How to do Business Online – Securely

I attended an interesting seminar on Online Security on Thursday last in Dublin. The seminar was organised by the IIA and had speakers from AIB Merchant Services, Realex, IPSO, MasterCard and TrustWave.

Rather than going through the presentations one by one, I’ll list the 3 main issues and topics I took away from the event.

1. PCI Data Security Standard (PCI-DSS)

PCI DSS is a security standard that lists requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. The standard is intended to help organizations proactively protect customer account data. It is a standard that all online retailers need to educate themselves about as they will need to comply with the regulations in the near future.

There are four levels of online merchants, determined by the number of card transactions they process annually. We fall into level four. All retailers in levels one to three should be compliant by now, as their deadlines have passed. There is currently no deadline for level four merchants, but talking to experts at the seminar, the opinion is that it will be set around September 2009. So it is the responsibility of online merchants to get to know the standard and become compliant with it. My view is that it is better to be compliant sooner rather than later.

To become compliant the merchant needs to be assessed by a PCI Qualified Security Assessor (QSA). There are a number of QSAs in Ireland – see here for the worldwide list and search on Ireland. Rather than wait for the deadline, we plan to get assessed and passed as soon as possible and publicise the fact that we are PCI-DSS compliant. This will give potential customers even more assurance that we are a secure shopping site.


2. 3D Secure

3D Secure is an extra validation step in the customer’s purchase process that the card merchants are encouraging online retailers to implement. I have used it myself when shopping with some sites. The issue I see with 3D Secure is that it has some benefits for the retailer but very little for the online shopper. We were also told at the seminar that the extra step of inputting the 3D Secure password can cause up to 15% of customers to abandon their purchase, as they are confused by the extra requirement for further validation information. We (at PuddleDucks) simply cannot afford to lose 15% of our potential sales, so we will not implement 3D Secure for the time being. We will wait until it becomes more widely available and an advertising/education campaign is undertaken by the card providers.


3. Chargebacks

Chargebacks are reversals of credit card transactions charged back to the retailer. For example, a fraudulent (e.g. stolen) card is used online, the transaction is approved, and the merchant (like us) dispatches the goods. Once the card is reported stolen, the card issuer (the bank!) comes back to the merchant and recoups the transaction amount along with a processing charge. Luckily we have never had a chargeback imposed on us. The main thing for online retailers is to be vigilant regarding unusually large orders, strange selections of items, overseas orders, orders at unusual times, orders where the card is issued by a bank in one country while the customer is located in another, etc. The number one rule is to be very careful: even if the transaction is approved by the bank, this is not a guarantee that you will keep the funds. And I learned that a chargeback can be raised up to 180 days after the date of the transaction.
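As an added illustration (not code from the blog post or from PuddleDucks), the warning signs listed above can be turned into a simple manual-review screen for card-not-present orders, with a helper for the 180-day chargeback window. The thresholds, home country, quiet hours, field names and sample orders are all assumptions constructed for the example.

```python
# Added example: rule-based manual-review screen built from the chargeback
# warning signs in the post. Thresholds and sample data are assumptions.
from dataclasses import dataclass
from datetime import datetime

LARGE_ORDER_EUR = 500.0        # assumed threshold for an "unusually large" order
HOME_COUNTRY = "IE"            # assumed merchant home market
QUIET_HOURS = range(1, 6)      # assumed "unusual time": 01:00-05:59 local time
CHARGEBACK_WINDOW_DAYS = 180   # from the post: chargebacks up to 180 days later


@dataclass
class Order:
    order_id: str
    total_eur: float
    items: list
    ship_country: str           # ISO country code of the delivery address
    card_issuer_country: str    # ISO country code of the issuing bank
    placed_at: datetime


def review_flags(order: Order) -> list:
    """Return the reasons an order should be held for manual review."""
    flags = []
    if order.total_eur >= LARGE_ORDER_EUR:
        flags.append("large order")
    if len(set(order.items)) == 1 and len(order.items) >= 5:
        flags.append("strange selection (many units of one item)")
    if order.ship_country != HOME_COUNTRY:
        flags.append("overseas order")
    if order.placed_at.hour in QUIET_HOURS:
        flags.append("unusual time")
    if order.card_issuer_country != order.ship_country:
        flags.append("issuer country differs from delivery country")
    return flags


def needs_review(order: Order, threshold: int = 2) -> bool:
    """Hold the order if it trips at least `threshold` warning signs.
    Bank approval alone is never treated as proof the funds are safe."""
    return len(review_flags(order)) >= threshold


def chargeback_window_open(transaction_date: datetime, today: datetime) -> bool:
    """True while the issuer can still raise a chargeback on a transaction."""
    return (today - transaction_date).days <= CHARGEBACK_WINDOW_DAYS


# Constructed sample orders: one ordinary, one tripping every rule.
SAMPLE_ORDERS = [
    Order("A100", 45.0, ["wellies", "raincoat"], "IE", "IE", datetime(2009, 3, 12, 14, 30)),
    Order("A101", 780.0, ["changing bag"] * 8, "NG", "US", datetime(2009, 3, 13, 3, 15)),
]
```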

Overall an interesting and informative seminar. Thanks to Irene at the IIA for organising it.

8 Comments


  2. Did they say that it is going to be compulsory for all websites to have 3d Secure installed on their sites by the end of this year?

    Sian

  3. Hi Sian — I didn’t hear of any definite deadline to get 3D Secure installed. I understand it’s been heavily rolled out in the UK but in Ireland the take-up has been low. I am in no hurry to install it as the stats say it turns some customers off — Aedan

  4. Hi Aedan,
    I am in the process of getting it setup. I was told it was going to be compulsory. Drop me an email and I will tell you why!
    Sian

  5. Aedan

    Just to clarify, the PCI DSS standard applies to all credit card transactions and not just to online ones.

    See https://www.pcisecuritystandards.org/ for more info

    Brian

  6. @Brian – thanks for the clarification.

  7. David Rook said

    Hi Aedan,

    It is always nice to see more people talking about online security. I’m a security person from Realex 🙂

    If you ever want any additional information on any of these issues then feel free to contact me or visit my blog.

    Dave

  8. Hi Dave,

    Cheers for the comment. I’ll be in touch in the future if I need any further info. In the meantime I’ve added your blog to my blogroll.

    All the best,
    Aedan
