The new online payment standard is fast approaching and retailers need to ensure their sites pass the test.
With online fraud a top priority for retailers venturing into the ecommerce world and the September 30 deadline to become Payment Card Industry Data Security Standard (PCIDSS) compliant on the horizon, what can retailers be doing to protect customer data?
The Security Standards Council was launched in 2006 and founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa. The aim of the organisation is to set standard security requirements for ecommerce sites.
Part of this compliance agreement is that the PCIDSS aims to protect customer data. This includes a number of requirements including encrypting transmission of cardholder data across open, public networks, maintaining secure systems and regularly testing security systems and processes.
The Security Standards Council states that companies of all sizes that “process, store or transmit payment cardholder data” must be PCIDSS compliant but there are different options of what this entails, ranging from completing a self-assessment questionnaire to undergoing an on-site data security assessment. The necessary method depends on a number of factors including the volume of transactions and how they are processed.
Becoming compliant can be a costly and confusing process but there are companies out there that can help. CyberSource, whose clients include Debenhams and Gucci, is one such company. It offers a number of options including a “hosting order page”, which allows retailers to link to CyberSource when customers make a purchase online. Therefore, all data entered by the customer is held on the CyberSource site rather than by the retailer.
CyberSource also offers a payment tokenisation process, which involves the customers’ data being sent to CyberSource by the retailer after it is plugged into the retailer’s site. CyberSource then holds the data permanently on its system and sends a code or “a token” back to the retailer that represents that customer. From then on, every time that customer shops with the retailer, it can use the same “token” to process the transaction via CyberSource.
Sage Pay also offers the option of outsourcing payment processes. To customise this, Sage Pay suggests the upgraded option of inserting an iFrame into the ecommerce site’s payment page, which allows the data to be collected by Sage Pay but the customer experience is not affected as they seemingly never leave the original site. Sage Pay will also launch a token system similar to CyberSource’s within the next few weeks.
So whether it is to protect your customers’ best interests, avoid bank fines or defend your site from fraud, it pays to be PCIDSS compliant.