Sunday, March 25, 2012

The Evolution of E-commerce Security: A Security Standard Emerges - PCI DSS (PCI Compliance)

by David Goodale, CEO at Merchant Accounts.ca 

In the previous article we looked back at the emergence of e-commerce and its journey of acceptance and adoption by consumers over the past decade. E-commerce has indeed matured, and is a regular part of daily life for millions of people around the world. In fact, traditional retail powerhouses like Best Buy and Sears are now on the run from the powers of Amazon.com and other strong and well managed online brands.

What has actually changed though? How has the public focus shifted from skepticism and wariness to acceptance and adoption? Much of this has to do with the establishment and awareness of security policies for e-commerce transactions.

First of all, we must be honest in looking at the growth of e-commerce hand in hand with the emergence of the internet to become an expected part of daily life. In the late 90's most people had a dialup internet connection (if they had internet at all). Baby boomers were being taught how to surf the web by teenage sons and daughters (who were all the while being told to hang up and stop hogging the phone line).

It was just too new and radical. How could you safely purchase something from the comfort of your computer chair, through an anonymous machine? As e-tailers and online merchants we can be happy that the work of changing this perception has long since been completed. But looking back at the emergence and standardization of online transaction security will help us better understand the evolution that has been undertaken to reach where we are today.

In the early days of e-commerce there were no clear rules surrounding the governance of cardholder data, especially as it would pertain to online transactions. In an attempt to deal with this problem, the card associations originally came out with 5 different security standards (one for each card brand) that merchants were to use to protect cardholder data. Five confusingly similar standards were not an ideal solution, so a new standard was created — PCI DSS («Payment Card Industry Data Security Standard»). Confusing acronyms aside, PCI DSS is simply a set of rules that a merchant must abide by if they are handling credit card details. All merchants that handled cardholder data had to comply with the PCI DSS Standard, which is why it commonly became known as «PCI Compliance».

If digested in a single bite PCI compliance is both intimidating and confusing. However, once you take a step back and see why PCI compliance exists, coupled with the benefits it provides to you (yes, you, the merchant), PCI DSS changes from something to fear into something to appreciate.

First of all, understand that if you are handling cardholder data, you must do it in a secure and sensible manner. That seems reasonable, doesn't it?

With the understanding that for obvious reasons you want to create a secure shopping environment for your customers, what is the benefit to you? You may think that I'm about to tell you that you will see better conversions? That you will enjoy greater success because you can tell your customers that you satisfy Visa and MasterCard requirements for data security? That's what you expect me to say? Wrong! (Okay, actually that is a huge benefit, but not what I was going to say).

One of the biggest advantages of being PCI compliant is it helps insulate you from a liability standpoint. Have you ever considered how Visa, MasterCard and card issuers look at online security? Let's pretend for a second you were an irresponsible merchant with haphazard and careless security. (Okay, not you, your competitor then!)

If this careless merchant stores hundreds of credit card numbers in an unencrypted text file or database, and they end up stolen (perhaps some happy fraudsters buy a yacht with funds stolen from these cards), how do you think Visa and MasterCard will feel about this? Who is responsible for this having happened? More specifically, who is going to «foot the bill»?

This responsibility is one of the main goals of PCI compliance. The standard clearly explains that «Mr. Merchant, if you are going to accept credit cards then you are responsible for ensuring the security of your sensitive customer data. We will tell you how to do it. Follow the guidelines in this PCI DSS document. If you do this it will help ensure that you are secure».

Where is the benefit in all this? If you create a secure environment, and you satisfy the PCI DSS standard (in other words, if your website is «PCI compliant») then you have created a desirable situation in that you can shift blame away from yourself. PCI is an extremely strong data security standard. If you follow it the odds of having a security breach are very, very low. However, for the sake of argument let us pretend for a moment that a breach did occur. If you have satisfied PCI compliance you have a very strong case with which to defend yourself. When Visa or MasterCard come knocking on the door asking what happened, you can say «Mr. Visa, I understand your concern. However, I was prudent and diligent, and followed the PCI data security standard that you created and instructed me to follow. This blame does not belong to me». And that's just it. It would be very hard to prove that you were negligent with cardholder data. The blame likely wouldn't belong with you. If you ensured a safe transaction environment by implementing PCI compliance, from a legal perspective it gives you a great amount of protection from a liability standpoint. Let me immediately qualify that statement by pointing out that I'm an e-commerce consultant and not a lawyer, and it's not meant as legal advice. However, the benefit of stating that you satisfied the standard is obvious for very common sense reasons. That is why PCI can almost be seen like an insurance policy against hackers. If you are PCI compliant, and if you follow the rules and do the right thing, then you will have a very strong argument should a problem ever arise.

Again, I'd like to clarify that PCI compliance is a very strong security standard, and the amount of work it would take to hack a PCI compliant merchant would most likely not be worth the reward in cardholder data. How much supercomputer time and how many world class hackers will you employ to steal a few credit card numbers? It would never make sense. You'd have to spend hundreds of thousands of dollars on supercomputer time and employ elite hackers to gain what? A few thousand dollars in credit card numbers that would likely be detected and disabled shortly. That is why hackers will usually go after a bank or big names like Amazon or Paypal, in which case a successful breach would yield hundreds of thousands of stolen cards.

Let's not kid ourselves, there are bad people out there, and with unlimited resources any security can be broken. However, spending millions of dollars to hack $50,000 worth of credit card numbers is not a winning proposition. If a typical small and mid-sized merchant maintains a secure PCI compliant server environment, they can be assured that they've gone to great lengths to protect their sensitive cardholder data. This is a good thing. PCI compliance makes it so that even the smallest merchant can create a robustly secure online transaction environment.

Now that you understand what PCI compliance is, you naturally want to certify your website as PCI compliant. Fantastic! Except... admittedly it can be a bit confusing and involved at a glance.

Fortunately, there are organizations that exist to specifically make PCI compliance easier to achieve for small and mid-sized businesses. We should start with a basic overview of the PCI data security standard.

The first and most important thing to understand about PCI security is that it is meant for every merchant that touches, sees, handles or stores credit card information. However, how could a small merchant possibly achieve the security that a bank or Amazon.com might achieve? Well... they couldn't. It would be silly to apply a blanket standard with the same requirements for every business. Fortunately, the card associations have had foresight and created a tiered standard.

There are 4 tiers of PCI compliance. The tier that any business qualifies for depends on the number of transactions they process annually. I will provide a breakdown of the most recent specifications below. This information was recent as of December 9, 2011 on the Visa USA website.

Tier 1 (the highest level of compliance — for banks and very large businesses)
— Merchants that process more than 6 million transactions annually.

Tier 2
— Merchants processing 1 million to 6 million transactions annually.

Tier 3
— Merchants processing 20,000 to 1 million transactions annually.

Tier 4 (the easiest level of compliance to achieve)
— Merchants processing less than 20,000 transactions annually.

As you can see, most small and mid-sized e-commerce businesses will qualify as tier 4 merchants, which is the easiest level of compliance to achieve. For the rest of this article I will be discussing PCI compliance as it applies to tier 4 merchants. If you process more than 20,000 transactions annually, more information can be found on the PCI DSS website: www.pcisecuritystandards.org

Tier 4 PCI compliance involves two separate tasks. The first is a self-assessment questionnaire that a merchant must complete. The questionnaire makes certain that you have implemented sensible policies to protect cardholder data. For example, it asks if you have changed your webserver firewall so that it doesn't use the vendor supplied default password. (Common sense!)

The questionnaire has some fairly simple questions, and some more difficult questions. A copy of the SAQ (self assessment questionnaire) can be found at: https://www.pcisecuritystandards.org/merchants/self_assessment_form.php. Depending on your level of technical proficiency it's likely that you may need to have your technical staff assist with completion of the questionnaire.

The second aspect of PCI compliance is a security scan. Visa and MasterCard have provided a list of companies that are qualified to carry out a scan of your webserver. The purpose of this scan is to find any weaknesses or vulnerabilities in your server environment.

What happens is a Visa or MasterCard approved scanning vendor (ASV) will try to hack your server in a friendly, positive sort of way. If they find anything out of line they will report back to you and tell you the problem(s). You will fix the problem and re-run the scan until you pass. When you have completed the self assessment questionnaire and passed your security scan, you will become PCI compliant. It's important to note that tier 4 merchants must complete this security scan quarterly. There are a number of security scanning vendors, and pricing for the service tends to vary. At Merchant Accounts.ca we often recommend McAfee for their scanning services because of the strong reputation they have for online security, and because the scanning is fairly affordable (about $125 per year).

It's certainly worth mentioning that you must operate a secure server environment if you are going to accept credit cards. So, if you are paying $10/month for your web hosting package it's highly unlikely that you will be able to achieve PCI compliance. A significant part of the questionnaire revolves around server security. If you need PCI compliant web hosting you can find a listing of companies eager to win your business through a Google search. I will add one bit of advice: beware «Enterprise Level» PCI hosting solutions. Some hosting providers think that because you use the word «PCI» they can charge exorbitant fees for the hosting. I won't name any names. A PCI hosting environment should cost more than a normal web hosting environment, but it doesn't have to break the bank. Do your research and talk to several potential vendors before choosing your web host.

One area that is seemingly unclear to the vast majority of online merchants is the exact rules around enforcement of PCI compliance.

If you don't pay your taxes, eventually the tax man will come knocking. If you are not PCI compliant, is there actually a real penalty? A lot of folks have absolutely no idea as to the penalties and fines for non-compliance. Are we talking a $50 parking ticket type of inconvenience, house arrest, or swat teams?

First, e-commerce security is serious business. If card numbers are compromised and abused it costs real money. The card issuer must re-issue cards, and much more importantly, if fraudsters get away with funds there are potentially very significant losses involved. We must be absolutely serious about this: if you are dealing with sensitive cardholder data, you have an obligation to make sure you do so in a secure and responsible manner.

You may be wondering who polices this. PCI compliance is a card industry standard, it is not a law. So it's not (in a typical scenario) policed through the justice system. Instead, it's enforced by the card brands (Visa, MasterCard, etc). This is done by way of fines to processors, which are then filtered down to merchants. Here is a question directly from the FAQ of the PCI security standards website:

Q: What are the penalties for noncompliance?
A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.

In other words, major fines can be handed down to the processor. In every processing agreement the processor will have language stating that should they receive a fine because of some sort of negligence on a merchant's behalf, they can pass that fine down in whatever way necessary to recoup that loss. It also means that you may end up having your account closed, or even worse, put on a match list so you cannot get a merchant account again. Needless to say this is something that every business would very much want to avoid.

It's also important to note that these are penalties for «noncompliance». If you look at the way this is worded, it's not even talking about a breach. The card brands, processors, and common sense all dictate that you should not hold onto or store credit card information if you don't need to. If you are holding cardholder data you will want to make sure you are PCI compliant and dealing with the cardholder information in a secure way. For a moment I'm going to take this discussion beyond the realm of a small merchant to best illustrate a point in regards to the potential cost of a data breach:

Think of a large business that interacts with hundreds of thousands of customers. What if this business had a data breach? How much money is at risk?

This has happened. It happened with Heartland Payment Systems in 2009. The details of the incident are well beyond the scope of this article. However, the fine from Visa is not: 60 million dollars. Keep in mind that Heartland Payment Systems is a payment processor, and therefore must obviously interact with and store cardholder data. This is an example of one of the largest fines for a data breach in history. However, it illustrates the point: cardholder data is sensitive. It's valuable. Real money is on the line. If you are going to implement an e-commerce store you have a responsibility to treat cardholder data as sensitive and ensure adherence to the industry mandated security standards.

In this second article we've explained the concept of PCI DSS (PCI Compliance) and hammered home a very clear reason as to why you do not want to be fined for non-compliance. We've also illustrated that PCI Compliance is not something to be feared, and is in fact a benefit to merchants once properly implemented. Following the standard will help ensure security and vastly reduce your liability.

In the third and final part of this article we will examine a few interesting ways that small businesses can deal with the issues of PCI compliance, without having to incur significant costs or complicated technical work.

David Goodale is CEO at Merchant Accounts.ca, one of Canada's leading e-commerce payment processors. David has worked in the e-commerce payments industry for over a decade, often consulting on matters related to international and multi-currency e-commerce payments for Canadian and European based businesses.

Merchant Accounts.ca

Merchant Accounts.ca provides credit card processing services for Canadian and international businesses. It was one of Canada's first merchant account providers to specialize in e-commerce transaction processing. Today, Merchant Accounts.ca works with clients across Canada, the US and Europe.

In an unusual departure from the norm in the payments industry, Merchant Accounts.ca has a client focused consultancy model. Each merchant works one on one with the same consultant for the lifetime of their account. This managed consultancy model makes implementing e-commerce transaction processing easier to achieve for businesses that are new to e-commerce or expanding into new territories. More information can be found on the Merchant Accounts.ca website:

Qualiteam Software

Established in 1998, Qualiteam Software is now one of the world's leading providers of e-Commerce software solutions. Software created by Qualiteam powers tens of thousands of online stores and e-Commerce websites in 111 countries all over the world. Qualiteam is focused on delivering products that create a solid infrastructure for e-business and have both B2C and B2B value. Ongoing support, integration services and consultations are provided to make sure customers derive maximum benefit when using Qualiteam products. Qualiteam Software is headquartered in Limassol, Cyprus, with partner company offices in Ulyanovsk, Russia. For more information, visit http://www.qtmsoft.com

Media contact:
Alex Mulin
Customer Relations department
promo@qtmsoft.com

Feb 8, 2012
