Online retailers face strict new security rules

An online business must be able to accept credit card payments if it’s going to be successful – but the security rules for being able to do so are being tightened.

January 21, 2014

An online business must be able to accept credit card payments if it’s going to be successful – but the security rules for being able to do so are being tightened. Fortunately, says Peter Harvey of payment services provider PayGate, staying on the right side of the security fence need not be onerous.

“The trendsetters in this space are the global card associations like Visa and Mastercard,” says Harvey. “Their first priority is to protect their own customers, the credit card holders, from any financial loss if their card data is stolen or hacked. If a card holder disputes a transaction they can get a refund – and the merchant who passed the transaction is the one who pays.”

But the card associations can’t rely only on chargebacks, adds Harvey: “If it gets too risky for merchants to accept credit cards, card holders will lose out on the convenience of online shopping. So the card associations have developed a set of security standards to benefit everyone in the industry, by protecting card data properly so it can’t be used fraudulently.”

The Payment Card Industry Data Security Standard (PCI-DSS) specifies a broad range of business practices and processes that should be in place at any organisation that processes, stores or transmits credit card data. The data that’s protected includes the credit card number, the card-holder’s name, the card expiry date and the CVV number or security code on the back of the card.

If any of this data falls into the wrong hands through a security leak, explains Harvey, the responsible organisations face hefty fines – and the risk that their banks might stop them from processing any more transactions. “This could sink an online business overnight,” he says.

Achieving full compliance with the PCI standards is an onerous and expensive process, says Harvey – but online merchants have a way out. “The very best thing you can do as a merchant is not to process or store any card data at all,” he says. “The easiest way to do that is to have a hosted payment page with a payment services provider which is itself fully PCI-compliant. That means none of the customer’s card data ever touches your systems – it’s all handled by the gateway, and the compliance problem is theirs.”

If merchants must store card data themselves, he says, they should use tokenisation. “This is a system for replacing actual card numbers with secure tokens that get validated at every transaction. This reduces the number of places any person’s card details are stored, which makes it easier to secure.”
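To make the tokenisation idea concrete, here is an added example (my own illustration, not PayGate's code or any real gateway's API) of a toy card vault and the merchant-side records it leaves behind. It also shows which of the data elements listed above the vault keeps and which it discards. The `TokenVault` class, its `tokenize` and `charge` methods, the `store_order` helper and the `find_pans` scanner are all hypothetical, and the card numbers are constructed test values.

```python
"""Toy tokenisation flow: a card vault (inside PCI scope) issues random tokens,
and the merchant's own records hold only tokens and a masked display form.
Added illustration, not PayGate's code. Card numbers are constructed test values."""
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Standard Luhn mod-10 check used by all major card schemes."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(last4: str) -> str:
    """Display form for receipts and order screens: last four digits only."""
    return "**** **** **** " + last4[-4:]


class TokenVault:
    """Hypothetical vault run by the PCI-compliant gateway: the only place a PAN lives."""

    def __init__(self) -> None:
        self._cards: dict[str, tuple[str, str]] = {}

    def tokenize(self, pan: str, expiry: str, cvv: str) -> dict:
        pan = re.sub(r"\D", "", pan)
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        if not re.fullmatch(r"\d{3,4}", cvv):
            raise ValueError("bad security code")
        # The token is random, not derived from the PAN, so it cannot be reversed.
        token = "tok_" + secrets.token_hex(16)
        # The CVV is used for the authorisation only and deliberately not stored:
        # PCI DSS forbids retaining sensitive authentication data after authorisation.
        self._cards[token] = (pan, expiry)
        return {"token": token, "last4": pan[-4:]}

    def charge(self, token: str, amount_cents: int) -> bool:
        """Validate the token at every transaction; unknown tokens are refused."""
        card = self._cards.get(token)
        if card is None or amount_cents <= 0:
            return False
        pan, _expiry = card
        return luhn_valid(pan)   # stand-in for the real issuer authorisation


def store_order(orders: dict, order_id: str, tok: dict, amount_cents: int) -> dict:
    """Merchant side: persist the token and masked form only, never the PAN."""
    record = {"token": tok["token"], "display": mask_pan(tok["last4"]),
              "amount": amount_cents}
    orders[order_id] = record
    return record


# Defensive check for the merchant's own storage: any Luhn-valid 13-19 digit run
# in data that is supposed to hold only tokens is a sign card data leaked in.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list[str]:
    return [m for m in PAN_CANDIDATE.findall(text) if luhn_valid(m)]


if __name__ == "__main__":
    vault = TokenVault()
    orders: dict = {}
    tok = vault.tokenize("4111 1111 1111 1111", "12/29", "123")   # constructed test card
    rec = store_order(orders, "order-1", tok, 4999)
    print(rec, vault.charge(rec["token"], 4999), find_pans(repr(orders)))
```

The point of the split is visible in the data: `orders` contains a token and `**** **** **** 1111`, so a dump of the merchant database exposes nothing a fraudster could reuse, while `find_pans` gives the merchant a cheap way to confirm that no full card number has crept into logs or order tables.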

In addition, says Harvey, merchants should use fraud monitoring services to help identify suspicious transactions before they’re processed.

“Maintaining card data security in compliance with the PCI standards is increasingly going to be a condition of doing business online,” says Harvey. “Merchants should approach their payment gateways to find out exactly how they are affected and what steps they should take to protect their business.”