
Nov 15 2008

This is Why I Fly

Last night the Space Shuttle Endeavour launched for mission STS-126 with new components and crew for the International Space Station.  Liftoff was at 7:55pm Eastern Time from NASA's Kennedy Space Center on the east coast of Florida.  I wasn't at the launch, but I did see it from about 60 miles away and 4,000 feet in the air.  In short, it was awesome.  At the moment of liftoff, the northeastern sky lit up and an orange streak ascended into the sky.  We were about as close as we could legally be in an aircraft, and the view was nothing less than spectacular.  A few moments after liftoff there was a quick flash and the color changed from orange to a bright white.  It kept moving up and away and soon resembled a very bright star moving through the sky.  After a moment of this we had to turn around and return to the Earth ourselves.

Originally my best friend and his wife were going to accompany me on the trip, but he unfortunately was not able to make it.  His wife and his brother came along instead, and we had a great time.  His brother had never flown at all before, so it was an honor to be his first pilot.  Aside from the launch of the shuttle, the flight itself was relatively uneventful.  There were some clouds over the middle of the state which would have blocked the view, but we were able to get past them just in time.  After watching the launch just south of Orlando, we headed south around the restricted areas and toward Sebring to land.  We landed there to rest for a few minutes before taking off again to head back to Sarasota.  The clouds were getting lower and one snuck up on me.  We were inside the cloud for no more than a few seconds as I descended back down to visible conditions.  There was a little bit of rain, but nothing so bad it restricted visibility, so we kept heading west.  Eventually we left the weather behind us and had a great view of Sarasota and the surrounding areas.  We followed another airplane in to land at Sarasota and returned safely to the ground.  Total flight time was about two and a half hours, and it makes for one of the nicest and most relaxing flights so far.  I'm glad that I have the privilege to share the experience with friends.

Posted by Justin Scott at 2:34 PM

Nov 13 2008

The Gold-Rush Period for E-Commerce is Over

When I first started in professional web development back in 1999 (that's equivalent to the Mesozoic Period in Internet time), it was really easy to put together an e-Commerce application and start taking orders and raking in cash over the Internet. People were throwing up stores for everything from books to pet food. Some met with wild success, and others went down in flames. When I say "easy" I'm not just talking about business ideas, but also about the technology and regulatory compliance.

You see, back in the early 2000s, you could create a simple shopping cart, make up a checkout process, then take the customer's credit card information and pass it along to CyberCash or Authorize.net (or any one of a dozen other processors). They would return either an authorization code that told you money was going to show up, or an error that you could pass back to the user so they could correct their mistake and try again.

Unfortunately, many programmers were very, very sloppy. In fact, some were just negligent in the way they handled the customer information. For example, some stored all of the order information, with full billing details, in a text file that anyone could request right through the web site (it might have been easy for the owner to get to, but it was just as easy for everyone else). Things like this resulted in the wholesale theft of credit card and bank account details, which in turn led to millions upon millions of dollars of fraud.

Over the past few years, the "Payment Card Industry" has taken matters into its own hands and forced everyone, through its various agreements and contracts, to fix the problem and secure their systems. Now, don't get me wrong, this is great for consumers, and businesses should be happy that these changes are being implemented, but as a whole it is really painful. At this point, nearly everyone is required to be in compliance with the Payment Card Industry Data Security Standard (PCI-DSS, or simply "PCI compliant" for short).

The PCI-DSS contains 12 main requirement categories that apply to any business that processes, stores, or transmits information covered by the standard. This means that the little web store that just takes the credit card number and passes it to, well, whoever, to process the transaction now has to be fully compliant with every letter of the full requirements, even though it may not actually store any of the information at all and just passes it along.

Many of the things covered by the requirements are simple, such as using encryption during transmission (through SSL between the customer and the web server), encrypting the data once it's received (if you're storing it in a database), not storing the card security code, and restricting access to the card data to those who really need it. Many web developers were already doing these things and took a "reasonable" approach to securing customer data. Unfortunately, even when "reasonable" measures are taken, bad things can happen and the information can end up in the wrong hands. Or worse, someone may gain access without your even knowing it and steal information over a long period of time without being detected.

The PCI-DSS covers all of these things and basically forces a business to take data security very seriously. First, there are requirements for how the data is brought into the system, what you can do with it, and what you can't do with it. Second, it covers who has access: there are requirements for password complexity, password rotation, account auditing, and so on. It covers network and infrastructure security to ensure nobody can just walk up to the server, plug a portable drive into it, and walk away with a copy. The standard talks about logging and auditing so that if someone does break in there is forensic evidence that can be examined to determine how they got in and, most importantly, what was taken so that customers can be notified. The list goes on and on and gets into a lot of highly technical detail.
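To make the "what you can and can't do with the data" part concrete, here is an added example (not code from the original post) contrasting the sloppy 1999-style order record described above with the minimum a merchant who handles cards directly should keep after an authorization: no card security code, only the last four digits of the number, and the processor's own reference for later refunds. The sample record, the test card number, and the `processor_ref` value are constructed for the example; the assumption is simply that the processor returns some opaque reference for an approved authorization. The log redaction helper goes a step beyond the paragraph by treating application logs as one more place card data must not accumulate.

```python
"""Added example: retain only the minimum card data after an authorization.

Assumptions (not from the original post): the processor hands back an opaque
reference string for an approved authorization, and the store needs only
enough to match refunds and to show the customer "card ending in 1111".
"""
import re

# Constructed sample record in the style the post criticises: every field the
# customer typed, kept verbatim. The card number is a well-known test PAN.
SLOPPY_ORDER_RECORD = {
    "order_id": 1042,
    "customer": "A. Example",
    "card_number": "4111 1111 1111 1111",
    "expiry": "12/10",
    "cvv": "123",
    "amount": "49.95",
}

NON_DIGITS = re.compile(r"\D")
# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(pan: str) -> bool:
    """Checksum sanity check before the number is ever sent to the processor."""
    digits = [int(c) for c in NON_DIGITS.sub("", pan)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; everything else becomes '*'."""
    digits = NON_DIGITS.sub("", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def minimize_order(record: dict, processor_ref: str) -> dict:
    """Build the record that is allowed to reach the database.

    The CVV is never copied (it must not be stored after authorization), the
    PAN is reduced to its last four digits, and the processor's reference is
    what later refunds or disputes are matched against.
    """
    return {
        "order_id": record["order_id"],
        "customer": record["customer"],
        "amount": record["amount"],
        "card_last4": mask_pan(record["card_number"])[-4:],
        "card_expiry": record["expiry"],
        "processor_ref": processor_ref,
    }


def safe_to_persist(record: dict) -> bool:
    """Gate in front of any write: refuse records that still carry a CVV or
    anything shaped like a full card number."""
    if "cvv" in record:
        return False
    for value in record.values():
        if isinstance(value, str) and PAN_PATTERN.search(value):
            return False
    return True


def redact_log_line(line: str) -> str:
    """Application logs are storage too: mask any PAN-shaped token in them."""
    return PAN_PATTERN.sub(lambda m: mask_pan(m.group(0)), line)


if __name__ == "__main__":
    assert luhn_ok(SLOPPY_ORDER_RECORD["card_number"])
    # "auth-ref-000123" stands in for whatever reference the processor returns.
    stored = minimize_order(SLOPPY_ORDER_RECORD, "auth-ref-000123")
    print("sloppy record safe to persist:", safe_to_persist(SLOPPY_ORDER_RECORD))
    print("minimized record safe to persist:", safe_to_persist(stored))
    print(stored)
    print(redact_log_line("order 1042 card 4111 1111 1111 1111 amount 49.95"))
```

The `safe_to_persist` gate is deliberately a blunt pattern match rather than a precise parser: at the storage boundary a false positive costs a rejected write that a developer will notice, while a false negative is exactly the silent long-term leak the post warns about.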

The way I see it, the days of "Mom's Apparel" throwing up a store and taking credit cards directly are simply over. Any business that wants to accept credit cards directly will have some serious thinking to do. The cost of entry just went up, a lot. Unless they're planning to do more than a certain volume of online sales every month, it's just not worth the overhead to ensure compliance with the PCI-DSS.

Not all hope is lost, however. Notice that I said "accept credit cards directly." A new business can still take payments online, as long as they aren’t handling "sensitive" data directly. Providers like PayPal have entire departments dedicated to regulatory compliance, and they've been doing it for nearly a decade now. They know how to manage and secure their systems properly, and the fees they charge are about the same as you would pay to a traditional credit card processor. They become the ones who have to be compliant since you are no longer handling the information directly. They just let you know that a payment has been made but you don't have to worry about the actual credit card data.
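What "they just let you know that a payment has been made" looks like on the merchant's side, as an added example that is not from the original post and is not any real provider's protocol: the provider sends a notification carrying the order id, amount, and its own transaction id, and the merchant's only jobs are to check that the message genuinely came from the provider, that it matches the order it placed, and that it has not already been processed. The signature scheme (HMAC-SHA256 with a shared secret over the sorted fields), the secret, the order book, and the sample messages are all constructed for the example; PayPal's real IPN mechanism works differently (the merchant echoes the message back to PayPal for validation), so treat this as the general shape of the check, not a drop-in.

```python
"""Added example: accept a payment notification from an outsourced provider
so that no card data ever reaches the merchant.

Assumed (not from the post, and not any real provider's protocol): the
provider posts form fields plus an HMAC-SHA256 signature, computed with a
shared secret over the remaining fields in sorted, URL-encoded order.
"""
import hashlib
import hmac
from urllib.parse import urlencode

SHARED_SECRET = b"constructed-demo-secret"  # assumed: issued by the provider

# Merchant-side order book (constructed). The merchant holds only its own
# order id plus the amount and currency it expects to be paid.
ORDERS = {"1042": {"amount": "49.95", "currency": "USD", "status": "pending"}}
SEEN_TXN_IDS = set()  # replay protection: a provider retry must not pay twice


def canonical(fields: dict) -> bytes:
    """Deterministic byte string the signature is computed over."""
    return urlencode(sorted((k, v) for k, v in fields.items() if k != "sig")).encode()


def sign(fields: dict, secret: bytes = SHARED_SECRET) -> str:
    return hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()


def provider_message(order_id, amount, currency, txn_id, status="completed") -> dict:
    """Construct what the (assumed) provider would send for a payment."""
    fields = {"order_id": order_id, "amount": amount, "currency": currency,
              "txn_id": txn_id, "status": status}
    fields["sig"] = sign(fields)
    return fields


def handle_notification(fields: dict) -> str:
    """Validate a notification and return the resulting outcome.

    Checks, in order: authenticity of the message, that the order exists,
    that amount and currency match what we asked to be paid, that the
    transaction has not been processed before, and that the payment is
    actually complete. Only the provider's transaction id is retained.
    """
    expected = sign(fields)
    if not hmac.compare_digest(expected, fields.get("sig", "")):
        return "rejected:bad-signature"
    order = ORDERS.get(fields.get("order_id"))
    if order is None:
        return "rejected:unknown-order"
    if (fields.get("amount"), fields.get("currency")) != (order["amount"], order["currency"]):
        return "rejected:amount-mismatch"
    txn = fields.get("txn_id")
    if txn in SEEN_TXN_IDS:
        return "ignored:duplicate"
    if fields.get("status") != "completed":
        return "pending"
    SEEN_TXN_IDS.add(txn)
    order["status"] = "paid"
    order["provider_txn"] = txn  # the only payment reference the merchant keeps
    return "paid"


if __name__ == "__main__":
    good = provider_message("1042", "49.95", "USD", "txn-001")
    print(handle_notification(dict(good, amount="0.01")))  # rejected:bad-signature
    print(handle_notification(provider_message("1042", "0.01", "USD", "txn-002")))  # rejected:amount-mismatch
    print(handle_notification(good))  # paid
    print(handle_notification(good))  # ignored:duplicate
    print(ORDERS["1042"])
```

The amount check matters as much as the signature: a notification can be perfectly authentic and still describe a payment for a different amount than the order called for, so the merchant compares against its own record rather than trusting the message's figure. Nothing in this flow ever sees a card number, which is precisely why the compliance burden moves to the provider.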

Unfortunately, companies like PayPal have earned a somewhat negative reputation for some reason. Perhaps the merchant will think their customers won’t take them seriously or believe they aren't a "serious business" if they only use PayPal to process their transactions. Whatever the reason, many businesses are reluctant to wash their hands of regulatory compliance and just keep doing what they’ve been doing in the past. Sure, they can say they're compliant, but if there is ever a breach and data is stolen, the liability will come down upon them like a ton of bricks. Frankly, it has the potential to destroy the business entirely.

All in all, the easy times are over for online sales. Any small operation with dreams of selling online had better get used to the idea of using an outsourced payment service if they want to minimize their liability. No, it's not glamorous, but it's safe, and that is what customers need right now. They need to know that when they purchase from your online store, their information is secure. The best way for a small company to do that is to outsource that piece to the experts who know how to do it properly. It's better from a liability standpoint, and from a trust standpoint: you know, rather than hope, that the payment data is safe.

Posted by Justin Scott at 3:06 PM - Categories: ColdFusion | Business Development