Posts Tagged ‘PCI compliance’

Launching A Digital Business – PCI

Tuesday, June 14th, 2011

Launching a digital business involves many decisions, but one of the most critical, if not the most critical, that merchants must make is how they become compliant with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS exists to minimize credit card fraud arising from exposure of cardholder data. The PCI standards outline how digital merchants must protect personal information and secure payment transactions, no matter how small or large the merchant is. They cover six key areas, with multiple requirements in each area.

The Six Categories of PCI Standards

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Just as important as the security policies themselves is instilling a corporate culture that augments and supports PCI DSS, so as to minimize incidents like the Sony PlayStation Network security breach.

The Latest PCI Data Security Rules

Despite all the literature, PCI remains an opaque issue, yet it is fundamental to every company that takes some form of credit or debit card payment for its service. New guidance and clarifications in PCI compliance – known as PCI DSS 2.0 – are now upon us, and while the changes from the previous version aren’t huge, understanding them and their impact on your online business is critical.

PCI Compliance Enforcement

There are numerous costs – with financial and business implications – associated with non-compliance, ranging from fees from your acquiring bank to the actual liability of putting cardholder data at risk.  There are various levels of PCI DSS compliance and Vindicia, as a Level 1 Service Provider, goes through the highest audit bar every year, as we’ve done for the past six.  Learn more about how PCI compliance is enforced.

Subscription Billing’s Opposing Forces

Monday, December 6th, 2010

When going to market using subscription billing, there are three diametrically opposed forces fighting you, the person who owns the active subscriber count, as you try to acquire and retain as many customers as possible. These forces are PCI, Account Updater, and customer data ownership. I want to focus on the balancing act between the first two.

These days, one of the primary mechanisms (other than using something like HOA on CashBox) for lowering the compliance burden and the actual risk of card disclosure is tokenization of those cards by your merchant acquirer or gateway. Tokenization is simply an infrastructure at, for example, your gateway that takes the card you obtain from your customer on your checkout page, encrypts it for storage in the gateway’s database, and hands you back a ‘handle’ to that card for future use. It doesn’t remove much of the compliance burden, as credit cards still flow through your web server and thus you still have to fully comply with PCI, but it does lower the risk of actual disclosure and shrinks the scope of your compliance efforts.

A surprising number of merchants are unaware of, or don’t implement, Account Updater, which is available from Visa and Mastercard in North America and parts of Europe (Visa’s overview). Account Updater functions in two ways. The primary way automatically sends you card changes for customers you’ve billed in the last six months, so that you can seamlessly update their card before a billing event. The alternative way is for you to ask, either proactively or after a billing failure, whether there has been an update on any given card. We’ve found that the absolute best result is to run Account Updater in both modes and spend time optimizing the latter mode for specific billing plan frequencies.

Unfortunately, the requirements of Account Updater and its impact on customer retention are at odds with the requirements of tokenization in support of PCI. Most of the tokenization projects at the various vendors do not take the product requirements of Account Updater into consideration. How does one query the Account Updater service for the new card that may have replaced the one that failed, when all you have is a handle to the old card? Unless your vendor has specifically added this to their tokenization implementation, you are hostage to their product roadmap to save some significant percentage of subscriber churn. When you recall that few vendors are focused on the challenges of digital content and services sold by subscription, and that most instead get the bulk of their revenue from merchants selling physical goods as one-time purchases, it makes sense that these tokenization projects have usually not addressed Account Updater functionality.
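As an added illustration (not Vindicia’s, Visa’s or any gateway’s code), here is a toy token vault in which the handle a merchant holds survives an Account Updater change in both modes described above: push, where the network reports a replacement, and pull, where the vault asks on the merchant’s behalf after a failed billing. All card numbers are constructed samples, and the `query_updater` callback is a stand-in for the real Account Updater request.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Card:
    pan: str  # constructed sample PANs only; never returned to the merchant
    exp: str  # MMYY

class TokenVault:
    """Toy vault as it would live at the gateway; the PAN never leaves this class."""

    def __init__(self, index_key: bytes):
        self._key = index_key
        self._cards = {}  # token -> Card (a real vault encrypts these at rest)
        self._by_fp = {}  # keyed PAN fingerprint -> token, lets AU updates find a token

    def _fp(self, pan: str) -> str:
        # HMAC rather than a bare hash so the index cannot be brute-forced over the PAN space
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, card: Card) -> str:
        token = "tok_" + secrets.token_hex(8)  # random handle, unrelated to the PAN
        self._cards[token] = card
        self._by_fp[self._fp(card.pan)] = token
        return token

    def apply_account_update(self, old_pan: str, new_card: Card) -> bool:
        """Push mode: the network says old_pan was replaced; the token stays the same."""
        token = self._by_fp.pop(self._fp(old_pan), None)
        if token is None:
            return False  # unknown or already-updated card: nothing to do
        self._cards[token] = new_card
        self._by_fp[self._fp(new_card.pan)] = token
        return True

    def refresh(self, token: str, query_updater) -> Card:
        """Pull mode: after a failed billing, ask the updater about the card behind the token."""
        card = self._cards[token]
        new_card = query_updater(card)  # stand-in for the real Account Updater request
        if new_card is not None:
            self.apply_account_update(card.pan, new_card)
        return self._cards[token]

    def masked(self, token: str) -> tuple:
        # what the merchant is allowed to see: last four digits and expiry
        card = self._cards[token]
        return card.pan[-4:], card.exp
```

The merchant-side code only ever stores and presents the token, so a card replacement is invisible to it except through the masked last four digits and expiry.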

At Vindicia, we’ve built CashBox to both take you completely out of the PCI compliance burden with HOA and to directly and richly implement Account Updater with our merchant acquirer partners. We’ve also made the commitment to you that your customer data is yours should you want to move on. Once you experience the revenue increase we deliver through increased customer retention, we doubt you will. But that commitment is there to help end the tension between customer data ownership and tokenization as well – which is something I’ll touch on in a later post.

Sharing is Only for Kids

Monday, August 23rd, 2010

I received an interesting email from Visa recently, and it bears wider dissemination. The crux of the message was a reminder that it violates Visa regulations to share card numbers between merchants. This is probably obvious in some contexts (e.g., if you sell your customer list to another company, you had better not pass along their card numbers). In other cases, though, folks may not realize they’re breaking the rules.

Assume you run an online video service.  You have an affiliate that sells pizza.  They allow someone to buy their pizza, then ask the pizza-buyer if they’d also like to rent a movie online.  If so, they route the user to your site.

So far, so good… but this is also where people get into trouble.  If the affiliate passes in basic information (their affiliate ID, the genre of movie in the advertisement, etc.) that’s OK.  However, the affiliate is explicitly prohibited from passing along the payment information.  Would it be more convenient for the customer if the payment info passed in?  Probably.  However, it’s against the Visa regulations.  It’s also a violation of rules with the FTC, unless you have explicit permission to do so from the customer.

Just a friendly reminder to be careful about passing this sort of information between affiliates.

http://www.paymentsnews.com/2010/04/visa-prohibits-web-merchants-from-passing-along-cardholder-info.html

and

http://www.retailing.org/advanced_consent_marketing_guidelines

Eliminate PCI Compliance With Hosted Order Automation

Tuesday, April 20th, 2010

An article in Internet Retailer Magazine discusses the cost burden Payment Card Industry (PCI) regulations place on merchants of various sizes.  Mind-bogglingly, the effort to maintain compliance and pass the annual audit can easily reach $1 million.  To help merchants eliminate this burden altogether, we at Vindicia announced today a new capability in CashBox called Hosted Order Automation (HOA), whereby merchants can completely offload their PCI cost to Vindicia.

Before explaining how HOA works, we’ll briefly describe the background. In a typical online CashBox transaction paid by credit card, a customer who clicks the Buy or Checkout button on a merchant’s site sends his or her credit-card information–securely–to Vindicia for billing. During that process there is a moment when the transaction passes through the merchant’s server. Even if the merchant immediately deletes that credit-card information, the very fact that it touched the merchant’s server requires that the merchant comply with PCI. That’s true even if the merchant is working with a PCI Level 1 Service Provider such as Vindicia.

With HOA, PCI regulations do not apply to merchants who use CashBox because, instead of passing through the merchants’ servers, all credit-card transactions go directly to CashBox.  Not only can those merchants continue to enjoy the other inherent capabilities of CashBox, they still retain control of their customer experience, that is, the look and feel and other user-interface components of the checkout page. Yes, having one’s cake and eating it, too, is actually possible in this situation.

To learn the details about HOA, read its data sheet. Feel free to contact Vindicia for more information or post questions to our community forum.

$40 Million

Wednesday, March 17th, 2010

In my previous post, I alluded to statistics that highlight how Vindicia CashBox helps clients retain customers and thus lift revenue streams.  In a press release issued at the Game Developers Conference in San Francisco in early March, we mentioned these numbers:

  • Over the past year, thanks to our retry logic, Account Updater, and other retention capabilities, our clients gained 10-25 percent more of the customers who failed in their initial attempts to renew subscriptions.  We have seen this trend across all the vertical markets we serve.
  • Take those percentages, aggregate the dollars across our client base over the past year, and you get a total of $40 million. More importantly, this number grows every day as we add clients and as our existing clients’ businesses expand.
  • Our transaction volume has risen by about 45 percent over the past year: We now handle about 250,000 transactions every day while remaining PCI-compliant at the highest levels for the fifth year.

Speaking of PCI compliance, its juxtaposition with cloud computing is catching more and more attention.  If you’re attending Cloud Computing Expo in NYC in April, check out our CTO Brett Thomas’s presentation.  You’ll hear something very novel that will radically change your thinking about PCI compliance in the cloud.  I promise.  Don’t miss that talk!