Although ecommerce fraud incidents as related to sales are at historically low rates, online retailers (particularly small ones) should be concerned about credit card information theft and transaction fraud even beyond the familiar Payment Card Industry (PCI) Data Security Standard (DSS).
In 2008, online retailers lost approximately $4 billion in revenue to transaction fraud, according to CyberSource, an ecommerce payment management company. And a recent Visa 2009 Global Security Summit Panel described card-not-present (i.e., online or telephone sales) fraud as "a growing global problem." The panel said that while "PCI DSS is an excellent framework … it is not the answer to every challenge."
Ecommerce merchants have to take every possible step to ensure that they are protecting the customer data they collect and not processing orders made with stolen credit card numbers. Fraud security measures are vital to a seller's business life, since breaches could ruin brand reputation and cost a seller millions in reparation and fines.
In this "eCommerce Know-How," I am going to (1) briefly describe what PCI DSS compliance is, (2) point you to other excellent PCI resources right here at Practical eCommerce, (3) describe why PCI compliance might not be enough to protect your customers, (4) mention a new Massachusetts law, and (5) encourage you to get your customers involved.
Video: What is the PCI DSS in 90 Seconds
What is PCI Compliance?
The PCI DSS is a set of comprehensive and multifaceted requirements that collectively help to ensure the security of payment account data. Leading credit card brands like American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. developed the standard that includes specific requirements for security management, policies, procedures, network architecture, software design and more. If an online store wants to accept credit cards, that store must comply with these standards. Non-compliant operations may lose the right to accept credit card transactions or be fined. You can learn more about PCI compliance from Brian Getting's article, "What is PCI Compliance And Should Merchants Be Concerned About It?" and from the article "New PCI Compliance Standards Take Effect." You may also be interested in the Practical eCommerce articles "How To Steal Credit Card Numbers" and "Credit Card Theft: Steps to Protect You and Your Customers."
Now that you know what PCI compliance is, take steps to ensure that your transaction pipeline meets the standard. The easiest way is to work only with PCI certified vendors.
PCI DSS Compliance is a Starting Point, Not a Finish Line
Combating fraud is akin to an arms race, explained Visa's chief enterprise risk officer, Ellen Richey, during a keynote address in March 2009. As new security is added, hackers become more creative, changing their methods or looking for vulnerable (often smaller) stores. In this arms race, PCI DSS compliance is the starting point, not the end of transaction security. Although no fully-compliant merchant has been known to ever lose customer data to a hacker, compliance is not a once-a-year, or even once-a-quarter, check up. Compliance is something that has to be maintained all of the time. When brick-and-mortar retailer TJX, which operates brands like T.J. Maxx, Marshalls, and HomeSense, was compromised in 2006, it had been PCI-certified, but was not in complete compliance when the incidents occurred. A small breakdown in policies can give a thief just the opportunity he or she needs to pilfer customer data.
Many online merchants believe that their payment gateway or payment processor will handle PCI DSS compliance for them, but this is not entirely true. Certainly companies like PayPal, Authorize.net, or Chase Paymentech will strictly adhere to the network, telecommunications, and software requirements, but merchants can still mismanage customer data or process stolen credit cards.
For example, even if a merchant uses a hosted cart (Yahoo!, for example) and a secure payment processor, that merchant can expose customer credit card data through an unsecured wireless network. A hacker could tap the network, see what the merchant is seeing, and take customer card numbers right off Yahoo!.
Responsible merchants have to take steps beyond working with a responsible gateway or payment processor. Consider adding written policies that describe how customer data is handled (i.e., how long credit card numbers are stored after a transaction); ensure that your network is encrypted and secure; use a firewall; monitor employee access to customer data; and get help accessing transaction fraud risks.
Legislation Is Coming
Right now, PCI DSS compliance is an industry standard. But formal legislation that requires specific means of protecting or notifying customers and avoiding fraud is already in the works. In Massachusetts law takes effect in 2010 that will expedite customer notification in the event that data is compromised. It is the first of a new breed of law that could make it a crime to lose customer information or inadvertently accept a stolen card number.
What's more, U.S. President Barak Obama has announced that he will appoint a National Cyber Advisor. While the advisor will certainly focus on government security breaches and cyber terrorism, there will also be new emphasis on ecommerce transaction security.
Getting Your Customers Involved
One piece of the PCI DSS/ecommerce transaction security puzzle that seems to be missing is customer involvement. Again, according to one of the Visa Summit Panels, only 26 percent of shoppers believe they can play a role in credit card security. This is a surprisingly low percentage, since there are many things that customers can do to both protect themselves and mitigate everyone's risk of loss.
In my own stores, I am adding cyber security statements that clearly explain what my operations are doing for PCI DSS compliance, and offering advice to customers about how to safeguard their credit card data. Letting your customers know what you're doing and what they can do further helps to mitigate fraud.
- The PCI Security Standards Council
- Massachusetts Bill No. 4144 PDF
- "About the PCI Data Security Standard"
- CyberSource Resources
- Elimor MIlls' article "What's your identity fraud risk level?
- "Visa's 2009 Global Security Summit Summary Report" PDF
- Visa's PCI "Compliance validation details for merchants"
- Visa Canada's "Merchant Levels Defined"
- Network Security Consulting Blog's "PCI-DSS Compliance: Part 1"