Credit card processing online can be a scary business. For most of my web development and SEO/SEM clients, I suggest a simple solution: Use Paypal. The initial reaction is Why? Hasn't Paypal been getting some bad press lately?
"Well, yeah," I usually say. "eBay was criticized for switching to Paypal as its only credit card and payment platform. That was criticism about eBay, rather than Paypal; and eBay made this move because there were too many who found ways to avoid the eBay commissions. - They loved the eBay service, and didn't want to have to pay for it."
" --All that shows about Paypal is it is a valuable business resource."
And further, "One of the most significant reasons is good for your online business too. "
"If you use Paypal, you don't have to keep credit card information. It's kept on Paypal. If someone hacks your leased hosting, they won't be able to steal from your customers."
Don't keep the informationOne long term client argues that he has to get the credit card information from his clients because they don't know how, or simply don't want to learn how, to use Paypal or any other payment gateway.
He just tells them to give him the credit card data, and he'll fix them right up. "Leave it with me," he'll say. -- Every time I hear it, I want to cringe.
"If someone hacks your server (where he has only so much control over the security on leased server space), gets a hold of your address book (where he it all down); or even finds one of your scrawled-on-the-back-of-an-envelope notes," I tend to look at his eyes about here." --you could be criminally liable for the results."
He just looks at me and repeats how he usually does it.
His clients and customers aren't computer literate. They don't want to be. And he likes the idea that they trust him.
It's not just a small business problemSmall business has a simple, effective solution to an issue that has yet to be resolved around the globe. A lot of large companies are learning this lesson the hard way.
In light of recent data breaches that have compromised consumer information, such as the potentially massive 2008 Heartland Payment Systems breach, some congressmen are questioning whether the Payment Card Industry Data Security Standards, created and regulated by credit card companies, are sufficiently protecting information.
...
"I have no doubt that compliance to PCI standards are the best line of defense," said Robert Russo, director of the PCI Data Security Standards Council. "We have never found a breached entity to be in full compliance at the time of breach."(CNET)
This has become a very active debate across the Net in the United States.
"I'm concerned that as long as the payment card industry is writing the standards, we'll never see a more secure system," Thompson said. "We in Congress must consider whether we can continue to rely on industry-created standards, particularly if they're inadequate to address the ongoing threat." (comment on Forbes)
NRF Calls PCI Standards ‘Elaborate Patch,’ Tells Congress Retailers Should Not Be Required to Keep Credit Card Numbers (
AOL Money)
“All of us – merchants, banks, credit card companies and our customers – want to eliminate credit card fraud,” NRF (National Retail Federation in the US) Senior Vice President and Chief Information Officer David Hogan said. “But if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place. The bottom line is that it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them.”(ibid)
There is no National Retail Federation in Australia, unfortunately. Retailers instead rely on the government to provide information, and that is commonly inadequate.
More bad news in the world of data security: Companies aren't just losing more of their customers' private information than ever before. Customers are also losing patience with those increasingly common breaches. (Forbes)
In Pictures: 23 Tech Security Terms You Should Know(Forbes)You've got to do your part, too
As an online retailer, you can protect your customers on your own site.
First make sure your payment gateway doesn't require any information to be passed in plain text. If your payment gateway doesn't allow your customers to log into their site to make payments, -- as Paypal does--, then don't use that gateway. It's really that simple. There's no reason to expose your customers information to the store-and-forward series of servers across the Net.
Second, use a secure page for your ordering. You never know what a customer will put in the Notes section of an order.
If you don't have the $2500-$5500 to purchase a certificate from a company like Thawte, use the free SSL certificate provided on any reputable hosting.
A free, unregistered security certificate can be obtained on from most servers. It's nearly as secure as a registered certificate since you'll still be using the same encryption routines.
In some cases, hosting companies will lease you access to a shared certificate. It's a small price to pay for offering your customers a lot of security.
My clients can't be botheredThat's the final word on using secure ordering on a website and a secure payment gateway in Australia: "My clients can't be bothered."
I've got to admit it's a hard one to argue. Australians came late to the Internet and computing. The Howard administration sought persistently to dissuade Australians from using the Internet for personal and business. There's a lot to overcome in this country.
One thing I did note though, the guy never sends his credit card information via email.
SEO/SEM in Australia is a special issue for so many reasons. Join me was we explore. It will be a fascinating and informative journey.
Sphere: Related Content
