Ensuring PCI DSS compliance without going broke or sacrificing your customers’ experience
By Greg McGraw, [email protected]
In 2008, approximately 212 million online records were breached as a result of malware designed by hackers to harvest sensitive information, namely credit-card numbers, according to a study conducted by Verizon Business. Findings indicated that 81% of organizations that were victims of these breaches were non-compliant with the Payment Card Industry (PCI) Data Security Standard, or PCI DSS. The standard was created by the PCI Council, a global group of credit-card issuing brands, including Visa, MasterCard, American Express, and Discover, to protect their cardholders from fraudulent credit-card use, loss, and theft.
Mandatory PCI DSS compliance
Regardless of size, all retailers are at risk of fraud through a potential point of vulnerability in their online checkouts. Traditionally, when a consumer makes a purchase through an online retailer’s payment page, that consumer’s credit-card data is processed within the merchant’s online environment briefly before being passed to a secure gateway. In that instant, data is vulnerable to hackers.
To combat such rampant online fraud, which costs merchants approximately $4 billion in losses per year, according to online fraud reports, the PCI Council will be releasing a set of mandatory data security standards in October. There will be a 14-month grace period before merchants of all sizes must be able to prove that their online payments network complies with the newly mandated PCI DSS standards. According to the PCI Standards Council, those that are found to be non-compliant after this timeframe risk fines, legal fees, decreases in stock equity, and loss of the ability to accept credit-card payments.
Weighing the options
As October approaches, retailers are beginning to evaluate different measures to ensure that their payment systems will be compliant with the upcoming regulations. Retailers have two choices: either completely outsource their payments acceptance using hosted payment pages or maintain an in-house payments system.
Choosing between the two options is proving difficult for merchants: in-house systems carry significantly higher costs, while hosted payment pages cause customer confusion because customers are re-routed to a third-party payments site.
Customizing an in-house payments system would help to validate PCI compliance while keeping retailers’ branding intact during the checkout process as customers would come to a proprietary payments page that exhibits branding (colors, themes and logos) that is consistent with the rest of the site. However, the amount of internal and monetary resources needed for this method is significant, especially for small- to mid-sized merchants.
In-house payments systems require merchants to earn their PCI certification, a process that can take at least six months to complete in addition to the time it takes to customize the system itself. Plus, the monthly cost of maintaining an in-house system can range between $2,000 and $10,000 in technology, including PCI scans and secure servers, and personnel. These figures do not even include ancillary costs associated with regular PCI audits.
Outsourcing online payment systems presents a much more viable option for two primary reasons:
1. Cost: Cloud-based payment security solutions are more affordable and scalable than in-house systems. Typically, fees range between 10 cents and 20 cents per online transaction along with a nominal monthly service fee.
2. Ease of use: Hosted payment acceptance solutions shift the burden and scope of PCI compliance away from merchants altogether, allowing them to focus on their business instead of being preoccupied with audits, maintaining their payment systems and other headaches associated with PCI.
Unfortunately, outsourcing online payment systems, while secure, does have its drawbacks when it comes to the end-user’s experience. Historically, hosted payment solutions have negatively impacted the customer experience, and even sales. Traditionally, when customers decide to check out on a website that uses an outsourced payments system, they are brought to a third-party payments page that is aesthetically inconsistent with the branding and feel of the retailer’s website.
The perceived disconnect between the payments page and the retailer’s website can confuse customers or make them feel that their information is vulnerable to hackers. Such concerns over being re-routed to a third-party site are a significant contributor to the number of shopping carts that customers abandon before checkout. In fact, a recent PayPal survey found that more than 20% of respondents indicated that concerns over the security of credit-card data were a “very important” reason for cart abandonment.
Best of both worlds
Fortunately, online retailers can experience the time and cost savings of outsourced PCI DSS compliance without having to sacrifice their brand or their customers’ experience. Developments in cloud-based payment security integration make it possible for third-party payment pages to blend seamlessly with the retailer’s website. Pages are elegantly designed and updated to ensure branding continuity between the merchant’s website and the hosted payment page. And by integrating full payment card vault and tokenization capabilities, subsequent transactions authorized to the same card can also be made secure and simple to enable: the merchant stores only a token that references the card in the provider’s vault, never the card number itself.
A customer browses through the website, fills a shopping cart, proceeds to checkout, and is routed to a third-party page that securely acquires and routes their data directly to the gateway.
The branding and visual format of the payment page is consistent with the entirety of the site, which prevents the customer from ever knowing that they have been routed to a third-party site and helps to eliminate any concerns they may have over the security of their data.
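The flow described above, as an added illustration that is not CRE Secure’s code or any real provider’s API: a hypothetical hosted provider is the only component that ever holds the card number, validates it, stores it in its own vault and hands the merchant an opaque random token plus last four digits. The merchant charges and re-charges by token alone, so its own storage can be checked to contain no card numbers. The card number is a constructed, well-known test value, not a real account.

```python
import re
import secrets

# Constructed sample card number (public test value, not a real account).
SAMPLE_PAN = "4111111111111111"

def luhn_ok(pan: str) -> bool:
    """Luhn checksum used by card brands; validates format only, not the account."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class HostedPaymentProvider:
    """Hypothetical PCI-scoped third party: the only place the PAN is ever held."""
    def __init__(self):
        self._vault = {}  # token -> PAN, kept inside the provider's environment only

    def collect_card(self, pan: str, expiry: str) -> dict:
        pan = re.sub(r"\D", "", pan)  # strip spaces/dashes typed on the hosted page
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_hex(16)  # random; not derived from the PAN
        self._vault[token] = pan
        return {"token": token, "last4": pan[-4:], "expiry": expiry}  # merchant-safe data

    def charge(self, token: str, amount_cents: int) -> dict:
        pan = self._vault.get(token)
        if pan is None:
            raise KeyError("unknown token")
        # The authorization call to the gateway would be made here, by the provider.
        return {"approved": True, "amount_cents": amount_cents, "last4": pan[-4:]}

class Merchant:
    """Merchant-side storage holds tokens only, so a breach here exposes no PANs."""
    def __init__(self, provider: HostedPaymentProvider):
        self.provider = provider
        self.customers = {}  # customer_id -> card reference returned by the provider

    def checkout(self, customer_id: str, card_ref: dict, amount_cents: int) -> dict:
        self.customers[customer_id] = card_ref
        return self.provider.charge(card_ref["token"], amount_cents)

    def repeat_charge(self, customer_id: str, amount_cents: int) -> dict:
        return self.provider.charge(self.customers[customer_id]["token"], amount_cents)

    def holds_no_pan(self) -> bool:
        """Scope check: no stored field is a bare 13-19 digit card number."""
        return not any(re.fullmatch(r"\d{13,19}", str(v)) for ref in self.customers.values() for v in ref.values())
```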
As October nears, it is important for merchants to fully evaluate their options when it comes to complying with the required PCI DSS standards that are ahead. New developments in the hosted payment acceptance and security space will make the evaluation process much easier for merchants as outsourced payment systems no longer require them to sacrifice customer experience for affordability and compliance.
Greg McGraw is president and CEO of Atlanta-based CRE Secure, one of the industry’s first cloud-based, elegantly designed, secure payment solutions for online merchants. He can be reached at [email protected].