“If you store, transmit or process any kind of credit or debit card information, it is your job as the merchant to protect it,” he says. “If cardholder data is stolen and you are responsible, you could face fines, penalties and even lose the right to accept payment cards. The card associations are getting more and more strict about this.”
Harvey says there are three important steps e-commerce businesses can take to make sure they and their customers are protected:
1. Hire reputable professionals for your web development
The days when you could ask your neighbour’s son or a just-qualified graphic design student to build a website on the cheap are long over, says Harvey. “Make sure your web developer has specific experience in building e-commerce sites. Ask them what shopping carts and payment gateways they prefer and why, and to explain to you in detail how the process works. If they can’t explain it to your satisfaction, you need to wonder whether they really understand it themselves – and in that case, can you accept their recommendations?”
This is an area where it’s worth investing in professionalism, adds Harvey. “If the online channel is important to your business, the checkout and payment process can make or break it. This is the last place you should be stingy with your budget.”
2. Choose your payment service provider carefully
“Price is important, but don’t fall for false economies,” says Harvey. “The very first questions you ask should be about security – how does the gateway protect your customers’ card information? Ask for proof that they are PCI compliant, that is, that they comply with the standards laid down by the global PCI Security Standards Council.”
Secondly, says Harvey, ask for information about reliability and availability: “It’s no good having a cheap payment gateway if they’re down one day out of seven and your customers get turned away at the till. Ask about their downtime, and contact some other customers to ask about their experience. Once you’re satisfied that your security and reliability needs are met, then is the right time to let price be the deciding factor – not before.”
3. Use a payment page hosted by the gateway provider, or consider tokenisation
One very safe option is to let your gateway handle the entire payment process via a page on their own server. “This means that when a customer clicks ‘Pay’ or ‘Check Out’ on their shopping basket, they get taken to a secure page that’s isolated from your own website,” explains Harvey. “This means that you never store, transmit or process their card information in any form – your PCI-compliant payment gateway does it all for you.”
Some online merchants prefer to control the user experience from beginning to end, including the payment process. In this case, says Harvey, merchants should use tokenisation. “This means that instead of actual card information, you just store an encrypted token provided by the payment gateway. Next time you need to process a transaction on that same card, you just send the token. This is a simple but highly effective way to make sure you never need to store card numbers.”
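The tokenisation flow described in step 3, as an added example that is not part of the article: the gateway keeps the card number in its own vault and returns an opaque token, the merchant stores only that token plus a display hint, and a guard refuses to persist anything that is shaped like a card number. The gateway functions, the token format and the 4111 1111 1111 1111 test card number are constructed for illustration.

```python
import re
import secrets

# Stand-in for the gateway's vault. In the real flow this lives on the
# PCI-compliant provider's servers and the merchant never sees it.
_GATEWAY_VAULT = {}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used here only to recognise card-number-shaped values."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True for 13-19 digits (spaces/dashes ignored) that pass the Luhn check."""
    digits = re.sub(r"[ -]", "", value)
    return 13 <= len(digits) <= 19 and digits.isdigit() and luhn_ok(digits)


def gateway_tokenize(pan: str) -> str:
    """Gateway side: vault the card number, hand back an opaque surrogate."""
    token = "tok_" + secrets.token_hex(16)   # random reference, not derived from the PAN
    _GATEWAY_VAULT[token] = pan
    return token


def gateway_charge(token: str, amount_cents: int) -> bool:
    """Gateway side: the token is resolved inside the vault; the PAN never travels."""
    return token in _GATEWAY_VAULT and amount_cents > 0


def safe_to_persist(record: dict) -> bool:
    """Merchant-side guard: no field of a stored record may look like a PAN."""
    return not any(looks_like_pan(str(v)) for v in record.values())


def merchant_record(token: str, pan: str) -> dict:
    """Merchant side: keep the token and the last four digits, never the PAN."""
    record = {"token": token, "last4": pan[-4:]}
    if not safe_to_persist(record):
        raise ValueError("refusing to persist a card-number-shaped value")
    return record
```

On a repeat purchase the merchant sends only `record["token"]` to `gateway_charge`, so the card number is never stored, transmitted or processed on the merchant's side.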