Fraud Prevention

The PEC Review: CRE Secure Eases PCI Concerns

Protecting customer credit card data and then telling customers that you’re doing so should be a top priority for online retailers this year.

First, protecting your customers’ data is an ethical responsibility. If you’re selling products online and accepting credit card data, you should keep that data safe.

Second, you’ve agreed to do it. If you have a merchant account, read the fine print. As a merchant that accepts credit cards, you agreed to protect customer card information and comply with the Payment Card Industry’s (PCI) standards. You are contractually on the hook.

What’s more, when you do take steps to protect shoppers, you can tell them that in your onsite marketing, outbound promotion, or blog. Letting potential customers know that you’ve gone out of your way to protect their credit card data will help to build trust and boost sales.

So how do you do it? How do you keep customer card data secure? How do you meet PCI requirements?

One way is to work with trusted third parties that reduce your scope (responsibility) and ensure that card data is managed well. One such provider is CRE Secure. The company’s PCI-certified hosted checkout puts a premium on visual continuity and security, earning it four out of a possible five stars in this, “The PEC Review.”

“The PEC Review” is my weekly column to introduce you to the products or services I believe can help you improve your ecommerce operation. This week, meet CRE Secure.

For most pure-play online retailers, CRE Secure is an all-in-one PCI solution that both ensures your customers’ data is safe and helps you meet all of your PCI compliance requirements.

Functionally, when shoppers visit a store equipped with CRE Secure, they shop as normal, loading items into the store’s shopping cart or bag. When they are ready to make a purchase they click “checkout” and are redirected to a PCI-compliant, secure hosting environment at CRE Secure’s data center.

Quite literally, the shoppers have left the store they were on and have been redirected to CRE Secure.

Visually, almost nothing will have changed. CRE Secure goes out of its way (except in one area) to match a merchant’s site exactly. The retailer can even create a custom sub-domain so that the store’s name appears in the address bar.

Once the transaction is complete, an approval code is passed to the merchant’s ecommerce platform, and the shopper is seamlessly redirected back to the retailer’s site. Because the transaction took place on CRE Secure’s web servers, the merchant is not responsible for further PCI compliance and gets to market that it uses a PCI DSS certified checkout solution.

Even a multi-channel retailer can benefit, since CRE Secure takes all online transactions out of scope as far as PCI compliance is concerned. And since CRE Secure can be integrated into desktop or server-based applications, merchants with call centers can effectively limit scope to just an operator’s terminal, rather than having to certify an entire network.

Visual Continuity

One of the complaints about any kind of hosted checkout is that it doesn’t resemble the merchant’s website and that merchant loses control over the page content.

CRE Secure goes out of its way to imitate (clone is not too strong of a word) the merchant’s site, bringing in site navigation, graphics, sidebars, you name it. In fact, every example I saw was essentially identical to the retailer’s site in appearance.

Currently No JavaScript Support

When the CRE Secure system clones a retailer’s website, matching it visually, it strips out the JavaScript. The company claims that it is a security issue, but company personnel told me that they already had a workaround on their roadmap, which indicates that they recognize it is a major roadblock.

Until that workaround is in place, any merchant using JavaScript for, say, font replacement, an AJAX cart or for navigation features, is out of luck. Fortunately, this will not affect every merchant. But if your site relies on JavaScript, CRE Secure might not be the proper solution.

If my two cents matter, I would suggest that the CRE Secure folks simply keep a pristine copy of most leading JavaScript libraries and plug-ins on their secure servers. When a merchant’s page comes in with a call for the jQuery or Prototype JavaScript library, CRE Secure could simply replace that call with a link to their local, known-to-be-hacker-safe version. Customers could submit custom JavaScript files when they registered for the service, which CRE Secure could scan before using.

four stars

Price and Value

CRE Secure starts at $10 per month and 15 cents per transaction with a $20 setup fee. But this offering only allows for a meager 25 transactions per month, which means it is too limited for a serious merchant.

CRE Secure Pro, which runs $20 per month and 10 cents per transaction, gets you a little further with up to 250 monthly orders.

Busier merchants should contact CRE Secure directly to get price quotes. They could expect to pay $90 per month with no per transaction fees for 1,000 transactions; $170 per month for 2,000 transactions; or around $400 per month for 5,000 monthly transactions. Setup fees of $100 or more will apply, but integration should be more complete.

Compared to certifying an in-house network or using a secure host (shared hosting is almost never secure enough to meet PCI standards), CRE Secure is cost effective.


The company offers a secure and well-done application programming interface (API) so that nearly any retailer can enable the service.

Merchants using Magento, osCommerce, Zen Cart, XCart, or CRE Loaded (CRE Secure’s companion ecommerce platform) have near push-button integration that requires little technical skill.

Summing Up

CRE Secure is a compelling solution that can effectively solve all of an online merchant’s PCI concerns. The company does an exceptional job of cloning a merchant’s website to ensure visual continuity. And if a merchant is using a shared hosting environment, CRE Secure might just be the one of the best choices for meeting PCI requirements.

Unfortunately, it does not support JavaScript, which for a guy like me that uses a lot of JavaScript, is a big problem. But company personnel have promised to introduce a JavaScript solution. And I have no reason to doubt them. In fact, they indicated that this solution could be available in the next few months.

Bottom line, even with my concerns about JavaScript support, I did not hesitate to award CRE Secure four out of a possible five starts in this “The PEC Review.”

Armando Roggio
Armando Roggio
Bio   •   RSS Feed