The vast majority of online transactions are paid for by credit or debit card. If your business has the right to take cards, known as “merchant status”, then you must comply with various rules. Failure to comply can lead to increases in transaction charges, large fines or loss of merchant status. All of these can threaten the very survival of a web business. So here are ten tips for complying with the payment rules.
If you are a brand-new start-up, it can be hard to achieve merchant status, which you need in order to accept card payments on your own behalf. A good way round this is to accept credit and debit card payments through Paypal.
As soon as you are able to, get your own merchant status from the bank. It is normally considerably cheaper to have merchant status yourself than to take payments through Paypal.
PCI DSS (which stands for Payment Card Industry Data Security Standard) is the single security standard for processing card payments and is supported by all banks, Visa, American Express and Mastercard. If your business accepts payment cards then it is compulsory to comply with PCI DSS, and you risk severe fines if you don’t. You can familiarize yourself with the standard at https://www.pcisecuritystandards.org. The increase in online scams has prompted the card industry to start more rigorous enforcement of PCI DSS. This spells danger for small and medium-sized online merchants. The problem with PCI DSS is that it takes a seventy-page document to describe it, and although the regime for checking compliance differs according to the size of the merchant, the actual standard is the same for everyone.
For small businesses, the only feasible answer for proper compliance is to outsource the problem by letting a third party payment service provider (PSP) capture and store the card details. Perhaps surprisingly, this approach is relatively cheap and easy to implement, and a number of helpful services already exist, obviously including Paypal.
Visa and Mastercard have introduced a security standard for online payments called 3D Secure, which is also known as Verified by Visa and Mastercard SecureCode. This standard has now been made compulsory for some card types and usage is growing. You need to ensure that the payment technology that you supply is able to support 3D Secure.
The CV2 (also known as CVC or “three digits on the strip on the back of your card”) was introduced a few years ago to make phone and web payments more secure. The banks are trying to make the use of CV2 compulsory in all cases. It is also an iron rule that the CV2 cannot be stored on any computer system once the payment has been taken. Make sure that the payment solution that you adopt can obey these rules, as there are heavy fines for failing to comply.
Without getting too boring about the further card rules, they require you to clearly identify the type of each card transaction – face to face, mail order or telephone (MOTO), or E-Commerce. Payment service providers (PSPs) will do this for you. Keying E-Commerce transactions into a PDQ terminal will break this rule.
Generally, the cheapest way of processing cards is to obtain merchant status. Unfortunately, the first time that you obtain an account the rates are generally very high. To compound this, even if your business grows substantially, no one from the bank will ever contact you to review your rates. The solution is to put a reminder in your diary to have a conversation with the bank. Before this, try to find out from a few other businesses what they are paying. Things will go much better if you can say something along the lines of “my friend in the same business pays x%, while I’m paying y%. Please match this rate or I will be forced to move.” One company that we were advising made a sixty thousand pound saving per annum from a single phone call.
If you take the cards, why not show them on your site? It looks professional and adds credibility. Of course, you should follow any restrictions placed on the display of logos, or at least do so if they are pointed out to you.
It is important that your E-Commerce software is designed to work seamlessly with whichever payment gateway (PSP) you choose. The key is a tight integration that allows your software to instruct the PSP to make charges against the card, refund payments and so on. Not only does this integration make the merchant’s life considerably easier, it also keeps the transaction safe, since the card can only be charged by the individual merchant to whom the cardholder made the original payment.