Credit cards are fast becoming the standard form of payment as cash falls out of favour. According to the UK Cards Association, 32.6 million card payments were made every day last year, twice the daily number seen a decade ago.
Furthermore, IMRG reports that a record £104 billion was spent online last year in the UK and that figure is predicted to grow by a further 12% this year.
All the more reason, then, for card payments to become more secure, and the deadline for full adoption of the latest industry standard is fast approaching.
PCI DSS 3.0 is already in effect, and this milestone release from the PCI Security Standards Council has far-reaching implications for UK merchants.
This latest version of the Payment Card Industry Data Security Standard (PCI DSS) was introduced in response to cybercriminals and attackers who are using increasingly sophisticated means to reach protected personal and financial data.
It means that the assessment of merchants that handle payments is becoming tougher, and completing it demands far more of a business's own resources.
The wider implication is that it could affect the look and feel of a website’s shopping portal, which could be hugely problematic for companies that pride themselves on a slick, easy-to-use and visually appealing shopping experience.
And with Adobe stating that repeat customers are nine times more likely to complete a purchase than first time shoppers, it’s important to maintain a good user interface and customer experience to build loyalty.
Let's look at the evaluation changes brought about by PCI DSS 3.0 last year. Under PCI DSS 2.0, an e-commerce merchant that never stored, processed or transmitted cardholder data on its own systems, and outsourced all of that to a third party, had little red tape to worry about.
For most such businesses, the only requirement was to fill out the short self-assessment questionnaire SAQ A; the rest of the work was done by their PCI DSS compliant partners.
With PCI DSS 3.0, however, the merchant itself is required to do a lot more, and doing it needs the specialist resources of the in-house technology team.
Compliance can no longer be isolated under the new standard. Whereas before a non-technical merchant employee could complete SAQ A in a matter of hours, the new and far more in-depth SAQ A-EP runs to well over a hundred questions against a dozen or so in SAQ A, covering controls such as firewall configuration, secure development, vulnerability scanning and logging on the merchant's web environment, and so requires the expertise of the whole technology team.
This is because merchants whose own web page delivers the payment form, or the script that sends card details on to the provider, are deemed to affect the security of the transaction, and therefore their technical infrastructure comes under just as much scrutiny as that of their outsourced partner.
Even if card data never reaches the merchant's servers, the fact that the merchant's web page controls how the customer's card details travel from the browser to the partner is enough for the merchant to be assessed much more closely. A merchant whose own systems do receive card data, even briefly in transit to a partner, falls outside SAQ A-EP altogether and must complete the full SAQ D.
The good news is that these measures will ultimately make card transactions more secure; the bad news for businesses is that many don't currently have the in-house resources to respond to the demands of SAQ A-EP, which puts them in danger of non-compliance.
One alternative is to embed an inline frame (iframe) in the merchant's site whose contents are actually hosted by a PCI DSS compliant provider; a full-page redirect to the provider's hosted payment page works the same way. Because the customer then enters card details into the provider's page rather than the merchant's, the merchant is eligible for the short SAQ A instead of SAQ A-EP. The browser's same-origin policy is what makes this hold: script on the merchant's page cannot read what the customer types into a frame served from the provider's origin, so the merchant's code never handles the card data.
The downside of this solution is that it constrains the custom user interface the website currently employs: the card fields are rendered by the provider, so the merchant controls less of their look and feel. Having noted how important this visual element of a site is for driving sales, that can be burdensome.
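The distinction drawn above between a provider-hosted iframe (SAQ A), card fields in the merchant's own page that are handed to the provider by the browser (SAQ A-EP), and card fields posted to the merchant's own server (SAQ D) can be made mechanical. The following is an added example, not code from the original article or from Braintree/PayPal: a small heuristic that scans a checkout page's HTML and reports which questionnaire its design points toward. The provider and merchant origins, the field-name patterns and the three sample pages are all assumptions constructed for the demonstration.

```javascript
// Added example: heuristic PCI DSS scope check for a checkout page.
// Not code from the original article or from Braintree/PayPal.
// Origins, field names and sample pages below are constructed.

const PROVIDER_ORIGIN = "https://pay.example-provider.test"; // assumed PCI DSS validated provider
const MERCHANT_ORIGIN = "https://shop.example.test";         // assumed merchant site

// Names / HTML autocomplete tokens that mark a card-data input in the page.
const CARD_FIELD = /cc-number|cc-csc|cc-exp|card[-_ ]?number|cvv|cvc|\bpan\b/i;

// Collect the start tags we care about, with their attributes as an object.
function extractTags(html) {
  const tags = [];
  const tagRe = /<(input|iframe|form|script)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] !== undefined ? a[2] : a[3];
    }
    tags.push({ name: m[1].toLowerCase(), attrs });
  }
  return tags;
}

// Origin of a URL; relative (or missing) URLs resolve to the page's own origin.
function originOf(url, base) {
  try { return new URL(url || "", base).origin; } catch (e) { return null; }
}

// Returns { saq: "A" | "A-EP" | "D", why: string }.
function classifyCheckoutPage(html) {
  const tags = extractTags(html);
  const fromProvider = (t, attr) =>
    originOf(t.attrs[attr], MERCHANT_ORIGIN) === PROVIDER_ORIGIN;

  const cardInputs = tags.filter(t => t.name === "input" &&
    CARD_FIELD.test([t.attrs.name, t.attrs.id, t.attrs.autocomplete].join(" ")));
  const providerFrames = tags.filter(t => t.name === "iframe" && fromProvider(t, "src"));
  const providerScripts = tags.filter(t => t.name === "script" && fromProvider(t, "src"));
  const formsToProvider = tags.filter(t => t.name === "form" && fromProvider(t, "action"));

  if (cardInputs.length === 0) {
    // No card fields in the merchant's own markup: the fields live in a
    // provider-hosted iframe (or the customer is redirected to the provider).
    // Same-origin policy keeps the merchant's script away from the data: SAQ A.
    const why = providerFrames.length > 0
      ? "card fields are rendered inside a provider-hosted iframe"
      : "no card fields in the merchant page (hosted page or redirect)";
    return { saq: "A", why };
  }
  if (formsToProvider.length > 0 || providerScripts.length > 0) {
    // The merchant page carries the card fields and the browser hands them to
    // the provider (direct post or provider JavaScript). The merchant server
    // never sees card data, but the page controls the path: SAQ A-EP.
    return { saq: "A-EP", why: "merchant page hosts card fields and hands them to the provider client-side" };
  }
  // Card fields post back to the merchant's own origin, so the merchant's
  // systems receive cardholder data: the full SAQ D applies.
  return { saq: "D", why: "card fields are posted to the merchant's own server" };
}

// Constructed sample pages (not real merchant markup).
const IFRAME_PAGE = `
<form action="/checkout/confirm" method="post">
  <input name="email" type="email">
  <iframe src="https://pay.example-provider.test/fields?session=demo"></iframe>
</form>`;

const DIRECT_POST_PAGE = `
<script src="https://pay.example-provider.test/client.js"></script>
<form id="payment" action="/checkout/confirm" method="post">
  <input name="card-number" autocomplete="cc-number">
  <input name="expiry" autocomplete="cc-exp">
  <input name="cvv" autocomplete="cc-csc">
</form>`;

const SERVER_POST_PAGE = `
<form action="/checkout/charge" method="post">
  <input name="card_number">
  <input name="expiry">
  <input name="cvv">
</form>`;

for (const [label, page] of Object.entries({ IFRAME_PAGE, DIRECT_POST_PAGE, SERVER_POST_PAGE })) {
  const r = classifyCheckoutPage(page);
  console.log(`${label}: SAQ ${r.saq} (${r.why})`);
}
```

This is a linting aid, not a substitute for a QSA's scoping decision: it only inspects static markup, so a page that loads any third-party script is still exposed to that script, and an iframe only keeps card data out of the merchant's reach when it is served from the provider's origin rather than the merchant's own.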
We're entering an era where merely paying lip service to compliance is no longer acceptable. The scope of the new PCI DSS requirements shows the extent to which merchants must make their transactions more secure, whether carried out online via a browser or in-app.
It's true that, as an industry, improvements are being made to increase security, but all it takes is one large-scale breach to lay bare the concerns some shoppers still have about trusting online payment platforms, and that can damage a brand's long-term reputation.
In the future, the PCI standards will continue to evolve to keep pace with not only the payments landscape, which is changing much quicker than ever before, but those attacking it.
And with new services and products demanding new and unconventional payment methods, the industry will have to react quickly to address any potential vulnerability proactively.
Sourced from John Downey, security lead, Braintree (part of PayPal)