Tag: PCI compliance

  • Website Compliance: The Secret To Getting Approved For Payments

    Merchants, just how familiar are you with website compliance? PCI compliance, privacy and shipping policies, terms and conditions, pricing disclosures: these are a few of the requirements that come to mind when setting up an online business.

    A lack of knowledge about website compliance can cost you a lot of money. Adhering to these types of policies can also be time consuming and confusing. Worse, your merchant application could be declined because your website is not compliant or secure.

    Payment processors conduct periodic reviews of merchant websites, so merchants can face penalties for not adhering to the latest standards. For example, a processor may freeze your account or terminate your agreement.

    In this blog post, we’ll review foolproof ways to ensure your website is compliant. We will also help you avoid common mistakes that can cost you dearly. Whether you’re a start-up or a seasoned online seller, website compliance should be top of mind to ensure you’re operating legally and within the norms expected by your payment provider.

    PCI Compliance

    PCI DSS compliance is a big deal! Of utmost importance is ensuring you’re protecting customer data, coupled with an SSL certificate for your finished website. Data leaks occur through a breach or through ignoring crucial security patches in your software or WordPress platform. You are responsible for leaks of customer data, regardless of your intention.

    Thus, take every measure to secure your network infrastructure. Additionally, update all software to prevent vulnerabilities. Encrypt hosted checkout pages with a minimum 256-bit encryption standard. Also, check that your checkout page is using TLS 1.2 or higher, particularly to guard any data sent to your gateway.

    Does this all sound Greek to you? Contact your payment or gateway service provider for requirements on your checkout page. If you prefer not to deal with this, you can decide to use a hosted page provided by your payment processor.

    Most merchants avoid this. It tends to lead to lower conversions, because buyers get redirected to another page to enter payment info. Building a secure order page will serve you well. It will also ensure access to your customers’ data for future marketing purposes.

    ASV scans and SAQ questionnaires

    While building your website, you can use an Approved Scanning Vendor (ASV) scanner. This will scan your website and list all potential vulnerabilities you can fix before going live. A quarterly scan will ensure you are doing your best to stop data breach threats. The PCI council has a list of approved vendors.

    Scans are inexpensive and fast. Performing one shouldn’t be an issue for your business. The PCI council offers self-assessment questionnaires based on a merchant’s exact business case. They can serve as a guide for what’s needed to ensure your website is secure and compliant according to the most recent data standards. At first, each questionnaire asks a few simple questions to learn which PCI self-assessment questionnaire is right for you. In our experience, most merchants providing goods or services online use the SAQ-A or SAQ-A-EP questionnaires. A full list of questionnaires is available here.

    Website Compliance Cheat Sheet

    So, you apply for a merchant account. But, as you’re ready to start trading and gearing to go live, your application is declined. Payment providers often reject applications due to website compliance issues without further explanation. Most of the larger third-party providers like Stripe and PayPal decline applicants with little information.

    Ensure your website is fully compliant. Acquirers or payment facilitators like Stripe go through a rigorous compliance checklist to ensure your website is secure. Use the following as a reference before applying for your next merchant account.

    Page footer

    Your page footer should remain static throughout the customer experience so that customers can navigate to legal and regulatory facts about your website and business at any time. As such, make sure you have the following five elements in your website’s footer.

    1. Terms and conditions

    Gone are the days of copying another website’s terms and making them your own. Underwriters review and read these to ensure they make sense and are applicable to your website and business model. This doesn’t have to cost you thousands. Many legal websites can provide a quick and personalized terms sheet for your business. It’s important to include product pricing, company name and address as well as legal jurisdiction within your terms and conditions.

    2. Privacy policy

    Your customers’ data is valuable and important. Ensuring its security and not sharing it with external parties should be imperative for you. Shared information should be limited to parties fulfilling customer orders. Outline the steps you take to ensure your customers’ privacy is protected and explain the laws you are following depending on your jurisdiction. Remember, if you have European customers, the laws are stricter than North American ones and you will need to abide by GDPR for all your European customers even if your company is not within the EU. Here’s a quick guide to GDPR standards.

    3. Customer support

    Having a link that easily allows your customers to reach out to you will build loyalty and lower your risk of chargebacks. A win-win! Make sure your customers can find how to reach you easily and through various communication methods such as phone, email, chat, Skype or even WhatsApp!

    4. Shipping policy and returns

    Give consumers confidence in knowing that buying from you is safe and their satisfaction is important to you. Providing a minimum of 30 days to return a product should be standard practice. Customers need time to receive, try out and return your product. In fact, longer return periods help in increasing consumer loyalty and sales. This is because customers feel less pressured to make a decision and may eventually forget to return the item. It’s important to include the standard delivery times your customers should expect for their package, whether you’re shipping locally or internationally. Test your fulfillment channel to avoid surprises that trigger chargebacks should customers not receive their products within the delivery times you quote.

    5. Company name and mailing address

    In every website footer always display your company name and mailing address at the bottom of your page. This information should match your company’s registration information.

    Checkout Page

    Your checkout page should include the following elements:

    • Clear and descriptive pricing above the buy now button.
    • Ensure you detail all terms of purchase. If you have any recurring charges, be very clear on when and how much the customer will be charged. Visa is updating its policies for free or discounted trial subscription merchants, so read more from our previous post on how to prepare.
    • State the currency for international sales. Chargebacks can occur because of a misunderstanding as simple as a specific dollar amount. The $ sign is commonly used in the US, Australia and Canada, but $60 USD is not the same as $60 CAD.
    • A checkbox that customers must tick to accept the terms and conditions and the price of your product.
    • A descriptor that states what customers will expect to see on their credit card statement. Make sure there is no confusion upon seeing a charge.
    • Credit card network logos, security badges and other trust symbols.

    After-sales support

    Once your customer buys your product, you’re done with the sale process, right? Nope! After-sales support and communication is part of your compliance requirements. This includes the following:

    • Provide customers with a transaction receipt by email. Include all the important details they need, including tracking numbers, shipping times and, of course, a link to your contact information. As of April 2020, Visa will require merchants with a subscription product or service to provide customers a link where they can easily cancel. A merchant must communicate with their customer at least seven days prior to charging the subscription fee. This is regardless of whether you’re selling supplements, a digital info product or a dating membership, for example.
    • Ensure your customers can call and talk to a support agent most hours of the day. If you’re located in the US, but most of your customers are European, adjust your hours of operation. Also, offer email and chat support with reasonable delays for responses.

    No matter how big or small your business is, data breaches can be costly, because of potential fines and loss of customer trust. Follow the tips above and work with a reputable merchant account provider such as DirectPayNet.

    As experts, we help ensure you’re adhering to website compliance standards. You will receive invaluable advice to keep your business safe. Contact us today to discuss PCI and website compliance.

  • PCI Compliance: Don’t Risk Your Business Ignoring This Important Protocol

    Not adhering to PCI compliance security guidelines is putting your company at increased risk of a credit card data breach. This is a critical topic that all online businesses — especially high-risk merchants with large enterprises — need to follow. So, what are you doing about it?

    PCI compliance remains a major issue due to a series of cyber security incidents in recent years. Corporations like Verizon, Home Depot, Equifax, and Kmart have all been affected by cyber breaches of customers’ payment information. Consequently, protecting customers’ online security has never been more important for card-not-present merchants, big or small.

    Now is the time to become PCI compliant if you are not already. If you are uncertain about your own web security, DirectPayNet will provide some guidance.

    PCI compliance explained

    The Payment Card Industry Data Security Standard (PCI DSS) is an information security framework applicable to all businesses accepting credit card payments. If your company stores and transmits cardholder data, PCI compliance is essential. Non-compliance fees from card providers are not the only risk factor and shouldn’t be the sole reason for complying. Even so, concern over basic non-compliance risks alone tends to motivate firms to institute PCI DSS or other security controls to at least a minimum level.

    The current state of PCI compliance

    Despite significant business risks, few companies are in full compliance with PCI DSS. Verizon recently released a 2018 Payment Security Report. It was reported that nearly half (47.5%) of all companies assessed for compliance validation had faulty DSS controls. Simultaneously, the number of businesses adhering to PCI compliance appears to be decreasing year-on-year from 2016 to 2017.

    (Source: Verizon 2018 Payment Security Report)

    Moreover, Verizon found that the degree to which companies are failing their PCI compliance tests has been growing. Trends show it is back to levels seen in 2012 when familiarity with PCI DSS was less common and compliance was merely 11.1%.

    (Source: Verizon 2018 Payment Security Report)

    For the most part, companies are following the bare minimum data security protocols rather than thoroughly maximizing their cybersecurity protections. Fewer than one in five enterprises (18%) measure their PCI DSS controls more often than the standard requires.

    Liabilities associated with lack of PCI compliance

    Acquiring banks and processors could impose more penalties on companies for nonconformance, including charges linked to insufficient data security controls. The goal is to prod businesses to become PCI compliant. PCI compliance fees are commonly around $8 per month, while non-compliance fees average $20 monthly. Not complying can be costlier should your business suffer a breach as you would be subject to hefty fines and may lose your merchant account if you were negligent. These types of fines (in addition to chargeback fees) ought to be prevented, so they do not reduce revenue.

    Applicable rules and fees depend on the card network, your acquiring bank, geographical location of your business, and transaction volume. Fines hinge on the level of forensic research and recovery required by financial institutions. On top of that, the fallout from data breaches can cause severe financial stress or even bankruptcy. How much is your company willing to shell out on legal obligations and public relations?

    The long-term effects of data breach

    IBM’s 2017 Cost of Data Breach Study found the average total cost to businesses with a data breach was $3.62 million. The average cost per stolen record to a business was $141 as well as bad publicity and lost revenue. Additionally, the report found that one data breach increases the risk of another incident by 27.7% over the next two years.

    The ongoing impact on your organization can be substantial should inadequate security result in a breach. This includes loss of customer loyalty, termination of bank and merchant accounts, and even placement on the MATCH list. As a high-risk merchant you probably rely heavily on credit card processing for high volume and high-ticket items. PCI compliance is mandatory to protect your customers’ invaluable personal, confidential data.

    Moreover, businesses large and small don’t realize that data has been compromised until weeks or even months after the violation. Smaller and mid-sized merchants are commonly targeted by cybercriminals, because security tends to be weaker in these companies.

    In the US, PCI DSS is unenforced at the federal level, but many individual state laws do apply this policy. Merchants are responsible for ensuring they are compliant with the relevant laws in each jurisdiction where they conduct business.

    What are your next steps for PCI compliance?

    PCI compliance is routine for all online vendors. It is designed to implement and preserve a secure network, safeguard cardholder data, and establish strong access control measures. It is also meant to strengthen information security policy and uphold a vulnerability management program.

    The PCI Security Standards Council offers a variety of assessment questionnaires to organizations. Only one requires completion, but the type will depend on how your company handles sensitive payment information. If you are currently processing orders from online buyers, chances are you passed a PCI compliance check when issued a merchant account. However, it is critical to review annually as payment and security technology changes very rapidly.

    How secure is your checkout page?

    Checkout page encryption is a vital aspect of PCI compliance. It is vital to the long-term trust of customers who enter highly sensitive information on your order page. Tell shoppers clearly which fields are required. If possible, use one page to collect all data. Ensure your SSL certificate is renewed yearly and you are using the highest level of encryption possible. Update all versions of any software vital to your checkout process. Old editions can compromise your environment, as hackers may have gained access through vulnerabilities. New software upgrades address vulnerabilities already taken advantage of by hackers.

    PCI compliance and cyber security start with your checkout cart or CRM. The software platform you use to facilitate online purchases should be reliable and robust, with a proven track record for safe and secure buying capabilities. Additionally, most merchants do not consider if their CRM can synchronize with gateways and processors. Ensure the entire transaction flow from website to merchant account is uncompromised. All vendors handling collection of customer data or processing payments must possess a certain level of PCI compliance. Be prepared to present proof of security certificate(s) if requested by an acquiring bank.

    Upgrade from HTTP to HTTPS

    HTTPS encryption can only enhance the security environment of your company. If you have not done so already, upgrade from HTTP to HTTPS by acquiring an SSL certificate from your hosting provider. This encryption is one layer of protection against malware across major web browsers and other vulnerabilities. High-risk merchants can conduct monthly quality assurance by deploying select staff members (e.g. programmers) to test the buying funnel from CRM to thank you page.
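    A checkout-page TLS check of the kind this section and the earlier post’s PCI section describe (TLS 1.2 or higher, a certificate renewed before it lapses), written here as an added example and not DirectPayNet’s own code: it connects with the platform trust store, refuses anything below TLS 1.2, and reports the negotiated protocol, cipher strength and certificate expiry. The placeholder host name, the 30-day renewal warning and the 128-bit cipher floor are assumptions.

```python
"""Checkout-page TLS check: added example, not DirectPayNet's code.
Assumed: the HOST placeholder, the 30-day renewal warning and the
128-bit cipher floor; TLS 1.2 or higher is the posts' own requirement."""
import socket
import ssl
import sys
import time

MIN_DAYS_BEFORE_EXPIRY = 30   # assumed renewal warning threshold
MIN_CIPHER_BITS = 128         # assumed cipher strength floor
DAY = 86400                   # seconds per day


def evaluate_tls(version, cipher_bits, not_after_epoch, now_epoch):
    """Score a handshake result; an empty list means the endpoint passes.

    version       -- string as returned by ssl.SSLSocket.version()
    cipher_bits   -- secret key bits as returned by ssl.SSLSocket.cipher()
    not_after_epoch / now_epoch -- Unix timestamps in seconds
    """
    findings = []
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"protocol {version} is below TLS 1.2")
    if cipher_bits < MIN_CIPHER_BITS:
        findings.append(f"cipher key length {cipher_bits} bits is weak")
    remaining_days = (not_after_epoch - now_epoch) / DAY
    if remaining_days <= 0:
        findings.append("certificate has expired")
    elif remaining_days < MIN_DAYS_BEFORE_EXPIRY:
        findings.append(f"certificate expires in {int(remaining_days)} days")
    return findings


def check_checkout_page(host, port=443):
    """Connect with the platform trust store and evaluate the handshake."""
    ctx = ssl.create_default_context()
    # Refuse TLS 1.0/1.1 at the client; an endpoint that only offers those
    # (or presents an untrusted or expired certificate) fails the handshake.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                _name, _proto, bits = tls.cipher()
                not_after = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
                return evaluate_tls(tls.version(), bits, not_after, time.time())
    except OSError as exc:
        return [f"connection or handshake failed: {exc}"]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "checkout.example.com"  # placeholder
    problems = check_checkout_page(target)
    print("PASS" if not problems else "\n".join(problems))
```

Run it against your own checkout host before applying for a merchant account; a non-empty list is something to fix before an underwriter or ASV scan finds it.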

    Organizations should be self-motivated to maximize cyber defences and ensure data is safe, especially as online security is becoming increasingly precarious. Medium- to large-sized businesses often struggle to effectively manage their IT security, payments, risk and compliance in-house. Having a knowledgeable team of payment experts available is invaluable for day-to-day credit card processing. It is equally worthwhile for properly overseeing technology, risk, and compliance tasks associated with credit card acquiring. If you are experiencing these challenges in-house, it is time to connect with an expert.

    DirectPayNet has a wealth of experience in payment processing. Our team will help you with PCI compliance and strategy development to secure all aspects of your high-risk organization. Email us to get one-on-one attention for your ecommerce business today.