MasterCard merchants
MasterCard has requirements also, but a different approach. The card association's Site Data Protection Program (SDP) sets a security standard but also offers evaluation tools, access to various vendor solutions, and insurance for financial protection in the event of a compromise.
MasterCard's security standards for merchants can be seen here. It requires merchants to take an e-commerce infrastructure self-assessment test, to check for potential vulnerabilities.
The self-assessment must be completed annually for merchants doing less than 1,000 transactions per month, or $50,000 or less in monthly gross dollar volume. Larger merchants must complete the assessment every quarter. Those that don't meet MasterCard's technical standards during the self-assessment risk fines or other penalties from their account provider (who also faces fines if any merchants are not in compliance).
A MasterCard spokesman told me that both "merchants that process MasterCard transactions [basically any business that accepts credit cards] as well as any third party that stores data on behalf of these merchants are responsible for meeting the standards."
And as with Visa, MasterCard has imposed deadlines to ensure compliance. Most of its merchants must be compliant by June 30.
"MasterCard has implemented a phased-in mandate for SDP that requires high-volume e-commerce merchants as well as all third parties that store data on behalf of these merchants to be compliant with the SDP Security standards beginning June 2004," the spokesman said. "This mandate will then extend to a second tier of merchants [lower-volume merchants] and associated third parties as of June 2005."
One important way that merchants can boost their compliance is through the MasterCard SecureCode for Guaranteed Payments on the Internet tool. The application runs on your Web site and interacts with both the customer and their card issuer. When a customer is checking out, a simple pop-up box appears asking them to enter a private code that has been registered with their bank. The bank then validates that code and provides you with a means of achieving a fully guaranteed transaction.
MasterCard says that 70 percent of e-commerce chargebacks are "cardholder unauthorized," due to cardholders essentially saying, "I didn't do it." SecureCode gives you a way to reduce chargeback and fraud costs, the company says. They also have a helpful Guide to Best Practices for online merchants.
PayPal merchants
With our business, we use PayPal's payment mechanism for all of our online customers (both on eBay and at our main Web site) who want to pay with a Visa or MasterCard or Discover card. That way, the online consumer provides credit card data to and interacts with PayPal, not us -- limiting our exposure to the new requirements.
The Visa spokesman said that "if a PayPal user does not store, process, or transmit Visa account numbers, they should not be impacted" by the new regulations.
Clearly, if you are taking payments directly via a third party's shopping cart technology, one thing you can do is find out whether your vendor is compliant with the new regulations. In fact, don't be afraid to ask -- you're probably liable.
Fortunately, some online shopping infrastructure companies are already highlighting their compliance, such as LaGarde's StoreFront, which points to its use of ClearCommerce's Hardened Commerce.
Other vendors with a variety of secure online payment processing mechanisms include VeriSign, which has all kinds of white papers and guides for e-businesses of all sizes, and CyberSource (which offers a small business center and a downloadable guide to Verified by Visa, a CISP component, and MasterCard SecureCode).
My advice is to always do all you can to avoid nasty surprises in business -- they usually come with an unpleasant little price tag attached, and no one enjoys realizing late at night that they could owe thousands of dollars in unexpected fees.
So when it comes to ensuring credit card processing compliance, be smart, don't panic, perform a little due diligence with your account providers and you'll be fine.
And if you find all the arcane terminology a little too confusing, the Credit Research Foundation has a nice refresher on the language of credit card processing here.
Beth Cox is a contributor to eCommerce-Guide.com.