If you run an ecommerce shop, you are probably familiar with the term “compliance”. It’s a winding path for online merchants, as the card-not-present space presents more risk, threats, and security issues than face-to-face payments.
That said, online payments also offer additional convenience for today’s consumers, the majority of whom prefer to shop and pay online or from a mobile phone. Card-not-present payments enable your best customers multiple options to browse and pay at their convenience.
Becoming and remaining compliant is a tall order for online merchants. The requirements are complex and every “t” must be crossed and “I” dotted. Going it alone is not recommended for any ecommerce merchant, whether novice or established brand. The best tact is to work with a trusted payment processing partner who can help you navigate the complicated requirements of compliance.
Fast Facts on Data Security & Breaches
A noted issue for novice ecommerce merchants is the cost of compliance. Meeting the requirements of the PCI-DSS and conducting audits can seem expensive. It can seem tempting to cut corners to save time and money, but those savings are an illusion.
That illusion becomes more stark when you dig into the cost of not being compliant and up-to-date with data security. According to the 2017 Ponemon Cost of Data Breach Study, the average global cost of a data breach in 2017 was $3.62 million. Broken down, that equates to an average cost of $141 for each lost or stolen record containing sensitive and conﬁdential information. In the U.S., however, that average total cost jumps to $7.35 million. Going a step further, the reputation cost to U.S. businesses (via lost business) resulting from data breaches eclipsed the global average cost of data breaches at $4.13 million.
The short story is that data breaches are expensive. The direct, reputation, and opportunity cost of a data breach can be catastrophic to businesses. Yet some businesses skirt compliance requirements or are lackadaisical about data security measures. Worse yet, some don’t realize their processing partners are putting them at risk.
Simplifying Compliance for Ecommerce Merchants
There is a raging sea of merchant service providers available to merchants. From simple gateways to full-scale integrated payments solution providers, merchants have endless options for payment processing.
Online merchants, in particular, have a robust variety of choices in how and through whom they can accept payments. The additional risk posed by card-not-present online payments means that ecommerce merchants should be especially picky when choosing merchant services providers. Consider whether or not the provider you’re considering is reputable, if their technology is compliant, and if they maintain certifications (PCI-DSS, HIPAA, SSAE-16).
Online merchants can greatly simplify compliance by working with a payment processor that offers a PCI-compliant gateway. Since the gateway itself is audited for PCI compliance, it reduces scope for merchants who can simply employ one of these audited gateways. The other thing to note is what tier a gateway provider falls under. There are four tiers under the PCI standard and each level has its own set of requirements. The breakdown is as follows:
- Tier 1: process over 6 million Visa transactions annually through card present, card not present, and ecommerce channels.
- Tier 2: process 1-6 million Visa transactions annually through card present, card not present, and ecommerce channels.
- Tier 3: process 20,000 to 1 million Visa transactions annually through card present, card not present, and ecommerce channels.
- Tier 4: process up to 1 million Visa transactions annually through card present, card not present, and ecommerce channels and do not process over 20,000 Visa transactions exclusively via ecommerce each year.
Many gateway providers are classified under Tier 1, making them accountable to the most stringent compliance standards. As a result, many are compelled to use a third-party to conduct annual audits for PCI compliance.
This is ideal for online merchants, because they enjoy the safety and security of Tier 1 compliance without having to undergo that part of the auditing process themselves. In the payments ecosystem, the card brands hold the acquirer responsible, who in turn holds the merchant accountable. Where an ecommerce merchant works with a compliant gateway provider, the onus shifts to the gateway in that regard.
At the end of the day, merchants are still responsible for maintaining PCI compliance. Even those that use compliant gateways must still attenst using the appropriate PCI-DSS self-assessment questionnaires. Additionally, merchants are still responsible for choosing a truly compliant gateway or merchant services provider. There are cases where payment processors claim to offer cutting technology, but instead process through legacy systems that are not up-to-par with today’s data security protocol. This can land merchants in a lot of hot water.
The key is to vet, vet, and vet some more. The self-assessments required by PCI-DSS as of 2017 has helped frame compliance for merchants as a high priority. Any “no” answer to a series of questions on that assessment requires an additional response that includes the expected date of remediation along with what that remedial action will be. This enforces monitoring and penalties for merchants who are not fully compliant.
It can sound very fire and brimstone to new merchants; however, these measure can help ensure the integrity of the merchant’s payment processing and customer data. It also protects merchants from going belly up as the result of a breach that has massive direct and reputation costs. Those costs make the cost of compliance seem like a drop in the proverbial bucket.
As technology continues to evolve and consumer behaviors change, online merchants stand to make huge gains. The best way to ensure they stay in the running is to be sure the emerging technologies they employ (mobile payments, conversational commerce, etc.) are compliant.
- Understanding the Application Process for Domestic Merchant Accounts | PayArc – […] alternative to approaching the bank directly is to work with a trusted, reputable payment processor that has experience with…