European Union – cleverbridge
http://www.clvrbrdg.com/corporate
Thu, 29 Sep 2016 16:58:03 +0000

Three Frameworks for Data Privacy and Information Security
http://www.clvrbrdg.com/corporate/data-privacy-information-security/
Wed, 14 Sep 2016 20:59:58 +0000

The post Three Frameworks for Data Privacy and Information Security appeared first on cleverbridge.

Beyond building a compliant shopping experience, global compliance involves protecting sensitive data like payment and personal information. There are many frameworks that governments and industry groups have created to assist businesses with this complex task. The main ones we discuss in this article are PCI DSS, ISO and GDPR.

PCI DSS

The ability to accept payments online is the backbone of your subscription business. The first rule of online business is to be compliant with the Payment Card Industry Data Security Standards (PCI DSS). What does this mean?

PCI DSS provides a comprehensive roadmap to help organizations ensure the safe handling of cardholder information. This roadmap comprises technical and operational requirements set by the PCI Security Standards Council (PCI SSC) that govern the entire payment process and how data storage is organized.

PCI DSS is organized by six overarching goals/domains:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Customers are increasingly aware of the need to guard their personal information and demand a high level of data security around any electronic transaction they make. PCI DSS compliance allows organizations to stay ahead of security vulnerabilities, prevent fines, and increase overall security levels. This not only allows them to be compliant but also makes them more trustworthy and competitive.

PCI DSS compliance helps protect your business, but your data security vulnerabilities are not limited to the credit card payment information stored on your servers. To fully protect your business, you must widen your scope and make sure that you comply with the body of standards for information technology which falls under the rubric of the ISO27k family.

ISO

The body of standards for information technology security falls under the rubric of the ISO27k family. In the ISO27k scope, each company defines its own assets and assigns each asset a value which results in a hierarchy of importance for all of your company’s assets. Assets include not only credit card information, but all your other payment data.

Additionally, according to the ISO, your assets include data related to “intellectual property, employee details or information entrusted to you by third parties.” Each asset is then assessed for risks that determine what kind of loss would ensue if these assets became threatened by hackers. Implementing security requirements to counter those risks is then determined through the lens of the ISO27k standards.

GDPR

With the recent and continuing data privacy scandals, European governments are revisiting their data governance laws. The General Data Protection Regulation (GDPR), which will be binding on all EU member states, goes into effect in 2018, leaving little time for companies to get compliant.

What GDPR Means for US Companies

US companies don’t fully understand how seriously Europeans value their privacy or even what Europeans consider to be personal information. It’s not just social security numbers and credit card information. Europeans consider their names, addresses and email addresses to be personal information that companies do not have automatic rights to collect and use.

When the GDPR goes into effect in 2018, it will be applicable to every organization in the EU. Not only that, it is applicable whenever you are collecting data from a natural person in the EU, related to offering them goods or services or monitoring their behavior.

Other Key Data Privacy Changes:

DPO

U.S. companies must have a data protection officer (DPO). This is already required under German law.

Privacy by design

Privacy must be considered during product development. How do you implement this? How do you train developers? You might need privacy engineers, and that means hiring more employees. US companies don’t have this mindset of even paying attention to these issues. And, of course, these issues slow down the time to market. In other words: costs, costs, and more costs.

Privacy risk assessment

Whenever you implement a new process or product, you need to document how it affects the risk to personal data. This is another resource-intensive rule in terms of time and cost to your business, especially when it comes to time to market.

One stop shop — Data Protection Agency (DPA)

In the past, depending on your business, you had to comply with separate regulations in different countries (UK, Germany, France, etc.). With GDPR, you have to choose one country standard (they will all be the same anyway) and establish a relationship with a local data protection authority. Every member state will have a DPA to field complaints from consumers, audit your business, and answer your questions; it is also the body you would have to notify in the event of a security breach.

Data transfers

The GDPR limits data transfers from outside the EU/EEA (European Economic Area). An agreement between the EU and the US called Safe Harbor used to govern data transfers between the US and the EU, but that provision was struck down in 2015. As of August 2016, companies can apply for the Privacy Shield. Based in part on the rules of GDPR, the requirements for achieving the Privacy Shield are more robust than what was required under Safe Harbor.

Data portability

Whenever a consumer wants to change to a different provider, she can ask the provider to supply the data to the new provider or ask them to delete her data.

Fines and penalties

If you’re not persuaded to revisit your data governance practices yet, consider the steep penalties. Fines for collecting or using data in a forbidden way under the new GDPR can reach €20 million or 4 percent of annual revenue. That’s not to mention the damage a violation can do to your reputation. As we said before, it’s not just an issue of breaking the law; it’s also about eroding customer confidence.

Keystone

If the growth of your primary customer base is stagnating, it’s solid business advice to say that you should look for other markets in which to trade. Knowing how to protect your business will ensure that your efforts at improving your market share in key target markets will lead to more subscribers, more recurring revenue and greater customer lifetime value. Your alternative is plunging into uncharted territory without guidance, a good way to afflict your business with rising customer complaints, lawsuits and regulatory fines.

Daniela Hagen and Vincent Schwarz contributed to this blog post.

Ecommerce Eye Candy – European Ecommerce News [Video]
http://www.clvrbrdg.com/corporate/ecommerce-eye-candy-european-ecommerce-news-video/
Mon, 13 Apr 2015 20:22:41 +0000

The following video, European Ecommerce Faces Shake Up from Webcertain TV, discusses, among other things, the EU’s attempt to forge a Digital Single Market.

According to Wikipedia, a single market is, “A type of trade bloc in which most trade barriers have been removed (for goods) with some common policies on product regulation.”

It is further stated on the European Commission’s website that, “The single market is all about bringing down barriers and simplifying existing rules to enable everyone in the EU – individuals, consumers and businesses – to make the most of the opportunities offered to them by having direct access to 28 countries and 503 million people.”

Simply put, the EU is trying to simplify trade between consumers and businesses in member states.

Digital Single Market and geo-blocking

Remember when Orbitz was found displaying more expensive hotels to Apple users? Apparently, it is problematic for the EU when companies sell items at different prices to consumers in different countries. This practice is often called geo-blocking, and it is affecting the EU’s ability to complete its goal of a Digital Single Market.

But not all businesses consider the EU’s attempt to curtail geo-blocking a good thing.

As I searched through Twitter’s #geoblocking stream, I found a link to this article arguing that the EC’s desire for a unified digital market will actually restrict the market’s freedom to thrive competitively.

How will it affect your software business?

Consider, for example, a situation where you can only display one price for a product to all consumers. Without the ability to display different prices in different locations, businesses will find it difficult to maximize profits from countries with higher GDP per capita because they will be prevented from extracting as much value from their products. They will also be unsuccessful in converting consumers from countries with lower GDP per capita because they will not convert at the same rate as they would with a lower price. Specifically, consumers in a country with a relatively high GDP per capita like Luxembourg will convert at a higher rate because they are getting a pretty good deal (while your business leaves money on the table), while consumers in a country like Romania will not be able to afford the product (thus damming a potential revenue stream for you).

Another hardship that arises with this idea revolves around exchange rates. Will businesses be forced to update their websites every day with the current exchange rates for countries that do not use the euro? Solving the complexity around this issue will require additional tools and people at a cost to your business.

Watch the rest of the video to find out about:

  • Global online consumer demographics
  • The Russian ecommerce market
  • Privacy issues with cookies in the EU

Know the VAT Rules? Think Again, They Are Changing
http://www.clvrbrdg.com/corporate/changing-eu-vat-rules-digital-products/
Wed, 09 Jul 2014 20:42:36 +0000

In July 2003, the European Union (EU) began charging Value Added Tax (VAT) on digital transactions that occur within the European Union (See EU Directive 2002/38/EC, May 7, 2002). To European businesses and consumers, the rules for the past decade have been fairly straightforward. However, to companies outside of the EU, VAT collection is a tricky process that causes confusion. Now that the rules are changing again, software manufacturers everywhere need help understanding how these changes impact their business.

2003 VAT Rules

The interesting thing about the 2003 EU VAT directive is that it made calculating VAT rates a source-based system. A source-based system means a VAT rate is determined by the seller’s location. For example, if a business is headquartered in Paris, all their online store transactions with European consumers would include France’s 19.6 percent VAT rate in the price.

While these 2003 regulations simplified VAT calculations for online merchants selling in the EU, they created a loophole for businesses looking to charge the lowest VAT rate. Some companies set up shop in a country with a lower VAT rate to allow the legal transaction to occur in that country. For a company in Luxembourg the VAT rate is 14 percent, thus lowering the cost of a digital product when compared to countries with higher VAT rates, like Hungary or Denmark.

2015 VAT Rules

To combat companies setting up dummy corporations for tax sheltering purposes, the EU created new rules that changed VAT assessment to a destination-based tax structure. Starting in January 2015, VAT rates will be based on where the customer resides, not on where the legal entity selling the product is located. This change eliminates corporate tax gymnastics while likely providing EU governments with higher revenue.

[Figure: Current EU rules]

[Figure: Planned EU VAT rules]

So how does this change impact your online store? We have identified several pricing issues we believe will affect your online store’s performance.

Pricing Challenges

When a European customer sees a price on a product page, they assume they are looking at the gross price with taxes included. This contrasts with US consumers who assume the price on a product page is the net price and that taxes will be added on to the price later.

With the 2003 regulations, as long as you presented gross prices to EU consumers, the net price in your cart was static because you were only assessing VAT according to a single rate. The 2015 VAT rules make pricing your product more complicated. There is now an inherent conflict between making things simpler for the business and making them simpler for the consumer.

If you want to make things easier for the consumer, the solution is to configure every single cart to always display a single VAT-inclusive price to European shoppers, say 22,95€. This price is displayed on the product page, when the customer enters the shopping cart and after the customer fills out all their billing information.

So, if you’re selling to a German customer, they are paying 22,95€, and when you sell to a Danish customer, they are also paying 22,95€. The difference is in how much actual income you are collecting and how much VAT you are collecting.

With the German customer you are collecting 19,29€ in revenue and 3,66€ in VAT, and with the Danish customer you are collecting 18,36€ in revenue and 4,59€ in VAT. You can see why this could be problematic for merchants trying to maximize profit.

The alternative approach is an abrasive customer journey that creates ugly price displays but maximizes merchant revenues. It means that you as a seller are looking to generate the exact same net revenue on every single transaction. With this approach, different consumers from different countries are paying different gross prices in your shopping cart.

For example, a merchant wants to generate 20€ of net income on every transaction. When a German consumer buys from this merchant, they will end up paying 19 percent VAT and a gross price of 23,80€. When a Danish consumer buys the exact same product, they will end up paying a 25 percent VAT and a gross price of 25,00€.

Every business must decide which direction it wants to take. The choice comes down to whether to make business operations easier for the merchant or to make the checkout process easier for the consumer.

Keystone

Make sure your ecommerce partner is keeping your business compliant in Europe. While most of the complications from VAT rules in Europe will be handled through your ecommerce partner, you, as a merchant, have to begin rethinking how you display prices to European visitors.

Please note: This blog post contains no actual legal advice. This is our interpretation of the impact of the 2015 VAT regulations. However, you should still contact your tax adviser for any questions you have about the impact of new VAT rules on your business.

Selling Globally? Tax Tips You Need Now
http://www.clvrbrdg.com/corporate/global-e-commerce-tax-tips/
Wed, 18 Aug 2010 13:18:16 +0000

The advent of ecommerce brought global selling to the masses. Buyers across the globe can now easily find your products thanks to online selling. Although ecommerce removed many barriers to global selling, new challenges have appeared. One of the most important topics to consider is how to price your products to make sure you are presenting each country’s taxes in a way that is customary to the local buyer.

Tax prices are presented in a variety of different ways depending on which country buyers are from. And you must present the taxes in the way buyers are used to seeing them, so as not to raise suspicion and risk abandonment.

Customers want to make sure they are buying from a legitimate source. Presenting taxes incorrectly raises a red flag in their minds. Think about it: would you purchase a product from a site that displayed your local tax in a way you have never seen before?

In the U.S., sales tax is added onto the marketed price. Customers who go to a brick-and-mortar store are used to seeing a price of $99 knowing they will pay more than that for the product. In Illinois, the sales tax is 9.75 percent, which means that the tax on a $99 product is $9.65. So, on a website, the product would be advertised for a price of $99. However, once the U.S. customer enters the shopping cart, the tax is displayed and added to the price. This is how U.S. customers are used to seeing prices, so this is how they expect it will be displayed in the cart.

In the U.S., sales tax is set at the state, county and city levels, so the rate varies widely across the country and within individual states. For example, the sales tax in the state of Indiana, which shares a border with Illinois, is between 8 percent and 9 percent.

 

[Figure: Sales Tax Calculation in Cart (TemplateZone.com)]

In the European Union, however, Value Added Tax (VAT) is a tax on the perceived value of a product and is marketed as a component of the final price. Customers who see an advertised price of €99 will pay exactly €99 at the register. Often, an additional note on the marketed price indicates how much of that marketed price is actually the VAT.

For example, a €99 product for sale in Germany appears with a disclaimer that €19 of that amount is due to the 19 percent VAT in Germany. EU VAT varies by country. For example, the UK VAT is set at 17.5 percent, Germany at 19 percent and Denmark at 25 percent. There are a few exceptions to these flat, countrywide rates for restaurants and food, but these are accurate for most products.

[Figure: VAT Calculation in Cart (Acronis.com)]

Keystone

As you can see, it’s important to be aware of not only what the tax rate is for a country when selling globally, but also how to present it to customers. Make sure your ecommerce store supports these small details; they make a huge difference in abandonment rates.
