By Greg McGraw, email@example.com
In 2008, approximately 212 million online record breaches occurred as a result of malware designed by hackers to harvest sensitive information, namely credit-card numbers, according to a study conducted by Verizon Business. Findings indicated that 81% of organizations that were victims of these breaches were non-compliant with the Payment Card Industry (PCI) Data Security Standard, or PCI DSS. These standards were created by the PCI Council, a global group of credit-card issuing brands, including Visa, MasterCard, American Express, and Discover, to protect their cardholders from fraudulent credit-card use, loss, and theft.
Mandatory PCI DSS compliance
Regardless of size, all retailers are at risk of fraud through a potential point of vulnerability in their online checkouts. Traditionally, when a consumer makes a purchase through an online retailer’s payment page, that consumer’s credit-card data is processed within the merchant’s online environment briefly before being passed to a secure gateway. In that instant, the data is exposed to hackers.
To combat such rampant instances of online fraud, which cost merchants approximately $4 billion in losses per year, according to online fraud reports, the PCI council will be releasing a set of mandatory data security standards in October. There will be a 14-month grace period before merchants of all sizes must be able to prove that their online payments network complies with the newly mandated PCI DSS standards. According to the PCI Standards Council, those found to be non-compliant after this timeframe risk fines, legal fees, decreases in stock equity, and the loss of their ability to accept credit-card payments.
Weighing the options
As October approaches, retailers are beginning to evaluate different measures to ensure that their payment systems will be compliant with the upcoming regulations. Retailers have two choices: either completely outsource their payments acceptance using hosted payment pages or maintain an in-house payments system.
Choosing between the two options is proving difficult for merchants because of significant differences between them: in-house systems carry higher costs, while hosted payment pages cause customer confusion when customers are re-routed to a third-party payments site.
Customizing an in-house payments system would help to validate PCI compliance while keeping the retailer’s branding intact during the checkout process, as customers would come to a proprietary payments page whose branding (colors, themes and logos) is consistent with the rest of the site. However, the amount of internal and monetary resources needed for this method is significant, especially for small- to mid-sized merchants.
In-house payments systems require merchants to earn their PCI certification, a process that could take at least six months to complete, in addition to the time it would take to customize the system itself. Plus, the monthly costs of maintaining an in-house system can range from $2,000 to $10,000 for technology, including PCI scans and secure servers, and personnel. These figures do not even include the ancillary costs associated with regular PCI audits.
Outsourcing online payment systems presents a much more viable option for two primary reasons:
1. Cost: Cloud-based payment security solutions are more affordable and scalable than in-house systems. Typically, fees range from 10 cents to 20 cents per online transaction, along with a nominal monthly service fee.
2. Ease of use: Hosted payment acceptance solutions shift the burden and scope of PCI compliance away from merchants altogether, allowing them to focus on their business instead of being preoccupied with audits, maintaining their payment systems and other headaches associated with PCI.
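The scope difference described above (card data briefly processed in the merchant’s environment versus a hosted page that keeps it away from the merchant altogether) is easier to see in code. The following is an added illustration, not code from the article or from any named gateway: it simulates both checkout models with a toy gateway. The shared secret, the signing scheme, the field names and the test card number are all constructed for the example; a real hosted-page integration follows the gateway’s own protocol.

```python
"""
Added example (not from the original article): the in-house checkout model
versus the hosted-page model. In the in-house model the merchant's own
handler receives the full card number (PAN), so that handler and everything
around it is inside PCI DSS scope. In the hosted-page model the merchant only
builds a signed payment request and later verifies a signed result; the PAN
never reaches merchant code. All names, keys and messages are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed shared secret between the merchant and a hypothetical hosted
# gateway; a real deployment would provision this out of band.
GATEWAY_SHARED_SECRET = b"constructed-shared-secret-for-illustration"


def _sign(fields: dict, secret: bytes) -> str:
    """HMAC-SHA256 over the fields in sorted key order, excluding any 'sig'
    key, so both sides hash the same canonical string. (Values are assumed
    not to contain '&' or '='; a real protocol would escape them.)"""
    canonical = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "sig")
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def in_house_checkout(form: dict) -> dict:
    """In-house model: the merchant's own handler receives the full PAN before
    forwarding it to a gateway. Logs, memory, the web server and its network
    segment are all in PCI DSS scope because the PAN passes through here."""
    pan = form["card_number"]
    # Forwarding to the gateway is omitted; the point is that the PAN is here.
    return {"order_id": form["order_id"], "pan_seen_by_merchant": True, "last4": pan[-4:]}


def build_hosted_payment_request(order_id: str, amount_cents: int,
                                 currency: str, return_url: str) -> dict:
    """Hosted-page model, step 1: the merchant describes the payment (never
    the card) and signs it so the gateway can detect a tampered amount."""
    request = {
        "order_id": order_id,
        "amount_cents": str(amount_cents),
        "currency": currency,
        "return_url": return_url,
    }
    request["sig"] = _sign(request, GATEWAY_SHARED_SECRET)
    return request


def simulated_hosted_gateway(request: dict, card_number: str) -> dict:
    """Stand-in for the gateway's hosted page (constructed for this example):
    it checks the merchant's signature, takes the card directly from the
    shopper, and returns a signed result carrying an opaque token and the
    last four digits, not the PAN."""
    if not hmac.compare_digest(_sign(request, GATEWAY_SHARED_SECRET), request["sig"]):
        raise ValueError("merchant request signature invalid")
    result = {
        "order_id": request["order_id"],
        "amount_cents": request["amount_cents"],
        "status": "approved",
        "token": "tok_" + secrets.token_hex(8),  # random reference, not derived from the PAN
        "last4": card_number[-4:],
    }
    result["sig"] = _sign(result, GATEWAY_SHARED_SECRET)
    return result


def verify_hosted_result(result: dict, expected_amount_cents: int) -> dict:
    """Hosted-page model, step 2: the merchant accepts the gateway's result
    only if it carries no PAN, the signature verifies, and the amount matches
    the order. Nothing the merchant stores here is cardholder data."""
    if "card_number" in result:
        raise ValueError("gateway result must not carry a PAN")
    if not hmac.compare_digest(_sign(result, GATEWAY_SHARED_SECRET), result["sig"]):
        raise ValueError("gateway result signature invalid")
    if int(result["amount_cents"]) != expected_amount_cents:
        raise ValueError("amount mismatch")
    return {"order_id": result["order_id"], "pan_seen_by_merchant": False,
            "status": result["status"], "token": result["token"], "last4": result["last4"]}


def hosted_result_trusted(result: dict, expected_amount_cents: int) -> bool:
    """Convenience predicate: True only if verify_hosted_result accepts the result."""
    try:
        verify_hosted_result(result, expected_amount_cents)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed order and the standard Visa test number, never a real card.
    req = build_hosted_payment_request("order-1001", 4999, "USD", "https://merchant.example/return")
    res = simulated_hosted_gateway(req, "4111111111111111")
    print(verify_hosted_result(res, 4999))
```

The merchant side of the hosted flow touches only the order description and the gateway’s token, which is why the compliance burden moves to the gateway; the same `_sign` check also rejects a result whose amount was altered in transit, which is the other thing a merchant must verify before marking an order paid.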
Unfortunately, outsourcing online payment systems, while secure, does have its drawbacks when it comes to the end-user’s experience. Historically, hosted payment solutions have negatively impacted the customer experience, and even sales. Traditionally, when customers decide to check out on a website that uses an outsourced payments system, they are brought to a third-party payments page that is aesthetically inconsistent with the branding and feel of the retailer’s website.
The perceived disconnect between the payments page and the retailer’s website can confuse customers or make them feel that their information is vulnerable to hackers. Such concerns over being re-routed to a third-party site are a significant contributor to the number of shopping carts that customers abandon before checkout. In fact, a