Edge cloud strategies for ecommerce

Introduction

When it comes to online shopping, digital transactions have become the norm and the significance of having a high level of online security cannot be overstated. Shoppers are entrusting their personal and financial information to websites and apps on a daily basis. This reliance underscores the importance of implementing robust security measures to safeguard sensitive data from malicious actors and cyber threats. Extremely fast performance is the other critical piece to optimizing ecommerce, and we will take a close look at speed and improved user experiences in this report, but you’ll also see how security solutions can be key to driving performance improvements too.

However, effective online security in ecommerce goes beyond mere protection against data breaches; it is a cornerstone of building and maintaining trust between businesses and consumers. When customers feel confident that their personal information is safe and secure, they are more likely to engage and establish long-term relationships with brands. Conversely, a single security lapse can have far-reaching consequences for this industry, eroding trust, damaging reputation, and potentially leading to legal and financial liabilities. 

More than any other industry, ecommerce companies are constantly making changes to their website. Content is in flux as inventory changes, but there is also pressure to fine-tune performance. The way people shop and the tools and outlets also differ over time, and there are regulatory requirements to adhere to. We will look closer at all of these challenges facing ecommerce and recommend optimization strategies when it comes to both online security and performance. We will examine malicious bots and the security risks they bring but also look at how they can have a significant impact on the performance of an online storefront. 

While upcoming changes - such as the PCI 4.0 specification - are mandatory for the industry to comply with, others are recommendations and goals for highly responsive and agile experiences. To that end, we will take a look at Google’s Interaction to Next Paint (INP).

Results from our research

Performance remains paramount in ecommerce as it directly impacts user experience, conversion rates, search engine ranking, and, ultimately, the bottom line. Ultra-responsive websites, seamless navigation, and unintrusive and efficient checkout processes are all essential for securing and retaining customers, reducing bounce rates, and maximizing sales opportunities in today's competitive digital marketplace.

Studies consistently show that even minor delays in page loading times can lead to increased bounce rates and decreased conversion rates, highlighting the pivotal role of performance optimization in driving online sales. Beyond user experience, the performance also impacts search engine rankings, with search algorithms favoring websites that are quick to load and feature responsive designs. 

Additionally, ensuring optimal performance across various devices and screen sizes is essential for reaching and engaging with customers wherever they are. Prioritizing performance optimization ensures that ecommerce companies present a smooth and satisfying shopping experience, fostering customer satisfaction, loyalty, and sustained business growth.

The data and what we found

For this industry report, we looked at several web-native, direct-to-consumer companies vs. an incumbent in their space to see how they compared. Maybe the direct-to-consumer brands would outperform those having started with physical stores. 

As expected, ecommerce companies showed lower latency and responsiveness compared to our previous reports on other industries. With fierce competition and ever-impatient shoppers, those not doing all they can to optimize the shopping experience are playing a dangerous game. For this reason, we were somewhat surprised to see that 60% fell outside the “Good” category of Google’s core web vitals index for LCP. Clearly, there is still room for improvement, and if anything this proves how much of a challenge optimizing for performance is.

A quick side note is that in January 2024, we examined the Airline industry and found performance data that left a lot to be desired. At the time we commented that while we fully expected airlines to aim for responsive and agile experiences, they have some protection from customer churn via loyalty programs and in some cases even lack of alternatives. For more information and to access the report in full, click here.

As swift performance plays a critical role in maintaining favorable search engine visibility, we purposely examined Google’s Interaction to Next Paint (INP) which on March 12, 2024 replaced First Input Delay (FID). INP is a metric used to evaluate how quickly a webpage content starts rendering after a user interacts with it. Websites that are slow to load content tend to have lower rankings on Google search because ranking algorithms prioritize user experience. Slow-loading websites can negatively impact visitor engagement and satisfaction. It’s fair to assume that not all sites tested are optimized for Good INP scores at this point, but we were still surprised to see that seven out of ten of those we examined, fell into the less attractive “OK” category.

For our ecommerce test we used the February Chrome User Experience Report dataset on BigQuery. We ran our test from February 1 through 29, and compared our findings against Google’s core web vitals for web applications. For this particular report we focused on two sets of data: Interaction to Next Paint (INP), and Largest Contentful Paint (LCP). For definitions of these and the data set, see our methodology page.

In addition to what’s mentioned above, here are noticeable data points:

• Incumbents show impressive response times, and in the data we extracted there is no obvious distinction between old and new.

• For INP, three companies scored Good, which is a delay of less than 200ms. Interestingly some of those scoring well in this category have a poor LCP rating. If you want to improve your rank, you can work on one of these at the time.

• We saw quite a variance in load times. The slowest site to fully load was almost six times slower to load compared to the fastest. There is no obvious reason for this - the site to fully load the fastest - Victoria’s Secret - draws heavy use of images and content that could potentially make it slow to load. 

When we set out to look at ecommerce, we were curious if there was a consistent trend where the web-native direct-to-consumer organizations were outperforming more established competitors that entered the online shopping arena as an extension to their stores and outlets rather than the other way around. At this time, there’s no indication this is actually the case. Instead, when looking at the data, we can conclude that few are doing good but that most have their work cut out for them if they want to remain relevant to potential shoppers.

Also of note: Looking at desktops vs. devices, it’s clear that people are overwhelmingly shopping more from their mobile devices than their desktops. The CrUX dataset does not collect iOS data, making the device density number higher in reality. This again highlights the importance of being able to personalize content to the device receiving the data.

Performance is hard, even for the best sites

Given the complexity of their platforms and underlying architecture, ecommerce sites face several challenges that can affect their performance. Many are still using an architecture where too much of their data is processed and served from a central location. Heavy loads on the origin can cause slow loading times when handling shopper interactions like searching for products, adding items to carts, and processing transactions. Additionally, securing transactions creates another layer of complexity, requiring robust encryption and authentication mechanisms that can cause site performance to take a hit.

As shopping experiences grow more inclusive, they become reliant on personalization data that in an older architecture only resides at the origin. Features such as store locators, “often bought together with” items, and low inventory warnings will typically require sending requests to the origin. Furthermore, online shoppers have notoriously high expectations and low patience, which add pressure on ecommerce sites to deliver seamless and ultra-responsive experiences. Visitors expect pages to load instantaneously, and any delay can lead to frustration and cut the visit short before checkout. Mobile shopping continues to rise in popularity, which for ecommerce sites translates to challenges of optimizing performance across various devices and network conditions.

Security is paramount to building and maintaining a successful ecommerce business, but that in itself can present the IT organization with a serious task to solve as it relates to performance. Legacy security solutions can be inefficient at scrubbing and analyzing data and can slow things down considerably. 

There are several other factors that can affect site performance such as non-optimized image files and code. As mentioned earlier, malicious bots can consume so many resources from your infrastructure that the origin can struggle to serve content at the required speed resulting in poor experiences for your legitimate users. They have no idea you’re currently undergoing an intense bot attack – they only know that their experience is slow. You can read more about this in the Security section below. Poorly written third-party tools and plug-ins can also affect performance, making it challenging for ecommerce sites to meet expectations. 

Issues outside computational resources can also affect the perfection of the overall performance. A non-intuitive UI can leave the shopper with a perception of a clunky app leaving them frustrated if the in-app navigation is not intuitive. As mentioned above, shopping experiences are continuously being improved, and developers face a hard task when being asked to add features without compromising the speed with which a purchase can take place.

To remain competitive in the crowded ecommerce landscape, businesses must prioritize performance optimization strategies, which will overlap with their security strategies, to ensure smooth and efficient user experiences.

Security: more critical than ever

Prioritizing security in ecommerce is not just a matter of compliance or best practice but a strategy for ecommerce businesses in a constantly evolving landscape of cyber threats and vulnerabilities. Any single breach can erode trust and damage reputation, resulting in financial loss and, while in most cases unfair, a virtual egg on the face. Ensuring privacy and protection is essential for building consumer confidence, maintaining brand loyalty, and upholding the integrity of a online storefront.

Online security is very broad and a topic that, if covered in detail, far exceeds the scope of this report. Instead we have selected three topics relevant to ecommerce: Bots, Distributed Denial-of-Service attacks (DDoS), and Web Application Firewalls.

Bots – Not just a security threat

Ensuring a positive user experience and establishing trust are crucial for online businesses to succeed. However, with malicious bots responsible for 47.4% of all internet traffic, both can be compromised, leading to frustration and mistrust. The presence of bots on ecommerce sites and in applications, whether legitimate or malicious, raises concerns about how to prevent malicious bots' negative impact without disrupting legitimate ones.

Managing bots is no longer just a security team's concern as it affects the overall user experience, and they should be treated as a serious threat. They can be used to generate fake reviews and sway purchase decisions. Bad actors will leverage bots to discover and exploit vulnerabilities, manipulate systems, and engage in fraudulent activities that harm businesses and online shoppers alike. Here are five examples of how bots can seriously harm an ecommerce business.

1. Price scraping: Price scraping is one of the most common uses for bots in ecommerce. Bad actors can scrape pricing information for competing ecommerce sites. The information gathered becomes the source for adjusting prices, thereby gaining a competitive advantage.

2. Probing for costly errors: Bots can also be used to find incorrectly priced products in the pricing category. While uncommon, or maybe uncommonly reported, this can be an expensive proposition for the merchants who often must honor the lower price out of fear of bad publicity. Click here for some examples that gained fame.

3. Scalping: Bots are also used for scalping. Online scalping of concert tickets is probably the most publicized example of this, but automatic buying and hoarding inventory of products in high demand and reselling through own channels can also be a very lucrative business. Toilet paper, anyone?

4. Account takeovers: Like several other businesses, ecommerce also must deal with bots launching takeover attacks. Whether using credentials obtained unlawfully or exploiting weak security protocols, once inside, bad actors use the access to make unauthorized purchases or redeem gift cards.

5. DDoS: Finally, and while rare, bots can be utilized to launch distributed denial of service (DDoS) attacks against ecommerce websites, overwhelming their servers with fake traffic and disrupting their operations. Attacks like these can lead to downtime, loss of revenue, and damage to the brand's reputation.

Implementing robust security measures and monitoring systems is essential to mitigate these threats and protect against malicious bot activity. 

The hidden cost of DDoS attacks

For years, ecommerce has had to deal with the significant threat of DDoS. Malicious computers work in tandem to flood an online store with an enormous and continued amount of traffic, which overwhelms the infrastructure and makes it unavailable to serve content to legitimate users

In the event of an online attack, the most significant expense is almost always the loss of revenue due to downtime. If your website or online service is unavailable during the attack, your sales, advertising revenue, or customer trust may decrease, significantly impacting your bottom line. 

Here are five additional areas that can be affected by a DDoS attack and cause direct and indirect financial losses due to an online storefront being unavailable. 

1. Mitigation costs: The need to quickly implement DDoS mitigation measures, such as purchasing additional bandwidth, deploying DDoS protection services, or hiring specialized security personnel, can result in significant expenses.

2. Damage to reputation: DDoS attacks can damage your brand's reputation if customers perceive your services as unreliable or insecure. Rebuilding trust and repairing your reputation may require investing in public relations efforts or marketing campaigns.

3. Customer support costs: Dealing with customer inquiries, complaints, and support requests during and after a DDoS attack can strain resources and increase operational costs.

4. Productivity loss: Employees may be unable to access critical systems or perform their duties during a DDoS attack, resulting in lost productivity and potential overtime costs.

5. Third-party service costs: If your business relies on third-party services or vendors that are affected by the DDoS attack, you may incur additional costs related to service disruptions or downtime.

There are other costs as well, such as legal expenses. Depending on the nature of the attack and the jurisdiction in which your business operates, you may incur legal fees, fines, or penalties for failing to protect customer data or maintain service levels.

Overall, the financial impact of a DDoS attack can extend far beyond the direct costs of mitigating the attack, making it essential for businesses to have comprehensive security measures and response plans in place.

WAF – From optional to required

Web Application Firewalls (WAFs) are an essential part of securing ecommerce platforms but legacy implementations will be challenging due to the dynamic nature of online retail environments. They present challenges to the overall infrastructure, the departments managing them, and ultimately the shopping experience. One of the significant challenges is finding the right balance between robust security measures and seamless user experiences. Ecommerce sites must provide fast and frictionless transactions, and any disruptions caused by overly aggressive WAF configurations can lead to abandoned shopping carts and dissatisfied customers. Therefore, it's important to configure WAFs carefully to effectively identify and mitigate threats while allowing legitimate traffic to flow smoothly.

Additionally, the diverse landscape of ecommerce applications and integrations presents another hurdle for WAF deployment. Many ecommerce platforms rely on a combination of custom-built applications, third-party plugins, and APIs to provide enhanced functionalities and streamline operations. Each of these components introduces potential vulnerabilities and attack vectors that must be protected by the WAF. 

Ensuring comprehensive coverage across the entire ecommerce ecosystem while maintaining compatibility with existing systems can be a complex undertaking. Furthermore, the rapid pace of technological innovation and the frequent introduction of new features and updates make it challenging to keep WAF configurations up-to-date and effective in the ever-evolving threat landscape. Therefore, while WAFs offer invaluable protection against cyber threats, their implementation in ecommerce requires careful consideration of these challenges to maximize security while minimizing disruptions to business operations and customer experiences.

The complexity of these issues can cause legacy WAF solutions to be installed with default values and be left unoptimized, or even worse, in logging mode where they don’t actually block anything. As a lot of traffic passes through them, it can be detrimental to users who are caught by false positives or an overall slowdown, causing internal demand for the WAF to be taken offline. Case in point: a recent study shows that only 22 percent of WAFs deployed in organizations both detect and block attacks!

Your WAF doesn’t have to be complicated, which is good news for ecommerce as new PCI requirements will require ecommerce companies to have a functioning WAF in place by March, 2025. For more on this, see the following section.

When bad actors knock on the door, time to mitigate is crucial 

Countering DDoS attacks is crucial for any online business. DDoS attacks can make your whole site unavailable for long stretches of time and can also affect backend applications. 

As DDoS attacks become more prevalent and sophisticated, ecommerce businesses must strengthen their defenses and implement proactive mitigation measures. This includes investing in comprehensive DDoS protection strategies that include network resilience, traffic analysis, real-time monitoring, and rapid response protocols. By doing so, businesses can safeguard the integrity, stability, and continuity of their operations in the face of cyber threats.

The significance of prompt incident response in ecommerce cannot be overstated. This is essential for survival, gaining back trust and future success. Any security lapse can have severe consequences such as financial losses due to fraud, regulatory fines, and legal liabilities. Moreover, a security incident can cause lasting damage to the reputation and credibility of an ecommerce brand. Customers nowadays are more perceptive than ever, and any indication of a security breach can make them lose trust in a company, leading to churn and negative word-of-mouth that can ruin the brand image permanently.

Three things ecommerce companies must to do to stay relevant

1. It’s time to upgrade to an effective and unintrusive security solution

Security remains one of the most important areas where ecommerce companies should focus. Better security and bot protection can help ensure their sites stay up and available. Modern online security solutions can do so without causing additional latency, and therein lies the rub – lack of security can hurt performance, but some security strategies can also introduce performance bottlenecks that wipe out any performance gains. When choosing an effective WAF solution, great care must be taken not to affect the overall latency with which online shoppers experience your website. Some security solutions, especially on-prem WAFs, can create their own bottlenecks as requests for security checks pile up in the queue. Edge security solutions can help, but not all edge security solutions are built equally well for latency. If your security checks happen on a separate edge network from the rest of your operations then there’s a latency tax every time a request has to hop from one network (like from your CDN network or edge computing) over to the security network and back. It’s important to note that malicious bots able to enter because of a lack of security can also hurt performance, but some security strategies essentially wipe out any performance gains.

As an ultra-responsive online outlet is the cornerstone of every online store, ecommerce should consider the benefits that can come by embracing edge computing together with security. As an example, authentication at the edge can be executed far quicker as no query has to be sent to servers at headquarters.

Having real-time monitoring tools, threat detection systems, and incident response plans in place allows ecommerce companies to detect and respond to security breaches promptly, minimizing the impact while also mitigating further damage. By prioritizing security and investing in proactive measures to combat online threats, ecommerce businesses can protect their customers' sensitive data and earn their trust and loyalty.

2. React quicker by implementing faster development cycles

Ecommerce companies often struggle to shorten the development cycles of their complex and highly optimized applications. While project and resource management can help, advancements in edge technologies offer significant improvements in performance, productivity, and speed. Continuous Integration/Continuous Deployment (CI/CD) is one such area where edge deployment can help with faster deployment and scalability.

CI/CD practices benefit a wide range of development teams, but those with frequent code changes benefit the most. Automating integration and deployment processes reduces the risk of errors and ensures that changes are quickly and reliably pushed to production. Teams tasked with smaller application development, such as web or mobile, benefit greatly from the agility brought by CI/CD. It allows them to iterate quickly, gather user feedback, and deploy updates rapidly, helping companies stay competitive. Overall, development teams that prioritize speed, reliability, and agility in their software delivery processes stand to gain the most from adopting CI/CD practices.

Incremental releases allow you to continuously develop and implement new use cases, which may influence future software updates. This approach also enables you to discover issues along the way, rather than waiting for a complete release, at which point multiple bugs may be intertwined and harder to detect and address. It also allows you to quickly respond to bugs and new requirements. There is also an important security component here: DevOps teams can rapidly release bug fixes in reaction to newly exposed security vulnerabilities and provide instant protection for applications and web properties.

When building out shopping apps to support new features such as “Typically bought with” (see below), it's crucial to exercise caution when adding features that can potentially slow down performance. While new features can enhance user experience, each addition introduces complexity that can impact app speed and responsiveness. Prioritize optimizing existing features and carefully evaluate the performance impact of new additions to ensure a seamless shopping experience for users across various devices and network conditions.

3. Take your ecommerce business to the edge

In ecommerce, personalization is a crucial aspect that enhances the experience of customers and businesses alike. Using customer data and behavioral insights, online stores can customize product recommendations, marketing messages, and appearance according to individual preferences, interests, and browsing history. This level of customization fosters a deeper connection between customers and brands, leading to higher chances of converting customers by presenting relevant and compelling offers. Personalization builds customer loyalty and satisfaction by creating a more engaging and intuitive shopping experience, ultimately leading to higher retention rates and lifetime customer value. Additionally, personalization enables businesses to optimize their marketing spend by targeting specific audience segments with relevant promotions, thereby maximizing their return on investment and driving revenue growth in the highly competitive ecommerce landscape.

Edge computing is an ideal solution for ecommerce businesses looking to personalize their customers' shopping experience by processing and analyzing data in real-time, closer to the user's device. By taking advantage of edge computing capabilities, ecommerce companies can quickly gather and analyze user data within just a few milliseconds. In addition, by personalizing the shopping experience directly at the network's edge, ecommerce companies can reduce latency and improve responsiveness, increasing customer engagement and satisfaction. Image optimization and A/B testing are great examples of something that can be executed at the edge rather than at the backend. Not only is latency brought to a minimum, but you are also freeing up costly resources at the data center.

Further, Edge computing brings the computational resources closer to the source of data generation, significantly reducing latency, resulting in faster response times and improved user experiences, which can translate into higher sales. Additionally, edge computing allows ecommerce businesses to quickly adapt to evolving user interactions and market trends, ensuring that personalized experiences remain relevant.

Finally, the proximity provided by edge computing also enhances security by minimizing the exposure of sensitive data to potential cyber threats. Furthermore, edge computing enables applications to function seamlessly in ecommerce.

New compliance and benchmarks that will impact user experience

Google updates Core Web Vitals

On March 12 Google updated part of its core web vitals to replace FID with INP. As mentioned in the introduction, INP is a metric used to evaluate how quickly a webpage content starts rendering after a user interacts with it. Websites that load content slowly tend to have lower rankings on Google search because its ranking algorithms prioritizes user experience, and slow-loading websites can negatively impact visitor engagement and satisfaction. 

While there isn’t much you can do to predict how Google will score performance metrics in the future, moving to a comprehensive solution for better performance can help you perform better today and safeguard you against changes like this in the future. As an example, moving more interactivity to edge computing (dynamic APIs, advanced caching, edge storage, etc) enables you to serve more of your site responses from the edge providing for faster user experiences, better conversion rates, better SEO, and higher cache hit ratios. Just as important, this also prepares you for different ways to measure site responsiveness in the future.

A working Web Application Firewall will soon be a requirement

The Payment Card Industry Data Security Standard (PCI DSS) is a crucial framework for securing payment card information, and a significant factor for all entities involved in payment card acceptance or processing. It spans the entire lifecycle of payment card information from data entry to storage and transmission.

In 2022, The PCI Security Standards Council announced Version 4.0 with a range of new requirements. It includes a new requirement (6.4.2), forcing organizations dealing with online payments to adopt technology to enhance their application security. As such, by March 25, 2025, all organizations abiding by PCI DSS must have a working Web Application Firewall (WAF) in front of their public-facing web applications to detect and prevent attacks.

Many organizations are likely already fully compliant with this requirement, but it will undoubtedly involve changes for many organizations, whether budgetary or in workflows. We strongly urge companies looking to add or upgrade their security stack to look past legacy WAFs. They are known to block legitimate traffic or break applications, impacting the organization’s bottom line and reputation. Further, they can be hard to manage and fine-tune and sometimes require dedicated personnel to administer.

Conclusion and additional resources

This report focuses on the challenges that ecommerce companies face, and every organization may encounter them to varying degrees. However, leveraging the edge cloud and switching to a modern security solution can provide significant benefits in almost any situation. If you need assistance in understanding how these solutions can be implemented in your company, please get in touch with us today. Alternatively, you can explore some of the related resources below.