March 30 2010

PCI Compliance Deadline – July 1, 2010


PCI (payment card industry) compliance will be mandatory, and the deadline for all merchants and processors to be PCI compliant is July 1, 2010.  PCI compliance is required if you receive, store or process the Primary Account Number (PAN), the main credit card number of the customer, which is between 13 and 19 digits long (16 for most Visa and MasterCard cards, 15 for American Express).  In addition, a merchant or acquirer must remember that if a PAN is stored or processed, the other information that travels with it, such as the cardholder's name and expiry date, must be protected as well, and that the CVV/CVC and other sensitive authentication data may not be stored at all once the transaction has been authorized.

A common misconception is that PCI compliance is a law.  It is not a law; it is a security standard set by the five major card brands (Visa, MasterCard, American Express, Discover and JCB) and enforced through the merchant agreement with your acquiring bank, which can levy fines or withdraw card acceptance for non-compliance.  The body that maintains the standard is the PCI Security Standards Council (PCI SSC).  Prior to the council's formation each card brand had its own security program; with the five brands united behind the PCI SSC there is one set of security standards instead of five.

There are four merchant levels, each with its own validation requirements for PCI DSS compliance (the transaction counts below are Visa's; MasterCard's are similar):

Level 1 – a merchant that processes more than 6,000,000 transactions per year.  The merchant must bring a Qualified Security Assessor (QSA) on site to evaluate its security and produce a full Report on Compliance (ROC).  Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) are also mandatory.

Level 2 – a merchant that processes between 1,000,000 and 6,000,000 transactions per year.  Instead of a full ROC, the PCI Council allows Level 2 merchants to complete a Self-Assessment Questionnaire (SAQ).  Quarterly ASV scans are mandatory.  Level 2 merchants also sign a short Attestation of Compliance, which among other things confirms that they do not store sensitive authentication data such as the CVV/CVC after authorization.

Level 3 – a merchant that processes between 20,000 and 1,000,000 e-commerce transactions per year.  In place of a full ROC, Level 3 merchants complete an SAQ.  Quarterly ASV scans are also required.

Level 4 – a merchant that processes fewer than 20,000 e-commerce transactions per year (or up to 1,000,000 transactions across all channels).  Level 4 merchants complete an SAQ and quarterly ASV scans; the exact validation requirements for this level are set by the merchant's acquiring bank, so check with it rather than assume nothing is required.

If you are a merchant and do not understand what PCI compliance means for you, check with your acquiring bank, merchant service provider or web developer so they can guide you through what you will need to do to become PCI compliant before July 1st.

January 12 2009

Online Business Challenges


Like any business, online commerce has its own obstacles. Though they may present themselves differently than a brick and mortar establishment, many of these challenges are rooted in the same fundamental issues of trust, communication, and convenience. Creating a profitable eCommerce business with a positive reputation depends on your ability to navigate these challenges and provide customers with the best online shopping experience available.

The first thing to realize as an online business owner is that the vast majority of visitors to your site will not trust what they see. Customers are unimpressed with stylish layouts and amazing graphics when it comes down to actually spending money. Most people want to see legitimacy, and this can be displayed in many ways. Start by including a physical address and phone number, along with several contact emails and company bios. These things go a long way toward establishing legitimacy, but don't stop there. Partnering with other valued websites and becoming a member of organizations such as the Better Business Bureau are other proven ways to build trust. Beyond that, you must be good at answering the phones and responding quickly to customer inquiries. Some customers will even call just to see how quickly you respond, looking for comfort in the fact that your business is active and on top of things.

Product presentation is the second most important obstacle to overcome in online business. Unlike in a real world store, customers cannot touch and feel the product under consideration, and for this reason, the level of product showcasing must be very high. Provide several image views, elaborate descriptions, customer reviews, as well as links for other information. Most successful ecommerce sites provide at least five pictures of each product. Descriptions should be unique to your business and as clear as possible. If you or your team is not comfortable writing attractive product descriptions, hiring a writer is well worth the expense.

The last major issue in online business is security. The security of your website determines a customer's willingness to enter their personal payment information. Part of establishing trust in your security is having an online merchant account. A credit card merchant account allows you to accept card payments while keeping shoppers within your website, since moving from your site to a third-party processor's site can be unsettling for potential buyers and can cause a host of other problems. Be aware, though, that accepting card numbers on your own pages brings those pages, and the servers behind them, into PCI DSS scope, whereas redirecting to a processor's hosted payment page keeps the PAN off your systems; weigh the conversion benefit against that added burden. Once a merchant account is in place, making sure your site uses TLS (HTTPS) on every page that collects or displays payment data will also reassure customers about the level of information security your business employs.

The challenges of online sales are easily overcome with the investment of some time and thought. Without tackling these obstacles, the probability of sales will be very low. Of course, it doesn’t stop there. There are an infinite number of improvements you should continue to make as your business grows and develops. These major obstacles are merely the roadblocks that have a tendency to shut businesses down before they even get started.

Merchant accounts make it possible for businesses to provide online credit card processing. For more information on credit card processing visit www.stradafee.com.

January 12 2009

Ecommerce: Avoiding Credit Card Chargebacks


With all of the preparation, problem solving and management involved in running an eCommerce store, there is one precaution that is grossly overlooked and has the potential to create huge problems. Credit card chargebacks were created to protect cardholders from unauthorized transactions, and they make it possible for customers to refuse payment for goods or services on the claim that the services were not received or the goods were never delivered. Card issuers may also approve chargebacks for damaged items and items that are not as described, even if the items were never returned to the vendor. As a result, a few customers regularly abuse the system in hopes of receiving products for free. Naturally, this greatly affects online sellers by suddenly removing funds that have already been collected, so these businesses must follow certain practices to prevent as many chargebacks as possible.

It is extremely important for an eCommerce website to be completely clear about shipping, products and checkout. In particular, the customer must know how the charge will appear on their card statement; some customers report a charge as fraud simply because they did not recognize the billing descriptor. Another way to prevent such confusion is to send automatic follow-up emails reminding customers that their card will be charged. These emails are also an appropriate time to remind the customer that they are welcome to call you with any questions about the order. The business telephone number should appear clearly on the website as well as in the billing descriptor on the card statement, so customers can call to verify the charge without having to research what it might have been.

Pre-ordered items should not be charged to credit cards in advance. The time in which it takes to receive the item in stock may give the customer time to change their mind or simply claim a false charge on the grounds that no items were shipped. Instead, wait until the item is in stock and ready to be shipped before charging a customer’s credit card.

Getting rid of mistaken charges quickly is also a valuable policy for eCommerce. Not only does this avoid confusion and assure the customer that you will not be keeping the money, but it will also build your reputation as a professional and organized establishment. If a mistaken charge is not quickly voided, the customer is likely to take matters into their own hands by simply requesting a chargeback. If a customer reports a mistaken charge, you must never put off responding. It is imperative that you send an immediate response at least to let the customer know you are looking into the matter and will correct it as soon as possible.

The basic idea of preventing chargebacks is to have professional quality control and customer service policies that deal with the problem before a customer has time to consider disputing the charge with their credit card institution. It is much better to deal with these issues with customers directly, both for your future business and for your credit and legal integrity.

Merchant accounts make it possible for businesses to provide online credit card processing. For more information on credit card processing visit www.stradafee.com.

January 12 2009

Safe and Secure Online Payments


Approximately 85% of online shoppers are concerned about their security, as well they should be. Credit card fraud and identity theft are at an all-time high following the explosion of credit card transactions made over the Internet. This is why it is extremely important for online retailers and businesses to earn customers' trust in the security of their eCommerce system. According to recent research by TNS, 65% of purchases are abandoned when the customer reaches the checkout. Much of this is due to doubt about the security of the credit card form, which can be reduced by making sure your website visibly applies proper security measures.

Many eCommerce-savvy shoppers have learned to look for certain signs of security before entering their credit card information. The most typical are "https" in the address and the padlock icon the browser shows in or beside the address bar; the padlock means the connection is encrypted with SSL/TLS and that the site's certificate was issued by an authority the browser trusts, and a web page cannot fake it. A site seal such as the VeriSign Secured Seal is a different thing: it is an image the site embeds, provided by one of the many companies selling certificates and online transaction security, and since any page can copy the image it signals effort rather than a verified connection. Almost four out of five Americans recognize the VeriSign Secured Seal, which still makes it an effective trust mark. Newer browsers also detect Extended Validation certificates and display the address bar in green. However, most people do not yet have this feature to help them along and look for the other signs.

Most reputable companies providing online transaction security use SSL. SSL, or Secure Sockets Layer (today its successor, TLS), encrypts customer credit card information while it travels across the Internet so that nobody sitting between the browser and your server can read it. The server presents a certificate issued by a certificate authority, which has verified the identity of the certificate's owner, so the customer knows the card data is going to the business it appears to be going to. Contrary to a common belief, SSL/TLS is not optional for a shopping cart: PCI DSS Requirement 4 mandates encryption of cardholder data in transit across open, public networks, and using it visibly also shows customers your commitment to their security.

The use of these online security measures not only provides protection, it also helps to demonstrate the authenticity of your business. Some customers may still be wary of entering their credit card information online, but visible security measures may persuade them to complete the transaction over the phone, or to contact you for further information. Online retailers report an average sales increase of around ten percent after adding visible security to their payment pages, a sign that customers really are looking for assurance that their card information is safe. Earn the trust of online shoppers by providing the professional security people want.

Merchant accounts make it possible for businesses to provide credit card processing for card present and card-not-present transactions. For more information on credit card processing visit http://www.stradafee.com

November 13 2008

How to Become PCI Compliant


Before a merchant or acquirer ponders PCI compliance, it is important to understand which entities it applies to. While it is very likely that PCI compliance will be mandatory for each merchant or acquirer, it is only required if you receive, store or process the Primary Account Number (PAN), the main credit card number of the customer, which is between 13 and 19 digits long (16 for most Visa and MasterCard cards, 15 for American Express).  In addition, a merchant or acquirer must remember that if a PAN is stored or processed, the other information that travels with it, such as the cardholder's name and expiry date, must be protected as well, and that the CVV/CVC and other sensitive authentication data may not be stored at all once the transaction has been authorized.
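The PAN description above (here and in the March 2010 post) is the basis for a check every merchant should run over its own logs, because card numbers leak into web server and application logs far more often than into databases. The following Python is an added example, not code from this site or from any payment processor: it finds Luhn-valid runs of 13 to 19 digits in constructed sample log lines, masks them to the first six and last four digits (the most PCI DSS permits to be displayed), and flags field names that suggest sensitive authentication data is being written. The log format and the field names in SAD_FIELD are assumptions made for the example.

```python
import re

# Candidate PAN: a run of 13-19 digits, optionally split by single spaces or dashes
# (13 for some legacy Visa, 15 for American Express, 16 for Visa/MasterCard/Discover, up to 19).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names that hold sensitive authentication data, which PCI DSS forbids storing
# after authorization at all. The names are assumed for this example.
SAD_FIELD = re.compile(r"\b(cvv2?|cvc2?|cid|track[12]?|pin)\s*[=:]", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check digit test that every card brand's PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the maximum PCI DSS allows for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs found in text, with separators removed.

    The Luhn test is what keeps order numbers and timestamps out of the result."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def scrub_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its masked form."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(repl, line)


def audit_log(lines: list) -> list:
    """Per line: masked PANs found and whether a sensitive-authentication-data field appears."""
    report = []
    for n, line in enumerate(lines, start=1):
        pans = find_pans(line)
        sad = bool(SAD_FIELD.search(line))
        if pans or sad:
            report.append({"line": n, "pans": [mask_pan(p) for p in pans], "sad": sad})
    return report


# Constructed sample log lines using the card brands' published test numbers, not real accounts.
SAMPLE_LOG = [
    "2010-03-30 12:00:01 order=1234567890123456 status=paid",
    "2010-03-30 12:00:02 pan=4111 1111 1111 1111 cvv=123 amount=19.99",
    "2010-03-30 12:00:03 pan=3782-822463-10005 amount=250.00",
    "2010-03-30 12:00:04 pan=5555555555554444 amount=12.50",
]

if __name__ == "__main__":
    for entry in audit_log(SAMPLE_LOG):
        print(entry)
    for line in SAMPLE_LOG:
        print(scrub_line(line))
```

The 16-digit order number on the first line is caught by the regular expression but rejected by the Luhn test, while the second line is reported twice over: a PAN is present and a CVV is being logged beside it, which no masking can make acceptable.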

For a merchant to become PCI compliant, it must first determine which merchant level applies, as each level carries different validation requirements. In addition, both Visa and MasterCard run compliance programs with requirements on top of the PCI DSS itself, which must also be adhered to. Discover and American Express follow the PCI DSS together with a 'good practices' handbook and impose no specific additional requirements. In general, then, the process begins with the merchant or service provider establishing its validation level, since each level involves different audit, questionnaire and network-scan requirements.

It would seem obvious that Level 1 merchants attract the bulk of attacker attention, but in practice it is Level 4, since these merchants are small and, by Visa's estimates, make up around 99% of merchants by count. They are more prone to compromise precisely because they are small and usually lack the technical infrastructure the PCI DSS mandates. To that end, Visa requires that all Level 4 merchants submit a PCI compliance plan. In addition, a Level 4 merchant using a point-of-sale system must ensure that its payment application meets the Payment Application Best Practices (PABP, since renamed PA-DSS) and that any PIN entry device meets the PIN security requirements.

Validation levels apply to service providers as well. Service-provider levels are defined differently by MasterCard and Visa, though the emphasis in both cases is transaction volume. For instance, Visa places in Level 2 any service provider that is not in Level 1 and that transmits more than 100,000 transactions annually, while MasterCard simply defines any service provider that transmits on behalf of Level 1 merchants as a Level 1 service provider.

The merchant or service provider must build an infrastructure of firewalls, access controls and data encryption that complies with the PCI DSS. Version 1.1 of the standard (version 1.2, released in October 2008, keeps the same structure) groups its requirements into the following twelve directives:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for employees and contractors.
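Requirement 3 is the one most often broken by e-commerce code, usually by keeping the whole authorization request after the processor has answered, so here is a worked illustration of it in Python. It is an added example, not code from this site or from the PCI SSC, and the field names, the StoredCard layout and the demo key are assumptions for the example. After a transaction has been authorized it keeps only what the standard allows (a keyed hash of the PAN for matching returning cards, the masked PAN for display, and the expiry date), discards the CVV and other sensitive authentication data, and compares a presented PAN against the stored reference in constant time.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Sensitive authentication data: PCI DSS Requirement 3.2 forbids storing these after
# authorization, even encrypted. The field names are assumed for this example.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc", "cid", "track1", "track2", "pin", "pin_block"}


@dataclass(frozen=True)
class StoredCard:
    pan_ref: str      # keyed hash of the PAN: usable for matching, not reversible without the key
    masked_pan: str   # first six and last four digits, the most PCI DSS allows to display
    expiry: str       # the expiration date may be stored


def normalize_pan(pan: str) -> str:
    """Strip the spaces and dashes customers type so the same card always hashes the same."""
    return "".join(ch for ch in pan if ch.isdigit())


def mask_pan(pan: str) -> str:
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """HMAC-SHA256 of the PAN.

    An unkeyed SHA-256 would be brute-forced in seconds: with the masked form (first six,
    last four) stored alongside it only about 10^5 Luhn-valid candidates remain per card.
    The key is what makes this one-way, so it must live outside the database, under the
    key-management controls of Requirements 3.5 and 3.6."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def to_storable(auth_request: dict, key: bytes) -> tuple:
    """Split a post-authorization record into what may be kept and the field names discarded."""
    dropped = sorted(k for k in auth_request if k.lower() in SENSITIVE_AUTH_FIELDS)
    card = StoredCard(
        pan_ref=pan_reference(auth_request["pan"], key),
        masked_pan=mask_pan(auth_request["pan"]),
        expiry=auth_request["expiry"],
    )
    return card, dropped


def pan_matches(stored: StoredCard, presented_pan: str, key: bytes) -> bool:
    """Constant-time comparison of a presented PAN against a stored reference."""
    return hmac.compare_digest(stored.pan_ref, pan_reference(presented_pan, key))


# Constructed example: a brand test number, a demo key, and an authorization request that
# still carries the CVV because the processor needed it for the authorization itself.
DEMO_KEY = b"demo-only-key-keep-real-keys-in-an-hsm"
AUTH_REQUEST = {"pan": "4111 1111 1111 1111", "expiry": "1212", "cvv": "123", "amount": "19.99"}

if __name__ == "__main__":
    card, dropped = to_storable(AUTH_REQUEST, DEMO_KEY)
    print(card, "dropped:", dropped)
    print(pan_matches(card, "4111-1111-1111-1111", DEMO_KEY))
```

Nothing in StoredCard can be turned back into a usable card number without the key, which is the property Requirement 3.4 asks for; if the business needs the full PAN later (for recurring billing, say) it needs reversible encryption and the key-management controls that come with it, or a tokenization service that keeps the PAN off the merchant's systems altogether.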

Once the technical infrastructure is in place, the merchant or service provider must engage an Approved Scanning Vendor (ASV) to run quarterly external vulnerability scans of its Internet-facing systems. The scan checks that the perimeter controls claimed in the self-assessment questionnaire required for Level 2, 3 and 4 merchants and service providers (firewalling, patching, no exposed default services) actually hold rather than being placeholders; it does not, and cannot, test the requirements that are internal to the network or procedural. The purpose of the scan is to locate externally reachable vulnerabilities that could lead to a data breach and to recommend measures to fix them. The ASV delivers a report to the merchant (and, on request, its acquirer) listing each finding with a severity level from 1 to 5; note that on this scale, unlike the merchant levels, 5 is the most severe. For a Level 1 merchant an on-site assessment by a Qualified Security Assessor (QSA) is also mandated.

Finally, a self-assessment questionnaire in the prescribed format is submitted to the acquiring bank by the merchant and/or its service provider; it acts as a checklist confirming that the twelve requirements above have been addressed and met. Some practitioners argue that PCI compliance has as much to do with paperwork as with network and information security: a merchant need only be 100% compliant at the time of the review, and this point-in-time loophole tempts merchants to let controls lapse during the year and patch things up ahead of the audit. That does not solve any security problem; it only hides it until the next breach, and a merchant found non-compliant after a breach faces fines and liability for the resulting fraud on top of the breach itself.


For more information on how to become PCI compliant please visit http://www.stradafee.com!