Here’s a fact that’s not-so-surprising: more than half of Americans (51%) prefer to shop online rather than in stores. If we’re talking about Millennials, that number reaches 67%.
The (somewhat obvious) thing to note about e-commerce is that customer payments are card-not-present transactions. That means customers aren't swiping or dipping their cards; they're inputting sensitive information like their card number, billing address, etc. If more than half of shoppers are purchasing products and services from their phones, tablets and computers, they need to trust that the businesses they buy from will keep the sensitive information they provide safe.
Just this week, the PCI Security Standards Council released their Best Practices for Securing E-Commerce, an informational supplement to earlier guidelines published in 2013 "meant to educate merchants on accepting payments securely online."
It’s a long document (64 pages to be exact), so we’ve reviewed it and taken a few easy-to-digest highlights. First, they’ve laid out the types of e-commerce solutions to consider:
TYPES OF E-COMMERCE IMPLEMENTATIONS
URL Redirects (Shared-Management E-Commerce)
This is when a customer is redirected from a merchant’s website to a third-party page.
Inline Frames (iFrames)
This is a method of embedding a web page (here, the payment provider's form) within the merchant's web page. The browser isolates the embedded frame from the parent page, so scripts running on the merchant's site cannot read or manipulate what the customer types into the frame.
Direct Post Method (DPM)
This is typically used by larger merchants that would like more control over the look and feel of their platform. With the DPM, the merchant's website creates the shopping cart and the payment page. When a customer enters their information in the payment form, the browser sends it directly to the payment processor rather than to the merchant's systems. Because the merchant's web server still delivers that form to the customer's browser, a compromise of the server can still alter the form, so this approach does not take the merchant's site out of scope.
Application Programming Interface (API)
This is a method of system-to-system data transmission where the merchant is in complete control: it creates the payment page, receives the payment information on its own systems, and then transmits the data to the payment processor. This type of e-commerce solution is generally used by larger organizations with specific processing needs, and it places the most PCI DSS responsibility on the merchant.
Wholly Outsourced Solutions
These solutions are hosted entirely on a service provider's infrastructure, like a hosted shopping cart. This type of solution can reduce the number of responsibilities associated with managing PCI compliance, since the merchant's systems never see cardholder data.
Now that you’ve seen the options, the PCI Council laid them out in the chart below to demonstrate the risks and benefits of each:
When selecting the best e-commerce solution for you, the PCI Council has provided a few elements of security to consider:
Encryption + Temporary Storage
PCI DSS requires that cardholder data be encrypted when transmitted across open, public networks and rendered unreadable wherever it is stored, and that sensitive authentication data (such as the card security code) never be stored after authorization. Make sure the solution you choose protects your customers' information from the very instant it's shared, and does not keep temporary copies of it along the way.
In addition to requesting the card security code (printed on the back of most cards, or on the front of an American Express card), you can use other verification methods like 3-D Secure, which adds an authentication step run by the card issuer (in its original version, a password the cardholder set up in advance) before the payment is approved.
Suspicious Activity Protection
Fraud-detection tools such as transaction monitoring and alerting services (Kount is one example) can help flag and track attempts at fraudulent charges.
Data Caching Avoidance Mechanisms
It is recommended that web forms disable autocomplete, particularly for the fields that request payment information, so that browsers do not store copies of sensitive data that could later be read from the customer's device.
Third-Party Content in Payment Forms
If third-party content such as images or scripts is included on a payment form, that content loads in the same page as the customer's card data. This is a vulnerability for the merchant: an attacker who compromises the third party, or the connection to it, gains an opportunity to steal the sensitive information entered on the form.
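To make the last two points concrete, here is a small static check, added by us and not part of the PCI Council document, that scans a payment page's HTML for payment fields that still allow autocomplete and for resources loaded from origins the merchant has not approved. The sample page, the field-name pattern and the allowlist are all constructed for the example; a real review would run this against the actual checkout page and tune the pattern to its field names.

```javascript
// Added example (not from the PCI Council document): a regex-based audit of a
// payment page's HTML. No browser or dependencies needed; runs under Node.js.

// Constructed pattern for field names that carry card data. Tune to your own form.
const PAYMENT_FIELD_NAMES = /(card|cc|pan|cvv|cvc|csc|expir)/i;

// Parses the attributes of a single HTML tag into a lowercase-key map.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Returns the names of payment-related <input> fields whose autocomplete is not "off".
// Values such as autocomplete="cc-exp" explicitly invite the browser to store the
// data, so anything other than "off" is reported.
function findAutocompleteLeaks(html) {
  const leaks = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const a = parseAttrs(tag);
    const label = a.name || a.id || '';
    if (!PAYMENT_FIELD_NAMES.test(label)) continue;
    if ((a.autocomplete || '').toLowerCase() !== 'off') leaks.push(label);
  }
  return leaks;
}

// Collects every external origin that scripts, images, frames or stylesheets are
// loaded from, and returns the ones missing from the merchant's allowlist.
function findThirdPartyOrigins(html, pageOrigin, allowlist) {
  const origins = new Set();
  const re = /<(script|img|iframe|link)\b[^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const a = parseAttrs(m[0]);
    const url = a.src || a.href;
    if (!url) continue;
    let origin;
    try { origin = new URL(url, pageOrigin).origin; } catch (e) { continue; }
    if (origin !== pageOrigin) origins.add(origin);
  }
  return [...origins].filter(o => !allowlist.includes(o)).sort();
}

// Constructed sample checkout page: one card field done right, two that leak,
// one approved PSP frame, one approved CDN image, and one unapproved analytics tag.
const SAMPLE_PAGE = `
<form action="/pay" method="post">
  <input type="text" name="cardNumber" autocomplete="off">
  <input type="text" name="cvv">
  <input type="text" name="expiry" autocomplete="cc-exp">
  <input type="text" name="billing_zip">
  <script src="/static/checkout.js"></script>
  <script src="https://cdn.analytics-vendor.example/tag.js"></script>
  <img src="https://cdn.shop.example/logo.png">
  <iframe src="https://pay.psp.example/hosted-field"></iframe>
</form>`;

function auditSamplePage() {
  return {
    autocompleteLeaks: findAutocompleteLeaks(SAMPLE_PAGE),
    unapprovedOrigins: findThirdPartyOrigins(
      SAMPLE_PAGE,
      'https://shop.example',
      ['https://cdn.shop.example', 'https://pay.psp.example'],
    ),
  };
}

console.log(auditSamplePage());
```

On the sample page the audit reports `cvv` and `expiry` as autocomplete leaks and `https://cdn.analytics-vendor.example` as the one unapproved origin. The point of the allowlist is that every origin on the payment page is a deliberate decision; a tag added "just for analytics" sits next to the card fields and must be reviewed like any other code that handles cardholder data.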
Tokenization
Tokenization is the process of replacing card data with tokens, surrogate values that have no mathematical relationship to the card number, so that in the event of a data breach the stolen tokens are of no use to an attacker.
Here are a few other tips we pulled that will be useful when determining and managing your best e-commerce solution:
While it may seem daunting, securing e-commerce transactions shouldn’t be difficult if you’re using the right technologies. If you’d like more details on anything mentioned here, let us know in the comments section below.