allows the display of certain products with images, price and a brief description. As a customer, one may find the products displayed as an opportunity to directly view the product details and purchase them if needed. This makes a lot of sense especially if customers are looking for some specific products they have already researched and are just checking to see if the retailer is carrying them or not. For the rest of the customers, this is just noise and in fact makes the search drop down big and ugly. Lowes and Hasbro have participated in the pilot program and as usual this comes for FREE from Google.

Conversion rate from onsite search can be as high as 3% or more. In my experience, I've seen that it certainly scores better than search directed from an external search engine either through organic or paid means. Onsite search converts better as we already have the customer shopping the website and all it takes is relevant products to be visible and available for purchase. A great onsite search solution solves that purpose. Google makes life easy for a lot of online retailers who don't have the money to purchase an expensive solution like Endeca or invest resources to use the open source yet complicated search solution Solr. The catch is however that all this magic can only happen if retailers share all their product related data with Google so that they can create the unthinkable (unless it is a different, less intrusive solution that I am not aware of!).

Google yet again is working hard to gain big from this "free" offering. Consumer shopping patterns and buying behavior are all now in the hands of Google, which can mine the search data to figure out what products are being searched the most in each retail website, what products are carried by them and what products don't sell. With onsite search becoming the most used feature on a website as it becomes the easiest and first point of interaction for a customer to shop, literally everything about the fate of the website can be deduced by Google through the patterns it sees. This can obviously be used to improve the Google Shopping experience and the way products are displayed in Google's search engine, which in turn is the bread winner for the company via its Adwords program.

Time will tell if this is something retailers will sign up for. Most major retailers don't need Google search on their website. They have enough money and are spending enough on SEO and paid Adwords campaigns to attract customers, following which they have better onsite search solutions to convert them. Even without Google onsite search, they can get enough insights into onsite search behavior if they are ending up using say Google Analytics as their in-house Analytics powerhouse. Now, this brings up an interesting question though. Maybe Google is also planning to make some interesting improvements to onsite search reporting in Google Analytics. It could possibly show detailed product information and conversion breakdown so that retailers know what products are selling better or are not working. Overall, I think Google's product team is relentlessly trying to touch every possible area in retail and somehow link it to their cash cow, Adwords. Nice going!!

Google Trusted Stores Badge

Google is getting serious about e-commerce and hence any e-commerce Product Manager should get serious about Google. I recently read the Google Commerce blog and came across this news: Connecting shoppers and great stores online.

It is no surprise as to why Google is serious about the e-commerce industry in particular as a growth platform to mitigate their over-dependence on mere ads as their primary source of revenue. This infographic by Wordstream explains it all-

Google’s annual revenue of $38 billion in 2011 came primarily from advertising. If you look at who are the biggest individual spenders on Adwords, the answer screams out loud- retailers and among them largely e-commerce merchants. supposedly spent about $55million and E-bay spent about $40 million. Lowes and Home Depot combined spent about $100 million although it could be for driving some traffic to their stores too. In fact, among the top 10 industries that spend heavily on Adwords and hence contribute significantly to Google’s revenue, most are in the e-commerce and related online transaction businesses.

This makes the relevance of Google’s new move called the “Trusted Store” badge very significant. Google is trying to expand the pie here by making sure that any e-commerce business struggling to make any entry in the competitive marketplace (the US market in this case) is able to gain prominence in Google search (and outside) by getting a “coveted” trust badge. This is probably a strategy aimed at two things. One- help an e-commerce player struggling to gain prominence in the highly competitive e-commerce market by getting a little nudge from Google through the trust badge. Two- get e-commerce players spending actively on Adwords but getting poor ROI turn things around by getting some additional FREE help from Google to gain acceptance (trust) from customers, thereby boosting sales through better conversion. While the first objective is not that noteworthy in a mature market like the US (where this program is active), the latter objective seems more relevant. Why not make Google search more useful for the advertisers who tend to spend the most on its ad platform? If things work, they will spend more on Google, right!

For an e-commerce advertiser, getting clicks on Adwords impressions is only half the battle won, albeit a significant one. After that, it becomes the e-commerce merchant’s sole responsibility to hold on to that customer and make him complete a purchase. Bounce rates can be high if the customer does not find what they want in the first two or three navigation steps. The conversion rate is also poor if the website does not help in influencing a customer to purchase. For a large player like, getting a customer to their website is more than enough as customers trust their business and hence would convert high once they come to their website. A smaller e-commerce player on the other hand struggles in this area. Customers are wary of spending their hard earned money on a website that they are unable to completely trust.

This is where Google steps in. They have determined that there are two areas that are most important in the mind of a potential customer looking to purchase from a website – reliable shipping and exceptional customer service. Google is taking a very serious approach by investing in a highly complicated mechanism required to generate the trust badge. Google is working very closely (in fact way too close) with the e-commerce merchant and its customers to understand how their business is performing when it comes to shipping and customer service. This is no trivial exercise and the efficacy of this program can only be measured over time. All this is coming at Google’s own expense. To top it all, they are making it more attractive for the potential customers by offering a $1000 lifetime purchase protection. The reason Google is possibly able to make this happen for free (with a good amount of cost for itself) is because it realizes the real battleground is in the Adwords space. The war for keywords and product listing in Google Shopping can only grow bigger if the players are equipped with the right tools to fight the battle. This is what the trust badge does.

Can anyone replicate the trust badge and make Google’s presence irrelevant? The answer is a simple NO. Google has made the trust badge program fairly complicated to execute to the point that it acts as an entry barrier to say a Norton verisign to equally compete on. Google also has the relevant customer base using its search service again acting as a huge competitive advantage against any other player trying to do something similar.

Will customers buy in to the trust badge program of Google? This is the single biggest driver for the success of the program. Customers are no longer taking what Google is offering for granted. They understand that Google also makes money (at least for the sake of its investors) and hence whatever is done for free doesn’t necessarily mean that it is best for them. However, Google has tried to address this issue by making the program entirely free on both sides (advertisers don’t pay to get the trust badge) and also by making the ratings process very transparent (it shows a report card that explains how the score was achieved).

So, what should Google do to make this program work or continue to grow?

  1. Continue keeping the program FREE. They cannot do a product listing ads u-turn by commercializing a free offer with a Google Shopping feature in the future. While a free lunch may sound shady, a free service to help a customer and a merchant benefit from each other sounds reasonable!
  2. Make Google trust badge a true and stringent test of QUALITY. Anyone and everyone running an e-commerce business shouldn’t get it easily. What is the difference between an A+ or a A or B+ or a B-? I don’t know if they have that many ratings but the one thing I hated about graduate school grades is that they are largely useless for making any big decision in life. I know that an A+ is a standout rating but what about all the others with an A? Google themselves don’t recruit people with less than exemplary grades in their company. As a customer, I can be very mean by ignoring a merchant whenever I see an A (irrespective of the trust badge showing up). Or, I could get confused when I read why someone has an A+ compared to an A. For e.g., 98% on-time shipping is an A whereas a 99% on-time shipping is an A+, but this is based on 1000 transactions with e-commerce company X! There are way too many data points for me to consider and make a judgement call on. What would bode well for Google and the customer is if the trust badge is a “hard-to-get” prize because the way to get it requires a lot of hard work for the merchant.
  3. Make Google trust badge a SIMPLE to understand seal. In the same lines as the previous point, the badge must be simple to understand. We should not make the customer work hard to understand the badge in a better manner and then make a decision on whether to go with the merchant or not. Google gains by doing it for the customer. Verisign’s trust seal is very simple. It just verifies and lets a customer know that the business is a legitimate entity. For that, it has a verification process that goes into checking the credentials of the business. That’s it. There is nothing more to it. There is no grading and there are no levels to comprehend. While whether it is useful or not is a different question, simplicity is still important. Google can make their badge simple by not having many grades. It can have additional parameters under which an e-commerce player is evaluated, but getting the trust badge should just be a simple final outcome. The scoring methodology can be explained in a separate place, but the report card should have a final score so to speak.
  4. Add additional PARAMETERS to the trust badge. While reliability of shipping and customer experience are very great parameters for rating someone, there are more parameters that can be added to augment the trust factor. The biggest worry that customers have is around the post-purchase experience. Google can benefit the customer by looking at frequency of order cancellations initiated by the merchant, ease of returns, exchanges and refunds and quality of products shipped (damages, WYSIWYG).
  5. Finally, go INTERNATIONAL. Maybe Google’s product managers are all concentrated in Mountain View and their thought-leadership is largely centered around the US market. Hence the decision to maybe launch this program only in the US. But, a trusted stores program works wonders in the international market and may hardly make a big difference in the vastly mature US market. The international market (especially BRIC nations like India) is flooded with new, young and serious entrants seeking dominance in a very attractive market where TRUST is tremendously low. Bounce rates are high and conversions drop especially during checkout in a market like India. Each of these markets has internet consumers who know Google, love Google and believe what Google says and does. While there are several hundred e-commerce merchants in the US, the consumer market is very mature and they are not swayed by too many offerings around trust. Research may indicate otherwise, but research in the US always indicated that customers are worried about safety of payments on the internet, no matter how big the e-commerce industry and online payments is growing every year. Sometimes, we are better off not asking too many questions to the customers around safety and trust. The answers are always the same!

Digital Wallet Service by

As any serious Product Manager in Indian e-commerce may have noticed,, the best online player in India as of today, had introduced a feature called “digital wallet”. Now, the concept of a digital wallet is nothing new in itself. Paypal has one of its own. So does Google have one. Check this article to see what Paypal is up to with the concept of “money”- I am not particularly sure who pioneered digital wallet in the first place, but I don’t care much about that. What I do care for is that the team at Flipkart (hopefully a smart Product guy) figured out how valuable and important it is to have a digital wallet system in the Indian e-commerce scenario. The wallet that Flipkart offers is a bit different from the so-called wallet offering of others, but it has definitely been tweaked to benefit the Indian consumer. themselves have defined the benefits of a Wallet as the following:

  • Make one payment and shop multiple times
  • Simpler and faster check-out process
  • No more worries of failed payment transactions

While the first benefit is not something that Indian consumers will drool over, the third benefit is in my experience, a very big deal for both the consumer and the company. The first benefit is obvious to the consumer once they understand the basics of what a wallet is used for. The good thing going for is that it has a music download service called “flyte” that works really well with a wallet. Nobody would care to make repeated purchases of Rs. 6 each for purchasing a music title. A wallet stores funds that can then be released for making these one-off payments. If flyte didn’t exist, the first benefit would rather be an aggressive MBA-trained marketing guy’s sales pitch for corporate glory than anything meaningful from a customer standpoint. Indians take pride in making a profit out of every penny they hold, whether in a bank or through tax savings (or evasions) to avoid paying too much to the government. They wouldn’t be happy parting with their money even before they make a purchase with the satisfaction that flipkart has it with them. Yes, it is true that the above points will be refuted once Flipkart turns into a giant e-commerce player and becomes a household name like Amazon.

Another reason why consumers will not like the idea shared in the first benefit is that the amount that you store in your digital wallet cannot be refunded by in case you no longer want to purchase anything on the website or just plain want your funds back. is not a bank and RBI regulations do not allow it to function as one unless it applies to become one. It is possible that is currently working towards getting the needed RBI approvals to become one but it would only make sense if the digital wallet in its current sense is really taking off for them and this issue is constantly turning out to be a customer pain point that needs to be addressed. A look at the digital wallet FAQ on indicates something very interesting. It has a question that says – What is the change in the refunds policy of the digital wallet? The answer is “As of 2nd February 2012, the Refunds Policy for the Wallet has been slightly modified. As per the earlier policy, the entire balance in the wallet was fully refundable. Under the updated policy, the Topped-Up balance in the Wallet will not be refundable starting 2nd February 2012.” The top up balance is basically funds that a customer directly puts into the wallet to make future payments and it is not refundable due to the regulations mentioned earlier. The fact that it was changed effective 2nd February indicates that probably was not aware of the regulations that were meant to be followed and then had to correct their actions after the fact. This single issue with the functioning of a digital wallet turns against the overall benefits of offering one.

Now, coming to the third benefit, the challenge of facing failed payment transactions is very real in the Indian context due to the over-dependence of e-commerce retailers on a third-party gateway run by either an aggregator (CCavenue, EBS, PayU) or a bank supported entity (HDFC, ICICI pay seal). An e-commerce retailer can see about 30-40% of its customers lost at that point after having taken pains to carefully hold their hands and take them through the checkout stages. This is a very painful loss especially for Indian e-commerce retailers. It is not easy getting a customer that far only to see him drop. None of the payment gateways in India have a foolproof method of preventing such issues. The best success rates boasted by the best in the industry comes to about 78%-80%. Gateways like EBS and PayU offer a retry option for helping a customer try a payment again when things fail, but this doesn’t solve the issue 100%. In this context, having funds in a digital wallet ensures that a customer need not go back looking for his credit card, netbanking bank details or debit card and start entering all information in a 3rd party payment gateway only to see that things are slow due to the internet, the banks are not processing their payments or the payment gateway is down for maintenance. For an e-commerce site, on a per transaction basis, we no longer have to deal with bad payment gateways, good payment gateways who still can’t control issues and fickle minded or busy customers who may drop out at the last stage.

The digital wallet system should however evolve to provide more incentives and benefits to the customer to influence them to use the wallet and park funds there. These could be in the form of discounts at the checkout stage for using the wallet or as Paypal is doing, help the customer choose how the funds are used. The question of why build this service in-house when someone like a Paypal or Google may eventually do it better in India is however worth thinking about. Ideally the link with a 3rd party like Google or Paypal would turn out to be more reliable payment instruments in the mind of the consumer and also provide additional benefits that are not easy to replicate. As of now, given the aggressive pace with which Indian e-commerce retailers are racing against each other, waiting for something better to happen may not be a wise option. Getting things out the door and then re-adjusting (like the change in refund policy that Flipkart did) is the way the game needs to be played.


Google Analytics Solves a Great Need With Content Experiments

The Google Analytics team recently launched a feature called “content experiments”. I believe this feature is an amazing boon to a Product Manager struggling with the challenge of what design or layout to build for a particular improvement to a website page and prove that it works for the customer. This feature is extremely helpful for an e-commerce website and I almost feel that the Google Analytics team smartly identified this need and came up with a modified solution tailor made for e-commerce retailers (although it can literally work for anyone else).

Google Analytics is probably the most preferred start-up analytics tool as it is free and comes loaded with a lot of features that help any business measure its performance effectively. Having used Omniture, WebTrekk and Google Analytics at different times in my career, I have come to respect Google Analytics as a very user-friendly tool. While top-notch analytics and highly insightful reports can be generated with a great degree of accuracy using Omniture or WebTrekk, those tools are highly expensive to purchase. They are also very complicated to use. Google on the other hand gives a whole bunch of standard reports that give the complete picture on the performance of a business. Any analytics tool is usually confusing to use and a lot of insights that are generated from metrics such as pageviews, bounce rate, exit rate, conversion rate and so on should only be interpreted to the extent that it is useful to make good business decisions. A lot of noise is generated in analytics and a Product Manager should not make brash decisions merely based on a certain metric they have analyzed.

Coming back to this new feature called “content experiments”, Google defines it as an A/B/n test that one can conduct on say a product page of an e-commerce website. The flexibility comes from the fact that one can test multiple options of the same page and at the same time, also test various combinations of components displayed in those pages. This, in my mind, is a combination of both an A/B test and a multi-variate test. The blog world is still confused with what content experiments can really allow with many accusing Google that they no longer will be able to conduct multivariate testing! I believe that content experiments may not be exactly similar to a multivariate test, but the option to conduct an experiment with five variations of a single page allows a smart tester to come up with the right amount of changes that can be effectively tested with the customers. Google is doing away with Website Optimizer and slowly integrating content experiments into Google Analytics as the future of testing for its users.

While recently working on some new variations of a product page, the design process with the UI team led to the realization that subjectively speaking, there was more than one ideal variation of the product page that people liked in the company. This is a very common situation that a product manager faces in any organization. My team of Product Managers smartly came up with the idea of having specific event-based tracking across various CTA, buttons, content and links on the product page. This, we hoped, will allow us to use Google Analytics, look up under Events and track how each of the various components in the product page performed. This could then help us determine what components (or images or content or features) were widely used or accepted by a customer. This is a powerful tool for Product Managers to shut highly opinionated HIPPOs and other noisy characters in an organization from talking out of turn. Because, we now have data (however accurately representative it may be of the absolute truth) to silence the critics.

However, we were still left with one particular challenge. We had glaringly different design approaches that we couldn’t nail down for the product page. So, an A/B test was finalized with two different versions of the product page. If we had content experiments available, we could have actually used the various combinations we came up with and tested more than two combinations of the product page in one go. Given that we can randomly display these variations of the product page to different segments of visitors, we would have easily determined which version of the product is the winner. In fact, testing different designs and layouts of banners on a website (in home page, category page etc.) can also now be achieved in a very effective manner.

Now, content experiments in itself cannot be called as a game changer as it is not introducing anything new in the analytics market that doesn’t exist today. In fact, Google’s website optimizer can help one achieve almost similar results. But, Content Experiments is going to make Google Analytics a one-stop shop for all needs that an internal analytics or Product team in a company has by making it easy to create experiments helpful in making data-driven decisions on website changes.


PCI DSS Certification for E-commerce Websites in India

I recently worked on the PCI DSS certification process and did some research, vendor analysis, contract negotiation and technology task integration for getting certified through an audit (it is still a WIP). It was a daunting task that highlighted some interesting lessons that I thought can be shared for the benefit of the community. As a Product Manager, my role was limited after a certain extent as pure technical tasks around software and hardware took over and I merely worked on coordinating things to successfully work towards certification. All this is being presented largely in the context of an Indian e-commerce setup.

The Payment Card Industry is an interesting game changer in a World of money-driven over-consumption. First, they introduced the addiction with credit through plastic cards and their heavy abuse. Then, they got all merchants (non-consumers) to play along with the high fees and cost structure required as a prerequisite to forcibly do business with them. Unhappy with all this, they then introduced the concept of a data security standard (DSS) and the subsequent audit that follows it. This last change was surprisingly done finally for the benefit of the consumer! That benefit is now being reaped by a host of boutique IT firms around the World selling their version of PCI rules and certification as a service to merchants who cannot get it done on their own.

So, what is PCI DSS certification and why am I angry with it?

Well, for starters, I am not angry with anything although I have a very cynical tone. It is just that there is a website called the PCI security standards council ( where a bunch of people employed to write wonderful content have baked up a set of rules and regulations around PCI DSS certification and why we need it. The problem is none of that is useful although everything written in it is very helpful. The website tries to address every question you may have in your mind about PCI certification to the point where you no longer understand what the certification is needed for.

Frustration apart, PCI certification was mandated by the payment card industry as a set of security rules required to keep customer data safe within the environment in which you as a merchant are doing business. It covers all aspects of an IT and company set up where customer credit card information is captured, stored or transmitted internally or externally within a networked environment- both physical and virtual. It has about 12 or so mandatory checks that need to be satisfied by a merchant so that they are considered as security compliant in the eyes of the PCI. The only problem is that it is the merchant’s headache to make sure that they are compliant in every manner possible and the PCI never signs up for any risk that the merchant is exposed to post getting certified. Getting the certification, maintaining the certification and protecting consumer data is all the merchant’s problem with PCI nowhere in the picture except for levying fines in case a “noticeable” security breach has occurred at the merchant’s end.

So, why is this important in the context of the e-commerce industry in India?

The answer is obvious. E-commerce as a business transacts on the internet and thanks to very smart hackers who love the internet, an e-commerce business is prone to severe security issues where customer data can be compromised. While several e-commerce players in the developed world have just taken this up as yet another target in a yearly roadmap of technical tasks, the upcoming players in the Indian e-commerce space have been slow in working towards PCI certification.

One big impediment is the cost associated with getting a full audit done and getting certified. The cost can run from anywhere between Rs. 8-12 lakhs depending on the level of technical expertise or consulting help you take from a PCI certification vendor. This is followed by quarterly scans and yearly audits that soon add up to the costs. Just so that money is not lost in this unique business model of conducting audits for PCI, scans are done by an approved scan vendor a.k.a ASV. The ASVs are approved by the PCI to conduct scans. Why? Who knows! Those scans can as well be done by a good engineer in a merchant’s technology team too. Much more painful than the cost of getting the initial certification though is the investment that needs to be made in hardware, software and network infrastructure to get things right for the PCI audit. This can be a huge dent on resources and cost depending on how big an e-commerce player you are and what are your data needs around customer card information.

So, how do I know if I am not complying with PCI security standards?

If you are not certified, then you are largely in violation of some rule or the other around DSS and hence run the risk of being hacked and as a result penalized. A quick check as a merchant can be done by one, talking to your payment processor or two, checking the checkout stage on your website.

Talking to your payment processor or payment gateway (CCavenue, TPSL, EBS, ICICI Payseal, HDFC, PayU etc.) is needed in the case you have your checkout integrated with a payment gateway to process customers’ payments and finalize the transaction. This is needed as the payment gateway (which is always PCI DSS certified) shares the risk of non-compliance in case there is a security breach on the merchant’s side due to an improper security practice that led to a hack. Hence, the gateway usually mandates and ensures that the merchant is PCI DSS certified in order to process customer transactions. The rumor (!) is that gateways and banks are rewarded for enforcing PCI DSS certification mandates on merchants (Hmm…). However, the point to note is that the actual compliance need or mandate comes from the merchant acquiring bank rather than a payment gateway. However, the process works in tandem and hence talking to your payment gateway helps get an answer.

Looking at the checkout stage on your website by far is a quick and dirty check when it comes to realizing whether PCI DSS certification is necessary or not. Many Indian e-commerce websites do not collect any credit card information of the customer. If a customer chooses “credit card” as a payment option and proceeds to complete checkout, they are redirected to a payment gateway’s payment page (e.g. CCavenue) where a customer completes a transaction by entering all the card details. In this scenario, the e-commerce merchant is not really bearing any risk of being hacked nor running into any PCI risks. A basic PCI certification (will be explained later) is recommended but is not really necessary (the unofficial opinion!).

If the checkout stage has a provision for allowing customers to enter their credit card number following which you are directly integrating with a payment gateway to process the customer transaction, then you fall under the purview of a PCI audit. You are required to be PCI DSS certified in order to collect credit card information even if you are merely holding it in temporary memory and not storing it after the transaction is complete. Direct integration is the method by which a seamless checkout experience is created for the customer by not taking him away from the merchant e-commerce site to a payment gateway site to complete the payment. This can be achieved through a special custom integration with payment gateways/banks or through a proper API-based integration with them.
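
The quick check of the checkout stage described above can be scripted. The following is an added example, not code from the original post: it scans a checkout page's HTML for card-entry fields and reports whether the page follows the redirect model or the direct-integration model. The field-name hints, the sample pages and the hosts shop.example and gateway.example are constructed assumptions.

```python
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Heuristics (assumptions for this example): standard HTML autocomplete
# tokens for card data, plus common fragments of card field names.
CARD_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year"}
CARD_NAME_HINTS = ("cardnumber", "ccnumber", "ccnum", "cvv", "cvc")
# Input types the customer does not type card data into.
NON_ENTRY_TYPES = {"hidden", "radio", "checkbox", "submit", "button", "image", "reset"}


def looks_like_card_field(attrs):
    """Return True if an <input> appears to accept card data from the customer."""
    if attrs.get("type", "text").lower() in NON_ENTRY_TYPES:
        return False
    if set(attrs.get("autocomplete", "").lower().split()) & CARD_AUTOCOMPLETE:
        return True
    for key in ("name", "id"):
        ident = attrs.get(key, "").lower().replace("_", "").replace("-", "")
        if any(hint in ident for hint in CARD_NAME_HINTS):
            return True
    return False


class CheckoutScanner(HTMLParser):
    """Collects card-entry inputs and the action of the form that holds them."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.current_action = None
        self.findings = []  # list of (field label, form action or None)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.in_form = True
            self.current_action = a.get("action", "")
        elif tag == "input" and looks_like_card_field(a):
            label = a.get("name") or a.get("id") or a.get("autocomplete")
            self.findings.append((label, self.current_action if self.in_form else None))

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False
            self.current_action = None


@dataclass
class CheckoutReport:
    model: str         # "redirect" or "direct-integration"
    card_fields: list  # labels of the card-entry inputs found
    post_hosts: list   # hosts the card-bearing forms submit to


def classify_checkout(html, page_url):
    """Classify a checkout page by whether card data is typed on the merchant's page."""
    scanner = CheckoutScanner()
    scanner.feed(html)
    scanner.close()
    if not scanner.findings:
        # No card fields: the customer enters card details on the gateway's page.
        return CheckoutReport("redirect", [], [])
    hosts = []
    for _, action in scanner.findings:
        # A field outside any <form> is submitted by script; the target is unknown.
        host = "(script-submitted)" if action is None else urlparse(urljoin(page_url, action)).hostname
        if host not in hosts:
            hosts.append(host)
    return CheckoutReport("direct-integration", [name for name, _ in scanner.findings], hosts)


# Constructed sample pages (not taken from any real site).
REDIRECT_CHECKOUT = """
<form action="https://gateway.example/pay" method="post">
  <input type="radio" name="payment_method" value="credit_card" checked>
  <input type="hidden" name="order_id" value="1001">
  <input type="submit" value="Proceed to payment">
</form>
"""

DIRECT_CHECKOUT = """
<form action="/checkout/pay" method="post">
  <input type="text" name="card_number" autocomplete="cc-number">
  <input type="text" name="expiry" autocomplete="cc-exp">
  <input type="password" name="cvv">
  <input type="submit" value="Pay now">
</form>
"""

if __name__ == "__main__":
    for label, page in (("redirect sample", REDIRECT_CHECKOUT), ("direct sample", DIRECT_CHECKOUT)):
        print(label, classify_checkout(page, "https://shop.example/checkout"))
```

A static scan does not see fields that scripts inject at runtime, so a "redirect" result on a script-heavy checkout should be confirmed in a browser.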

I am still confused?

Great, because if you weren’t then you understood nothing. Having a seamless checkout experience is usually the desired experience an e-commerce merchant likes to provide to a customer. Also, holding on to a reasonable amount of customer credit card information helps you with building a one-click checkout experience wherein a customer who comes back again to make a purchase on a website already has his basic credit card information stored and made available for quick selection. Drop out rates in checkout hurt an e-commerce business especially if the reason is due to a transaction completion process that a customer is not comfortable with. In order to do all these things for the customer, one has to be compliant with PCI DSS.

So, what should I do to get certified?

There are two different ways in which you can get PCI DSS certified depending on the annual number of transactions you generate on your website. The transaction limits are defined individually by the credit card companies into four levels of classification. Level 1 for VISA is considered as any merchant generating 6 million or more in annual transactions on the website using the VISA card. Check this link to get the scoop on how VISA looks at merchant levels –

As a merchant in the Indian e-commerce scene, you may not have crossed as many transactions to get to a level 1 classification just yet. This could mean that merchants are possibly under level 2, 3 or 4. This brings in an interesting twist to the audit process: the choice of going for a full onsite audit (expensive) or for an internal self audit (painful).

What is the difference and which audit option should I go for?

A vendor in the business of running PCI scans will always recommend an onsite audit. A merchant is better off doing an onsite audit as internal resources need not be pulled into tasks that are not necessary for the daily running of the website. An onsite audit needs to happen if the merchant is a level 1 business. They need to get an annual audit done along with quarterly scans and certifications. For all other levels (including level 4 where things are optional), you can go for filling something called a self assessment questionnaire a.k.a. SAQ. Going for an onsite audit is still recommended as the DSS checks that one needs to comply with are the same (except for a few exceptions) irrespective of whether you go for an onsite audit or a self-assessment. The onus is on the merchant to get all the compliance checks completed in both cases and based on a conversation with a technology expert I worked with, filling up the SAQ and being compliant with its needs isn’t pretty either. In fact, it amounts to getting the same things done that one would have completed with an onsite audit in place. The convenience factor is lost with the SAQ.

Now, the SAQ is still a viable and cost-effective option for a merchant. In fact, it is an option which, if executed well with a strong technology team, can get you on the road to PCI DSS certification much faster than a regular onsite audit. In fact, there are tools in the market that do full-network scans (similar to what your onsite auditor will do) and let you know what is missing from a compliance standpoint and what needs to be fixed. However, the reality leans more towards leaving all the pain of compliance research to a 3rd party vendor. Coming back to the SAQ, there are four different types of SAQs – A, B, C and D. Each one of them is tailored towards a certain business model or business practice that you adhere to as an e-commerce merchant. The problem is that the definition for the SAQ classifications could get confusing. It almost makes you nervous about choosing the wrong option, like when filling out a job application. I’ve had everything from a payment gateway provider asking me to fill a SAQ A to a bank asking me to fill a SAQ D. End of day, the technology team said, “let’s go with the onsite stuff”.

Is this for sure the way PCI DSS audit and certification works?

A very good question. In fact, several people have asked me this question and I’ve even asked myself this question time and again. There is no straightforward answer. The Standards Council has given such a vague definition of the various compliance rules that there are people fighting out daily on the nuances of the pseudo-legal rules that PCI has come up with. See the comments section of this article for example:

Every vendor who has made a business out of PCI scans, audits and certifications has further tweaked the interpretation of rules to their business advantage and seldom gives a satisfying picture to the merchants who hire them. In fact, even the banks and payment gateway providers, who are ideally PCI DSS certified, don’t know why and how they got certified. They give answers, but they don’t give answers that make complete sense. A high profile Country Head of a leading payment gateway once proposed that we can get a level-4 PCI certification in lightning speed if we go with his product. When I said that levels are not a certification option that you can pick and choose from to go with, he put his high-paying top notch job on the line and swore this is how PCI certification works. When I pushed further, he eventually asked me to go talk to his PCI vendor team and strongly cautioned me as to how his job expertise lies in this specific area of work. His team eventually accepted that they used the “level” language to make things simple for clients. The last I heard, he hadn’t resigned from his job yet. It is fine though, as, after all, I was only taunting him on the technical understanding of what levels meant. Eventually, if you are identified as a level 4 merchant, you get PCI certified for whatever is needed at that level.

What if I get penalized for violation of PCI DSS?

Well, there is no straightforward answer yet again. It depends on the level of security breach and what amount of customer data was lost. End of day, nobody closes your shop. You pay a fine (could be heavy) and you need to go through a full audit to resume business the same way as you were doing “before”.

For good or bad, PCI DSS certification helps all e-commerce merchants be on a level footing when it comes to security and protection of customer data. It also helps as a cool marketing tool to build TRUST with customers by tagging oneself as a PCI compliant business (similar to the Verisign trust seal that gives some nice fuzzy feeling supposedly to the shopper!). Getting certified also clears the way for an e-commerce merchant to build some useful features for its customers as Product Managers. Last but not least, all these measures don’t necessarily prevent an e-commerce website from being hacked, as hackers don’t check for a PCI certification before deciding whether to attack. A strong technology team with strong network security is needed to save a business and its customers’ private information.



Is copying the brightest idea for your business?

There are these interesting strategic meetings in companies where I’m pretty sure one of you may have heard this from some corner of the room – Why don’t we copy what Amazon is doing? Why re-invent the wheel? They set the standard anyways.

I’ve heard it before in team meetings or from people I’ve had casual conversations with. After all, there seems to be some truth in what they are saying. Amazon is by far the most successful e-commerce retailer in the World. What they did for the website became a standard that others were forced to adopt in the market. For example, until they did something amazing with product recommendations, it wasn’t considered even as a bad idea. A product recommendation engine was merely ignored. It has now become a standard for any e-commerce website. When Amazon prime was launched, the cacophony in the US market was remarkable. Everyone wanted to do a “prime”, but they just couldn’t figure out how to do it even reasonably well for a small loss.

Are Amazon’s highly talented bunch of Product Managers responsible for this constant innovation and out-of-the-box thinking that leads to these strong features on the website? It is a tough call to make without knowing the inner workings of the organization. If I had to take a guess, it is due to a coordinated top-down and left-right coordination across all teams in the organization in collectively delivering the desired outcome. The failure of one team is compensated for by the success of another team in getting things done. Product Managers are getting the execution details ironed out, while the business teams are working hard to make the structure work. In organizations where Product Management makes unilateral decisions or decisions are “handed out” to them, things start to fail.

When different stakeholders in a company come together to decide on a certain course of action, trying the tested is an easy remedy to follow. You are after all not introducing something new that a customer needs to learn, you are not surprising them, you can get it out into the market faster and you don’t have to bear the risk of any downfall. Logically speaking, if a website like Amazon is literally attracting more than half the number of internet consumers, it is nearly futile as a competitor to introduce something new as you are depending on a part or whole of those same consumers for your business.

Here is the catch though. Every consumer visits a website for a certain reason. By far, a customer visiting Walmart does so as they want to identify products as related to the “Walmart” brand offering. This can be translated from an aspiration standpoint as EDLP on products sold on the web. The reality could be a little dispersed, but the fact is that the Amazon customer is different from a Walmart customer. This customer may be fine seeing the same features or look and feel across both websites, but is looking for something more when they visit them separately. Multi-channel retailing became a very high strategic initiative when I worked at Walmart. It was for a reason very obvious but yet took long to implement. Playing to your strength is what keeps you going. We introduced a program called “Pick Up Today” primarily for that reason. Why wouldn’t you use a store network of 3000+ stores to your advantage, to Amazon’s disadvantage and the customer’s benefit? Walmart, and for that matter any other retailer with a dual presence in the offline and online world, has a strong message for Amazon. However, the challenges these companies are fighting are more to do with internal roadblocks that are not easy to clear. Departments that worked with clockwork precision to deliver results in stores cannot go online or mobile overnight.

So, if blindly copying features is a bad idea, then how about copying the look and feel of the website? Amazon is probably the most cluttered website one can ever find. Nothing in the website talks beautifully well about the user interface or design applied. It screams out loud the question, “do we really need a beautiful, well designed website to make money?”. However, it has worked beautifully well for its customers. Jeff Bezos never seems to be worried about how beautiful his web store looks. Very similar to the way Sam Walton never cared about the beauty of the Walmart store, but cared about what it sold within it. Both leaders seem to have a similar viewpoint on one shopping aspect of the customer: if you give the customer what she wants, she will forget about how she got it. This is similar to how passengers get very impatient and fidgety while waiting for their flights in beautiful, well serviced airports. They don’t care about how the airport is. They care about getting on to that delayed flight and going home early. It is not the airport that they care about. It is the flight that they are concerned about. They are paying money for the flight, not for the stay in the airport. But yet, we see millions of dollars being spent on creating huge, luxurious airports for the comfort of the passenger. I have seen people look at Amazon’s checkout process and say, “let’s do this. It looks perfect”. Now, while there is nothing imperfect about Amazon’s checkout, it does bother you with a lot of information to digest. Things like detailed delivery timelines, benefits of using an Amazon credit card or benefits of using prime are all additional snippets of information generously sprayed everywhere. Only a seasoned shopper at Amazon can navigate that mess without being distracted and still make a purchase. Luckily for Amazon, they have plenty of such shoppers. You and I don’t have that luxury with our shoppers.

So, if the look and feel is also something that is not worth copying, then what else should we do? Isn’t the shortest path to product management or business success centered around getting workable things out the door faster? If so, isn’t copying the best the easy way out? Yes, it is still true that copying (or let’s say being inspired by) the best player in the market helps your business in turn. The reason is not necessarily because we have copied it well, it is because we are looking at our competition, figuring out where the majority of our target customers shop, seeing what they are shopping, seeing how they are shopping and providing more or less the same tools to help them out. All this is being done ignorantly by us while we copy the market leader and its offerings.

If we indeed need to copy Amazon, or be inspired by it, we should look at the way they are looking at their shoppers. Understand if these shoppers intersect with our business. If they do, we look at what our internal strengths are and see if we can build something better (or at worst similar) to Amazon. Doing that will help us realize where we truly stand in the market and how many customers are truly loyal to our brand. It also sets you apart as a Product Manager and as a person seriously in the business of making product work.


So, what is Product Management?

Tips for following the blog:

Question: A tormenting yet very insightful and purposeful question asked by a super-boss

Answer: A painful yet honest answer given by a product manager

Cloud: The imaginary bubble in one’s head that doesn’t have a voice in the physical world and hence goes unheard

Question: What is Product Management? So that you may know. I am your boss’s boss and I hired you. So, I need a straight answer. ha…ha…(cloud: Don’t give me rubbish. I have an MBA and I know how to ask great questions)

Answer: Well, it is a cross functional role that sits between the various business teams and IT technology. It acts as a gatekeeper of what business initiatives need to be developed, across what timeline (time-to-market decision) and how best to deliver (trade-off decisions) (cloud: and why the hell did you hire me for a role you don’t know about!?)

Question: Oh ok, so if I have technical requests to make on the website, I give it to you and you get it done for me!? Right? Umm….(cloud: I’m already starting to hate this guy. What happened to straightforward answers in bits 1 and 0!)

Answer: No, I don’t take technical requests (cloud:….from you just for the heck of it). I understand two things – business opportunities and business problems. I try to solve for both through initiatives in different product areas. I then submit these initiatives for the technology team to deliver according to their release cycles.

Question: So, you probably belong to a business team then! Hmm…So what is the “product” you are working on!? I don’t think you sell any products on the site? My Merchandising Manager does that for me.

Answer: Mine is a cross-functional role. I don’t necessarily sell products. But, I make products sellable on the website. My product is the website itself and its inherent back-end operations. For simplicity, each core area within the website from a user standpoint can be considered as a product. E.g. checkout. I also look into the backend operations like say a world-class WMS.

Question: Oh yeah, I helped build a great WMS when I was a consultant. Once you get the basic right, things are simple for us to use after that. So, tell me, is it correct to say that your team is responsible for managing the look and feel of the website and everything that goes into building the right experience for the customer?

Answer: Bingo! You got it. Yes, you can say so. Although the look and feel department is something I co-own with a user experience designer. (cloud: and what’s with that WMS stuff you just blurted. Do you even know what it means!?)

Question: Ah! my friend. You have brought one other character into the story. You know this dilutes the need for you in the company. I have business owners who take care of business opportunities, I have Operations Managers who solve business problems and I can have technology teams just do things for me. Why do I need you in the middle?

Answer: You are right. But, they all don’t coherently bring the voice of the customer together. They have a P&L to manage and a target to hit. What a customer likes to see, how they discover products on the site, what pain points they have with the overall purchase all need uniformity in execution of a solution. It is true that I help and work with all these business teams to deliver results. But, I do it from a customer centric viewpoint. I bring all the teams together on customer initiatives and eventually help technology solve the final puzzle by breaking down requirements into meaningful chunks for architects/programmers.

Question: All right, you sound more like a project manager to me. So, what “business” intelligence do you use to make decisions that my other business teams cannot do on their own? (cloud: Boy! am I running out of questions or am I getting confused!)

Answer: Well, I do act like a Project Manager at times to get things out the door in a timely manner. But, maintaining Gantt charts is better left to an expert who has done it as his job. Coming to business intelligence, I look at site metrics, I look at customer orders, I look at customer returns, I look at information that is hidden within them. While everyone can look at data and make decisions, I use it to build what is called a “Product Strategy”. I also look at the competition and understand consumer trends in the industry. All this also goes into what strategy I employ (cloud: Hmmm…I think I got him this time. But, this conversation is getting uncomfortable)

Question: My friend, if that is the case, where is your Product Strategy? I haven’t seen anything from you except for some features you seem to keep adding to the pipeline of work that technology needs to do? (cloud: If I only had a gun…)

Answer: Sorry, but I don’t build a Product Strategy without knowing what the overall business goals are and what we want to achieve as a business and where we want to go as a company…I’ve asked for it but we have never had closed door meetings to understand those goals.

Question: What do you mean there were no meetings? I said weeks before that we should increase our conversion rate. It should in fact be doubled. I know for sure that it can be achieved. Isn’t that enough information for you? (cloud: If I only had a gun that is loaded…)

Answer: Yes, but conversion rate can be increased by increasing our products, by increasing relevant flow of traffic or by providing incentives. What is our strategy to have our customers shop more or come back more to the website?

Question: Isn’t it your job to come up with answers on that?? (cloud: …the trigger should work…)

Answer: Yes, it is. But it has to be linked to an overall strategy that every business team in the company is aligned with. For example, Increase market share by X% in next two months by leveraging our ability to deliver products faster within a promised delivery timeline. If I had this in hand, my focus would purely be on what I should be doing to achieve this goal as part of my Product Roadmap.

Question: So now you have moved from a Product Strategy to a Product Roadmap! I guess your roadmap is a list of initiatives that the technology team can help deliver, thereby generating measurable results for the business?

Answer: Yes (cloud: I knew you were smart. People don’t get to do an MBA by just practicing brain teasers and vedic mathematics problems after all!)

Question: You are creating processes after processes, while I want to be nimble and just get things done. There is so much to fix on the website. I haven’t seen anything in your so called roadmap to address that. What is the high impact stuff that I can do sooner!? Last night, my grand mother was searching for a toothbrush and it took a while before she realized we don’t sell them. We should list out things we don’t sell on the website my friend.

Answer: Well, we only fix things that don’t work for our customers. For that, we need to know who our target customer segments are? Who transacts higher? Who can contribute more to the bottomline? Who buys the products we sell? If we know who they are, we can find what they don’t like and see if anything needs to be changed. I cannot change the website for a few customers or users who didn’t like what they saw. (cloud: ok grandma. You should have sent your grandson to the nearby store to get that brush…)

Question: So, if there is nothing to fix on a priority, you sit idle and don’t do anything then. Why can’t you fill a backlog of things that can still be done? (cloud: Is he arguing with me or providing mere answers? He should know that I always won noisy group discussions in business school)

Answer: No, we do build what is called a Product Backlog. It can be thought of as a low-level roadmap. I need to get my backlog cleared, measure the outcome of the initiatives and see what else can be done to make things better based on the target that has been defined. Right now, my backlog is still pending halfway with the technology team. (cloud: why do people always look at the website as something that needs to be fixed!?)

Question: So, you measure the outcome of some targeted initiatives you are driving to achieve our common business goals. If they deliver then you go after your next strategy to gain strength in the marketplace. If you don’t deliver, then I can fire you, right? Ha…ha…(cloud: this is what I call as the death blow!)

Answer: Well, if the initiative is a success, then yes, I keep building my strategy, roadmap, backlog, requirements, project plan, UI assets, wireframes, process flowcharts, financial model and success metrics. If things fail, I learn what has failed and apply them to make things better for the customer. Of course, there is a cost involved in delivering results and this does affect my performance scores.

Question: Ok. You just blurted out a lot more stuff on what you do as a product manager with your team. But, I don’t think you are allowed to fail. (cloud: Failure is like missing out on those premium tickets to fancy jobs at Goldman Sachs or McKinsey. Everything else is an unpardonable loss)

Answer: Well in e-commerce, our customers are fickle. While we do everything to make things work for them, a lot of times, it is the mistakes we make that help us understand the real opportunities we can pursue. After all, brands are not built overnight. (cloud: Did I just sound philosophical all of a sudden!!)

Question: Oh yeah. Except that in business, we can’t sit and watch someone make mistakes. We fire them and get someone else to do things. (cloud: Jeez, is this why I had to leave my earlier company!?)

Answer: Agreed. Product Quality comes from collective evaluation of our strategy, roadmap and the individual initiatives we drive as a company. A Product Manager will of course own the success and failure of it. But, I’m glad that you now understand what Product Management is all about…

Question: Well, not quite yet. I have to take off for a very important strategic meeting to discuss the future course of our business. We will catch up again. (cloud: If I don’t know how to fire you, what’s the fun in keeping you!!)

Answer: Oh ok. Let’s catch up soon (cloud: How about calling me to that strategic meeting as a starter? I’ve just spent my time “usefully” with you talking about what Product Management does….)