PCI – cleverbridge (http://www.clvrbrdg.com/corporate)

Three Frameworks for Data Privacy and Information Security
http://www.clvrbrdg.com/corporate/data-privacy-information-security/ | Wed, 14 Sep 2016 20:59:58 +0000

The post Three Frameworks for Data Privacy and Information Security appeared first on cleverbridge.

Beyond building a compliant shopping experience, global compliance involves protecting sensitive data like payment and personal information. There are many frameworks that governments and industry groups have created to assist businesses with this complex task. The main ones we discuss in this article are PCI DSS, ISO and GDPR.

PCI DSS

The ability to accept payments online is the backbone of your subscription business. The first rule of online business is to comply with the Payment Card Industry Data Security Standard (PCI DSS). What does this mean?

PCI DSS provides a comprehensive road-map to help organizations ensure the safe handling of cardholder information. This road-map comprises technical and operational requirements set by the PCI Security Standards Council (PCI SSC) that govern how cardholder data is processed, transmitted and stored across the entire payment process, and they apply to every system that touches that data.

PCI DSS is organized by six overarching goals, which group its twelve requirements:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Customers are increasingly aware of the need to guard their personal information and demand a high level of data security around any electronic transaction they make. PCI DSS compliance allows organizations to stay ahead of security vulnerabilities, prevent fines, and increase overall security levels. This not only allows them to be compliant but also makes them more trustworthy and competitive.

PCI DSS compliance helps protect your business, but your data security vulnerabilities are not limited to the credit card payment information stored on your servers. To fully protect your business, you must widen your scope to the information security standards of the ISO27k family.

ISO

The body of information security standards falls under the rubric of the ISO27k family (ISO/IEC 27000 and its relatives; ISO/IEC 27001 is the certifiable requirements standard). Under ISO27k, each company inventories its own information assets and assigns each one a value, which yields a hierarchy of importance across all of your company's assets. Assets include not only credit card information, but all of your other payment data.

Additionally, according to the ISO, your assets include data related to "intellectual property, employee details or information entrusted to you by third parties." Each asset is then assessed for risk: which threats could affect it, how likely they are, and what loss would ensue if the asset were compromised by hackers. The security controls you implement to treat those risks are then chosen and documented through the lens of the ISO27k standards.

GDPR

With the recent and continuing data privacy scandals, European governments are revisiting their data governance laws. The General Data Protection Regulation (GDPR), adopted in April 2016, is a regulation rather than a directive, so it binds every EU member state directly without national implementing laws. It applies from 25 May 2018, leaving little time for companies to get compliant.

What GDPR Means for US Companies

US companies don’t fully understand how seriously Europeans value their privacy or even what Europeans consider to be personal information. It’s not just social security numbers and credit card information. Europeans consider their names, addresses and email addresses to be personal information that companies do not have automatic rights to collect and use.

When the GDPR applies from 2018, it will bind every organization established in the EU. It also applies to organizations outside the EU whenever they process personal data of people in the EU in connection with offering them goods or services (paid or free) or monitoring their behavior.

Other key data privacy changes:

DPO

Many companies will have to appoint a data protection officer (DPO). Under the GDPR a DPO is mandatory for public authorities and for any organization whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data such as health data. Germany already requires most companies to appoint one under its federal data protection law, so this is nothing new for German firms, but it is for many U.S. companies.

Privacy by design

Privacy must be considered during product development; the GDPR calls this data protection by design and by default. How do you implement this? How do you train developers? You might need privacy engineers, and that means hiring more employees. Few US companies have built the habit of paying attention to these issues, and, of course, doing so slows down the time to market. In other words: costs, costs, and more costs.

Privacy risk assessment

Whenever you implement a new process or product that is likely to pose a high risk to individuals (profiling, large-scale processing of sensitive data, systematic monitoring), you must carry out and document a data protection impact assessment (DPIA) describing the processing, the risks to personal data and the measures you take to address them. This is another resource-intensive rule in terms of time and cost to your business, especially when it comes to time to market.

One stop shop: lead Data Protection Authority (DPA)

In the past, depending on your business, you had to deal separately with the regulators in different countries (UK, Germany, France, etc.). Under the GDPR the rules are the same across the EU, and the supervisory authority of the member state where you have your main establishment acts as your lead data protection authority; for a U.S. company that means the country where its EU headquarters or its main processing decisions sit. Every member state has a DPA to field complaints from consumers, audit your business, answer your questions, and be notified, within 72 hours of your becoming aware of it, in the event of a personal data breach.

Data transfers

The GDPR restricts transfers of personal data out of the EU/EEA (European Economic Area) to countries that do not offer an adequate level of protection. An agreement between the EU and the US called Safe Harbor used to cover transfers from the EU to the US, but the Court of Justice of the EU invalidated it in October 2015. Since August 2016, companies can self-certify under its replacement, the EU-US Privacy Shield. Designed with the GDPR in mind, the requirements for Privacy Shield are more robust than those of Safe Harbor.

Data portability

Whenever a consumer wants to change to a different provider, she has the right to receive the personal data she provided in a structured, commonly used, machine-readable format and, where technically feasible, to have it transmitted directly to the new provider. This is separate from the right to erasure: she can also ask the old provider to delete her data.

Fines and penalties

If you're not persuaded to revisit your data governance practices yet, consider the steep penalties. Fines for collecting or using data in a forbidden way under the GDPR can reach €20 million or 4 percent of worldwide annual turnover, whichever is higher. That's not to mention the damage a violation can do to your reputation. As we said before, it's not just an issue of breaking the law; it's also about eroding customer confidence.

Keystone

If the growth of your primary customer base is stagnating, it's solid business advice to look for other markets in which to trade. Knowing how to protect your business, and your customers' data, ensures that your efforts at improving your market share in key target markets lead to more subscribers, more recurring revenue and greater customer lifetime value. The alternative is plunging into uncharted territory without guidance, a good way to saddle your business with rising customer complaints, lawsuits and regulatory fines.

Daniela Hagen and Vincent Schwarz contributed to this blog post.


August Subscription Digest
http://www.clvrbrdg.com/corporate/august-subscription-digest/ | Wed, 31 Aug 2016 21:22:49 +0000

The post August Subscription Digest appeared first on cleverbridge.

While August saw the Olympic Torch lit and extinguished in Rio, we continued our exploration of what it takes to succeed in growing recurring revenues while also mitigating risk and reducing costs. This month, we wrote about fraud prevention, the complexity of subscriptions, and the hidden costs of subscription billing. Our August Digest examines Uber’s debut of time-based, flat-rate subscriptions, the customer journey, the benefits of security standards and a new sales tax bill in the U.S. Congress.

Subscription Billing

Uber pilots subscription pricing to lift loyalty | The San Diego Union-Tribune
There are lots of ways to slice and dice subscription pricing and billing. As Craig noted in our video on subscription billing last week, it was only a matter of time before Uber disrupted their own business model by looking at alternative ways to generate recurring revenue. Uber traditionally used on-demand, usage-based billing to monetize their service, but according to this article from the San Diego Union-Tribune by Jennifer Van Grove, Uber is piloting pricing and billing that is based on a regularly-scheduled flat-rate model. Begin asking yourself if there are any opportunities to provide more value to both your business and customers by experimenting with your pricing and billing models. Disrupting your business model might mean the difference between growth and stagnation.

Customer Experience

From Brand to Buy: Build Everything Around the Customer’s Experience | Advertising Week
To increase recurring revenue, you need to nurture customers through the entire customer journey from attract, engage and acquire to retain and grow. This article from Advertising Week uses an excellent metaphor of a bowl of spaghetti to explain that journey. Your buyers take a long and winding road toward becoming loyal subscribers, and it’s an eternal struggle for marketers to figure out what message results in a mutually beneficial long-term relationship between buyer and seller. That struggle is compounded by trying to figure out where and when to deliver that message. To reduce costs and the burden on your IT team, it’s necessary to create a network of connected data sources including your CRM, email marketing tool, payment platform and subscription engine.

Once your infrastructure is aligned, your job is to focus on what your customers need and what value you can provide. That value isn’t just about the user experience in the product. It’s about convenience at every stage of the journey. As the article says, it’s more than likely you don’t have the resources to approach each and every customer individually. That means you have to use your resources wisely.

Segment your customer database to support different needs at different times. You have free trial users, super users who need to upgrade plans, casual users who need to renew, and expired or canceled subscribers who you want to win back to your business. Each type of customer needs a different type of message. Your goal should be to increase customer satisfaction by providing a consistent brand experience from subscribe to renew.

Global Compliance

Data privacy and information security

PCI DSS – It Takes a Village | CSO
Do security standards like PCI DSS hinder or facilitate business growth? On the one hand, complying with these standards places a significant burden on merchants who rely on credit card payments for their revenue. On the other hand, without these standards in place, these businesses would be at greater risk from hackers and cybercriminals. This article from CSO makes the latter argument. While acknowledging PCI DSS as a work in progress, the author explains the different ways it protects businesses. The author also shows how PCI SSC works with businesses to reduce the burden of compliance.

Online sales tax

Goodlatte’s Internet Sales Tax Plan Is Better, but Still Falls Short | The Daily Signal
One of the major headaches for online businesses is staying current on constantly changing tax laws. Your tax exposure depends on the location of your business and customers, the type of product or service you provide and other variables. The debate in the U.S. has been going on for a while. Congress has tried several times to pass legislation to address the disadvantage brick-and-mortar retailers have traditionally felt against online businesses, but those bills tended to die along the way. Now it looks like a new bill will be introduced to establish “simple” federal rules for how online businesses calculate, collect and remit sales tax. This is clearly just the beginning of a long debate, but stay tuned for how it impacts your business.

If you are interested in learning more about the connection between subscription billing, customer experience and global compliance, check out our Resources section.


January Ecommerce Digest
http://www.clvrbrdg.com/corporate/january-e-commerce-digest-4/ | Thu, 29 Jan 2015 03:42:08 +0000

The post January Ecommerce Digest appeared first on cleverbridge.

I hope your year started off well, with lots of conversions and completed checkout processes. To help those individuals and teams responsible for generating ecommerce revenue, we spent this month sharing knowledge and understanding for improving your performance. We focused on the importance of the customer experience and proactively managing your customer relationships; Google’s policy on unwanted software; and the importance of protecting all your data assets.

For this year’s January Ecommerce Digest, we’ve curated some informative blog posts centered on content marketing, different traffic sources, compliance management and how to appeal to consumers in Canada.

Content Marketing

Getting Started With Content Marketing | HubSpot
This blog post addresses a key concern of online businesses everywhere: how to stand out from the competition and generate leads for one's business. Content marketing is increasingly seen as an effective medium for achieving both of those goals. With content marketing, you're not just explaining your product features, or even that your business is an expert in its field. Compelling content marketing actually educates and assists your audience. It is an excellent way to start conversations with prospects and with those whose business you are trying to retain. With the advances in semantic search capabilities, content marketing is also an investment in SEO, which increases the chances of prospective buyers finding your site.

This blog post teaches us nine important lessons that the author gained on the way to using content marketing to generate marketing qualified leads (MQLs).

Traffic Sources

7 Ways to Get Traffic and Leads When Google Won’t Send Them | Moz

Though the YouMoz blog usually features content about SEO and improving your results on search engines, this post atypically, but helpfully, offers us guidance on generating traffic from channels other than search. As a follow up to the previous entry that discussed some of the why and how of content marketing, this post emphasizes using your content to generate traffic through social media, affiliate marketing, and incredibly, iTunes.

PCI and Compliance Management

Maintaining PCI Compliance a Showstopper for Many Retailers | Verizon

“Of all the data breaches studied, Verizon’s findings clearly show that not a single company was fully PCI-compliant at the time of the breach.” – Verizon’s PCI Report

A new PCI report from Verizon divulges two startling pieces of information. The first is that not one company in the report that experienced a data breach was fully PCI compliant at the time of the breach. The second is that, according to the report, less than one third of companies maintain their PCI compliance for an entire year after being validated. And, as we noted in an earlier blog post, PCI standards alone are not enough to protect all of your information assets from illicit exposure.

Canadian Customer Experiences

Brand Loyalty, Trust Keys to Canadian Consumers
This post sheds some light on the concerns of Canadian consumers. It explains that while consumers in the U.S. are typically motivated by finding the best deal, their neighbors to the north are more concerned with finding the best relationship. And this understanding ties in very well with a focus on providing better customer experiences. The goal then, is not to focus on mere transactions, but on your customers’ needs as a whole.

For further advice on improving your ecommerce performance, check out our Six Guides on Ecommerce Essentials.


Data Security: Why PCI DSS Alone Doesn't Cut It
http://www.clvrbrdg.com/corporate/data-security-and-pci-compliance/ | Thu, 22 Jan 2015 02:45:29 +0000

The post Data Security: Why PCI DSS Alone Doesn’t Cut It appeared first on cleverbridge.

A few months ago, Daniela Hagen, the Compliance Director at cleverbridge, shared some of her expertise with Software Advice, an IT security research firm, in their post on 6 Popular Ecommerce PCI DSS Myths Explained. In that article, we learned that even if you outsource your ecommerce capabilities, you should still know and understand what it means for your business to comply with the ever-important requirements of PCI DSS (the Payment Card Industry Data Security Standard). For example, if your payment processing is outsourced to a third-party provider but you accept card numbers from customers over the phone, then the VoIP phone system that carries those calls, and any recordings of them, is in scope for PCI DSS.

This type of information is extremely important for independent software vendors. In our Safety First: Security Standards for Ecommerce post, Hagen noted that your "Customers are increasingly aware of the need to guard their personal information and demand a high level of data security around any electronic transaction they make." Furthermore, "PCI DSS compliance allows organizations to stay ahead of security vulnerabilities, prevent fines, and increase overall security levels; this not only allows them to be compliant but also makes them more trustworthy and competitive."

Suffice to say, data security has a significant impact on your bottom line: not just in terms of the costs of compliance, but also in terms of the revenue that customers provide your business.

The difference between PCI compliance and PCI certification

PCI compliance means that every merchant and service provider that stores, processes or transmits cardholder data must adhere to the standard, currently the 112-page PCI DSS Requirements and Security Assessment Procedures published by the PCI SSC (Security Standards Council).

What is commonly called PCI certification is formal validation of that compliance. It is required for merchants above a transaction threshold (Level 1: more than six million card transactions per year for the major brands), who must undergo an annual on-site assessment by a Qualified Security Assessor, documented in a Report on Compliance. According to the PCI SSC and the card brands, that volume of activity places those companies in a higher-risk category than those that process fewer transactions.

Companies that process fewer transactions still have to be PCI compliant, but compliance in this case is validated primarily through self-assessment. Self-assessment is less rigorous than an on-site assessment: it does not require an external audit, and its veracity is rarely investigated. Its effectiveness can also be undermined when it is performed by an internal security expert, because those experts are employees of the companies they are assessing. They are often beholden to the company's business processes, or the executive team's opinions, which can trump actual security requirements. A Level 1 assessment, by contrast, is much more rigorous and requires an outside audit by a Qualified Security Assessor (QSA).

Now, even if you are certified PCI compliant by an external assessor, does it mean that your business is completely secure? Nope. Rippleshot’s Evaluating PCI Standards in the Wake of High-Profile Security Breaches blog post concludes that, “Even if a retailer is PCI compliant, said retailer can still fall victim to a data breach.” With all the brouhaha surrounding PCI compliance we’ll need to understand why it isn’t enough to protect your entire business, and what you can do to strengthen your information security.

We all remember what happened when companies like Target and Home Depot suffered data breaches. Target, for example, had been validated as PCI DSS compliant in September 2013, about two months before its breach, and that validation did not protect it. Meeting the minimum set of requirements is not the same as plugging every hole, so to speak. What went wrong?

The fact is that PCI DSS requirements are much too limited in scope to protect your entire business, according to Hagen. Think about all the other payment methods your customers use to complete their orders through your online shopping cart. If you want to see success in today's global ecommerce market, it's not enough to rely entirely on credit card payments, yet the regional payment methods customers prefer, like direct debit in Germany, Konbini in Japan or Boleto in Brazil, involve bank account details and personal data that PCI DSS does not cover at all. Protecting that data, and the customer trust that goes with it, is entirely up to you.

So, the first rule of ecommerce is be PCI compliant.

Rule number two is broaden your horizons; widen your scope.

International Organization for Standardization (ISO)

The ISO predates PCI and covers a far wider range of subjects. For example, quality management is defined by the ISO 9000 family of standards, and food safety management by ISO 22000. Information security falls under the rubric of the ISO/IEC 27000 family, of which ISO/IEC 27001 is the certifiable standard. As their website notes, "Like other ISO management system standards, certification to ISO/IEC 27001 is possible but not obligatory. Some organizations choose to implement the standard in order to benefit from the best practice it contains while others decide they also want to get certified to reassure customers and clients that its recommendations have been followed. ISO does not perform certification."

In the ISO scope, each company defines its own assets and assigns each asset a value, which results in a hierarchy of importance for all of your company's assets. Assets include not only credit card information but all your other payment data. Additionally, your assets include data related to "intellectual property, employee details or information entrusted to you by third parties." Each asset is then assessed for risk: which threats could affect it, how likely they are, and what kind of loss would ensue if the asset were compromised by hackers. The security requirements you implement to counter those risks are then determined through the lens of the ISO 27001 standard.

The PCI SSC essentially took this asset-and-risk approach and framed it exclusively around cardholder data. Hagen, therefore, recommends that when you're trying to determine your information security requirements you should not limit your scope to PCI standards; rather, you should incorporate those from ISO as well.

Protect yourself, but be prepared

The only 100 percent, surefire way to protect your customer data is to stop processing payments completely, but then you won't have a business. And even with all the compliance standards in place, a savvy hacker may one day infiltrate the bunker that stores your data. You need a strategy for that event. The last thing you need is to be caught off guard by a security breach. Now is the time to decide what information you need to communicate, to whom, and how you are going to communicate it.

An information security breach will be painful no matter how much you prepare; your strategy should be to minimize the consequences as much as possible. Explain what happened and how you are fixing it. The main thing is not to run around like a chicken with its head cut off.

Keystone

PCI DSS compliance helps protect your business, but your data security vulnerabilities are not limited to the credit card payment information stored on your servers. Ensure that you are protecting all your business assets, and establish procedures for limiting the fallout of a data breach.


Safety First: Security Standards for Ecommerce Solutions
http://www.clvrbrdg.com/corporate/safety-first-security-standards-for-e-commerce-solutions/ | Tue, 16 Aug 2011 21:48:15 +0000

The post Safety First: Security Standards for Ecommerce Solutions appeared first on cleverbridge.

Identity theft and fraud attempts are global problems. Since 2005, the Privacy Rights Clearinghouse estimates that more than 500 million records containing sensitive data have been breached. To combat this threat, the five major card brands (Visa, MasterCard, American Express, Discover and JCB) aligned their individual security programs into the Payment Card Industry Data Security Standard (PCI DSS), first published in December 2004, and in 2006 formed the PCI Security Standards Council to maintain it.

For those conducting business online, complying with these standards is crucial to protecting your organization and your customers.

“Customers are increasingly aware of the need to guard their personal information and demand a high level of data security around any electronic transaction they make,” says Daniela Hagen, a compliance manager at cleverbridge, a global ecommerce provider for digital products. “PCI DSS compliance allows organizations to stay ahead of security vulnerabilities, prevent fines, and increase overall security levels; this not only allows them to be compliant but also makes them more trustworthy and competitive.”

In this post, we highlight three prominent security standards and explain why you should strive for compliance as soon as possible.

PCI DSS


In 2005-2006, hackers stole more than 90 million customer credit and debit card numbers from TJX Companies. Investigators discovered that TJX did not adequately follow PCI standards, and as a result, the U.S. government estimated that companies, banks and insurers lost close to $200 million.

PCI DSS provides a comprehensive road-map to help organizations ensure the safe handling of cardholder information. This road-map comprises technical and operational requirements set by the PCI Security Standards Council (PCI SSC) that rule over the entire payment process and data storage organization. Merchants and service providers are classified by transaction volume over a 12-month period to determine the level of PCI guidelines to follow.

PCI DSS is organized by six overarching goals, which group its twelve requirements:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Version 2.0, released by the PCI SSC in October 2010 and in effect from January 2011, updated the standard to reflect changes in technology and emerging security pitfalls. It adds guidance and clarification to the earlier edition rather than wholly new requirements.

If your ecommerce system is maintained internally, your organization must comply with PCI DSS. If you outsource your ecommerce solution, make sure your ecommerce provider does, and confirm which requirements remain yours: anything on your side that still touches card data, such as a payment page you host, stays in scope. Visit the PCI SSC website and complete the Self-Assessment Questionnaire (SAQ) that matches how you handle card data to determine your security readiness.
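Two of the goals listed above, "Protect cardholder data" and "Regularly monitor and test networks" (the same list appears in the 2016 "Three Frameworks" post earlier on this page), have a concrete check behind them that neither post shows. PCI DSS requires that a primary account number (PAN) be masked wherever it is displayed, with at most the first six and last four digits visible, and that sensitive authentication data such as the CVV never be retained after authorization. Full card numbers leaking into application logs is one of the most common ways a merchant fails an assessment. The scanner below is an added example, not code from cleverbridge or from the PCI SSC: it uses the Luhn check that every card PAN satisfies to separate real card numbers from other digit strings (order IDs, phone numbers, timestamps), reports and masks every hit, and runs over constructed log lines that contain only the card brands' published test numbers.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample log lines (not taken from the page). The card numbers are
# the card brands' published test PANs, not real accounts.
SAMPLE_LOG = """\
2016-09-14T20:59:58Z INFO  order=10042 amount=49.00 card=************1111 status=approved
2016-09-14T21:00:03Z DEBUG gateway request body: {"pan":"4111111111111111","exp":"1219","cvv":"123"}
2016-09-14T21:00:05Z INFO  order=10043 phone=+1 312 555 0100 status=pending
2016-09-14T21:00:09Z ERROR auth failed for 5500 0000 0000 0004, retrying
"""

# A PAN candidate is 13-19 digits, optionally separated by single spaces or
# dashes, with no further digit immediately before or after it.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check that card PANs satisfy."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: only the first six and last four digits stay visible."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _pan_from_match(m) -> Optional[str]:
    """Return the PAN digits if a regex hit is a Luhn-valid PAN, else None."""
    digits = re.sub(r"[ -]", "", m.group(0))
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Scan log text for Luhn-valid PANs; return (line_number, pan) pairs."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _PAN_CANDIDATE.finditer(line):
            pan = _pan_from_match(m)
            if pan is not None:
                hits.append((lineno, pan))
    return hits


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form; other digit runs are untouched."""
    def _sub(m):
        pan = _pan_from_match(m)
        return mask_pan(pan) if pan is not None else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for lineno, pan in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: full PAN logged, masked form {mask_pan(pan)}")
    print(redact_pans(SAMPLE_LOG))
```

Running it flags lines 2 and 4 and leaves the order number and the 11-digit phone number on line 3 alone, because neither is long enough to be a PAN. Note what the scanner cannot do: line 2 also logs a CVV, which PCI DSS forbids storing at all, and no Luhn check will find a three-digit code. The fix there is not redaction but never logging request bodies from the payment path in the first place.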

SAS 70


The American Institute of Certified Public Accountants (AICPA) developed the Statement on Auditing Standards No. 70 (SAS 70) to act as a resource for independent certified public accountants (CPAs).

Specifically designed as a guide to auditors, SAS 70 lets a service organization, such as a data center host or a payment provider, have its controls examined by an independent auditor. The organization defines its own control objectives; SAS 70 does not prescribe the controls. A Type I report states whether those controls are suitably designed at a point in time, while a Type II report also tests whether they operated effectively over a period, typically six to twelve months. A clean report tells customers that the controls over the systems holding their data were in place and working.

In June 2011, the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) replaced SAS 70 for service organization reports. SSAE 16 aligns the U.S. reporting standard with its international counterpart, ISAE 3402. Is your company ready for an SSAE 16 review? Take Deloitte's SSAE 16 Readiness Assessment to evaluate your company.

Safe Harbor


US-EU Safe Harbor is a framework, agreed between the U.S. Department of Commerce and the European Commission in 2000, that lets U.S. organizations self-certify that they meet the personal data protection requirements of the European Union Directive 95/46/EC. Though the U.S. and Europe take different approaches to privacy, Safe Harbor is a streamlined way for a U.S. organization to receive personal data from Europe lawfully. Compliance with Safe Harbor is essential for companies doing business in Europe. Safe Harbor adherence shows that your organization follows the European Union Directive on Data Protection, allowing your business to establish credibility with European customers. (Safe Harbor was later struck down in 2015; see the discussion of data transfers and its successor, Privacy Shield, in the 2016 post earlier on this page.)

The governing elements of these standards, the Safe Harbor Principles, were developed to prevent accidental information disclosure or loss. There are seven elements that participants must adhere to:

  • Notice – Individuals must be informed that their data is being collected and how it will be used.
  • Choice – Individuals must have the ability to choose whether their personal information will be disclosed to a third party.
  • Onward Transfer – To disclose customer information with a third party, organizations must apply notice and choice principles.
  • Security – Reasonable efforts must be made to prevent loss of collected information.
  • Data Integrity – Data must be relevant and reliable for the purpose it was collected.
  • Access – Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
  • Enforcement – There must be effective means of enforcing these rules.

Visit the US – EU Safe Harbor guidelines to learn more.

Commitment to Security

All three require renewal every 12 months: PCI DSS validation is annual, a SAS 70 (now SSAE 16) report covers a defined period and is typically refreshed each year, and Safe Harbor participants must recertify annually. Though they all come with cost, compliance with these three data security standards is an invaluable reputation builder. These organizations have done the hard work for you, and following their rules indicates that you have set a high standard of security.

Keystone

Commit to data protection, improve your security standards and combat customer fear of identity theft by complying with objective security standards like PCI DSS, SAS 70, and US-EU Safe Harbor.

Samantha Vizer contributed to this blog post.


Three Reasons Why Credit Card Transactions Are Risky
http://www.clvrbrdg.com/corporate/3-reasons-why-credit-card-transactions-are-risky/ | Wed, 22 Sep 2010 06:56:50 +0000
Credit and debit cards are ideal payment methods for customers buying digital products, but be aware of the risks of accepting cards before jeopardizing your online business.

The post Three Reasons Why Credit Card Transactions Are Risky appeared first on cleverbridge.

When selling internationally, catering to the local customer is very important. The global reach and instant response of credit and debit card payments can create a false sense of security. Don't get caught unaware of the risks of these very popular payment methods.

Internet Retailer cites a Javelin Strategy & Research report that 71% of online purchases in 2009 were made directly with credit and debit cards, “and the 16% that Javelin says went through alternative systems like PayPal, Google Checkout and Amazon Payments mostly end up charged to credit and debit cards.”

Card-based payment methods, such as Visa, MasterCard, American Express, JCB, Carte Bleue and Maestro, usually result in instantaneous acknowledgment of payment acceptance. The customer enters a credit or debit card number in an online Web form or software application, submits their personal information and waits less than 10 seconds for a response, which is usually positive. Obviously, from an instant gratification perspective, this is the best outcome for both the customer and the seller. The following graphic illustrates this process.

[Figure: Checkout Process for Ecommerce Shopping Carts – Steps in the Purchasing Process]

When considering the all-in financial costs of credit and debit cards, effective rates of 3%-6% are normal in the online, card-not-present world. These rates vary based upon card type (Visa/MC, Amex, JCB, etc.), average transaction value, total transaction volume, return/refund rate and a merchant's transaction history. If that were all there was to it, credit and debit cards would be a cost effective way of accepting global, online payments.

Unfortunately, there are risks associated with credit and debit card based payment methods and they appear after the transaction is approved.

First of all, remittance of the collected money is delayed anywhere from 2-28 days before arriving in the merchant's bank account. Although payment service providers receive the transaction's funds within a day or two, remittance to the merchant is delayed and can cause cash flow problems for companies with small cash reserves. American Express is known for having one of the longest delays between payment collection and remittance to the merchant.

Secondly, companies often offer liberal return policies designed to ease customer concerns during the purchase process. The negative effect is that anywhere from 0.5% to 5% of orders result in a refund. Payment processors retain their fees even though companies issue a full refund to the customer. On top of the effort of resolving the customer’s issue, the merchant also loses the payment processor’s fee. The graphic below illustrates both sides of the transaction.

[Figure: Refund Process with Credit Cards Online – Refund Process with Respect to Revenue]

Merchants also need to be able to credit the original card in order to provide a refund of the purchase. Unless the payment processor can refund against its own transaction reference, that means storing card numbers, and by storing card numbers merchants become targets for hackers attempting to steal them, which results in a potential public relations nightmare. Furthermore, merchants that store card numbers come under the scrutiny of the Payment Card Industry Data Security Standard (PCI DSS) rules for handling cardholder data. Improper practices can result in higher fees or even revocation of a merchant's ability to accept credit cards.

Thirdly, accepting credit cards online is an invitation to fraudsters, who attempt to use stolen card numbers to receive digital products. Because digital products are delivered instantly, ecommerce platforms that sell them must be equipped with tools to identify and stop potentially fraudulent order attempts before delivery, since there is nothing to recover afterwards.

For a few hundred dollars, fraudsters acquire batches of stolen credit card numbers online. They use these card numbers as frequently and as soon as possible because stolen card numbers are typically identified and disabled within a few days. If you've ever had your credit card number compromised, you've probably seen three or more transactions within two days for this very reason.

Additionally, these fraudulent purchases are charged back to the merchant, resulting in chargeback costs of up to $30 for each event on top of the lost revenue. Once a merchant's chargeback rate (total chargebacks divided by total orders) exceeds approximately 1%, the merchant may lose the ability to process credit cards, which obviously impacts the business greatly.

One of the benefits of outsourced ecommerce platform companies is that they see transactions from many different merchants, and information about fraudulent attempts is shared between all companies utilizing that platform. This results in a broader and deeper understanding of fraud patterns and a better ability to manage risk.
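As an added example (not cleverbridge's code, and not from the original post), the following Python script shows the kind of screening the last three paragraphs call for: a velocity check that flags a card used three or more times within two days, the chargeback-rate calculation with the roughly 1% cut-off, and a shared block list of the sort an outsourced platform can build across its merchants. The order log, the shared block list, the thresholds and the field names are all constructed assumptions; the `card_fp` field stands in for a processor-issued token or card fingerprint so that no card number has to be stored to run the check.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample order log (not real data). `card_fp` stands in for a
# processor-issued token or card fingerprint; the raw card number is never
# stored here, so this record does not pull the merchant into PCI DSS storage
# requirements. One card (tok_c3) is used four times in about 22 hours.
SAMPLE_ORDERS = [
    # (order_id, card_fp, timestamp UTC, amount, country, charged_back)
    ("o-1001", "tok_a1", "2010-09-20T10:00:00", 49.00, "DE", False),
    ("o-1002", "tok_b2", "2010-09-20T10:05:00", 19.99, "US", False),
    ("o-1003", "tok_c3", "2010-09-20T10:07:00", 99.00, "US", False),
    ("o-1004", "tok_c3", "2010-09-20T10:09:00", 99.00, "US", False),
    ("o-1005", "tok_c3", "2010-09-20T10:12:00", 149.00, "US", True),
    ("o-1006", "tok_c3", "2010-09-21T08:00:00", 99.00, "US", True),
    ("o-1007", "tok_d4", "2010-09-21T09:00:00", 29.00, "FR", False),
    ("o-1008", "tok_e5", "2010-09-22T11:00:00", 9.99, "GB", False),
]

# Card fingerprints reported as fraudulent by other merchants on the same
# platform (constructed; illustrates the shared-intelligence point).
SHARED_BLOCKLIST = {"tok_f6"}

VELOCITY_LIMIT = 3                   # assumed: 3+ orders on one card ...
VELOCITY_WINDOW = timedelta(days=2)  # ... within two days is suspicious
CHARGEBACK_LIMIT = 0.01              # ~1% is where acquirers start to act


def parse_orders(rows):
    """Turn the raw tuples into dicts with real datetime objects."""
    keys = ("order_id", "card_fp", "ts", "amount", "country", "charged_back")
    orders = [dict(zip(keys, row)) for row in rows]
    for order in orders:
        order["ts"] = datetime.fromisoformat(order["ts"])
    return orders


def velocity_flags(orders, limit=VELOCITY_LIMIT, window=VELOCITY_WINDOW):
    """Return the card fingerprints with `limit` or more orders inside any
    sliding time window of length `window`."""
    by_card = defaultdict(list)
    for order in orders:
        by_card[order["card_fp"]].append(order["ts"])
    flagged = set()
    for card, stamps in by_card.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans at most `window`.
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= limit:
                flagged.add(card)
                break
    return flagged


def chargeback_rate(orders):
    """Chargebacks divided by total orders, as the article defines it."""
    if not orders:
        return 0.0
    return sum(1 for order in orders if order["charged_back"]) / len(orders)


def screen_order(new_order, history, blocklist=SHARED_BLOCKLIST):
    """Decide whether to accept an order before the product is delivered.

    Returns (accepted, reason). The velocity test includes the new order
    itself, so the attempt that crosses the limit is the one that is stopped.
    """
    if new_order["card_fp"] in blocklist:
        return False, "card reported fraudulent on shared platform list"
    if new_order["card_fp"] in velocity_flags(history + [new_order]):
        return False, "velocity: too many orders on this card in the window"
    return True, "ok"


def run_demo():
    """Run all three checks over the constructed log and return the results."""
    orders = parse_orders(SAMPLE_ORDERS)
    flagged = velocity_flags(orders)
    rate = chargeback_rate(orders)
    attempt = parse_orders(
        [("o-1009", "tok_c3", "2010-09-21T10:00:00", 99.00, "US", False)])[0]
    decision = screen_order(attempt, orders)
    return flagged, rate, decision


if __name__ == "__main__":
    flagged, rate, decision = run_demo()
    print("velocity-flagged cards:", sorted(flagged))
    print("chargeback rate: %.1f%% (limit %.0f%%)"
          % (rate * 100, CHARGEBACK_LIMIT * 100))
    print("screening decision for o-1009:", decision)
```

The window is a true sliding window, so three orders spread over four days are not flagged while three inside two days are. In a real deployment the limit, the window and the block list would be tuned per product and shared across the platform's merchants, and the rate would be tracked per month the way the acquirer measures it.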

Keystone

Credit and debit cards are ideal payment methods for customers buying digital products, but be aware of the risks of accepting cards before jeopardizing your online business.

Have you had any horror stories with accepting credit or debit cards? What have you learned about accepting cards that surprised you?
