2017 Holiday Preparation Guide

ECOMMERCE

Our guide for preparing your infrastructure, security, applications, and marketing for the upcoming holiday season.

CONTENTS

01 INFRASTRUCTURE
• Assessing Infrastructure
• Check Baseline Performance
• Commerce Performance Manager
• Vendor Capacity Planning
• Add / Pre-Stage Capacity
• Load Testing
• Preparing AWS for Peaks

02 SECURITY
• Assess and Patch
• Tune your WAF
• DDoS Protection
• Test and Scan

03 APPLICATION
• Site Speed
• Find Free Capacity
• Fine-Tuning
• Monitor Application Errors
• Manage Bot Traffic
• Environment Monitoring

04 MARKETING
• Campaign Best Practices
• Email Best Practices
• Managing Media Content
• Discount Promotions

05 PLANNING
• Worst-Case Planning
• Saying Sorry
• Recovering Gracefully

06 FINAL THOUGHTS
• Communicate and Test
• About the Author

PROJECTIONS

Before you can prepare for any peak period, you need to make sure you have some traffic projections on hand.

Take a look at previous campaigns or peak periods, and identify:

• Visitors to the site during the last few campaigns
• How quickly traffic increased on the site (was it gradual over hours, or did it peak in a short period?)
• Conversion rates - completed transactions use more system resources than simply browsing a site
• The accuracy of previous projections - has your team consistently underestimated, overestimated, etc.?
• Your campaign strategy for your upcoming period, including activities such as:
- Email blasts
- Social media blasts
- Flash sales
- Media campaigns

01 INFRASTRUCTURE

Capacity and performance assessments are at the cornerstone of holiday planning.

Understanding your organization's ability to fulfill orders during the holiday season includes your ability to receive them. Your infrastructure and application capacity is critical in order to plan effectively.

ASSESS YOUR INFRASTRUCTURE

If your infrastructure provider is not performing a holiday capacity assessment with you and your team, request one. You should also reach out to the vendors that provide integration points for your application. Work with them to understand any limitations, and how to increase capacity during the holidays.

Develop an emergency capacity plan

Determine if your vendors can add capacity on a temporary basis, and if they have different pricing options for devices that are staged and powered off. If you pre-stage additional servers, this gives you the option to test and tune before the holiday season. It will also reduce turn-around time when deploying a server in an emergency.

Check baseline performance

Start off by assessing your current performance and capacity. If you are seeing issues now, things won’t get better when you add more users.

Look at your traffic projections for the upcoming season; if you have a history of unexpected spikes, use your largest spike as a benchmark for predicting traffic volumes.

Ensure all areas of your application are assessed at all layers. Include your Systems Integrator or application support group in your assessment to ensure that your application is tuned for the level of traffic you expect.

Key Focus Areas

• Server: CPU, Disk, Memory, I/O Wait
• Network Bandwidth: Distribution Switch Capacity, Firewall Load-Balancers
• Database: CPU, Disk, Memory, Storage, Query Performance, Indexing
• Storage: IOP, CPU, Latency, Disk Space

Commerce Performance Manager

Dynamic application monitoring tools like Tenzing’s Commerce Performance Manager can help you find specific areas in your application and infrastructure that might be impacting performance.

Understand your vendor’s capacity planning process

Increasing capacity during an incident (or unexpected downtime) often takes longer than anticipated. If you have limited budget, now is the time to invest in temporary capacity increases. Speak to your vendors about the process for adding capacity during an incident as part of your holiday planning. Can they automatically scale capacity as demand increases, or will they throttle you?

For example, some infrastructure providers will limit your bandwidth capacity to your commit level, while others will allow you to spike and bill you later for any overages.

Add or pre-stage capacity to your potential problem areas

Based on your assessment of current performance, expand capacity to areas that need it. If your budget is limited, prioritize the components which could have the greatest impact on performance, like your Database or Network. CPU is often a bottleneck in ecommerce environments, so pre-order larger CPUs and have them on hand should you need them. After you add capacity on the hardware side, make sure you tell the application it has more throughput available, or your changes will be for nothing.

Infrastructure changes can have implications on your ecommerce platform licensing. Make sure you understand what changes impact your license spend so that you don’t unexpectedly find yourself offside.

DO A LOAD TEST

The real capacity of a website is determined by a combination of the application code and the infrastructure. Testing individual parts will not give you an accurate picture of what the environment can handle.

Load testing is the process of increasing the volume on your site or application to measure its response.

Testing can be completed in a test environment or in production. Most customers do not have the luxury of a separate test environment scaled to the same level as production - therefore we typically recommend testing in production for the most realistic picture of your performance capacity.

It is a good idea to run the test during off-peak times and tell your clients what you are doing. One option may be to post a banner with a message like "Sorry if we're a little slow, the elves are at work getting us ready for the holidays." You can also proactively notify your customers that you are conducting the test or doing maintenance. Remember, this is also a bad time to run a sale or campaign.

Tenzing Site Tester

The Tenzing Site Tester is our fully managed cloud-based, multi-endpoint load testing service. By simulating peak loads on your site it can pinpoint performance issues in real time. Best of all, because it is cloud-based it can simulate loads across a range of geographies, device types and networks while keeping the cost affordable for mid-sized retailers.

Including a load test before the start of your busy season will provide insight into your site's true capacity and uncover problems that might occur when the environment is under stress. It also gives you the opportunity to fix these problems and increase your capacity with time to spare. We recommend performing a load test after every major release or hardware change.

Best practices for a load test

• Leverage a load testing service which utilizes distributed geographical traffic sources
• Perform iterative tests involving the System Integrator and Managed Service Provider so problems can be identified and resolved in real-time
• Add the following scenarios to future test scripts:
- Load test a single application server with a single web server - this will give you a good indication of how much capacity one pair will give you
- Perform scenarios using a test credit card, which will validate the full purchase work-flow from login to order confirmation (call-outs to payment gateways add time to transactions, etc.) - this will allow you to tune timeout values and identify configuration problems
- Test multiple payment gateways (PayPal, PayPal Express etc.)
- If using API calls for inventory or other functionality, check their capacities through a load test
- Include Administrators (service desk users and business users) in the test, these users add load to the environment - include scenarios that represent their activities or have real users operating during the test
• Virtual Users and Human Users do not operate in the same manner and one virtual user does not equal one human - work with your load testing provider to understand what your virtual test number should be based on your projected human traffic
• The following resources should be scheduled to be on hand during the test:
- System Integrator
- Infrastructure support personnel (AWS, Networking, Database, Sys Admin)
- Test specialist (this should be your load test vendor)

We recommend budgeting for multiple load tests. Often the first test will uncover problems, while subsequent tests confirm that the fix had the intended impact on your site performance.

PREPARING AWS FOR PEAK SEASON

Many administrators believe that Amazon Web Services (AWS) is a fool-proof way to handle peaks and valleys in traffic. While AWS does allow you to scale up and down at a rate unimaginable on bare metal infrastructure, it is not entirely automatic.

The fluctuating nature of the environment can also mean significant variances in the cost of the infrastructure. Here are our tips for preparing an environment hosted on AWS.

Determine your scaling strategy

The first step in planning your AWS capacity management strategy is to use your projections to determine what kind of scaling you will use this holiday season.

You have a few options based on whether you want to scale horizontally (add more instances) or vertically (increase the size of your existing instances). To help decide, you should know how scaling or adding instances affects your licensing. If you are not able to add more instances because of licensing restrictions, you can increase the size of your instance. This does require a service interruption and will obviously increase your bill. Make sure you plan for this event.

If you are scaling horizontally, determine if you are going to scale automatically based on load or pre-scale your environment.

A good rule of thumb: if your environment has to scale more than 3 times its starting size within one hour, auto-scaling is not for you.

Preparing for auto-scaling

• Make sure the threshold set to trigger auto-scaling is right for your application (if you set it too high, the site will suffer before new instances are spun up; if it is too low, you are incurring additional costs unnecessarily). Auto-scaling needs to be configured not only to scale up properly but also at the right rate.

• Test and review your auto-scaling configuration including setting the minimum and maximum number of live servers. If you don’t set your maximum to the appropriate level your bill might surprise you.

• Ensure your Amazon Machine Image (AMI) contains the latest code release and OS level.

• Ensure your latest code release is in a repository that can be accessed by new instances (servers).

• Load test your application when the environment is scaled at different levels. For example, you can test with a single instance to understand how many users that instance can handle and at which point performance begins to degrade.
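
The trade-off between scaling threshold, scaling rate and pre-scaling can be checked on paper before a load test. The following simulation is an added example, not part of the original guide: it replays a gradual ramp and a flash-sale spike (load quadrupling in 20 minutes) against a threshold-based scale-out policy. The per-instance capacity of 100 requests/sec, the 10-minute boot time and cooldown, and both load shapes are constructed assumptions; substitute the figures from your own single-instance load test.

```python
"""Added example: minute-by-minute model of threshold-based scale-out.

Capacity per instance, boot time, cooldown and both load shapes are
constructed assumptions; scale-in is not modelled.
"""
from dataclasses import dataclass


@dataclass
class Policy:
    min_instances: int
    max_instances: int
    scale_out_util: float   # scale out above this fraction of capacity
    step: int = 1           # instances launched per scaling action
    cooldown_min: int = 10  # minutes between scaling actions
    boot_min: int = 10      # launch-to-serving delay (AMI boot, code pull)


def simulate(load_rps, policy, per_instance_rps=100):
    """Replay one load value per minute and report how the policy coped."""
    in_service = policy.min_instances
    pending = []                      # minute at which each launch is ready
    last_action = -policy.cooldown_min
    overloaded = instance_minutes = 0
    peak = in_service
    for minute, rps in enumerate(load_rps):
        # Instances that finished booting start taking traffic.
        in_service += sum(1 for ready_at in pending if ready_at <= minute)
        pending = [ready_at for ready_at in pending if ready_at > minute]

        util = rps / (in_service * per_instance_rps)
        if util > 1.0:
            overloaded += 1           # demand exceeds what is serving

        total = in_service + len(pending)
        if (util > policy.scale_out_util
                and total < policy.max_instances
                and minute - last_action >= policy.cooldown_min):
            launched = min(policy.step, policy.max_instances - total)
            pending += [minute + policy.boot_min] * launched
            last_action = minute
            total += launched

        peak = max(peak, total)
        instance_minutes += total     # billed from launch, not from ready
    return {
        "overloaded_minutes": overloaded,
        "peak_instances": peak,
        "instance_minutes": instance_minutes,
    }


def ramp(start, end, minutes):
    """Linear increase from start towards end, one value per minute."""
    return [start + (end - start) * i / minutes for i in range(minutes)]


# Constructed load shapes, in requests per second.
GRADUAL = ramp(120, 480, 240) + [480] * 60            # 4x over four hours
SPIKE = [120] * 30 + ramp(120, 480, 20) + [480] * 60  # 4x in twenty minutes


def compare():
    """Run the scenarios discussed in the text and return their summaries."""
    auto = Policy(min_instances=2, max_instances=8, scale_out_util=0.7)
    eager = Policy(min_instances=2, max_instances=8, scale_out_util=0.5)
    prescaled = Policy(min_instances=7, max_instances=7, scale_out_util=0.7)
    return {
        "gradual_auto": simulate(GRADUAL, auto),
        "spike_auto": simulate(SPIKE, auto),
        "spike_low_threshold": simulate(SPIKE, eager),
        "spike_prescaled": simulate(SPIKE, prescaled),
    }


if __name__ == "__main__":
    for name, summary in compare().items():
        print(f"{name:22s} {summary}")
```

Under these assumptions the gradual ramp is absorbed with no overloaded minutes, while the same policy falls behind the spike; lowering the threshold shortens the overload at the price of more instance-minutes, and pre-scaling removes it.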

Capacity planning beyond your instances

Instances are just one part of your AWS capacity planning process. When to scale your RDS (Relational Database Service), your admin instances and other components should also be assessed. Two areas that are often forgotten are the elastic load balancers and SES (email services). Make sure to inform Amazon or your managed service provider when traffic is expected to increase. This will allow their teams to pre-warm these services so they can process the extra traffic.

Need help assessing what to scale, when and how?

Speak to us about our Peak Period Assessment Services on AWS

02 SECURITY

Keeping your environment secure is not only important through your busy season, it should be in your organization's DNA throughout the year. Much of this advice is relevant all year long, but it is especially important during the busy season when attacks on ecommerce sites begin to spike.

ASSESS AND PATCH YOUR ENVIRONMENT

Ensure you understand who is responsible for monitoring security patches and applying them in all areas of your environment - from your infrastructure and operating systems through to your applications.

You should also review your infrastructure provider's patch and vulnerability program. Make sure you have either opted into your provider's program, or patch the environment yourself based on your own policies and schedule.

Your final patch (unless an emergency patch is released) should be one month before your busy season starts (for holiday shopping, this is October).

Some ecommerce applications have restrictions on which servers can be patched, but most will allow for public web servers to be updated without violating compatibility restrictions.

Ensure servers that cannot be patched are not accessible to the internet and have other mitigating controls in place like firewalls protecting them from the public internet.

Ensure you have a process to assess vulnerabilities and patches as they are released. As new items are released you can determine quickly if action needs to be taken during your busy season.

Develop an emergency patch plan and security plan

Plan for problems in the future by making sure you have a plan in place to handle security issues like emergency patching or an unexpected security vulnerability. Know which team you will need to assemble to resolve those issues quickly.

Limit access

Limit access to your environment to authorized personnel. Require your personnel to use strong passwords and regularly review your access list. Complete an audit of users who can access your environment prior to your busy season. Two-factor authentication and encrypted communications are highly recommended for administrative personnel.

Proactively monitor your environment for vulnerabilities

Implement an Intrusion Detection System to detect potential breaches or violation attempts. These systems monitor behavior and notify you of suspicious activity allowing breach response and even prevention. These systems can be “noisy” so look for a provider who completes an analysis of alerts before you are notified.

Make sure to use HTTPS

Ensure your SSL certificates use at least SHA-256 and not older versions. HTTPS should be the standard for all customer ecommerce communications, not just for authentication or payment. If you are concerned about performance with HTTPS always on, consider using a CDN service that can support your SSL implementation and increase your website performance.

Ensure you have Anti-Virus

Anti-Virus (AV) is important in helping keep your environment secure. Ensure that Anti-Virus is running on all servers and that your AV is using the most up-to-date virus signature (which is used to detect and identify viruses).

TUNE YOUR WAF

Traditional firewalls decide if one device can talk to another at the network level, but a Web Application Firewall (WAF) monitors behaviors between an application and a browser. By operating at the application level, it can detect attacks based on stored patterns as well as monitor unusual or unexpected patterns. Application layer attacks are increasingly common in ecommerce, making WAFs an essential part of your environment.

Like a CDN, a WAF requires tuning to ensure the rule set is configured to respond properly to your application and traffic. Allow yourself enough time to test and tune your WAF before your busy season. Tuning the WAF after every major application release is also a good way to keep this element of your environment healthy.

Make sure you understand your WAF provider's incident response plan. Make sure the right people on your team are set up to receive the appropriate alerts and have been trained how to respond. Do multiple people on your team know how the system works and are they set up as authorized callers with your service provider?

In case of issues with your firewall, we recommend setting up a monitor that will alert you when there is a problem with the WAF and then automatically direct traffic back to your origin servers.
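
The decision logic for such a monitor is sketched below as an added example, not part of the original guide. It probes both the path through the WAF and the origin directly, fails over only when the WAF path is down while the origin is healthy, fails back after a run of good probes, and counts how long traffic was served without WAF filtering. The thresholds, the probe results and the alert text are constructed assumptions, and the actual traffic switch (DNS or load balancer) is left to the caller.

```python
"""Added example: failover decision logic for a WAF health monitor.

Thresholds, probe results and messages are constructed assumptions. The
actual traffic switch (DNS or load-balancer change) is left to the caller.
"""
from dataclasses import dataclass, field


@dataclass
class WafFailover:
    fail_after: int = 3      # consecutive failed WAF-path probes before bypass
    recover_after: int = 5   # consecutive good WAF-path probes before failback
    route: str = "waf"       # where traffic is currently directed
    fails: int = 0
    oks: int = 0
    unfiltered_probes: int = 0   # probe intervals served without the WAF
    events: list = field(default_factory=list)

    def observe(self, t, waf_ok, origin_ok):
        """Feed one probe result; return the route that should be active."""
        if waf_ok:
            self.oks, self.fails = self.oks + 1, 0
        else:
            self.fails, self.oks = self.fails + 1, 0

        if self.route == "waf" and self.fails >= self.fail_after:
            if origin_ok:
                # WAF path is the problem: bypass it and tell the team.
                self.route = "origin"
                self.events.append(
                    (t, "ALERT: WAF path down, traffic routed to origin"))
            elif self.fails == self.fail_after:
                # Origin is failing too: bypassing the WAF would not help.
                self.events.append(
                    (t, "ALERT: WAF path and origin both failing, no failover"))
        elif self.route == "origin" and self.oks >= self.recover_after:
            self.route = "waf"
            self.events.append(
                (t, "INFO: WAF path healthy, traffic routed back through WAF"))

        if self.route == "origin":
            self.unfiltered_probes += 1   # exposure window without filtering
        return self.route


# Constructed probe results: (probe through WAF ok?, direct origin probe ok?)
SAMPLE_PROBES = (
    [(True, True)] * 3
    + [(False, True)]          # single blip, must not trigger failover
    + [(True, True)]
    + [(False, True)] * 5      # sustained WAF outage, origin healthy
    + [(True, True)] * 5       # WAF recovers
    + [(False, False)] * 4     # origin outage seen through both paths
    + [(True, True)]
)


def run(probes):
    """Replay probe results; return the monitor and the route per probe."""
    monitor = WafFailover()
    routes = [monitor.observe(t, waf_ok, origin_ok)
              for t, (waf_ok, origin_ok) in enumerate(probes)]
    return monitor, routes


if __name__ == "__main__":
    monitor, routes = run(SAMPLE_PROBES)
    for t, message in monitor.events:
        print(t, message)
    print("probe intervals without WAF filtering:", monitor.unfiltered_probes)
```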

Tenzing Web Application Firewall

Tenzing's security suite includes a Web Application Firewall to protect systems from critical vulnerabilities and meet PCI requirement 6. The 24x7 support team continuously implements fixes and updates to prevent emerging threats.

PROTECT FROM DDOS ATTACKS

Distributed Denial of Service (DDoS) attacks are attempts to take an organization's internet presence offline, usually by overwhelming the site's network connection or servers with traffic from a collective of hacker-controlled zombie computers (also known as a botnet).

Denial of Service attacks can bring your campaign strategy to a screeching halt, and historically November is a busy month for DoS attacks. Hackers often use DDoS attacks as a means to distract while credit card data is stolen.

It’s important to understand your service provider's policy and response plan for DDoS attacks. Most vendors will remove the attack target from their network to protect other customers. This means if you are the target of an attack your website will be unavailable until the attack subsides and the risk level for your bandwidth provider is mitigated. This will block the attack, but also all legitimate traffic, which could represent a significant loss of expected holiday revenue.

DoS mitigation providers filter illegitimate traffic, preventing an environment’s resources from being overwhelmed.

DDoS mitigation

DDoS mitigation services can be very expensive. If you don’t have room in your budget to leverage this type of service all year round, consider using one during the holidays on a short-term basis. To further manage the costs of this program, consider a “pre-staged” versus “always on” configuration. A pre-staged DDoS mitigation service allows you to have the service contracted and on stand-by until you are attacked. If an attack occurs, your traffic can be routed to the mitigation service with a simple firewall change.

Tenzing DoS Assure

Tenzing's DDoS Mitigation service DoS Assure provides 24x7 protection from a wide range of incursions including ICMP & UDP floods, Port Scans, SYN attack and Distributed Reflection DDoS. Service options include proactive, always-on protection, hot-standby and on-demand emergency services.

We also offer a full Cyber-Security Suite which includes our PCI-compliant DoS Assure service, Enterprise-grade Web Application Firewall and Content Delivery Network Service.

The suite gives you a 24/7 always on Cyber-security service protecting and enhancing the performance of your ecommerce solution.

Combine security and performance

Content Delivery Networks (CDNs) can also help mitigate against a DDoS attack. If you can afford only one, a CDN or a DDoS Mitigation service, invest in a CDN. The distributed nature of the CDN’s network can help protect your site from low-volume attacks, while also improving your site’s performance.

TEST AND SCAN

Run a vulnerability scan

Vulnerability scanning proactively identifies weaknesses in your network, application or infrastructure. The test is generally automated and will detect known attack vectors. Running a scan can help you identify known vulnerabilities in your environment before your busy season, giving you time to fix them before they become a problem.

Ensure that ample time is given to your web developers to repair any vulnerable code. A good vulnerability scan should use a variety of industry leading tools to provide a better overview of the vulnerabilities on your ecommerce site. Common coding problems such as SQL injection and Cross-site Scripting (XSS) can make it easy for hackers to compromise your website and steal valuable data. There should be a focus on OWASP Top-10 vulnerabilities and PCI-specific issues.

Run a penetration test

Penetration testing will exploit weaknesses in your code and application. This type of analysis uses a combination of automated testing and experienced testers to complete the test. Executing a penetration test annually, before your site is launched or after major releases, should be an important component of your security program.

Tenzing Scanning Services

Tenzing's scanning services, which include Penetration testing and ASV scanning, provide regular verification that you are adhering to PCI best practices.

Administered by our team of security experts, we will work with you to help you prioritize which elements to fix first. You can purchase these services a la carte or in a bundle for the flexibility you need.

03 APPLICATION

SPEED UP YOUR SITE

All applications need to be tuned from time to time, and there is no better time than the present. Speak to your application team about the health of your environment. Have them look at session limits, long-running queries, and activities that use many resources.

You can gain capacity and speed up site performance by leveraging Content Delivery Networks or CDNs. However, CDNs take time to set up and tune appropriately to get optimal performance. It’s best to start this activity well before the holiday season.

Tenzing Application Assessment Services

The Tenzing Application Assessment conducts an independent review of your application configuration against Hybris and Oracle best practices. Our service identifies the baseline performance of your environment and looks to improve performance and gain capacity by tuning many of the elements overlooked in the day to day operation of these applications.

Tenzing CDN

Tenzing's Web Application Firewall offers a CDN, available as part of our security suite. It combines DDoS mitigation and protection with a Web Application Firewall and CDN.

FIND FREE CAPACITY

There are lots of opportunities to find hidden capacity in your environment. It is important to regularly review your application performance and tune areas that are resource intensive, particularly before peak season.

Adjust your caching

Caching can save system resources by holding information in memory, but when the cache has to be refreshed it draws system resources to complete this activity. During peak times increase the time between cache refreshes.

Review what is cached and what is not. Make sure frequently called items are cached. By default, some ecommerce applications have caching turned off for some of their database elements. Review the settings for these fields and adjust them appropriately.

Adjust “type ahead” search

Type ahead search uses additional sessions and threads within your application. Increasing the number of characters a shopper must type before a type ahead search is initiated will give you added capacity.

Remove and adjust “view all” options

Giving customers the option to view all items in a category is available on many sites, but if you have a large catalog, the loading of these elements takes time and resources. Review all the areas where the option to view all is available and restrict the number of items that can be viewed when it is selected.

Know what is scheduled and when

Review when recurring jobs are scheduled to run. Making sure jobs are not colliding with each other or running during peak times can help better manage your capacity.

Key Areas to Consider

• Cache Refresh and Application, CDN
• Search Indexing
• Backup Database jobs – archiving, indexing
• Pricing updates
• Inventory updates

FINE-TUNING

Limit publishing and catalog updates

Limit your publishing during peak times. Catalog updates are resource intensive because in most applications the database and search engines need to re-index and refresh the cache.

Establish a strategy to perform catalog updates during peak season. Ensure updates are performed during the point of the day when traffic is the lowest and bundle changes into small groups.

Review the thresholds under which a catalog change will force a cache refresh. Some applications will allow you to set a threshold to invalidate the entire cache when a specific number of records are changed. Review these thresholds and make sure they are optimized for your business. Indexing is another area which can be adjusted. Make sure a full index is not triggered when a minor catalog change is made to prevent unnecessary resources from being consumed.

Tune your search

Whether you use Endeca, SOLR, or another type of engine to drive search within your site, it is important for you to make sure it is tuned. Start off by assessing the hardware the search environment is running on (CPU, disk, memory etc.) and make sure it has the appropriate resources. Remember, depending on the structure of your data, there are implications for your hardware. If you have a lot of SKUs, beef up your servers with CPU and RAM so that this information can be held in memory. If you have a lot of requests/queries then add additional search servers to increase the output.

Make sure your database has the appropriate indexes to facilitate your searches and focus on periodically tuning queries that are frequently called by your search environment. Long-running queries, or ones that produce large amounts of data, should be looked at regularly. If you are using Endeca, make sure you are checking the size of the queries coming back and ensure they are sized according to Oracle best practices.

Monitor application errors

You should be monitoring application errors throughout the year. Application errors do not improve under high levels of load. The goal is to identify and address errors before your busy season.

Your database is an essential part of your environment; bottlenecks here can cascade down to your application servers, causing requests to back up.

Key items for database tuning

• Set up monitoring to see how your database is performing

- Monitor your top SQL statements, Sessions, Actions and Services and investigate if any of these change dramatically

- We also recommend configuring reports that give you snapshots over time (this can also help you troubleshoot a problem)

• Keep a close eye on the size and performance of your DB hardware to ensure your environment is right-sized

• Tune long running queries so they don’t over-use system resources

• Ensure queries that are called frequently are structured well

• Index tables that are accessed frequently to speed up query response and minimize system resources

• Look for database errors. Address these errors before they become a problem


Commerce Performance Manager

Tenzing’s Commerce Performance Manager is an application performance monitoring solution that automatically pinpoints performance bottlenecks in your application code and alerts you to defects that affect your customer experience.


Bot traffic - including scrapers, hackers, spammers and impersonators - has been estimated to be as high as 61% of all internet traffic. We have seen levels from 30% to 90% in some of our client environments. There are several ways to manage bot traffic and its potential impact:

• Monitor bot activity - if you don’t know it is happening you can’t mitigate against it. Our team has designed a monitoring system to track bot activity over time.

• Set up monitoring that looks for the top ten IP addresses you are receiving traffic from. Review these IPs on a regular basis and block anything malicious.

• Serve different content to bots - you can display a less resource intensive site and protect your assets.

• Leverage a WAF or CDN to block bot traffic.

• Deploy a separate server that just handles bot traffic, separating it from user traffic. This means if bot traffic is negatively impacting the site, your users are not impacted because they are on another server. Lower the web server session limits for bots. For example, if the timeout value for a session is 30 minutes, set the session limit to 5 minutes for a bot, terminating the sessions faster.

• Scale back Google’s crawl rate.

MANAGE BOT TRAFFIC

A bot (short for “robot”) is a program that operates as an agent for a user or another program or simulates human activity. There are lots of different types of bots, some malicious and some not.

Good Bots are from well-known companies like Google, Pinterest, Yahoo, and Bing. These bots collect information from your website to power their service. They are crucial to your online presence and search rankings.

Bad Bots, on the other hand, include comment spammers, SQL Injection worms, vulnerability scanners and more.
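The top-ten IP monitoring recommended above can be run over ordinary web server access logs. The following is an added example, not part of the original guide or any Tenzing tooling; it assumes the Apache/nginx "combined" log format, and the sample lines, the 25% review threshold and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Crawlers that announce themselves. The User-Agent is client-supplied, so a match
# is a hint for triage, not proof of who is calling.
BOT_UA_RE = re.compile(r"bot|crawl|spider|slurp", re.IGNORECASE)


def _line(ip, path, ua):
    return f'{ip} - - [24/Nov/2017:09:00:00 +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
# Constructed sample traffic using documentation IP ranges; not real log data.
SAMPLE_LOG = (
    [_line("198.51.100.23", f"/product/{i}", "python-requests/2.18.4") for i in range(5)]
    + [_line("192.0.2.10", "/sitemap.xml", GOOGLEBOT), _line("192.0.2.10", "/", GOOGLEBOT)]
    + [_line("203.0.113.7", "/", BROWSER), _line("203.0.113.7", "/cart", BROWSER)]
    + [_line("203.0.113.9", "/", BROWSER), "truncated line with no fields"]
)


def parse(lines):
    """Yield (ip, user_agent) for each well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("ua")


def top_talkers(lines, n=10, alert_share=0.25):
    """Return the n busiest source IPs with count, traffic share and a review flag."""
    hits, declared_bot = Counter(), {}
    for ip, ua in parse(lines):
        hits[ip] += 1
        declared_bot[ip] = declared_bot.get(ip, False) or bool(BOT_UA_RE.search(ua))
    total = sum(hits.values())
    report = []
    for ip, count in hits.most_common(n):
        share = count / total
        report.append({
            "ip": ip, "requests": count, "share": round(share, 2),
            "declared_bot": declared_bot[ip],
            # A heavy source that does not identify itself is the first thing to review.
            "review": share >= alert_share and not declared_bot[ip],
        })
    return report


def declared_bot_share(lines):
    """Fraction of parsed requests whose User-Agent identifies itself as a crawler."""
    agents = [ua for _, ua in parse(lines)]
    return sum(1 for ua in agents if BOT_UA_RE.search(ua)) / len(agents) if agents else 0.0


if __name__ == "__main__":
    for row in top_talkers(SAMPLE_LOG):
        print(row)
    print("declared bot share:", declared_bot_share(SAMPLE_LOG))
```

Because the User-Agent string can be forged, the `declared_bot` column only separates crawlers that announce themselves from sources that do not; it does not confirm that a request really came from the named search engine.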


MONITOR YOUR ENVIRONMENT

Once you have your infrastructure and application in an optimal state, it is important to monitor the performance as you move through the holiday season. Sales leading up to the holidays (like back to school) give you the opportunity to see how your environment is performing and make changes before your biggest selling days.

Measure • Analyze • Act

Make sure your monitoring strategy is holistic. Infrastructure availability, application performance, end-user experience and traffic levels are all elements you should be paying close attention to.

Don’t forget to include monitoring around connections to third-party systems. You want to understand how links to payment gateways and postal outlets are performing.

04 MARKETING

CAMPAIGN BEST PRACTICES

The best teams work to build constant and open communication between the marketing and IT departments. If possible, it’s worthwhile having both teams involved in the campaign planning process, or at least the review and signoff.

Communicate

Share your campaign plans with all stakeholders, including your managed services or hosting provider. Ensuring your teams know the dates and times of future traffic increases will help during the troubleshooting process. When our service desk has access to a client’s marketing plan it gives them insight into what is causing the extra traffic - the last thing you want is for an expected surge in traffic to be interrupted because it is perceived to be a DDoS attack.

Constantly evaluate

Monitor your campaigns and application performance in the lead-up to the holiday season. This will give you an idea of your application performance in the upcoming weeks. If you received a higher than anticipated response or your application did not perform as expected, this is a good indication of problems to come. We recommend this type of monitoring start at back to school time.


Establish a campaign change process

Identify who can approve changes to a campaign strategy and how they are communicated out to stakeholders. Share the change process with the broader team before the start of your busy season to ensure expectations are properly set.

Freeze system changes

Once you have prepared your environment and planned your campaigns - STOP making changes! Freeze your environment and communicate these dates to your vendors. Make sure you understand all your vendors’ change policies and whether they have a freeze, as this could impact your planning.

Limit publishing changes

Publishing and catalog changes are a huge drain on system resources. Establish a strict policy and process for applying these changes and be disciplined in following this process.


Email remains a leading method for engaging and pushing customers to ecommerce sites. It also has the potential to cause a self-inflicted Denial of Service attack. This can happen if responses exceed your capacity - maybe your emails contain large images or a discount code causes unnecessary traffic to the database. Ensure that your email campaigns don’t overwhelm your site with these simple best practices.

Segment your list

Segment your campaign into blocks. Rather than sending out one email to 1,000,000 users, consider breaking the campaign up into smaller groups to give you better control of traffic spikes. Instead of creating a stampede, this will spread activity over multiple hours.

The practice of staggering your campaigns extends the life of your capacity as users are alerted to a sale over a longer period rather than creating a mad rush when the sale starts. This strategy allows you to stop subsequent emails from distribution if a problem is detected, limiting the negative customer impact. It also gives you the opportunity to personalize messages based on specific segments or customer behaviors.

EMAIL BEST PRACTICES


Manage your media content

The use of media in an email campaign can have a positive impact on your click-through rates, but using multiple or large images can increase bandwidth and traffic to your environment. As customers receive the email, they will begin downloading images to their workstation, resulting in additional traffic. On a large scale this can result in performance degradation.

To avoid this, consider saving your collection of images as flat files to manage their sizes or leverage a CDN to serve your images. You can also store email pictures or media on a separate server to avoid affecting your site performance. If you are using video, host it on YouTube. Again, this will help you manage site performance and bandwidth costs.


Tenzing CDN

While serving images, your environment uses a lot of system resources and bandwidth. Why not use those resources to process transactions?

Tenzing offers a CDN as part of our security suite. It combines DDoS mitigation and protection with a Web Application Firewall and CDN.


Discount codes are a key driver in holiday selling. We have seen a number of campaigns go horribly wrong when discount codes were incorrectly configured in the application or not tested appropriately.

Don’t get too fancy

Make sure you don’t introduce new discount structures during your peak shopping season. If you have never used a “First Time Purchaser” discount previously, now is not a good time to start. Use new discount structures during off-peak seasons as a test before applying them during your peak season.

DISCOUNT PROMOTIONS


Avoid expansive database searches

Avoid discount codes that can put an unnecessary strain on your database. Returning to the "First Time Purchaser" example, this type of discount requires your application to search your database to determine if the user is eligible to use it. The larger your database, the longer the search. This activity will put added load on your database and may impact other users on the site.

Keeping a library of your discount codes and their parameters helps with designing your test plan for new codes and campaigns.

Test discount codes

Test all discount codes before using them. Test the new discount code and perform regression testing with codes that are both active and inactive. Treat a discount code like an application launch and come up with standard test cases that can be used for each new code release. Make sure your test cases both meet and break the rules of the discount. This is a good time to use your end-user test group.

Customers are hungry for discounts during the holiday season and in their desperation may behave in ways that the developers never considered.
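A library of discount codes and their parameters can drive the standard test cases directly. The following is an added example, not from the original guide: the code names, their parameters, the exact-match rule for code strings and the `is_valid` function (a stand-in for the application's own check) are all hypothetical.

```python
from datetime import date, timedelta
from decimal import Decimal

# Hypothetical discount-code library: one entry per code with its parameters.
LIBRARY = {
    "HOLIDAY10": {"start": date(2017, 11, 24), "end": date(2017, 11, 27),
                  "min_total": Decimal("50.00"), "single_use": True},
    # An expired code stays in the library so it keeps getting regression-tested.
    "SPRING5": {"start": date(2017, 3, 1), "end": date(2017, 3, 31),
                "min_total": Decimal("0.00"), "single_use": False},
}


def is_valid(code, on, cart_total, already_used, library=LIBRARY):
    """Hypothetical validator under test (assumes codes must match exactly)."""
    rule = library.get(code)
    if rule is None:
        return False
    if not rule["start"] <= on <= rule["end"]:
        return False
    if cart_total < rule["min_total"]:
        return False
    return not (rule["single_use"] and already_used)


def cases_for(code, rule):
    """Derive cases that meet and break each rule from one library entry.
    Each case: (name, code, date, cart total, already used, expected result)."""
    day, cent, total = timedelta(days=1), Decimal("0.01"), rule["min_total"]
    cases = [
        ("first day at minimum total", code, rule["start"], total, False, True),
        ("last day at minimum total", code, rule["end"], total, False, True),
        ("day before start", code, rule["start"] - day, total, False, False),
        ("day after end", code, rule["end"] + day, total, False, False),
        ("lower-case variant", code.lower(), rule["start"], total, False, False),
        ("trailing space", code + " ", rule["start"], total, False, False),
        ("reuse by same customer", code, rule["start"], total, True,
         not rule["single_use"]),
    ]
    if total > 0:
        cases.append(("one cent under minimum", code, rule["start"],
                      total - cent, False, False))
    return cases


def run_matrix(library=LIBRARY, validator=is_valid):
    """Run every derived case; return the names of the cases that failed."""
    failures = []
    for code, rule in library.items():
        for name, c, on, total, used, expected in cases_for(code, rule):
            if validator(c, on, total, used, library) != expected:
                failures.append(f"{code}: {name}")
    return failures


if __name__ == "__main__":
    print(run_matrix() or "all discount cases pass")
```

Adding a new code to the library automatically produces its boundary cases, so every release runs the same meet-and-break checks against both the new code and the existing ones.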

05 PLANNING

PLAN FOR THE WORST

In our experience it is inevitable that something will go awry, but the most successful teams are those who are prepared. On that note, document, test and communicate your plans to all stakeholders.


Creating plans for each of these areas will help you be prepared:

• Website overload

• Service impacting incident or disaster events

• Security or DDoS attacks

Work with your team and vendors to review possible scenarios and identify the ones that are most likely to occur, or will have the biggest impact.

Each of these plans should include:

• The internal team contact list – who should be notified and when

• A customer communications strategy

• Vendor details – support contacts, escalation contacts, support agreements (response time, resolution times)

• Steps to execute the plan


Say Sorry

A thoughtful “sorry page” can be used to help manage an out of control campaign. You can set up rules that will serve the sorry page if the number of users reaches a specific threshold. You can also add the ability for clients to enter an email address to capture clients who were turned away.

Consider creating sorry pages that are specific to your campaign. Don’t use a generic “We’re doing maintenance” page - your customers know you are not doing maintenance, they KNOW you are down. Think about creating something fun or brand related, perhaps offering a coupon code as an apology. Be creative!

You should have your maintenance page configured in 3 key places:

• Completely outside your environment so you can point your DNS there in response to a major issue.

• One at the load balancer in case there is a problem with your webservers or the pool.

• One which resides on your web servers allowing you to control traffic coming into the site after a restart.

Make sure each of these pages is slightly different. That way if one is displayed you can quickly determine where it is being served from. This will help with troubleshooting.


Graceful Recovery Example

Imagine you are running a campaign and the response has been HUGE. The site has a problem and you need to do a restart. Here is a good approach:

1. Bring up the maintenance page at the load balancer.

2. Before bringing your web servers back into the load balancing pool, bring maintenance pages up on each web server, then introduce them all into the pool.

3. One by one, remove the maintenance pages on each web server.

This gives you control over which servers can receive traffic. In the short term, some of your users will get through to the site while others will receive the maintenance page. It also allows you to ensure everything is working properly before opening up the flood gates.

06 FINAL THOUGHTS

So, forty odd pages later you should now have some great ideas to better prepare for the 2017 Holiday Season. We cannot stress enough that careful planning and preparation is the best way to make sure your site stays up and running during this intensive period of online shopping.


Communicate

We've said it before, but it bears repeating: communication is the key to success. Communicate important traffic periods to all stakeholders. Share your emergency planning with everyone that needs to be aware - including marketing, IT, customer service and relevant vendors. Keeping everyone informed will help ensure that planned activities proceed without interruption and unplanned activities are responded to effectively.

Test and test again!

Another item we cannot emphasize enough is the importance of testing. Testing your environment end-to-end is the best way to be prepared for the holiday season. Make sure you plan your campaigns, assess your campaign needs and capacities, test and do more tests while always communicating with your stakeholders.

One of the best tools for your holiday preparation is the load test. By simulating a high volume of users you can identify bottlenecks and the levels at which degradation occurs. This can help you determine if you need to invest in additional resources for your peak season.

Tenzing Site Tester

As mentioned earlier, Tenzing offers a fully managed, cloud-based, multi-endpoint load testing service. Tenzing Site Tester simulates peak loads on your website across a range of geographies, device types and networks. It speeds root cause analysis and remediation by pinpointing performance issues in real time.


Still not sure if you're ready for the holidays?

We can help. Tenzing offers qualifying merchants a free holiday preparedness audit. We will work with you to evaluate your current strategy and develop a plan to address issues before the holiday season hits.


Elizabeth Scott is the VP of Customer Success at Tenzing, a leading managed services provider for Ecommerce merchants. Inspired by her experience working with retailers and her love of shopping, Elizabeth created Tenzing's Cyber Week and Holiday Season Preparedness Programs to ensure Tenzing clients are well prepared for the holiday season, much of which drove this book’s content.

Elizabeth Scott, @BethxScott
Tenzing VP, Customer Success

ABOUT THE AUTHOR

www.tenzing.com
1.877.767.5577