If you are selling anything on your site, chances are you accept credit cards. With credit card fraud and identity theft rampant, how do you protect your e-commerce business and still offer your customers the convenience of purchasing with credit?
Your responsibilities as a merchant are governed by the laws and regulations in your state, federal laws and regulations, and the specific requirements of the particular card entity (e.g. American Express, Discover). Many of the major cards have also come together to create the PCI Standards Council. They’ve created a series of requirements that merchants must adhere to when agreeing to accept credit cards.
So, why does all of this matter, you ask? You’re only running a small online store. Well, when you agree to accept credit cards, you enter into an agreement with the major cards. As such, you agree to comply with all of these requirements.
Plus, dealing with fraud, chargebacks (amounts charged back to the credit card) and other breach hassles can be both costly (think thousands of dollars) and time consuming.
As you’re setting up your online venture, here are a few steps you can take to better protect your site and ultimately your business.
Use a Third-Party Gateway
Payment gateways are a bridge between your site and the actual payment processing that takes place. That means that you don’t have to personally handle anyone’s credit card information. If I purchase from your site and you use a payment gateway, I enter my information and you never see it. The card is authorized via the payment gateway. From a data breach perspective, that’s really important. You don’t have to store anyone’s sensitive cardholder information, which could help protect you from some liability.
Select a Reputable Merchant Account Provider
A merchant account provider is a company that processes your card transactions and deposits the funds from the cards into your business bank account. Beware. Not all merchant account providers are created equal. Some have seemingly excessive fees. Others try to bind you to a contract term of 36 or more months. Read the fine print of the agreements carefully, and once you’ve narrowed down your choices, sit down with your attorney to make sure you fully understand the terms of your particular contract. The terms are legally binding, so you don’t want to enter into the agreement until it is clear to you.
Set the Strictest Possible Verification Measures
Some payment gateways give the merchant a little leeway to determine what information will be required to process the transaction. For instance, will the cardholder be required to give the three-digit code on the back of the card? What if the address for the cardholder does not match the billing address the online customer provides? Will you refuse to process the purchase? These are all decisions that you will have to make as a merchant. The more steps you require, the greater protection you provide yourself and the cardholder. Stricter controls may seem cumbersome, but it pays off with fewer chargebacks and identity theft claims.
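As an added illustration (not part of the original post), here is how a merchant’s verification policy might be expressed in code once the gateway has reported the outcome of the security-code and address checks. The response fields, the two policies and the sample responses are all constructed assumptions; a real gateway returns its own field names and result codes, which you would map onto these booleans first.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


# Constructed example. The response fields below are an assumption about what a
# gateway returns; real gateways use their own field names and AVS/CVV code sets.
@dataclass(frozen=True)
class AuthResponse:
    approved: bool                     # issuer approved the authorization
    cvv_match: Optional[bool]          # None: security code not supplied or not checked
    avs_street_match: Optional[bool]   # None: address verification unavailable
    avs_zip_match: Optional[bool]
    amount_cents: int


@dataclass(frozen=True)
class VerificationPolicy:
    require_cvv: bool = True
    require_zip_match: bool = True
    require_street_match: bool = True
    review_above_cents: int = 50_000   # larger orders go to manual review even when all checks pass


STRICT = VerificationPolicy()
# A looser policy some merchants run: street mismatches are common (apartment
# numbers, abbreviations), so only the ZIP and the security code are mandatory.
LENIENT = VerificationPolicy(require_street_match=False)


def decide(resp: AuthResponse, policy: VerificationPolicy) -> Tuple[str, List[str]]:
    """Return ("accept" | "review" | "decline", reasons) for an authorization.

    None never satisfies a required check: "not checked" is treated the same
    as "mismatch", so an unverified card cannot slip through.
    """
    if not resp.approved:
        return "decline", ["issuer declined the authorization"]
    reasons: List[str] = []
    if policy.require_cvv and resp.cvv_match is not True:
        reasons.append("security code missing or did not match")
    if policy.require_zip_match and resp.avs_zip_match is not True:
        reasons.append("billing ZIP did not match the issuer's record")
    if policy.require_street_match and resp.avs_street_match is not True:
        reasons.append("billing street address did not match the issuer's record")
    if reasons:
        return "decline", reasons
    if resp.amount_cents > policy.review_above_cents:
        return "review", [f"amount {resp.amount_cents} cents exceeds the review threshold"]
    return "accept", []


if __name__ == "__main__":
    # Constructed sample responses, run through both policies.
    samples = {
        "full match": AuthResponse(True, True, True, True, 4_999),
        "zip mismatch": AuthResponse(True, True, True, False, 4_999),
        "street mismatch": AuthResponse(True, True, False, True, 4_999),
        "cvv not checked": AuthResponse(True, None, True, True, 4_999),
        "large order": AuthResponse(True, True, True, True, 120_000),
    }
    for name, resp in samples.items():
        print(f"{name:16} strict={decide(resp, STRICT)[0]:8} lenient={decide(resp, LENIENT)[0]}")
```

One practical point this makes visible: the issuer will usually approve the charge even when the address or security code does not match, and leave the decision to you. When your policy declines an already-approved authorization, void it with the gateway so the hold on the customer’s card is released rather than left dangling.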
Make Sure Your Site Has a Security Certificate
Most merchant account providers and payment gateway providers require the site holder to have certain security certificates in place that encrypt data that flows over the internet. This certificate can usually be purchased from the same company that hosts your site. For example, hosting companies such as GoDaddy and Blue Host offer security certificates. Even if your provider does not require it, it is a good idea to take the extra step to add a security certificate to your site, particularly the store portion of your site.
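Buying the certificate is only half the job; the store pages also have to insist on using it. As an added example (not from the original post), here is a small piece of Python WSGI middleware that sends any plain-HTTP request for the store paths to the https version of the same URL and adds a Strict-Transport-Security header to every HTTPS response so browsers stop trying HTTP at all. The path prefixes, the hostname, the trust placed in a reverse proxy’s X-Forwarded-Proto header and the stand-in shop app are all constructed assumptions.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import quote

# Constructed example. Prefixes and hostname are assumptions; adjust to the deployment.
STORE_PREFIXES = ("/store", "/checkout", "/cart")
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def is_https(environ: Dict) -> bool:
    """True when the request arrived over TLS, either at this server or at a
    reverse proxy that terminates TLS and sets X-Forwarded-Proto.
    Assumption: that proxy overwrites any client-supplied copy of the header."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"


def require_https(app, canonical_host: str, prefixes=STORE_PREFIXES):
    """Wrap a WSGI app: store paths over plain HTTP get a 301 to the https URL,
    and every HTTPS response gains an HSTS header."""
    def middleware(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if path.startswith(prefixes) and not is_https(environ):
            # Build the target from the configured hostname, not the client's Host
            # header, so the redirect cannot be steered to another site.
            query = environ.get("QUERY_STRING", "")
            location = f"https://{canonical_host}{quote(path)}" + (f"?{query}" if query else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            if is_https(environ):
                headers = list(headers) + [("Strict-Transport-Security", HSTS_VALUE)]
            return start_response(status, headers, exc_info)

        return app(environ, start_with_hsts)
    return middleware


def store_app(environ, start_response):
    """Stand-in for the shop; it only echoes the requested path."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["PATH_INFO"].encode()]


def call(app, path: str, scheme: str = "http", forwarded: Optional[str] = None,
         host: str = "shop.example", query: str = "") -> Tuple[str, Dict[str, str], bytes]:
    """Drive a WSGI app with a constructed request and capture the response."""
    environ = {"PATH_INFO": path, "wsgi.url_scheme": scheme,
               "HTTP_HOST": host, "SERVER_NAME": host, "QUERY_STRING": query}
    if forwarded is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = require_https(store_app, "shop.example")
    print(call(app, "/checkout", "http", query="item=42"))   # 301 to https
    print(call(app, "/checkout", "https"))                   # 200 with HSTS header
    print(call(app, "/about", "http"))                       # 200, not a store path
```

The redirect protects customers who arrive through an old http link or bookmark. It does not help if a checkout form itself is served over plain HTTP and posts card details before the redirect happens, so the form pages, not just the page that receives them, must be covered by the protected prefixes.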
Verify that Your Business Insurance Covers Online Transactions
Some insurers deem online behavior too risky and specifically exclude it from coverage. When you’re deciding on a policy to cover your business activities, read the exclusions carefully to verify that your online transactions will be covered under your existing insurance policy. Having to address fraud claims and other possible security breaches without insurance can endanger your business and definitely lessen its profitability.
Limit Access to Sensitive Information
If for some reason you do maintain certain cardholder information, limit access to only those individuals who absolutely need to know this highly private information. Set measures that can track when and how those individuals access this private information.
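To make the two ideas above concrete, here is an added example (not from the original post) of a small store for cardholder records that keeps only the gateway’s token and the last four digits, checks the caller’s role before every read, and writes each attempt, allowed or denied, to an audit log whose entries are hash-chained so a deleted or edited line is detectable. The role names, permissions, record layout and sample values are constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Constructed example. Roles, permissions and the record layout are assumptions.


@dataclass(frozen=True)
class CardRecord:
    token: str      # opaque reference issued by the payment gateway
    last4: str      # enough for a customer to recognize the card
    brand: str
    expiry: str     # MM/YY


class AccessDenied(PermissionError):
    pass


class CardholderVault:
    """Holds tokenized card records; every read is authorized and audited."""

    ROLE_PERMISSIONS = {
        "support": {"view_masked"},            # may confirm "the Visa ending in 1111"
        "billing": {"view_masked", "charge"},  # may also reuse the token for a charge
    }

    def __init__(self) -> None:
        self._records: Dict[str, CardRecord] = {}
        self.audit: List[dict] = []

    def store(self, customer_id: str, record: CardRecord) -> None:
        # Refuse anything that looks like a raw card number: only tokens belong here.
        digits = record.token.replace(" ", "")
        if digits.isdigit() and 13 <= len(digits) <= 19:
            raise ValueError("refusing to store what looks like a primary account number")
        self._records[customer_id] = record

    def _append_audit(self, entry: dict) -> None:
        # Each entry carries the hash of the previous one; altering or removing an
        # entry breaks the chain and verify_audit() reports it.
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry["prev"] = prev
        payload = prev + json.dumps(entry, sort_keys=True)
        entry["hash"] = hashlib.sha256(payload.encode()).hexdigest()
        self.audit.append(entry)

    def _authorize(self, user: str, role: str, action: str, customer_id: str, purpose: str) -> None:
        allowed = action in self.ROLE_PERMISSIONS.get(role, set())
        self._append_audit({"when": datetime.now(timezone.utc).isoformat(), "user": user,
                            "role": role, "action": action, "customer": customer_id,
                            "purpose": purpose, "allowed": allowed})
        if not allowed:
            raise AccessDenied(f"{user} ({role}) may not {action}")

    def verify_audit(self) -> bool:
        """Recompute the chain; False if any entry was edited, removed or reordered."""
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("prev") != prev:
                return False
            expected = hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()
            if expected != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def view_masked(self, user: str, role: str, customer_id: str, purpose: str) -> str:
        self._authorize(user, role, "view_masked", customer_id, purpose)
        r = self._records[customer_id]
        return f"{r.brand} ending in {r.last4}, expires {r.expiry}"

    def charge_token(self, user: str, role: str, customer_id: str, purpose: str) -> str:
        """Return the gateway token for a new charge; the card number is never available."""
        self._authorize(user, role, "charge", customer_id, purpose)
        return self._records[customer_id].token


if __name__ == "__main__":
    vault = CardholderVault()
    vault.store("cust-1", CardRecord("tok_constructed_abc123", "1111", "Visa", "12/29"))
    print(vault.view_masked("alice", "support", "cust-1", "ticket #12"))
    try:
        vault.charge_token("alice", "support", "cust-1", "ticket #12")
    except AccessDenied as e:
        print("denied:", e)
    print(vault.charge_token("bob", "billing", "cust-1", "invoice 77"))
    print("audit intact:", vault.verify_audit())
```

The purpose field is deliberately mandatory: an entry that says who looked, when, and why is what you will need when a customer or a card brand asks how a record was handled, and the chain of hashes lets you show the log itself was not trimmed after the fact.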
Carefully Review the Data Security Standards and All Individual Card Requirements
The PCI Standards Council issues the Data Security Standards to which every merchant must adhere. Review them carefully. Ask questions. Consult with an IT person to ensure that your systems meet the requirements.
Finally, as with all agreements you enter into as a business owner, invest in a consultation with a licensed attorney in your area. The peace of mind that comes from knowing that you’ve covered your bases will be invaluable and will better equip you in the unfortunate event that you do have to defend against claims arising from a security breach.
For additional information, visit the PCI Standards Council site.
Here’s to your business success!