Published: January 25 2009
E-Commerce isn't as easy as it seems, and there are some really big liability issues when taking credit cards online. See below for 5 common misconceptions about accepting credit cards online.
- IT'S SAFE TO SEND THE CREDIT CARD INFORMATION THROUGH A SECURE EMAIL
So, you have a product you sell online. You believe everything is as it should be. Your company receives the orders with credit card details in a "secure email". Once the "secure email" has been received, you manually process the credit card and ship the order. If this sounds like your company you may be in a heap of trouble. Guess what? There is no such thing as sending credit cards through a "secure email".
- THE CREDIT CARD INFORMATION IS SAFE BECAUSE I HAVE AN SSL CERTIFICATE
You have an SSL (secure sockets layer) certificate. You think all the information transmitted is safe and secure. Sorry, this will not do; by itself it is not enough. The SSL certificate merely tells your customers that an independent trusted third party has verified that the website belongs to you or your business. The purpose of the certificate is to give customers confidence that they are sending personal information "securely" and to the right place. This alone is not enough to protect credit card holder data.
- THE CREDIT CARD INFORMATION IS SAFE BECAUSE IT IS SAVED IN A PASSWORD-PROTECTED AREA
Your company has purchased an off-the-shelf ecommerce shopping cart system or even possibly had a custom solution developed. The solution allows customers to shop for products, add items to the cart and proceed to a checkout. At this point you and your developers send the consumer to a page on your website where they enter all their personal data, billing information, shipping information and payment details (a.k.a. credit card number). Instead of the system sending you a "secure email" with the cardholder's data, you have wised up and know that is a big no-no. Now you and your developer have the information transmitted from your hosting account and saved in your "secure" administration menu within your website. All you need to do is log in, get the order details, process the card and ship the goods. Right? Wrong! Again, storing credit card data is not possible unless you have become PCI compliant.
- THE CREDIT CARD INFORMATION IS SAFE BECAUSE IT WAS ENCRYPTED BEFORE IT WAS SAVED ON THE SERVER
You think you have a solution all figured out. This time you create a shopping cart system and have the consumer visit a page on your website where they enter all their personal data, billing information, shipping information and payment details (credit card number). You receive an email stating an order has been received (with no credit card details this time), and you log in to your admin panel to get the order details along with the credit card information. This time you are having the credit card numbers stored in your "safe" administration panel because you think they are safe this time, as the credit card numbers are now encrypted. Safe, you think? Sorry, still not safe. Having these numbers, encrypted or not, stored on your hosting is just not possible unless you have become PCI compliant, and it depends on the level you are compliant for. (Sound like a broken record yet?)
- THE CREDIT CARD INFORMATION IS SAFE BECAUSE IT ISN'T BEING SAVED ON THE SERVER
You are getting smarter... This time you do not have your developer create a shopping cart system that stores the credit card number from your customer orders, as you have finally learned this is not possible without spending tens of thousands of dollars to satisfy the security requirements outlined by the Payment Card Industry (PCI). Instead you develop a shopping cart system where the customer enters all their personal data, billing information, shipping information and credit card number. The credit card number is not stored on your website in any shape or form, encrypted or otherwise. This time the shopping experience all takes place on your website. You connect to a payment gateway that processes the payment for you and deposits directly into your bank account. All you need to do is ship the product. Right? Wrong again. Even though you are connecting to a payment gateway to process the charge to the card, you are still sending or transmitting the card number from your website. Unless you have gone through the process of becoming PCI compliant, you cannot even transmit the numbers from your website.
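Added example, not part of the original post: a check a merchant can run over their order-notification mailbox or an admin-panel export to confirm that no full card number is being emailed or kept (misconceptions 1, 3 and 4 above). The records are constructed samples, the formats are assumed, and the Luhn check keeps phone numbers and order ids of similar length from counting as hits.

```python
import re

# Constructed sample records, the kind a merchant finds in an order-notification
# mailbox or an admin-panel export (assumption: formats are illustrative only).
SAMPLE_RECORDS = [
    "Order 1042 from Jane: visa 4111 1111 1111 1111 exp 09/11 ship to 12 Elm St",
    "Order 1043: card ending 1111, gateway ref txn_8843, total $45.00",
    "Order 1044: phone 4111111111112 (looks like a card but fails Luhn)",
    "Order 1045: amex 3782-822463-10005 billing 90210",
]

# Candidate 13-19 digit runs, allowing the spaces or dashes people type.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check every real card number
    satisfies; this rules out phone numbers and order ids of similar length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return the full card numbers (digits only) found in one record."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found

def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the truncated form a receipt may show."""
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_records(records) -> list:
    """(record index, masked PAN) for each record holding a full card number;
    any hit means cardholder data is being emailed or stored, not just masked."""
    return [(i, mask_pan(p)) for i, rec in enumerate(records) for p in find_pans(rec)]

if __name__ == "__main__":
    for idx, masked in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: full card number present ({masked})")
```

Records 0 and 3 are reported; record 1 keeps only the last four digits and a gateway reference, which is the shape an order record can safely have.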
Ignorance will not help you in any of these situations. You need to make informed decisions. The penalties and fines for failure to comply with the requirements or rectify a security issue are severe. Fines range from $10,000 to $500,000 per incident depending on the severity of the situation and the magnitude of the compromise. In addition, should a security breach occur in your environment, you will be liable for the cost of any required forensic investigations, any fraudulent purchases, the cost of re-issuing cards, and you may be subject to the loss of credit card acceptance privileges.
Ecommerce is an excellent way to do business in this day and age. It is not difficult or costly to become PCI compliant. Implementing a few processes to handle credit card data properly will put a PCI Certificate in your hand, keep you compliant with payment standards and have you sleeping like a baby.
Call DotCom Media to learn how we can help you or feel free to email us your questions.
Experience... We got it.