E-commerce — it’s a buzzword so old it can hardly be called a buzzword anymore, and something everybody thinks they understand. I’ve talked to countless startup founders and CEOs who talk about doing business online like it’s the easiest thing in the world to set up a web site, advertise a product, and start collecting money hand over fist. Simple as that. Nothing to it.
As these business newbies find out, there actually are quite a lot of somethings to it. First, there’s the array of online payment processors out there, from apps like Square that let you accept card payments on an iPad, to well-established web payment tools like PayPal and Google Checkout, to obtaining a merchant account and hosting your own payment processing solution. The mechanics of accepting payment online are not easy, and there are a number of standards that need to be followed to ensure the security of your online payment solution and of the cardholder data that passes through it.
If you’re advising clients in this sector, it’s important to be aware of the standards that apply to the processing of payments online, so your clients can ensure their solution complies. These standards are mostly industry self-regulation that codifies best practices for the prevention and detection of security incidents, but compliance is becoming essential to remaining competitive in e-commerce as consumers grow more concerned about the security of their data online.
The most important standards are undoubtedly those set by the Payment Card Industry Security Standards Council. The PCI Data Security Standard (PCI DSS) sets out a number of actions a business accepting card payments will want to take (or ensure its service provider takes) in order to protect customer card data.
A business can then be assessed, either by completing a self-assessment questionnaire or by engaging a PCI-approved third-party assessor, and then be added to the roster of PCI-compliant companies and service providers on PCI’s web site.
Decisions that need to be made in order to become PCI compliant will touch on all areas of the business, not just technology. The requirements apply to firewalls, yes, but also to processes for accessing company information, encryption of stored and transmitted card data, restricting physical access to facilities and computers, and developing IT policies to educate employees and contractors.
For your clients, familiarity with standards such as PCI DSS will be important in establishing their business practices, and this is where you can add value as an adviser. The cost of complying as a merchant may be too high for a company to undertake on its own, so instead of setting up its own payment processing (which may initially seem like the cheapest and easiest option), it may want to route payments through a PCI-compliant third-party vendor, which keeps card data out of the company’s own systems and narrows the scope of what it must secure and assess. Being aware of the issue and structuring the business appropriately from the beginning will ultimately be a much more pleasant experience than ignoring compliance issues in the planning stages and then having to sink extra money into an existing solution in order to bring it into compliance.