27 Jan 2019

ModSecurity: Default on Every Plan

Back in November we discussed the need for web application firewalls and some of the options out there for securing your site with one. And, well, shortly thereafter someone reminded me:

Hey, wait, don’t we have ModSecurity implemented everywhere?

Oh yeah, ModSecurity, the old faithful of general-purpose WAF systems. To be honest, we’ve run it across all of our servers for at least a year now, silently, in the background, with nobody noticing. We’re currently utilizing the OWASP Core Rule Set on all of our servers, and while it does detect and prevent a wide range of ‘standard issue’ web-based attacks (Cross Site Scripting, Code Injection, SQL Injection, etc), the fact is, we have to be deliberately conservative in what we detect and block at the server level. Something that may be ‘fishy’ on one website or code stack could be ‘business as usual’ on another site, so it’s not possible for us to make the rules “extremely secure”, because we don’t want to incorrectly block traffic that someone may actually need for their site to function.

Think of our ModSecurity implementation as a ‘first line defense’, it’s keeping an eye out for the really unscrupulous traffic, the things that we can look at and say “no way that can be legit traffic!”.  But the more granular, focused, specific needs of a given web platform? That’s where the need for a Web Application Firewall specific to your own site and needs comes in.

One thing we have rolled out in the last couple weeks, just in case, is the ability for clients to disable ModSecurity on a given domain under their account.  We don’t recommend it, and I believe we’ve only had one instance of a client really really wanting to do it, but that option is there now.  By default, we enable it everywhere, but if you go into cPanel, under the “Security” section, there’s now a ModSecurity area where you can disable it on a per domain basis.  It’ll warn you that this is potentially unsafe, and not recommended outside of debugging purposes (usually to prove that it’s not ModSecurity causing an issue with a site), but, if you need it, the option is there.

26 Jan 2019

IPv6: Ready, but not yet Prime-Time

IPv6 is one of those weird tech initiatives, in that it’s something everyone seems to agree needs to happen, but actually getting there is just taking way longer than everyone seemed to think it would. We’ve been running IPv6 on many of our own platforms and services for a while now, but coverage has not been 100%, nor had we fully deployed it to customer hosting servers and websites, until now. Today we’re happy to announce that all customer sites and services are now fully available via IPv6. Now, odds are, either you’re reading this and going “Nice”, or you’re going “What the heck is IPv6?”, so let’s take a quick moment to cover some likely questions you may have…

What is IPv6 and why do we need it?

Every device that’s directly connected to the Internet needs a unique address that identifies that specific machine.  The internet as we’ve had it all these years runs on a protocol called IP, more specifically, IPv4.  IPv4 gives us unique 32bit addresses that look like this:   139.197.254.128.   Then we use DNS to tell the world “www.purenrg.com = 139.197.254.128”, when you enter or click on our website URL, your computer looks up the DNS name, and gets back that unique address, and that’s how it knows where to connect to pull up our site.

IPv4 addresses can range from “0.0.0.0” to “255.255.255.255”, giving a little under 4.3 billion possible unique addresses (I hear the deep tech folks groaning already, but bear with me). Due to the way IP addresses are carved up into subnets, and the way a number of ranges were reserved for other uses way back in the early days of the Internet, we don’t actually have that many to go around. Over half a billion were marked ‘reserved’ right off the bat for things like “inside” network space, multicast, etc, so the true number of usable IPv4 addresses is quite a bit smaller than 4.3 billion.

Now, keep in mind, while the Internet as we now enjoy it didn’t exist quite yet, IPv4 was designed in the early 1980s, so at that time, I’m sure the idea of “more than 4 billion devices all sharing the same global network” seemed like “Yeah, that’s not going to be a problem, ever!”   But of course, over the years, we’ve, well, we’ve used them up.  It’s been an ongoing issue for quite some time, but there have been workarounds that have kept things going without major issue:

  • NAT/Proxies/Firewalls.   Odds are you probably have more than one internet connected device in your house.  PCs, laptops, tablets, gaming systems, cameras, etc.  They all have an IP address, but likely not a “public” IP address.  It’s fairly common practice for your ISP to provide some sort of gateway/router device that actually obtains one public IP address, and then handles NAT for all of the devices inside your home.
  • Some of the previously “reserved” space has been “unreserved” and allocated out to the regional registries.
  • Some larger companies that had large swaths of IP space allocated to them have returned some, or in other cases no longer function as entities and returned huge swaths to be redistributed. (HP, or companies they merged with/acquired over the years, at one point had 64 million IPs that they turned back to the registries.)

I don’t want to veer too far into the discussion of IPv4 Exhaustion, but the wiki page linked there gives a great overview of how we got here.  But the basic gist is, while IPv4 got us to where we are today, something different is going to have to take over at some point.

Where did this whole IPv6 thing come from?

Thankfully, in the early 1990s (even then, the Internet was still not “the thing” it is today), someone had the foresight to think that 4.3 billion might one day not be enough addresses, so a bunch of folks got together and started brainstorming. While early versions of IPv6 support made it into things like the Linux kernel in the mid 90s, we actually didn’t have a “Draft Standard” for IPv6 until late in 1998, and it didn’t become a true “Internet Standard” until July 2017. These things, clearly, take time.

So what does IPv6 bring us?  Well, an IPv6 address looks like this:

2604:a880:0:1010:0:0:76:7001   (Again, our main website)

It’s a mouthful, no doubt, and it’s going to make all of us even more dependent on DNS than we are today. But it’s a 128-bit address. That means instead of the 4.3 billion possibilities, we now have… well, billions and billions of possible addresses. (340 billion billion billion billion addresses, give or take.) So yeah, it should solve our IP address shortage.

Why is it taking so long?

It’s taken quite a while just to get the standard nailed down. And it’s taken even longer to figure out exactly how to implement it in every scenario. Then you have the classic adoption problem: nobody wants to be the first ISP to offer “IPv6 only” access if there’s a shortage of content available on IPv6, so ISPs continue to scrounge around and find more IPv4 addresses they can utilize, and (as far as I’m aware), nobody has (yet) been forced into “IPv6 Only” land.

And until there are customers on the IPv6 network, there’s no push on the content providers into offering content on IPv6….  Chicken, meet egg.

Dual Stack implementations solve for this, in that with a Dual Stack configuration, you give your machine both an IPv4, and an IPv6 address, and you can be connected to and connect to others via either one.

So for instance, all of our servers now have an address in both IPv4 and IPv6.  We tell things like our web server to listen on both, and now we’re accessible on both addresses.  Then we publish both via DNS (While IPv4 addresses are stored in ‘A’ records, DNS has a separate ‘AAAA’ record for IPv6 addresses.)

So now, the content is there, even if the visitors are not, just yet, there in large numbers.

So what does IPv6 mean for me?

All the “under the hood” work to make this work for your sites hosted with us is already done.  All of our servers now run in Dual Stack mode, and we’ve ensured web, mail, and other services on every box are listening on both the IPv4 and IPv6 addresses.

So in general, not a whole lot really changes for you just yet, but it’s something you’ll want to be aware of, especially if you write your own code for your website.  You’re going to start seeing those “new, longer addresses” show up in things like your website logs, and at first, it’s going to be a bit confusing and unsettling. 😉

Here’s the part that will blow your mind (it blew mine), there’s a chance, however small, that you may be using IPv6 to read this right now and not even know it.  Many of the ISPs that have started implementing IPv6 are doing so with Dual Stack implementations, quietly, in the background.  A couple days after implementing IPv6 on our own website, we noticed the IPv6 addresses appearing in our client portal logs.  Clients were connecting to the site via IPv6, and they probably didn’t even know it.  That’s, quite honestly,  rather astonishing for something as fundamental to the Internet as IP, that the entire thing can be shifted around under the hood, and a visitor doesn’t even need to notice it.

While most ISPs are being fairly quiet about their embrace of IPv6, there are some larger, established ISPs starting to really make inroads with IPv6, and the number of folks who have IPv6 available to them continues to climb. It’s not ready to take over the world yet, obviously. Our own internal observations from our servers show about 3-5% of our traffic comes in over IPv6, and I believe that number is slightly skewed higher by our own servers preferring to talk with one another on IPv6.

But the data consumers are starting to arrive via IPv6, and now with this rollout, we’re ready for them.
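For site code that reads client addresses out of access logs, the following added example (not code from the original post or from the hosting platform) parses both address families, unwraps IPv4-mapped IPv6 addresses, and measures the IPv6 share of requests. The log lines are constructed, the client addresses come from documentation ranges, and grouping IPv6 clients by /64 for rate limits or ban lists is an assumption about how address space is typically delegated to a single subscriber.

```python
import ipaddress
from collections import Counter

# Constructed sample log (common log format, client address is the first field).
# Client addresses use documentation ranges (RFC 5737 and RFC 3849).
SAMPLE_LOG = """\
198.51.100.23 - - [26/Jan/2019:10:01:12 +0000] "GET / HTTP/1.1" 200 5123
2001:db8:42:7:0:0:0:1 - - [26/Jan/2019:10:01:15 +0000] "GET /portal HTTP/1.1" 200 811
::ffff:203.0.113.9 - - [26/Jan/2019:10:02:40 +0000] "GET / HTTP/1.1" 200 5123
2001:DB8:42:7::beef - - [26/Jan/2019:10:03:02 +0000] "POST /login HTTP/1.1" 302 0
not-an-address - - [26/Jan/2019:10:03:30 +0000] "GET / HTTP/1.1" 400 0
"""


def parse_client(field):
    """Parse a log's client field into an ipaddress object.

    Returns None for anything that is not a valid address, so callers never
    treat attacker-controlled junk as an IP. An IPv4-mapped IPv6 address
    (::ffff:a.b.c.d), which a dual-stack listener may record for an IPv4
    visitor, is unwrapped so the same visitor is not counted under two forms.
    """
    try:
        addr = ipaddress.ip_address(field.strip())
    except ValueError:
        return None
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def client_key(addr, v6_prefix=64):
    """Key used to group requests per client (rate limits, ban lists).

    IPv4: the single address. IPv6: the enclosing prefix (assumed /64), since
    one subscriber can pick any of the addresses inside its delegated prefix.
    """
    if addr.version == 4:
        return str(addr)
    return str(ipaddress.ip_network(f"{addr}/{v6_prefix}", strict=False))


def summarize(log_text):
    """Count requests per address family and per client key."""
    families = Counter()
    clients = Counter()
    rejected = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        addr = parse_client(line.split(" ", 1)[0])
        if addr is None:
            rejected += 1
            continue
        families[f"ipv{addr.version}"] += 1
        clients[client_key(addr)] += 1
    total = sum(families.values())
    return {
        "families": dict(families),
        "clients": dict(clients),
        "rejected": rejected,
        "ipv6_share": families["ipv6"] / total if total else 0.0,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report["families"], f"IPv6 share: {report['ipv6_share']:.0%}")
    for key, hits in sorted(report["clients"].items()):
        print(f"{hits:3d}  {key}")
```

Comparing addresses as parsed objects rather than strings matters because the same IPv6 address can be written several ways: the two IPv6 lines above differ in case and zero compression yet belong to the same /64.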

If you are interested in finding out the state of your own internet connection, and if it is IPv6 enabled, feel free to visit the IPv6 Test website.

21 Jan 2019

Server Migrations and The Future…

As previously discussed back in November, we’ve been working on a project to upgrade all of our server infrastructure to both stay up to date with the latest operating system releases, as well as to unlock some new technology and ultimately improve the service we provide to our clients. This project has taken a couple weeks longer to complete than we had originally anticipated as we discovered a couple of additional benefits of the new plan, and wanted to properly investigate how to best implement them, but I’m happy to say that we can now see the light at the end of the tunnel. Within the next two weeks we should be wrapping up the last of the account transfers, which means it’s time to talk a bit more about the changes that occurred, and to start thinking ahead to what we do once we come out through the other side.

Under The Hood

There’s a number of “geeky fun” changes under the hood that will improve both stability and performance of all our servers.  I’m going to add a TODO item on my list to talk about them a bit in-depth in a separate blog post, so that folks who are interested in that type of thing can geek out with me, while everyone else can just focus on the user-noticeable changes.

What I will say now though is, for the first time in a very long time, once this migration is complete, all of our hosting servers will be on the same hardware platform, the same OS releases, and the same software stack, all configured in the very same way.  And that makes our lives much easier going forward.

User Noticeable Changes, Day 1

No more additional cPanel Themes

For anyone who didn’t notice, some of our servers had additional cPanel themes installed on them, allowing users to choose how cPanel would look to them. It was something we implemented a couple years back as a bit of a lark to see how people liked it. At the end of the day, data showed us that only a small subset of clients ever checked out the alternate themes, and even fewer stuck with them. The confusion they created by not matching our documentation only caused problems. We actually stopped rolling these out on new servers quite some time ago, but with the migration project, the last vestiges of “alternate cPanel themes” will cease to exist entirely.

Ruby (Rails) Support Goes End of Life

Late in 2008 we added support for Ruby on Rails applications to our servers. With the way these integrated with Apache/cPanel, it was always something of a headache for everyone involved. Applications needed to be set up for Passenger, firewall ports needed to be opened; it was, quite honestly, just not as easy as PHP, for us or for our clients. Much like the cPanel themes, client interest was extremely minimal. In the last 10 years we’ve had perhaps a couple dozen inquiries around Ruby.

Because the implementation of Ruby under cPanel was always somewhat sketchy, we never felt comfortable marketing it as a big selling point, and at the same time, I’m sure that true Ruby aficionados tend to steer clear of cPanel based environments for their Ruby hosting needs because they’ve heard the stories.   At the end of the day, we want to focus on what we can do best, and always offer a service that we’re proud of, so we’re discontinuing Ruby support across our entire fleet once and for all.  From what we’ve seen during the migrations, there are no active Ruby applications hosted on any of our servers, so I believe this is more of a housekeeping / cleanup issue than something that will actually impact clients, but we want to be transparent about Ruby’s removal.

Better Performance

While I’ll cover this more in depth in the later, ‘technical nitty gritty’ post, the short answer is that we believe all clients will see an improvement in the performance of their sites.  Even clients on servers that were already at our current standard level in terms of hardware will see an improvement based strictly on the performance gains we’re seeing utilizing the new software stack.

User Noticeable Changes, The Future

Plan Resource Upgrades

Hardware gets more powerful/less expensive with time.  Our policy has always been to pass our savings onto our clients in terms of increased resource allocations in each of our plans. It’s been 4 years since our last resource adjustments to our plans.   We’re due for an upgrade, and getting all of our servers upgraded is the last blocker to us unveiling our next round of upgrades.  While we’re not quite ready to release the hard numbers just yet, I am comfortable in saying this much:

Our 2015 upgrades resulted in around a 33% increase in resources.
Our 2019 upgrades will exceed that percentage increase.

More details will be forthcoming regarding the resource upgrades once we get the last few servers migrated.

 

21 Jan 2019

2018: A Year In Review

At the start of 2018, in a rather sparse and simple blog update we laid out some pretty ambitious, if vague, plans for the year.  I’d like to take a moment to reflect on what we got done in 2018, and some ideas of where we’re looking to go in 2019…

 

All in all it was a pretty productive year.  But we’re not going to just sit back and rest on our laurels.  Once the current Server Migration Project is complete (blog post coming), we’re looking at the following items as possibilities for 2019:

  • Increasing Resource Limits for all of our Shared Linux Hosting Plans.
  • Unveiling additional new products and services based on client and market demand

 

All in all, I believe 2018 was a great year overall, many of the things we set out to accomplish this year were completed, and we’re in a position to not only finish out the few remaining tasks from 2018, but also to start looking toward the future in new and exciting ways.

03 Jan 2019

Domain TLD Promotions go live!

Today we’ve enabled domain registration promotions, the results of which you can see on the big list of domain TLDs that are available for registration, where there are currently around 65 TLDs running with special “On Sale” promotional pricing.

TLD promotions occur when a given TLD registrar offers a special promotional price on new registrations for a given TLD.  Sometimes these discounts can be rather large (for instance, .accountants domains are normally $91.44/year, but right now can be had for $11.48 for the first year).

Upsides:

  • Sweet low pricing for that first year registration

Downsides:

  • Terms of the promotion are dictated by the TLD.   We don’t control how long the price is good for, or when they expire.   When a TLD promo expires, our pricing will revert back to the normal price automatically.  Some promotions may only last a couple weeks, whereas others can run for months.
  • They usually only apply to 1 year, new registrations.  We hardly ever see promotions on transfers or renewals.
  • As a result, at the end of that first year, you’re looking at a regularly priced renewal.

In keeping with our previously stated thoughts on domain pricing, we use the same markup process for promotional pricing that we do for regular price domains.  So the greater the discount the TLD is offering, the lower the price we can offer to you.

In an effort to be as transparent as possible about the eventual renewal costs, if you add a domain that is on promotion to your cart, it’ll show up like this:

[Image: example of how promo domain registration pricing is reflected in the cart]

We’ll show you both the current promotional registration price you’ll pay today for the 1st year registration, as well as the current 1 year renewal price, with the goal being to minimize any potential surprises down the road. (Obviously the TLD could raise their price between now and then, but we wanted to at least show the current renewal pricing, as we don’t know exactly where their pricing may be in 12 months.)

22 Dec 2018

New SSL Certificate Offerings

Earlier this year we were very happy to announce that we were going to be able to start offering Free Domain Validated SSL Certificates to all of our hosting clients, backed by COMODO CA and issued by cPanel.

Thanks to the integration with cPanel, clients would be able to gain this benefit with zero work on their part.  cPanel would handle the issuing of the certs, provisioning them into the hosting account, and even handle renewing them every 90 days as they came up on their expiration dates.  It was truly “zero hassle SSL”.

Given the state of the web in 2018, and the growing trend towards “https everywhere”, we were very excited to be able to provide this much needed service free of charge to all of our clients for use with their Pure Energy hosted websites.

The introduction of AutoSSL to our feature lineup has helped to shine a light on the topic of SSL Certificates for our customers, and this has led to a number of questions regarding SSL certificates, their usage, and the limitations of the AutoSSL feature:

  • How can I get a “Green Bar” SSL Certificate?
  • Can I get a “Secure Site Seal” for use on my site?
  • I need a certificate for <X>, and it’s not actually my site that’s hosted with Pure Energy.
  • What’s with this 90 day expiration thing?

 

Previously, when these questions would come up, we would generally point the person towards either RapidSSL or GeoTrust, depending on what exactly they were looking for. They would have to procure the certificate directly from the CA, and then, if they wanted to use the cert with their Pure Energy hosted site, venture back through the gamut of “SSL Cert installation” via cPanel. Now, to be fair, cPanel does a great job at making this as painless as possible, but even with cPanel’s help, SSL Installation can still be a bit… cumbersome at times.

So, starting today I’m happy to announce that in addition to the AutoSSL feature, which is still included free of charge for every one of our hosting clients, we’re also going to be offering the following standard SSL Certificates for purchase via our Client Portal:

 

Pricing across the board is far lower than the rates that RapidSSL and GeoTrust charge directly, with certificates ranging from $17.95 for a 1 year RapidSSL Certificate to $279 for a 1 year GeoTrust QuickSSL Premium Wildcard.  2 year certificates are also available, generally at about a 15% discount over (2) 1 year certificates.

These certificates, while they are not included free of charge with your account, will have the standard 1 or 2 year renewal term (your choice), can be used on sites/services/things other than the site you have hosted with us, and will come with all the standard features/warranties/site seals that RapidSSL and GeoTrust offer with said certificate.

If you are a Pure Energy Systems hosting client, and you order a certificate via your Client Portal account for a website domain that you host with us, the portal can even handle provisioning the certificate into your cPanel account once the order is complete and the certificate authority issues the certificate.

It’s really a combination of best of both worlds, and we’re hoping that between “Free AutoSSL” and “Paid Certificates”, we can help do our part to make “https everywhere” as painless and cost effective as possible.

 

 

05 Nov 2018

Upcoming Server Transfers

In just a couple weeks we’re going to schedule some maintenance windows in order to migrate client accounts around to facilitate some server replacements.  Now, I know what you’re thinking:

“Didn’t we just do this four years ago?  Wasn’t moving to the cloud supposed to do away with these hardware refresh cycles?”

It’s true that virtualization and “the cloud” have empowered services such as ours in ways never dreamed of in the days of “a physical server for every need”, but there are a couple caveats and things to watch out for, including two forces that have come into play in our situation:

The Cloud Is Still Built On Actual Hardware

While it’s true that we no longer have to directly touch hardware, our infrastructure is still ultimately tied to physical hardware.  That hardware exists somewhere, and someone has to feed it, care for it, and eventually replace it.  The continual commoditization of PC server level hardware means that the newer stuff is generally faster and cheaper than the stuff from a few years ago.  This leads our providers into interesting situations where they end up wanting to encourage people towards the newer hardware, so they can decommission the older systems.

This is currently happening with us.  A couple months ago I took a phone call that started something like this:

“How’d you like 33% more RAM, 66% more Storage space, and faster, newer generation CPUs, at the very same prices you pay today?”

Now, I’m no fool, so I asked what the catch was.  And I learned: we’d have to migrate our existing servers to their new hardware infrastructure.  The new hardware is in the same data-centers and has all the same connectivity as our existing hardware, but we’d have to migrate over in order to enjoy the additional resources.   Thankfully they offer a “single click” button migration that would take care of everything for us, we just hit the button for a given server, it goes offline, transfers to the new hardware, and spins back up…  about 3 hours later.

Okay, not really the best option in the world, but something for us to consider.  After all, more resources are always a good thing,  we always like getting additional resources for the same price, that means we get to inject more resources into everyone’s hosting plans!  But.. a roughly 3 hour downtime for each server?  That’s kind of a big chunk for us to commit to, even for a significant resource increase, alone.

But there is another aspect to consider…

The Lingering Operating System

Believe it or not, in the last 8 months I have personally laid eyes on a production Red Hat Enterprise Linux 3 server, being used in a very critical and production oriented way at a customer site.  For anyone who doesn’t know, RHEL3 was released in 2004, the last released update was in 2007, and the entire release was announced as End of Life in late 2010, over eight years ago.  The machine in question was stood up circa 2006.  It’s twelve years old, and while it’s a security vulnerability nightmare, it lives on today in all of its 32bit glory.

Why? Because it’s never needed to be rebuilt. The company in question was an early adopter of server virtualization. This rickety old machine was one of their first virtual systems, and it has persisted, and run proudly, on numerous stacks of underlying hardware over its 12 year lifespan. Virtualization and the flexibility it has brought us has minimized the number of situations that used to lead to a server getting rebuilt from the ground up. While this is great for uptime and SysAdmin sanity, the dark lining is that it sometimes allows old machines to persist longer than they probably should have.

This story isn’t that unique; we’ve seen countless instances of “It’s still running, so we left it be” over the years, and we’re even guilty of it ourselves. While we moved to CentOS 7 as our platform of choice shortly after the release of CentOS 7.1, we’ve still got a fair amount of CentOS6 running in our environment today. While CentOS6 is not scheduled for a full “End of Life” until the end of 2020, we want to get ahead of the curve.

 

So with these two datapoints lodged in our minds, we started thinking about the benefits of ‘refreshing’ our existing servers. We built a list of possible benefits:

  • More resources, same cost.
  • Move everything to a newer Operating System.
  • Additionally, we want to move from the basic CentOS platform over to CloudLinux.  CloudLinux adds in a bunch of features and abilities that will benefit us in terms of server stability and management.
  • Look at retooling our systems to utilize PHP-FPM instead of SuPHP.  (Again, increasing performance for clients!)

 

And then we looked at the downsides of performing such a “full refresh” and weighed out the options before us:

Do Nothing

  • --- No resource upgrade
  • --- CentOS6 continues to live on, with a necessary replacement in the next 24 months.
  • +++ Zero work on our part.

Migrate, but don’t “refresh”

  • +++ Resource Upgrade!
  • --- CentOS6 continues to live on, replacement still necessary within 24 months.
  • --- 3 hour downtime per server
  • -+- Schedule downtime, “push one button” migration process

Build New Servers and Migrate Clients

  • +++ Resource Upgrade!
  • +++ Operating System Upgrade!
  • +++ Much less downtime per client!
  • --- Most amount of work required on our part.

 

So, looking over the three possibilities, it became clear that, well, it makes sense to invest the work and do things right now. (Sorry team!)   Our plan is rather simple:

  1. Build out a new server, in the new hardware environment.
  2. Install everything, get it configured the way we like, test everything out.
  3. Schedule a window to migrate all customers from one “old” server over to the new one.
  4. Repeat steps 1-3 for each server that is getting a refresh.

Now, the only part of this that is impactful to our clients is step (3).    We’ll do all our normal tricks to minimize the downtime (lowering DNS TTLs, etc), but we can’t make the downtime go away entirely.  What we can (and will) do is transfer accounts one at a time, so instead of your website being offline for 3 hours, it will be down for a period of time measured in minutes, based on the size of your individual account.  (We usually lower DNS TTLs to 10 minutes, and most accounts transfer within that period of time).

A few points of interest:

  • We’ll be emailing all the clients on each server in advance of their maintenance window.  Generally we aim for a 5-7 day heads up for something like this.
  • Server names and IPs will be changing.   For cPanel clients who host their DNS with us (your domain is pointed to ns3.purenrg.com and ns4.purenrg.com), no action will be required on your part in order for your site to perform normally after the migration.  If however you have something out there hard-coded to a specific server IP address, you will need to adjust some things.
  • New server names and IPs will be included in the announcement emails that go out to clients on a server before it is relocated.
  • When your account is relocated, your account information in our portal will be updated at the same time.  So if in doubt, you can always use the links within our client portal to access your cPanel interface.

 

Our aim is to begin the migrations in the next 10-14 days, and to have the entire project wrapped up before the end of the year.

21 Sep 2018
19 Sep 2018

Changes to our billing system

Today I’m here to announce that we’re going to be sun-setting our existing credit card processing system via 2Checkout and have integrated our platform with Stripe to handle our billing needs going forward. This is something we’ve been looking forward to and working towards for some time, but since we’re talking about payment processing, the handling of credit card information, and a core business process for us, I wanted to take a moment and talk a bit about the why, the benefits, and the security aspects of this change.

First of all, this move is in no way a poor reflection on 2Checkout or the service they’ve provided over the years. We’ve been happy 2CO customers since our earliest days. Over the years we’ve had the normal ups and downs of any business relationship, but they’ve always done right by us in the end. When Stripe first came out on the credit card processing scene, their rates were a good bit lower than what we were paying 2CO at the time, and the integration options with Stripe, well, they blew us away to be honest. But that old custom home-brewed management platform that we only just recently moved off of? It would have needed quite a bit of work in order to move our processes from 2CO to Stripe. Work that, at the time, we weren’t willing to commit to on a platform we didn’t have faith would be the long term future for us. So we reached out to 2CO and expressed our concerns over the pricing gap versus Stripe. They were willing to adjust our pricing to match what Stripe offered and we back-burner-ed worrying about billing again for a while.

But even with the new pricing, we really wanted the flexibility of the Stripe API and what it could do for us.

With 2CO, you would place your order with us, and then be passed over to 2CO’s site to enter your credit card information. This meant re-entering things such as your name, address, etc a second time, and when the process was finished our system would be notified that a billing order was created (much like a PayPal subscription).

However, much like a PayPal subscription, once created, a billing order cannot be altered in any way. If you start a second account, order a domain, change your hosting plan, have a monthly bandwidth overage, or anything else of that sort, a whole new billing order is required. This was always a pain point for us. Customers with multiple accounts would end up with multiple billing dates each month, and every upgrade/downgrade would require a very manual process to get everything straight. Not only was this extra work for us, but it was overly complicated from the client’s perspective as well.

In short, in the interest of credit card security (and PCI compliance!) there was a very hard and fast border between the data we could see/touch/change, and things that required 2CO to change things on their end (or be performed manually via their site), and so the integration options available to us, and thus, to our clients, via the client portal, were very limited.

Even something as simple as updating the card on file for an order (if say, your card expired), we could provide a link to the 2CO site, but you would need to provide the billing order number, plus other pieces of identifying information (last 4 digits, billing zip code, etc) to confirm your identity with 2CO. There was no authenticated way for us to say “This is Bob, please let Bob update his card that you have on file!”.

With Stripe however, we get flexibility in all these things. When you enter your card info on our check out page, it is handed off to Stripe’s API, and what they return to us, and what we store on file for your account, is a unique identifier. That identifier lets us make subsequent API calls to Stripe later, to then take other actions related to that card without needing to know the full card information, and without us having to store the full credit card number/etc on our systems.

In short, armed with our own API keys, and a token previously generated for us by Stripe, we can do things like allow clients to update their own credit card on file directly via the client portal. We can do things like upgrades, downgrades, service additions, etc. all automatically and without a convoluted process requiring multiple steps on both your end and ours. We can even work towards every customer having a single monthly invoice and billing date (and thus, payment!), sparing our multiple-account clients from being bombarded with various charges scattered throughout the month!

In short, life can be glorious.

Now, to get to this promised land of billing simplicity, we’re not willing to up-end everyone’s day. We’ve simply added Stripe based Credit Card processing to our ordering platform, and disabled the 2Checkout based option for new orders. PayPal remains untouched for those folks who prefer it.

New clients will have all their credit card billing handled via Stripe going forward.

For existing clients, if you currently pay for your hosting via 2Checkout, that won’t immediately change. If something comes up that would require a new 2Checkout order to be started (for instance, if you sign up for a new account, or upgrade your existing plan), that will be done via Stripe instead. Our billing team will help guide you through the process as needed, but by and large the process is going to be “log into the client portal, click to update your credit card on file, and you are done”.

The goal is that over time we’ll gain the benefits and flexibility of Stripe, without disrupting operations or requiring all clients to rush to the portal and enter their card information before their next billing date. We’ll monitor the gradual migration to Stripe, and may revisit the topic at some point if there’s some compelling reason to accelerate the process, but for now, this gets us on the path to a better place.

(c) 2019 Pure Energy Systems LLC - All rights reserved.
