As we hurtle toward the holiday season, it seems appropriate to look at one of the most misunderstood concerns for the online retailer - PCI compliance. Nominally, this is a set of requirements designed to ensure that all companies with a merchant ID for processing credit cards, especially those which store and/or transmit credit card information, adhere to specific rules and principles. The Payment Card Industry (PCI) is comprised of all major credit card providers. Since there have been well-publicized security breaches at major retail operations this year, the public is understandably nervous about this issue.
Proof of compliance
Before stuffing any online shopping cart, the consumer should look for an SSL certificate on the website. This ensures that the site is PCI compliant. Look for https:// in the URL. This is the secure version of http, indicating that an SSL certificate is in place. Data is encrypted and encoded instead of being transmitted in plain text, which makes it far more difficult for others to read.
Many sites will even specifically name the digital certificate provider. Some names to look for include:
It doesn't matter who the SSL provider is; the key to the consumer's trust is the site's SSL certification.
Policing the policy
Five years ago, when we published a blog about PCI levying fines if they found businesses which weren't in compliance, there was a lot of anxiety about the policing of this policy. Now, however, the Internet's vastness has changed the nature of the situation.
It's probably very difficult for the PCI to know precisely what's going on with merchants, since so many of the security features are written in code on the back end. Early in 2014, Verizon conducted an expansive review of compliance within the Data Security Standard (DSS) protocols. The results showed a shocking percentage of merchants failed to adhere to many security standards. Does this mean that you are at serious risk when you shop online? Not really.
How it works
We had a client very recently tell us that their website had to be moved to a PCI compliant server because they were now going to accept credit cards. This is a very common misconception. The vast majority of commerce websites don't need to be hosted on a PCI compliant server. You just need that SSL certificate, ensuring that your website is an online retailer instead of somebody named Yuri in a basement in Smolensk, Russia.
It also establishes that information is being encrypted properly between a home computer and the site. The critical data passes through a payment gateway, and there are a number of these providers which the merchant can select. We generally recommend eProcessing Network. They take the credit card information, storing it on their servers. It is these gateway providers who actually authorize the sale, and deposit the funds into the merchant's bank. Using this scenario, there is no credit card information which gets stored on your website or in your server. If a customer wishes to have recurring payments, for example, there are still methods in place where the transaction is processed through the gateway.
Of course, there are businesses that, for one reason or another, must store credit card information; and that is when a secure, PCI compliant server is needed. There are relatively few of these, and they are subjected to rigorous scrutiny with a long list of procedures and rules to follow, all mandated by PCI.
The holiday factor
Because of the data breach problems at so many big name retailers, many experts, like CNET's Tim Stevens, believe that online shoppers are actually safer than those who make their purchases from brick and mortar stores. It's understandable. Brian Krebs, an expert on cybersecurity, estimates tens of thousands of consumers in the U.S. have been victimized.
The unpleasant fact is, credit card data exposure is with us, and likely to stay for the foreseeable future. We take precautions, and hope for the best. Me? I'll still shop both online and in store. There's certainly a lot of ease in purchasing a Christmas present at my desk, but sometimes you just have to see and touch something to know if it's good quality. That's when I go to the local store, and I buy it there.
I have it on good authority that Santa does the same. Want his VISA number?