Friday, March 29, 2024

CyberSource Bids to Relieve Online Retailers’ PCI Headaches

In a bid to meet what appears to be a clear market demand for services to help online merchants satisfy card-data security rules, CyberSource Corp. Tuesday launched a product that removes merchants from the business of handling and storing payment data. The move comes as merchants and processors increasingly find themselves the targets of hackers looking for vulnerabilities to exploit to gain sensitive card data. It also comes amid increasing concern over the slow pace at which merchants generally are adopting the card-data security rules, known as the Payment Card Industry data-security standard (PCI), which is sponsored by the major card networks. In some cases, at least, sluggish compliance stems from confusion over the standard's requirements and concern over its costs, observers say.

The new service, which CyberSource calls payment data management, eases and merchant compliance with PCI, the Mountain View, Calif.-based company says. “This service is a direct result of customer input,” said David Glaser, vice president of professional services at CyberSource, a transaction gateway for 13,000 e-commerce merchants (including 900 for which it acts as acquirer), in a statement. “Our merchants are now increasingly aware of the risks an intrusion could pose to their customers' trust and even to their brand's value. Many are also deeply concerned with PCI certification.”

Still, Authorize.net Corp., a CyberSource competitor, says its rival gateway is late to market. “Welcome to the party,” says David Schwartz, director of marketing for the American Fork, Utah-based company. “I'm surprised they didn't have this already.” Schwartz says Authorize.net, which tends to serve smaller e-commerce merchants than CyberSource, has been offering a similar service for years. Schwartz sees the new service as an effort by CyberSource to “move downstream,” that is, to appeal to smaller e-commerce clients.
A CyberSource spokesman says, however, that far from aiming at small businesses, the new service is meant to appeal to large and mid-sized enterprises, those that do $5 million or more a year in online sales. “PCI compliance is challenging for all levels, but the concerns we're for the most part hearing are from the largest organizations,” the spokesman says. “They're so diverse [in terms of data-collection points] that it's been especially challenging for them to achieve PCI compliance.”

CyberSource says it has at least one client signed up for the service. The Georgia Technology Authority, which is the manager of information technology for the state's agencies, has already processed “hundreds of thousands” of transactions through the service, according to a statement. “Our [PCI] certification efforts have been accelerated and we are very happy about the level of security being provided to the state's e-commerce customers,” said Mark Reardon, director of security for the authority, in the statement.

With payment data management, e-commerce sites can turn over to CyberSource the hosting of their checkout pages or the storage of transaction data, or both. The hosted payment acceptance option, which is offered to CyberSource clients and comes at no cost, works by linking customers from a client site's checkout process to a payment page hosted by CyberSource. The secure storage option, which is available to any e-commerce company and is also part of the hosted payment acceptance option, lets clients run their own pages but takes over card-data storage in CyberSource data centers. Instead, clients receive from CyberSource a so-called payment token, or unique transaction identifier, that merchants can use to retrieve data for later use. The price for this service depends on the volume of files stored; on the upper end of the scale, the fee runs $5,000 per month for 1 million files, the spokesman says. On occasions when clients need to retrieve data for permanent restoration to their own data centers, the fee is 5 cents per record.

Many of the requirements of PCI have to do with the way data are stored and accessed. For example, the standard requires data encryption, firewalls, anti-virus regimes, and frequent changes of passwords.


Digital Transactions