I attended an interesting seminar on Online Security on Thursday last in Dublin. The seminar was organised by the IIA and had speakers from AIB Merchant Services, Realex, IPSO, MasterCard and TrustWave.
Rather than going through the presentations one by one, I’ll list the 3 main issues and topics I took away from the event.
1. PCI Data Security Standard (PCI-DSS)
PCI-DSS is a security standard that lists requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. The standard is intended to help organisations proactively protect customer cardholder data. It is a standard that all online retailers need to educate themselves about, as they will need to comply with its requirements in the near future.
There are 4 levels of online merchants, measured on the number of card transactions they process annually. We fall into level four. All retailers in levels one to three should be compliant by now, as the deadlines have passed. There is currently no deadline for level four merchants, but talking to experts at the seminar, the opinion is that the deadline will be set around September 2009. So it is the responsibility of online merchants to get to know the standard and become compliant with it. My view is that it is better to be compliant sooner rather than later.
To become compliant the merchant needs to be assessed by a PCI Qualified Security Assessor (QSA) or, where the card brands allow it for smaller merchants, to complete a Self-Assessment Questionnaire (SAQ). There are a number of QSAs in Ireland – see here for the worldwide list and search on Ireland. Rather than wait for the deadline, we plan to get assessed and passed as soon as possible and publicise the fact that we are PCI-DSS compliant. This will give potential customers even more added assurance that we are a secure shopping site.
2. 3D Secure
3D Secure is an extra validation step in the customer’s purchase process that the card schemes are encouraging online retailers to implement. I have used it myself when shopping with some sites. The issue I see with 3D Secure is that it has some benefits for the retailer but very little for the online shopper. We were also told at the seminar that the extra step of inputting the 3D Secure password can cause up to 15% of customers to abandon their purchase, as they are confused by the extra requirement for further validation information. We (at PuddleDucks) simply cannot afford to lose 15% of our potential sales, so we will not implement 3D Secure for the time being. We will wait until it becomes more widely available and an advertising/education campaign is undertaken by the card providers.
3. Chargebacks
Chargebacks are reversals of credit card transactions back to the retailer, e.g. if a stolen card is used online, the transaction is approved and the merchant (like us) dispatches the goods. Once the card is reported stolen, the card issuer (the bank!) comes back to the merchant and recoups the transaction amount along with a processing charge. Luckily we have never had a chargeback imposed on us. The main thing for online retailers is to be vigilant regarding unusually large orders, a strange selection of items, overseas orders, orders at unusual times, an order where the card is issued by a bank in one country and the customer is located in another country, etc. The number one rule is to be very careful – even if the transaction is approved by the bank, this is not a guarantee that you will get the funds. And I learned that a chargeback can be imposed up to 180 days after the date of the transaction.
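The warning signs above are exactly the kind of thing a small shop can check before dispatching an order, rather than relying on the bank's authorisation alone. The following is an added example (not code from the original post or from PuddleDucks) that turns those signs into weighted rules and holds high-scoring orders for manual review. The field names, thresholds, home country and the four sample orders are all assumptions made for the demonstration; the issuer country is assumed to come from the payment gateway's BIN lookup.

```python
"""Pre-dispatch fraud screen for card-not-present orders.

Added example, not the original post's code. Each rule below encodes one of
the chargeback warning signs from the seminar; an order's score is the sum of
the weights of the rules it trips. Thresholds and field names are assumptions.
"""
from datetime import datetime

HOME_COUNTRY = "IE"          # assumed: the shop ships from Ireland
LARGE_ORDER_EUR = 300.00     # assumed: roughly 3x this shop's average basket
UNUSUAL_HOURS = range(1, 6)  # assumed: orders placed 01:00-05:59 local time
BULK_QTY = 5                 # assumed: this many of one SKU is unusual here
REVIEW_THRESHOLD = 3         # score at or above this -> hold for manual review


def _large_order(o):
    return o["amount_eur"] >= LARGE_ORDER_EUR


def _overseas_delivery(o):
    return o["ship_country"] != HOME_COUNTRY


def _issuer_country_mismatch(o):
    # card issued by a bank in one country, goods going to another
    return o["issuer_country"] != o["ship_country"]


def _unusual_hour(o):
    return datetime.fromisoformat(o["placed_at"]).hour in UNUSUAL_HOURS


def _bulk_single_item(o):
    # crude stand-in for "strange selection of items": many of one SKU
    return any(qty >= BULK_QTY for qty in o["items"].values())


# (flag name, weight, predicate)
RULES = [
    ("large_order", 2, _large_order),
    ("overseas_delivery", 1, _overseas_delivery),
    ("issuer_country_mismatch", 2, _issuer_country_mismatch),
    ("unusual_hour", 1, _unusual_hour),
    ("bulk_single_item", 1, _bulk_single_item),
]


def screen_order(order):
    """Return (score, flags) for an order dict with the assumed fields:
    amount_eur, ship_country, issuer_country, placed_at (ISO 8601 local
    time) and items ({sku: quantity})."""
    flags = [name for name, _, check in RULES if check(order)]
    score = sum(weight for name, weight, _ in RULES if name in flags)
    return score, flags


def decision(order):
    """Bank approval is necessary but not sufficient: an authorised order
    still goes to manual review when it trips enough rules."""
    if not order.get("authorised", False):
        return "decline"  # gateway declined; nothing to ship
    score, _ = screen_order(order)
    return "hold_for_review" if score >= REVIEW_THRESHOLD else "dispatch"


# Constructed sample orders (not real data).
ORDERS = [
    {"id": "A1", "authorised": True, "amount_eur": 45.00, "ship_country": "IE",
     "issuer_country": "IE", "placed_at": "2009-03-12T14:05:00",
     "items": {"sku-1001": 1, "sku-2044": 1}},
    {"id": "B2", "authorised": True, "amount_eur": 480.00, "ship_country": "NG",
     "issuer_country": "US", "placed_at": "2009-03-12T03:20:00",
     "items": {"sku-1001": 6}},
    {"id": "C3", "authorised": True, "amount_eur": 120.00, "ship_country": "GB",
     "issuer_country": "GB", "placed_at": "2009-03-12T19:45:00",
     "items": {"sku-1001": 1, "sku-3310": 2}},
    {"id": "D4", "authorised": False, "amount_eur": 60.00, "ship_country": "IE",
     "issuer_country": "IE", "placed_at": "2009-03-12T11:00:00",
     "items": {"sku-2044": 1}},
]


if __name__ == "__main__":
    for order in ORDERS:
        score, flags = screen_order(order)
        print(f'{order["id"]}: {decision(order):16s} score={score} {flags}')
```

Order B2 trips every rule (large, overseas, issuer in a different country from the delivery address, placed in the small hours, six of one item) and is held even though the bank authorised it; C3 is an ordinary cross-channel order with one low-weight flag and ships. The weights and threshold are a starting point to tune against the shop's own order history, and any order held should be checked by a person before it is either dispatched or refunded.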
Overall an interesting and informative seminar. Thanks to Irene at the IIA for organising it.