What this new payment security update means for retailers
Credit cards are fast becoming the standard form of payment as cash falls out of favour. According to the UK Cards Association, 32.6 million payments were made by card last year – that’s twice the number of payments seen a decade ago. Furthermore, IMRG reports that a record £104 billion was spent online last year in the UK and that figure is predicted to grow by a further 12% this year.
All the more reason that card payments need to become more secure. Recently the Payment Card Industry council released an updated Data Security Standard (PCI DSS) 3.1 to provide guidelines for retailers facing cybercriminals and attackers who are using increasingly sophisticated means to gain access to protected personal and financial data. So what does this mean for UK businesses and what does the future hold for online businesses that take payments?
Maintaining a positive customer experience
As a merchant, one of the most important aspects of running a successful e-commerce website hinges on the final step – the payment process. With Adobe stating that repeat customers are nine times more likely to complete a purchase than first time shoppers, it’s vital to maintain a good user interface and customer experience to build loyalty. Customer loyalty stems from familiarity, which relies upon consistent branding and feel.
The wider implication for UK merchants with the latest PCI DSS requirements is that in some cases it could affect the look and feel of a website’s shopping portal, which could be hugely problematic for companies that pride themselves on a slick, easy to use and visually appealing shopping experience.
Let’s look at the changes brought by the PCI last year. Under previous standards, retailers that didn’t store data in-house and outsourced that responsibility to a third party didn’t have much red tape to worry about. For most businesses, their only requirement was that they filled out a self-assessment questionnaire and the rest of the work was completed by their outsourced PCI compliant partners. Now, however, the retailer itself is required to do a lot more and it needs specialist resources to do so.
Whereas before, a non-technical merchant employee could complete the compliance questionnaire in a few hours, the newer and more in-depth version requires the expertise of an entire technology team. This is because merchants are now deemed to have an impact on the security of a transaction and therefore their technical infrastructure comes under just as much scrutiny as that of their outsourced partner.
The good news is that these new measures will ultimately help to make card transactions more secure, but the bad news for businesses is that many merchants don’t have the resources in-house to respond to the demands of the latest standards.
One alternative is to embed an Inline Frame (iFrame) into the ecommerce site which is actually hosted by a PCI compliant provider. The iFrame is embedded in the website, and inserts content from another source, usually another website. In this case, the iFrame would transfer the customer to a partner’s side to complete the transaction there, instead of on the actual merchant’s side, therefore removing the compliance burden for the retailer.
The downside of this solution, however, is that the provider’s frame dictates the look of the payment step, in place of the custom user interface that the website currently employs. And having noted that this visual element of a site is so important for merchants to drive sales, it can be burdensome.
The other option is what we at Braintree call ‘hosted fields’. Using hosted fields keeps merchant PCI requirements to a minimum but still allows the freedom to design the user interface. This uses individual iFrames for each data entry field and so only these fields are hosted by the solution provider. The rest of the page is still controlled by the merchant and so the design remains completely within their control, ensuring customers are kept within the one website they wish to browse, surrounded by familiar branding.
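The hosted-fields layout described above, as an added example that is not Braintree's code or part of the original article: a small Node.js audit that flags card inputs rendered directly in the merchant's markup and iframes not served from the provider's origin. The provider origin and both sample pages are constructed placeholders, and the regex scan only handles double-quoted attributes.

```javascript
// Added example: audit checkout markup for the hosted-fields layout.
// Assumption: PROVIDER_ORIGIN is a placeholder for the payment provider's origin.
const PROVIDER_ORIGIN = "https://fields.provider.example";
// autocomplete tokens the HTML standard defines for payment card data
const CARD_TOKENS = ["cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-name"];

function attrs(tag) {
  // Collect attr="value" pairs from one opening tag (double-quoted values only).
  const out = {};
  for (const m of tag.matchAll(/([\w-]+)\s*=\s*"([^"]*)"/g)) out[m[1].toLowerCase()] = m[2];
  return out;
}

function auditCheckout(html) {
  const findings = [];
  let hostedFrames = 0;
  // Card data typed into a native <input> is handled by the merchant's own page.
  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    const a = attrs(tag);
    const tokens = (a.autocomplete || "").toLowerCase().split(/\s+/);
    if (tokens.some((t) => CARD_TOKENS.includes(t))) {
      findings.push(`card input in merchant DOM: ${a.name || a.id || "(unnamed)"}`);
    }
  }
  // Every frame on the payment form should be served by the provider.
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const src = attrs(tag).src || "";
    let origin = null;
    try { origin = new URL(src).origin; } catch { /* relative or empty src */ }
    if (origin === PROVIDER_ORIGIN) hostedFrames += 1;
    else findings.push(`iframe not served by provider: ${src || "(no src)"}`);
  }
  return { hostedFrames, findings };
}

// Constructed sample: merchant-styled form, one provider iframe per card field.
const hostedPage = `<form id="pay">
  <iframe src="https://fields.provider.example/number" title="Card number"></iframe>
  <iframe src="https://fields.provider.example/expiry" title="Expiry"></iframe>
  <iframe src="https://fields.provider.example/cvv" title="CVV"></iframe>
  <input name="email" autocomplete="email">
</form>`;
// Constructed sample: card number collected directly by the merchant page.
const directPage = `<form id="pay">
  <input name="pan" autocomplete="cc-number">
  <iframe src="/widgets/cvv.html"></iframe>
</form>`;

console.log(auditCheckout(hostedPage), auditCheckout(directPage));
```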
Paying lip service to compliance is no longer acceptable
We’re entering an era where merely paying lip service to compliance is no longer adequate. The scope of the new PCI standards shows the extent to which merchants must make their transactions – whether carried out online via a browser or in-app – more secure. It’s true to say that as an industry, improvements are being made to increase security but all it takes is a large scale breach to lay bare the concerns that some shoppers may still have around placing their trust in online payment platforms, and it could even impact a brand’s long-term reputation. But we remain confident, so long as all retailers take their responsibility seriously.
In the future, we’ll see the PCI standards continue to evolve to keep pace with not only the payments landscape, which is changing much quicker than ever before, but those attacking it. And with new services and products demanding new and unconventional payment methods, the industry will have to react quickly to address any potential vulnerability proactively.
John Downey is security lead at Braintree (a division of PayPal).