Merchants, just how familiar are you with website compliance? From PCI compliance to privacy and shipping policies, terms and conditions, and pricing disclosures, these are a few of the requirements that come to mind when setting up an online business.
A lack of knowledge about website compliance can cost you a lot of money. It can also be time-consuming and confusing to adhere to these types of policies. Worse, your merchant application could be declined because your website is not compliant or secure.
Payment processors conduct periodic reviews of merchant websites. Thus, merchants can face penalties for not adhering to the latest standards. For example, a processor may freeze your account or terminate your agreement.
In this blog post, we’ll review foolproof ways to ensure your website is compliant. We will also help you avoid common mistakes that can cost you dearly. Website compliance should be top of mind to ensure you’re operating legally and within the norms expected by your payment provider. It doesn’t matter if you’re a start-up or a seasoned online seller.
PCI DSS compliance is a big deal! Of utmost importance is ensuring you’re protecting customer data, coupled with an SSL certificate for your finished website. Data leaks occur through a breach or through ignoring crucial security patches in your software or WordPress platform. You are responsible for leaks of your customers’ data, regardless of your intention.
Thus, take every measure to secure your network infrastructure. Additionally, update all software to prevent vulnerabilities. Encrypt hosted checkout pages with a minimum 256-bit encryption standard. Also, check that your checkout page is using TLS 1.2 or higher, particularly to guard any data sent to your gateway.
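The TLS checks above can be scripted. The following is an added example, not code from the original post or from DirectPayNet: it connects to a checkout host with a client that refuses anything below TLS 1.2, records the negotiated protocol and cipher key size, then separately tries a TLS 1.0/1.1-only handshake to confirm the server rejects legacy versions. The hostname `checkout.example.com` is a placeholder, and the 256-bit floor is taken from the post’s own requirement.

```python
import socket
import ssl

# Floors stated in the post: TLS 1.2 or higher, and 256-bit symmetric keys.
COMPLIANT_VERSIONS = ("TLSv1.2", "TLSv1.3")
MIN_CIPHER_BITS = 256


def version_is_compliant(version):
    """Classify a protocol name as returned by ssl.SSLSocket.version()."""
    return version in COMPLIANT_VERSIONS


def strict_client_context():
    """Client context that refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_probe_context():
    """Client context offering only TLS 1.0/1.1, to confirm the server rejects them.

    Certificate checks are off because only handshake success matters here.
    Returns None when the local OpenSSL build cannot speak those versions.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1
        # Newer OpenSSL hides TLS < 1.2 at its default security level.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    return ctx


def negotiated_parameters(hostname, port=443, timeout=5.0):
    """Handshake with the strict context; return (protocol version, cipher bits)."""
    ctx = strict_client_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            _name, _proto, bits = tls.cipher()
            return tls.version(), bits


def accepts_legacy_tls(hostname, port=443, timeout=5.0):
    """True if the server completes a TLS 1.0/1.1 handshake; None if untestable."""
    ctx = legacy_probe_context()
    if ctx is None:
        return None
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return tls.version() in ("TLSv1", "TLSv1.1")
    except (ssl.SSLError, OSError):
        return False


def assess(version, cipher_bits, legacy_accepted):
    """Turn the observations into findings (failures) and notes (caveats)."""
    findings, notes = [], []
    if not version_is_compliant(version):
        findings.append("negotiated %s; TLS 1.2 or higher is required" % version)
    if cipher_bits < MIN_CIPHER_BITS:
        findings.append("cipher uses %d-bit keys; the post's floor is %d"
                        % (cipher_bits, MIN_CIPHER_BITS))
    if legacy_accepted is True:
        findings.append("server still accepts TLS 1.0/1.1; disable them")
    elif legacy_accepted is None:
        notes.append("legacy probe unsupported by local OpenSSL; confirm with your provider")
    return {"compliant": not findings, "findings": findings, "notes": notes}


def check_checkout_page(hostname, port=443):
    """End-to-end check against a live host (network required)."""
    try:
        version, bits = negotiated_parameters(hostname, port)
    except (ssl.SSLError, OSError) as exc:
        return {"compliant": False,
                "findings": ["TLS 1.2+ handshake failed: %s" % exc],
                "notes": []}
    return assess(version, bits, accepts_legacy_tls(hostname, port))


if __name__ == "__main__":
    # "checkout.example.com" is a placeholder; point this at your own checkout host.
    print(check_checkout_page("checkout.example.com"))
```

Run it against your own checkout hostname only; the legacy probe disables certificate verification because it exists solely to see whether an outdated handshake completes, never to exchange data. If the probe reports `None`, the machine running the script cannot speak TLS 1.0/1.1 at all, so ask your gateway provider to confirm those versions are disabled on their side.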
Does this all sound Greek to you? Contact your payment or gateway service provider for requirements on your checkout page. If you prefer not to deal with this, you can decide to use a hosted page provided by your payment processor.
Most merchants avoid this. It tends to lead to lower conversions, because buyers get redirected to another page to enter payment info. Building a secure order page will serve you well. It will also ensure access to your customers’ data for future marketing purposes.
ASV scans and SAQ questionnaires
While building your website, you can use an Approved Scanning Vendor (ASV). Its scanner will check your website and list all potential vulnerabilities you can fix before going live. A quarterly scan will ensure you are doing your best to stop data breach threats. The PCI council has a list of approved vendors.
Scans are inexpensive and fast. Performing one shouldn’t be an issue for your business. The PCI council offers self-assessment questionnaires based on a merchant’s exact business case. They can serve as a guide for what’s needed to ensure your website is secure and compliant according to the most recent data standards. At first, each questionnaire asks a few simple questions to learn which PCI self-assessment questionnaire is right for you. In our experience, most merchants providing goods or services online use the SAQ-A or SAQ-A-EP questionnaires. A full list of questionnaires is available here.
Website Compliance Cheat Sheet
So, you apply for a merchant account. But, as you’re ready to start trading and gearing up to go live, your application is declined. Payment providers often reject applications due to website compliance issues without further explanation. Most of the larger third-party providers like Stripe and PayPal decline applicants with little information.
Ensure your website is fully compliant. Acquirers or payment facilitators like Stripe go through a rigorous compliance checklist to ensure your website is secure. Use the following as a reference before applying for your next merchant account.
Your page footer should remain static throughout the customer experience so customers can navigate to legal and regulatory facts about your website and business at any time. As such, make sure you have the following five elements in your website’s footer.
1. Terms and conditions
Gone are the days of copying another website’s terms and making them your own. Underwriters review and read these to ensure they make sense and are applicable to your website and business model. This doesn’t have to cost you thousands. Many legal websites can provide a quick and personalized terms sheet for your business. It’s important to include product pricing, company name and address as well as legal jurisdiction within your terms and conditions.
2. Privacy policy
Your customers’ data is valuable and important. Ensuring its security and not sharing it with external parties should be imperative for you. Shared information should be limited to parties fulfilling customer orders. Outline steps you take to ensure your customers’ privacy is protected and explain the laws you are following depending on your jurisdiction. Remember, if you have European customers, the laws are stricter than North American ones and you will need to abide by GDPR for all your European customers even if your company is not within the EU. Here’s a quick guide to GDPR standards.
3. Customer support
Having a link that easily allows your customers to reach out to you will build loyalty and lower your risk of chargebacks. A win-win! Make sure your customers can find how to reach you easily and through various communication methods such as phone, email, chat, Skype or even WhatsApp!
4. Shipping policy and returns
Give consumers confidence in knowing that buying from you is safe and their satisfaction is important to you. Providing a minimum of 30 days to return a product should be standard practice. Customers need time to receive, try out and return your product. In fact, longer return periods help in increasing consumer loyalty and sales. This is because customers feel less pressured to make a decision and may eventually forget to return the item. It’s important to include the standard delivery times your customers should expect for their package, whether you’re shipping locally or internationally. Test your fulfillment channel to avoid surprises that trigger chargebacks should customers not receive their products within the delivery times you quote.
5. Company name and mailing address
Always display your company name and mailing address in the footer at the bottom of every page. This information should match your company’s registration information.
Your checkout page should include the following elements:
- Clear and descriptive pricing above the buy now button.
- Detail all terms of purchase. If you have any recurring charges, be very clear on when and how much the customer will be charged. Visa is updating its policies for merchants offering free or discounted trial subscriptions, so read our previous post on how to prepare.
- State the currency for international sales. Chargebacks can occur because of a misunderstanding as simple as a specific dollar amount. The $ sign is commonly used in the US, Australia and Canada, but $60 USD is not the same as $60 CAD.
- A checkbox that customers must click to accept the terms and conditions and the price of your product.
- A descriptor that states what customers will expect to see on their credit card statement. Make sure there is no confusion upon seeing a charge.
- Credit card network logos, security badges and other trust symbols.
Once your customer buys your product, you’re done with the sale process, right? Nope! After-sales support and communication is part of your compliance requirements. This includes the following:
- Provide customers with a transaction receipt by email. Include all important details they need, including tracking numbers, shipping times and, of course, a link to your contact information. As of April 2020, Visa will require merchants with a subscription product or service to provide customers a link where they can easily cancel. A merchant must communicate with their customer at least seven days prior to charging the subscription fee. This applies regardless of whether you’re selling supplements, a digital info product or a dating membership, for example.
- Ensure your customers can call and talk to a support agent most hours of the day. If you’re located in the US, but most of your customers are European, adjust your hours of operation. Also, offer email and chat support with reasonable response times.
No matter how big or small your business is, data breaches can be costly, because of potential fines and loss of customer trust. Follow the tips above and work with a reputable merchant account provider such as DirectPayNet.