Do you process credit cards online? Be Scared!
Posted on 14/02/2008 in eCommerce

Just heard about something extremely scary! If you already process credit cards online (ie your customer types their credit card no directly into your website) OR you are trying to decide what sort of credit card processing system to use online, then you REALLY NEED TO KNOW about this.

There is now a $10,000 minimum fine for small online merchants in Australia who do NOT adhere to the new PCI-DSS standards introduced in September 2007 by the Security Standards Council (SSC). Standards? What Standards?

You can download the standards here:

PCI- Data Security Standards v1.1

The upshot of this document is that there are a whole bunch of minimum requirements that an ecommerce that receives credit cards numbers (called PANs – Primary Account Numbers) MUST have in place. These requirements are:

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other
    security parameters
  • Requirement 3: Protect stored cardholder data (ie encryption)
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Requirement 5: Use and regularly update anti-virus software or programs
  • Requirement 6: Develop and maintain secure systems and applications
  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
  • Requirement 12: Maintain a policy that addresses information security for employees and contractors

If you are already doing all this. Wow! Great job! If you are not, then you might want to look for an alternative way of processing online credit transactions!

Here are some options:

1. Use a bank’s merchant facility that DOES NOT require the card no to be given on your website. In other words, the credit card details are given “off-site”. If the customer wants to pay by credit card, when they click on the “Pay Now” button (or equivalent), they are taken to the Bank’s Merchant Facility to enter their credit card details. At no stage are you, the merchant, in possession of or responsible for the customer’s PAN (ie credit card number). So, the PCI-DSS requirements do NOT apply to you! Examples of merchant facilities that fall into this category are:

  • ANZ eGate
  • Commonwealth’s COMMWEB

2. Use a third-party processor. Paypal is the most popular example of a third-party gateway in Australia. It is secure, it is free to set up and WebCare integrates PayPal into all of our ecommerce websites – free of charge! The only cost is the roughly 2.5% transaction fee. Yes, this is higher than you pay with a bank, but there are no other fees! So could be saving many hundreds of dollars in the first year alone (depending on the volume of transactions that go through your ecommerce site). Paymate is another example of this type of processor but their fees are significantly higher than PayPal (if you include the 3% fee they automatically charge your client!).

3 . If you have manual credit card processing facilities and you are authorised (or can get authorised) for “no-card present transactions” (including phone and fax), then you can use e-Path to gather the credit card details from your customer and to make them securely available for you to process manually. e-Path looks like a third party processor to the customer, but it does not actually process the card. Rather, it captures the details on your behalf. You then retrieve the credit card details from your e-Path account and process in the usual way. Because your website is NOT receiving the customer’s credit card number, you are not subject to the PCi-DSS requirements. Of course, you still need to treat those credit card details in accordance with your merchant agreement.

The other great advantage of e-Path is that you can then investigate the legitimacy of each order before processing the card (eg check country, delivery address, valid phone number, non-free email address (hotmail, yahoo, gmail etc)). This should reduce significantly the amount of credit card fraud that you are subject to. Yay!

4. Stick with non-credit card forms of payment – cheque, money order, direct deposit to your bank account. You won’t have to worry about any of these issues, and there are virutally no transaction costs. Any (or all) of these forms of payment can easily be added to your e-Commerce system but…and it’s a pretty big but…this form of payment is manual – your ecommerce system will not know that a payment has been made until you record it in the admin system.

If you are not sure which type of approach is best suited to your business, give us a call on 1300 656 902 to discuss. We will happily talk you through the advantages and disadvantages.

Tags: , ,

Comments are closed.