How the Right Hosted Payment Technologies Reduce Online Merchants’ PCI Scope

April 30, 2013 • Best Practices

The rapid growth of mobile device adoption is disrupting digital commerce in almost every facet of business. Small businesses stand to benefit when they harness these new opportunities to sell online and via mobile devices, because today's many cloud-based services let them get started with minimal up-front investment. That said, how does a small business owner make sure they are protected against payment fraud and security threats that can quickly wipe out any profit, or worse, put them out of business?

Many business owners familiar with the ins and outs of brick-and-mortar sales, where the consumer pays in person using cash or some form of credit, are also aware of the payment card industry (PCI) compliance obligations that come with accepting credit card payments. For online sales, fraud and data security are of greater concern, because the ecommerce merchant is handling card-not-present data: the card is never physically swiped by a reader. At a checkout counter, if you need to verify someone's identity you ask to see a valid ID. In the online world, what is the equivalent? And how do you handle the card data so it is not unwittingly made available to data thieves?

Simplifying PCI Compliance and Payment Security
If you are a small or mid-sized business (SMB) owner, the process of evaluating your online business and becoming PCI compliant can seem impossible to follow, or at the very least extremely daunting. Luckily, there are organizations that have made it their mission to understand the PCI Data Security Standard (DSS) requirements in depth so they can develop and/or implement solutions that simplify PCI compliance for the online merchant.

The ideal online payment solution is both produced and hosted by a PCI DSS-compliant payment service provider. By "hosted," I mean that the technology that collects, transmits and stores cardholder data operates outside what is considered to be your IT environment. When that part of the payment process runs entirely on the provider's systems, the systems that would otherwise perform it are removed from your PCI DSS scope: you still validate compliance annually, but a merchant that fully outsources card handling is eligible for the shortest self-assessment questionnaire (SAQ A) rather than the full standard, which makes the annual attestation far quicker and easier. Note that the web server delivering the page that redirects to, or embeds, the provider still affects the security of the payment, so keeping that server patched and its content intact remains your responsibility.

Enriching the Online Customer Experience
The traditional solution for secure online payments has been to redirect the customer to a third-party website to complete the payment. While this is a secure option, it causes you to give up control over the customer's interaction with your business.

Here are a few things that can happen when you implement a third-party redirect:

  • The change in visual environment can confuse the customer, leading to greater instances of shopping cart abandonment;
  • There is a lost opportunity to reinforce your business’s brand with the customer, which could discourage repeat business; and
  • The third-party payment environment can create the need to track online and card-present payments differently, causing accounting and bookkeeping headaches.

Some newer, more technically advanced online payment services claim to solve these problems while still capturing the credit card data your customer enters; however, a look "under the hood" can reveal surprising weaknesses. For example, with Direct Post Method (DPM) or Transparent Redirect integrations, the card-entry form is rendered on your own page and the customer's browser posts the data straight to the provider. Your server never receives the card number, but any script that runs on that page can: an attacker who compromises your hosting account, a vulnerable shopping-cart plugin, or a tampered third-party tag can read the fields as they are typed (a keylogger or form skimmer) and send a copy elsewhere. This is more common than most online merchants like to think about, and "secure" web hosting or a "secure" shopping cart does not prevent it, because the theft happens in the customer's browser under your site's origin, where your page's scripts are trusted.

So ask questions. When the payment process is visually integrated with your website yet technically separated from it, for security, PCI compliance and streamlined payment processing, both you and the customer win. Creating a seamless, secure payment workflow from your website to the payment gateway(s) of your choice can be as easy as using a hosted payment page (HPP) as the "online storefront" for the digital consumer.

The ideal HPP looks like any other page of your site, yet the card fields are rendered by the payment service provider, from the provider's domain, and posted directly to the provider; any stored card data lives on the provider's systems, giving your customers a seamless, easily repeated payment experience and keeping your network environment free of cardholder data. Because the fields belong to the provider's origin, scripts running under your site's origin cannot read them, whatever browser or platform (PC, smartphone, etc.) the purchaser uses. One caveat: a script that has compromised your page can still replace or overlay the hosted frame, so the hosted page is only as trustworthy as the page that embeds it. This is the critical security coverage you need for peace of mind and easy compliance.
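The difference between the DPM/Transparent Redirect integration described above and a redirect or hosted page comes down to where the card-entry fields live and where they post. The following is an added example, not code from this post or from ControlScan, that classifies a checkout page by those two facts from its HTML. The merchant and provider hostnames, the card-field name patterns and the sample pages are all constructed placeholders (assumptions), and the HTML parsing is deliberately regex-based so it runs stand-alone.

```javascript
// Added example (not from the original post or ControlScan): classify how a
// checkout page hands card data to the payment provider by inspecting where
// the card-entry fields are rendered and where the form posts.
const MERCHANT_HOST = 'shop.example.com';          // assumption: merchant origin
const PROVIDER_HOST = 'pay.example-provider.com';  // assumption: gateway origin

// Heuristic list (constructed) of input names that carry cardholder data.
const CARD_FIELD_RE = /(card[_-]?(number|num|no)|cc[_-]?num|\bpan\b|cvv|cvc|csc|exp(iry|_?month|_?year)?)/i;

// Parse the attributes of one HTML start tag into a lowercase-keyed object.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return attrs;
}

// Resolve a (possibly relative) URL against the merchant origin and return its host.
function hostOf(url, baseHost) {
  try { return new URL(url || '', `https://${baseHost}/`).hostname; } catch { return baseHost; }
}

function classifyCheckout(html, merchantHost = MERCHANT_HOST, providerHost = PROVIDER_HOST) {
  let integration = 'redirect';          // no card fields and no provider frame on this page
  let cardFieldsOnMerchantOrigin = false;
  const findings = [];

  // Any <form> on this page that contains card fields renders them under the merchant origin.
  for (const [, formTag, body] of html.matchAll(/<form\b([^>]*)>([\s\S]*?)<\/form>/gi)) {
    const cardInputs = [...body.matchAll(/<input\b([^>]*)>/gi)]
      .map(m => parseAttrs(m[1]))
      .filter(a => CARD_FIELD_RE.test(a.name || '') || (a.autocomplete || '').startsWith('cc-'));
    if (cardInputs.length === 0) continue;
    cardFieldsOnMerchantOrigin = true;
    const target = hostOf(parseAttrs(formTag).action, merchantHost);
    if (target === merchantHost) {
      integration = 'merchant-server';   // full PCI DSS scope: cardholder data reaches your server
      findings.push(`card fields post to ${target}: cardholder data enters your server`);
    } else if (integration !== 'merchant-server') {
      integration = 'direct-post';       // DPM / transparent redirect: browser posts to the provider
      findings.push(`card fields rendered on ${merchantHost} but posted to ${target}: any script on this page can read them before submit`);
    }
  }

  // With no card fields of its own, a frame from the provider makes this a hosted payment page.
  if (!cardFieldsOnMerchantOrigin) {
    for (const [, tag] of html.matchAll(/<iframe\b([^>]*)>/gi)) {
      if (hostOf(parseAttrs(tag).src, merchantHost) === providerHost) {
        integration = 'hosted-iframe';
        findings.push(`card entry is in a frame from ${providerHost}: page scripts cannot read it, but a compromised page can still replace the frame`);
      }
    }
  }

  // Every external script on the page runs with the same power as your own code.
  const thirdPartyScripts = [...new Set([...html.matchAll(/<script\b([^>]*)>/gi)]
    .map(m => hostOf(parseAttrs(m[1]).src, merchantHost))
    .filter(h => h !== merchantHost && h !== providerHost))];

  return { integration, cardFieldsOnMerchantOrigin, thirdPartyScripts, findings };
}

// Constructed sample checkout pages, one per integration style.
const SAMPLES = {
  redirect: `<form action="https://pay.example-provider.com/checkout" method="post">
    <input type="hidden" name="order_id" value="1001"><button>Pay now</button></form>`,
  hostedIframe: `<h1>Checkout</h1>
    <iframe src="https://pay.example-provider.com/hpp?session=s_123" title="Payment"></iframe>`,
  directPost: `<script src="https://cdn.example-analytics.net/tag.js"></script>
    <form action="https://pay.example-provider.com/post" method="post">
    <input name="card_number" autocomplete="cc-number"><input name="cvv"></form>`,
  merchantServer: `<form action="/checkout/pay" method="post">
    <input name="cardNumber"><input name="expMonth"><input name="expYear"></form>`,
};

for (const [name, html] of Object.entries(SAMPLES)) {
  const r = classifyCheckout(html);
  console.log(name, '->', r.integration, r.findings, r.thirdPartyScripts);
}
```

Run it with Node and the four samples classify as `redirect`, `hosted-iframe`, `direct-post` and `merchant-server`; only the last two report card fields on the merchant origin, and the DPM sample also lists the analytics host as a third-party script that could read those fields. The check is a heuristic for reviewing your own pages, not a substitute for the provider's integration documentation or a QSA's scoping decision.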

Building a Thriving Online Business
As advances in mobile technology continue to reshape consumer purchasing behavior, hosted payment technologies such as an HPP will keep your online business current and interactive. And the layer of security the customer never sees limits what an attacker who reaches your site can steal, while making annual PCI compliance validation a snap.

If you're considering an online business, or you already have an online business that could use a security and revenue-building boost, I encourage you to explore hosted payment services. You can learn more by giving ControlScan a call at (toll free) 800-825-3301, ext. 2.
