Securing your good name

Build a better mousetrap and the world will beat a path to your door. Or that’s the conventional business wisdom. But building an e-commerce website won’t necessarily cause a similar stampede. Before persuading anyone to part with their money on your website, the first thing you must sell to potential customers is a sense of security.
For any small business thinking of making this step and selling in the domestic market over the internet, there is some good news: most Irish customers seem predisposed to trusting online transactions.

According to a recent survey from the internet consultancy Amas, 70 per cent of Irish people believe transactions over the web are “completely safe” or “rather safe”.

This ranks Ireland sixth highest out of 27 EU countries. All the same, that still leaves almost one in five people (18 per cent) who think it’s “not really safe” and a further 6 per cent who don’t think it’s safe at all.

Fiachra O’Marcaigh, a director with Amas, expressed his surprise at the findings.

“Until quite recently, people would have been very cagey about using their credit cards to shop online,” said O’Marcaigh.

“Normally, countries where trust was highest were places where most online shopping was done but in Ireland, usage is not as high as elsewhere.”

“In some cases, Irish people are too trusting. Seven per cent had given personal information to people running phishing scams – that’s the second highest rate in the eurozone.”

On the supply side, figures show that the online marketplace is buoyant, despite the recession.

In September, the Dublin-based firm Realex Payments processed payments of more than €726m, its highest monthly rate ever.

That figure includes many non-Irish businesses. But a more accurate gauge of indigenous activity is the 130 new firms that signed up for an account with Realex in October. That compares to an average of 80 per month last year.

Tracy Glynn, Realex’s head of business development for the global SME sector, said the level of security awareness among small businesses can vary.

“The majority of the new SME clients we sign up may not have traded online before, so they are new to the e-commerce arena and so they will tend to require more advice,” she said.

“There is definitely more media coverage these days about data security, so many SMEs will ask us for advice on how best to process payments securely online and what is it they need to do to minimise risk.”

O’Marcaigh said building up trust with prospective buyers involves a layered approach to website design.

“We’re very attuned to it online because we don’t have the same cues that we would have in a face-to-face transaction,” he said. “It starts with the quality of design and the look of the site. Sites that are upfront about their terms and conditions, their shipping charges and so on build up a sense that they have nothing to hide.

“Some people have briefed themselves and look for assistance in what they know they need to do, but with others you have to go through the fundamentals, although there are fewer of those around now. I see fewer and fewer sites where people simply don’t do the basics.”

Richard Bowden, who heads up the Irish Internet Association’s web development working group, said that e-commerce sites should have their terms and conditions clearly displayed and this should be written in “customer friendly” language.

“Rather than treating security as some sort of bolt on, you need to have it built into the site from the start,” he said.

This extends to the wording a company uses to describe itself on its site, Bowden added.

“If someone finds your site through a search they’re not necessarily going to come in via the homepage, so it’s a good idea to include some related text such as ‘secure online payment for quality Irish hampers’,” he said.

Using Secure Sockets Layer (SSL) technology to encrypt the pages is good practice, added Bowden. Many sites only apply this after a customer moves into the payment area of the site, but this isn’t the only place it could be applied.

“Credit card information is one key part of the information a customer provides, but the other key information that you as a merchant need to be careful with is the person’s name and address – you have to protect that as well, and not just pass over to a secure server when taking payment details,” he said.

Not everyone gets the message, and O’Marcaigh said he has come across sites that asked people to e-mail their credit card details. Having a secure page for the checkout and entering credit card details is essential, and businesses can opt for extra levels of security such as using a recognised payment processor like Realex, Worldpay or Google Checkout or a system like PayPal. Further measures such as attaining ‘Verified by Visa’ certification show people you have gone to considerable trouble to make the site as secure as possible.

One question for many sites is whether to keep credit card information after the purchase has been processed and the goods despatched. While this can save customers hassle the next time they shop, there is a considerable cost and labour overhead in doing so.

The Data Protection Commissioner has issued eight principles around collecting credit card data. The business must obtain and process the information fairly; it must keep the data only for one or more specified, explicit and lawful purpose and then use or disclose it only in ways compatible with these purposes.

Any online store is also obliged to store the data safely and securely; to keep it accurate, complete and up-to-date; to ensure that it is adequate, relevant and not excessive and to retain it for no longer than is necessary. Lastly, the company must be able to give a copy of all the data it holds about a customer on request. More detailed information on each of these rules is available at the DPC’s website: www.dataprotection.ie/docs/A-Guide-for-Data-Controllers/696.htm

Lately, many sites have started asking customers for the three-digit CVV number on the back of the credit card as an extra way of verifying the buyer’s authenticity and as a deterrent against fraud, but web developers have warned that many SMEs aren’t aware that retailers are not allowed to retain this data.

What’s more, any retailer that keeps the 16-digit credit card number is obliged to comply with the Payment Card Industry Digital Security Standard (PCI DSS). This is an initiative from Visa and Mastercard to ensure that merchants accepting and storing cards do so in a way that ensures their customers’ card details never become compromised.

“Should a merchant wish to store a customer’s card details for the purposes of future transaction processing, they will find that they are required to comply with a very stringent and comprehensive security accreditation,” said Glynn.

This process carries a cost for ongoing maintenance and annual audit which may well be beyond the appetite of most SMEs, she said. “Should a merchant select the first option and store details on their own infrastructure they must comply with a very detailed level of PCI DSS and ensure that every piece of technology that touches the card details is fully hardened and secure and that all internal processes comply with the required PCI DSS levels. In addition, they must pass their PCI audit annually – this represents a significant overhead to businesses.”

An alternative to storing card details on the merchant’s own web server is to use a PCI-compliant payment gateway to store the card numbers for them, Glynn said. “In this instance, the merchant only stores a card reference or token that can then be used to initiate future transactions through that gateway,” she said.

That means the retailer doesn’t have to sacrifice good service, as the customer will still be recognised and their details recalled when they log back into the site to make a repeat purchase.

According to Glynn, outsourcing reduces the PCI DSS work a retailer needs to do, since their internal systems no longer touch or store any card details. This option has become more popular over the last 18 months.

“The simplest option is for the merchant to use a hosted payment page with a payment service provider,” said Glynn. “Consumers want to know that the site they are buying from is secure and their credit/debit card details will be safe and often when they see that a professional payment service provider is managing the payment process it alleviates their fears.”

According to Bowden, the pricing for these services typically works on a tiered basis depending on the number of transactions per month. “Some might have a setup cost, but that’s down to negotiation,” he said.

Outsourcing can also remove much of the security risk around accepting payments online, added Bowden. “A lot of payment service providers market themselves on how secure they are, such as offering address verification. Most sophisticated payment processors will have a trust scoring regime that will depend on whether the card is being used in the country of issue, for example,” he added.

The Irish Payment Services Organisation has issued guidance for online retailers around guarding against possible frauds.

For high-value goods in particular, it warns stores to be wary of payment by cheque or draft where the amount is more than the price of the item the ‘customer’ is supposed to be buying.

“Fraudsters may claim that this extra money is to pay a handling agent or to cover shipping costs. Do not transfer funds from your own account in order to refund the ‘surplus’ money,” IPSO advised.

Any payment should be cleared before the retailer releases the product to be shipped to the customer, and any cheque or draft for a suspicious transaction should be reported to the bank before being lodged.

The level of care an online store took in relation to fraud risk would depend on the type of product it sold and the nature of the transaction, said O’Marcaigh.

“If you’re selling something that can be downloaded, it’s high-risk. If you ship after the buyer has submitted their credit card details, there’s a time lag so if the credit card turns out to have been stolen, you can take action.”

In reality, risk appetite will play a huge part in determining many aspects of how a small business starts selling online. The question is not whether to buy a lock for the store, but how big.


This entry was posted on Monday, December 14th, 2009 at 14:08 and is filed under News.

 