Online Payments Blog

Industry News and discussions relating to Online Payments and Application Security.
Oct 26, 2009

Who cares about PCI DSS?

Posted by Dave in survey findings, security, PCI DSS, Heartland, Application Security

The PCI DSS is a set of minimum requirements designed to reduce the likelihood of a data breach occurring. The emphasis is on 'minimum set of requirements' and 'reduce the likelihood': preventing attacks by sophisticated attackers requires a much higher standard of security than the baseline the standard sets. In our recent blog post on the Heartland court filing documents we gained an insight into how PCI compliance was viewed by Heartland. Since publishing that post, two reports have emerged that give further insight into how PCI DSS is viewed by the wider community.

Imperva, specialists in data security, and the Ponemon Institute carried out a survey across more than 500 U.S. and multinational IT organisations. I will not go into detail on the survey findings as you can read a detailed analysis at darkreading.com or iTWire. Importantly, the findings reveal that roughly 30 percent of organisations take PCI security seriously, while the others see it as a check box. Had this survey taken place prior to the Heartland data breach, I suspect Heartland would have been included in the 70% of organisations that viewed PCI DSS as a checkbox routine.

The Web Application Security Consortium has published its Web Application Security Statistics report for 2008. The report covers 12,186 web applications with 97,554 detected vulnerabilities of different risk levels. It has some interesting findings, but the one relevant to this discussion is that 99% of the web applications were not compliant with PCI DSS requirements. We do not have any information on the nature of the web applications included in the survey (e.g. whether they were in the financial services industry), but even so this is a rather shocking statistic.

PCI DSS is a minimum set of requirements, but realistically a much higher level of security is required to protect cardholder information. If the industry continues to struggle to implement even this minimum set of requirements, then the number of data breaches will continue to increase.


Dave


May 15, 2009

Multiple Payment Options and Cart Abandonment

Posted by Dave in survey findings, multiple payment options, cart abandonment

The findings of a UK survey carried out by YouGov and commissioned by ClickAndBuy were released earlier this week. Normally I do not pay too much attention to these types of surveys, as it is difficult to know whether they were carried out independently; it is unusual for the details of how a survey was conducted to be published alongside it. These surveys also tend to be a marketing exercise for the company that commissions them. I had not heard of ClickAndBuy before this survey was published, so the marketing is working.


The findings of the survey have been reported on a number of sites this week. Some of the findings directly relate to the recent discussion on our forum about providing multiple payment options to your customers. The survey findings indicate that online retailers are losing potential customers because of their choice of payment methods.

Here are the two findings that I am referring to:

If the preferred method of payment is not available, 50% of people cancel the purchase

50% of the people surveyed said they would cancel their purchase if their preferred method of payment is not available. I think it would have been useful if the survey had included a question to determine the preferred method of payment for each person surveyed.

Offering multiple payment options gives confidence to online retailers

31% of people surveyed said they would feel more comfortable purchasing from an online retailer who offers a wide range of payment methods than from a retailer who offers one payment option. This is the figure that has been reported in the media, but I think the figure of 42% of people who neither agreed nor disagreed is also relevant.

These findings are in line with the general consensus reached in our forum discussion:

  • You should know your target audience and provide payment options that suit their needs.
  • Merchants will move up the "food chain" of payment platforms.

I think the idea of a payment platform "food chain" is particularly relevant in today's market and it is an area that is often overlooked by those running online shops. As sales increase you will evolve the traditional areas of your business to deal with this. Typically you will upgrade your internal processes to handle the increased orders, focus on managing stock levels and possibly make performance improvements to the web site. Your payments platform is an integral part of your business and it must also grow and evolve along with the rest of your business.

From my experience, start-up companies are reluctant to go down the route of a Payments Service Provider (PSP) and Internet Merchant Account (IMA). The main reason is that they do not want to commit to the monthly fees, or they are unable to get an IMA. As a result they opt for PayPal or a similar payments bureau, the key selling points being no setup costs, no monthly fees, and paying only when you make a sale.

Offering PayPal or a competing payments bureau alone does not create the best impression for your business. Personally, I feel that using PayPal as the sole payment method for a web site does not give a professional impression of the business; I see it along the same lines as providing an email address and a mobile phone number as the only contact details on a site.

With PayPal you will not be able to accept Laser cards, and you will also have delays in accessing your funds. Accepting Laser cards is very important if your client base is Irish, and the time it takes to access your funds is particularly important in the early days of any business. In the very early days cash may be very tight, so PayPal may be the only option even with the negatives I have outlined above. The key point I want to make is that once your site starts getting traffic and you start making sales, your immediate next step should be to get an IMA and start using the services of a PSP.

If you are serious about your online business in Ireland then you should be aiming to offer the following methods of payment:

  • Credit/Debit Card
  • PayPal

As your business continues to grow and you learn more about your customers you can continue to evolve your payments platform by adding items such as:

  • Offline Payment
  • Local Payment Methods
  • Dynamic Currency Conversion (DCC)
  • Gift Vouchers
  • Direct Integration for Credit/Debit Card i.e. customer does not go offsite to enter their card details.


Some questions:

  • Do you agree on the concept of evolving your payments platform?
  • How many payment methods do you offer on your site?
  • Do you have high cart abandonment rates?
  • Does anyone know of any surveys that have been carried out on the Irish market?


Dave
