PCI and what it means for hosted e-commerce shopping carts

One day in 2004, online retailers in the United States and United Kingdom woke up to news that the five major credit card brands, including Visa, MasterCard and American Express were fed up with rising cases of cyber fraud and had began formulating plans to remove a clause called “safe harbor”, which had routinely protected online merchants from any liability during a credit card transaction.

This seismic shift in direction culminated in the official launch of the PCI Security Standards Council in 2005 and the establishment of 250 technological, security and procedural controls governing credit card transactions on the Internet.

These controls would form part of the Data Security Standard (PCI DSS) that’s sending seismic shockwaves through all international merchant sites that employ shopping carts and conduct credit card transactions online.

Traditionally banks were responsible for 100% of the monetary loss during a compromised credit card transaction – not the consumer or the merchant.

Banks were completely at the mercy of online merchants tasked with ensuring their databases were not hacked or credit cards stolen during the transaction.

Prior to the PCI DSS, merchants had absolutely no liability and banks were forced to carry the financial burden of cyber fraud. This merchant protection became known as safe harbor. Under the new standard, this get-out-of-jail-card has been torn in pieces, forcing merchants to quickly get in line with key tenants of this tough standard.

The stakes are high when one considers the rising tide of e-commerce transactions in the UK, which peaked at £350m online during Cyber Monday, which fell on Monday, 7 December 2010.

While e-commerce statistics are often contradictory, the latest industry reports indicated that December Christmas sales may we well have been above earlier forecasts of 16% growth on 2009.
The BBC website reported that well-known retailer, Argos, Internet sales were up 35% from the previous year.

Unfortunately, along with the financial windfalls came a surge in fraudulent transactions with CyberSource, a Visa company, reporting that this figure rose from 1.6% to 1.9% at the end of 2010. This is almost twice the number reported in the U.S.

UK shopping sites are thus slightly behind their American counterparts in combating increasing cases of online fraud that may cost the UK more than £27bn a year, if one is to believe a recent Guardian newspaper report.

It get’s scarier if one considers the 2013 prediction that Smartphones will be the principle web access point for international users by 2013. The Financial Times issued a recent report of cyber criminals adapting pieces of malware named “Zeus” to operate on phones and deploy spoofing attacks. The increasing popularity of app stores allows them further avenues to exploit downloaded software purchased online.

Thus, the International Standards Council pushed UK merchants to begin implementing the standard by the end of September 2010. However, only 10-20% of UK organisations that employ shopping carts on their site may have actually have been audited and certified PCI compliant since this directive was issued.

Merchants have been scrambling to assess which level of PCI compliance they fall under as indicated by this chart on the Visa website.
Any merchant with over 20,000 annual e-commerce transactions, Level 3, is required to provide an attestation of compliance, which needs to be updated every 12 months to maintain 100% compliance.

If a merchant falls out of compliance the repercussions are severe with U.S. penalties reaching $500,000 and monthly fees of $100,000, until the merchant complies. Failure to comply can result in expulsion from the payment processing network and the loss of ability to make sales.

Even if you’re a small merchant who only has a few transactions a year, you may still be penalized or effectively “shut down” by the Standards Council if you fail to comply to the regulatory demands of the standard.

If you plan to adopt a shopping cart on your site your best option is probably to select a hosting provider that’s PCI complaint. However, even this approach is risky if you do not do your homework. Request a proof of compliance annually from your hosting provider, which should be audited by a third party or a Qualified Security Assessor (QSA).

This step is critical since the hosting provider can choose which PCI components they wish audited. Thus, for example, they may be compliant in physical security and lacking in vulnerability management updates.

The new standards are not to be taken lightly by sites employing e-commerce shopping carts. While they may seem daunting they essentially call for good, basic security.
The council stresses that even if the standard did not exist the best practices for security behoove an online retailer to take these steps to protect the consumer.

Guest Blogger: Jason Stevens from jason-stevens.com / Freelance web developer, tech writer and follower of cloud computing trends. Follow him on Twitter @_jason_stevens_

*UK2.net reserve the right to agree or disagree with our guest bloggers. Call it freedom of speech, but our guest bloggers are entitled to have an opinion. If you wish to agree, disagree or even argue about it, then feel free to leave a comment. Thanks for visiting our blog! If you wish to become a Guest Blogger for UK2, please contact our marketing department.