The central pillar to the growth of E-Commerce is based on trust. To be a successful e-tailer you need to be completely transparent about being a good company to do business with. A lot of this is down to the design of your site. Reassurances include satisfaction guarantees, clear delivery times, a returns policy, contact details, a company history and displaying logos of industry bodies you belong to. Use your own experience as a customer to make sure your site is up to scratch and conveying the simple message that you can be trusted.
However you must also comply with data security regulations.
The compliance challenge
In 2008 the retailer Cotton Traders suffered an attack on its online operation. It lost thousands of customers' details, including their credit card data. Cotton Traders, like many other traditional high street brands, has used the online channel to support its existing retail and mail order businesses. However, when a company with a turnover of £50m suffers an attack of this magnitude, it's easy to wonder what chance the smaller guy has.
The answer to the problem came from the banks (who are of course ultimately responsible) in the form of the Payment Card Industry Data Security Standard (PCI DSS).
According to the Security Standards Council, PCI DSS is "a set of 12 requirements designed to secure and protect customer payment data". Complying with PCI is a fairly complex procedure: the rule book is huge and understanding it correctly is no easy task. However, to take online card data you have to be compliant, so how does an online merchant achieve this? Thankfully there is a simple answer: make it someone else's problem.
The UK has a number of Payment Service Providers (PSPs). I am sure everyone has heard of PayPal and WorldPay; my company also has one, Sellerdeck Payments. To become PCI-legal a merchant simply has to use a compliant PSP. This way, when a customer purchases from your online store they are transparently forwarded to the PSP, who takes the payment. This means the all-important card data is held on an ultra-secure and, most importantly, compliant infrastructure. None of the payment card data is held on your server. If you get hacked, at least you won't be giving any payment data away.
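The hand-off pattern described above, as an added illustration that is not part of the original article and is not the API of Sellerdeck Payments or any other real PSP: the merchant site never accepts card fields, sends the customer to a hosted payment page with only order data (signed so the PSP can tell the request is genuine), and accepts the PSP's result only if its signature and order details check out. The endpoint, merchant id, shared secret and parameter names are all constructed for the example.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# Hypothetical PSP hosted-page endpoint and merchant credentials (constructed,
# not any real provider's values or parameter names).
PSP_HOSTED_PAGE = "https://psp.example/hosted-payment"
MERCHANT_ID = "MERCHANT-0001"
SHARED_SECRET = b"constructed-shared-secret-issued-by-psp"

# Field names a merchant checkout form must never accept; card fields belong
# only on the PSP's own page.
CARD_FIELDS = {"pan", "card_number", "cardnumber", "cvv", "cv2", "cvc", "expiry"}
DIGIT_RUN = re.compile(r"(?:\d[ -]?){13,19}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; True for a syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_card_data(form: dict) -> bool:
    """True if a merchant-side submission carries a card field or a PAN-looking value.

    Such a submission should be rejected: if it were stored, the merchant's own
    server would be holding card data and the PCI scope would no longer be the PSP's.
    """
    for key, value in form.items():
        if key.lower() in CARD_FIELDS:
            return True
        for run in DIGIT_RUN.findall(str(value)):
            digits = re.sub(r"[ -]", "", run)
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                return True
    return False


def sign(params: dict) -> str:
    """HMAC-SHA256 over the canonical (sorted) parameter string."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()
    return hmac.new(SHARED_SECRET, canonical, hashlib.sha256).hexdigest()


def build_redirect(order_id: str, amount_pence: int, currency: str = "GBP", nonce: str = "") -> str:
    """URL the customer's browser is sent to; it carries order data only, never card data."""
    params = {
        "merchant": MERCHANT_ID,
        "order": order_id,
        "amount": str(amount_pence),
        "currency": currency,
        "nonce": nonce or secrets.token_hex(8),
    }
    params["sig"] = sign(params)
    return PSP_HOSTED_PAGE + "?" + urlencode(params)


def verify_callback(callback: dict, expected_order: str, expected_amount_pence: int) -> bool:
    """Accept the PSP's result only if its signature and the order details match."""
    sig = callback.get("sig")
    if sig is None:
        return False
    unsigned = {k: v for k, v in callback.items() if k != "sig"}
    if not hmac.compare_digest(sign(unsigned), sig):
        return False
    return (
        callback.get("order") == expected_order
        and callback.get("amount") == str(expected_amount_pence)
        and callback.get("status") == "AUTHORISED"
    )


if __name__ == "__main__":
    print(build_redirect("ORD-1001", 4999))
    # Constructed PSP result, signed with the shared secret as the PSP would sign it.
    result = {"merchant": MERCHANT_ID, "order": "ORD-1001", "amount": "4999",
              "currency": "GBP", "status": "AUTHORISED"}
    result["sig"] = sign(result)
    print(verify_callback(result, "ORD-1001", 4999))
```

Two points the example makes concrete: the merchant checks the order id and amount against its own records rather than trusting whatever comes back, and a form that somehow contains a card number is refused rather than logged, because a single stored PAN would pull the merchant's server back into PCI scope.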
Make sure that your PSP supports 3D Secure, AVS (address verification) and CV2 (the 3 digits on the back of a card), and preferably one of the independent fraud checking services, as well as being PCI compliant. Once you have security in operation, mention it on your website to give extra reassurance to customers.
You can help yourself too. Look out for these fraud indicators:
In addition, you can check whether an order is fraudulent by asking for a fax of a copy of the back strip of the credit card; asking for proof of name and address to be faxed; or telephoning to make sure that the number is genuine. Most fraudsters give up at the first hurdle.
Cyber crime, like E-Commerce, is a growing industry, and today it is the preserve of highly competent and mostly foreign criminals motivated by financial gain. Securing your online store and complying with regulation isn't a nice-to-have; it's essential.
The article was written by Ben Dyer, director of product development at Sellerdeck. Originally published on The IT Donut.