Online Payment Processing is an ever-changing industry. Ten years ago, when buying products online was far less prevalent, few could have foreseen the rapid growth of mobile and tablet shopping. It is more complicated than ever for merchants to prepare for all types of data breaches, but it is also more important, as credit card thieves have become increasingly creative.
A simple way to avoid storing credit card data is to use a third party to process orders. For merchants who do not currently use third-party online payment services, these payment companies can ensure that clients pay on time and in full, but there are some downsides. The major services, which include Amazon Payments, Authorize.net, Google Checkout, and PayPal, all have their respective strengths and weaknesses. For example, Amazon Payments allows customers to pay through the information stored in their Amazon accounts, while PayPal allows the merchant to generate and track invoices online. Through all of these services, you can quickly and easily receive payment without having to store credit card data, and opening these accounts is often easier than setting up your own merchant account, which typically incurs higher fees. However, the fact that most sellers send customers to a third-party site can be a definite downside, as it does the last thing an online merchant wants: it takes visitors off the site.
One important factor for web merchants to be aware of is ensuring that they are in compliance with PCI Security Standards, which include the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS). A coalition of five global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.) developed the standards to make sure all credit card data is safely transmitted, so consumers can shop with confidence online, knowing their credit card information will not be compromised.
Compliance with data security programs can be highly beneficial for all types of businesses, as it will lead customers to trust and respect you. However, while PCI does not impose any consequences for non-compliance (though the individual credit card companies often do), not adhering to the standards can result in lawsuits, insurance claims, cancelled accounts, and fines that could put your business in serious peril. As the PCI notes, even one incident can do serious and potentially irreparable harm.
The PCI website gives detailed instructions and guidelines for merchants looking to make sure they are in compliance with the standards. The group provides a list of requirements and recommendations for continuously assessing operations, fixing vulnerabilities, and making required reports to the acquiring bank and card brands that each business works with. The group states, "The PCI DSS follows common sense steps that mirror security best practices. There are three steps for adhering to the PCI DSS, which is not a single event, but a continuous, ongoing process. First, assess: identify cardholder data, take an inventory of your IT assets and business processes for payment card processing, and analyze them for vulnerabilities that could expose cardholder data. Second, remediate: fix vulnerabilities and do not store cardholder data unless you need it. Third, report: compile and submit required remediation validation records, if applicable, and submit compliance reports to the acquiring bank and card brands you do business with."
One of the top priorities for the PCI in 2012 is mobile security. As more consumers shop via their mobile devices, it is harder to keep the data secure. "The adoption of mobile is running rampant, and when it comes to using personal mobile devices, people have not thought about all of the security," PCI SSC general manager Bob Russo said earlier this year. "We have a task force looking at this, and in 2011 we issued some guidance. This year we will be issuing some best practices."
The importance of mobile shopping security is clear. As smartphones evolve into mini-computers, customers are using them at a higher rate. While most online sales are still placed through desktop computers, ecommerce software developer Ability Commerce noted that mobile shopping revenues on Android grew 173 percent in the 2011 holiday season year-over-year, while the iPad, despite generating only one-third of the traffic of the iPhone and Android, generated 33 percent more revenue than the two mobile platforms combined. Mobile commerce is clearly here to stay, as in 2011 both eBay and Amazon recorded more than $1 billion in sales originating from mobile devices, and research by Juniper Networks predicts that mobile payments will reach a total of $600 billion globally by 2013.
As Vangie Beal notes on ecommerce-guide.com, "Mayan prophecies aside, 2012 is all about mobile customers. If you're not mobile, you're simply not competitive. And your ecommerce business will suffer as you lose sales to competitors who provide a good shopping experience on mobile devices. Your customers do everything on mobile devices from accessing promotional coupons and scanning QR codes, to researching products, comparing prices, and making a purchase." She recommended numerous online store and hosting packages with mobile optimization features that all start at under $30 a month, including BigCommerce, Pinnacle Cart, ProStores, Shopify and Volusion. Most services offer a free trial and are optimized for most, if not all, major mobile device and tablet carriers.
Not only are more people viewing content on mobile devices, but many companies have reported that shoppers who do buy on mobile devices purchase at a higher rate than shoppers on computers. Jason Goldberg, CEO of design store Fab.com, reported on his blog that while only 16 percent of Fab's 1.6 million members have downloaded the company's mobile apps, they represent 30 percent of daily traffic, and mobile visitors are twice as likely to make a purchase as desktop shoppers. "We are investing a lot of resources into mobile, and a big eye opener for me is seeing how big the growth has been in mobile usage," he said. "The mobile business is over-indexing compared to the web for purchases. That's across all mobile. And the iPad itself has a significantly higher order value."
With more than 80 million people in the United States currently using smartphones, online merchants need to be prepared by developing and maintaining a mobile presence. Whether that is through a mobile-optimized site or via an app (or both) is debatable; most experts believe that a mobile website is a necessity, while an app is optional. This is primarily because mobile websites are used by all mobile phone carriers, but to reach the same number of customers with an app, you would need to make three separate versions for iPhone, Android, and BlackBerry customers. Because it is triple the cost for the same reach, mobile apps may not be feasible for smaller operations. However, for a larger operation that really wants to extend its reach, an app is flashier and more visually attractive, and can potentially lead to a huge boost in business.
However, we still have a long way to go before mobile shopping becomes the norm. There are still many customers who feel uncomfortable sending their credit card information through their mobile phones. In a recent survey of U.K. consumers, 60 percent of those surveyed said they felt at risk when shopping via mobile, versus only 13 percent when using a home PC or laptop. In addition, 49 percent said they felt frustrated when shopping online using their smartphones, citing difficulty in navigating through websites. While mobile shopping may still be in its infancy, anybody who is not prepared is going to be left in the dust.