Decline of the high street- the rise of Ecommerce…and payment card breaches
The Office for National Statistics reported that online sales for December 2018 accounted for 20% of total retailing and we are reading in the news that the High Street is facing a challenging time with shop closures including M&S, House of Fraser and HMV.
In Exeter we are, in fact, fortunate to be the only city in the country where the number of business closures fell last year.
There is now a huge opportunity for retailers to sell their wares online without the massive overheads of a retail unit and corresponding costs. Whilst the traditional ‘bricks and mortar’ retailers are taking advantage and moving into a digital space, new retailers are also popping up with their online shops outside of the huge Amazons and Ebays. But where there is money, there is an opportunity for crime. A new trend is emerging with the increase in online shopping however – a significant increase in data and credit card breaches.
Payment card breaches are costing Ecommerce their businesses
Outside of the high profile breaches of British Airways, Dixons Carphone warehouse, Ticketmaster and Tescos there are many unreported breaches involving smaller Ecommerce sites which are being hit hard, and in some cases this is costing them their businesses.
Many Ecommerce sites will have been set up a website using a template to facilitate the taking of payments through acquirers such as SagePay, Worldpay, Stripe etc , and will not have given much thought to the security controls which are actually mandated to be in place.
Ecommerce merchants agree to adhere to the Payment Card Industry Data Security Standard – what does this mean?
Often, the first indication that there is a problem will be from their acquiring bank, notifying them that they have experienced a breach and insisting on a PCI forensic investigation, remediation and then assessment by a PCI QSA (Payment Card Industry Qualified Security Assessor) company. The fines and associated costs of a breach can be eye watering. Normally at this point the business will start to understand that, when they signed the merchant agreement, they also signed that they would comply with the Payment Card Industry Data Security Standard, and the realisation of what this means starts to sink in.
Though they sign up to this, there are many Ecommerce businesses who only become aware of the mandated standard at this point, and start to understand the controls that should be in place. Often these can take quite a few weeks to implement, and there may be further impending fines levied if this is not completed in the required timescale.
What can Ecommerce companies do?
We would urge E-commerce sites to
- make themselves familiar with and follow the Payment Card Industry Data Security Standard.
- Secure your site with a security certificate (TLS 1.2 is currently required) and have it tested regularly, and after any changes
- Consult with a PCI QSA company who can help you implement appropriate security if this is beyond your knowledge base.
- Do not rely on the assurances of your payment acquirer, this is your responsibility and your business. They are selling a solution to you, but often have limited understanding of your environment. In our experience, in the event of a breach, they can be less than supportive.
Consider the need to factor in the following costs
If you want to put this off until your business takes off, and sales have reached a certain amount, you will need to factor in the following:
If you experience a payment card breach
- a PCI forensic investigation would often be in the region of £5,000 upwards,
- the fines we have seen in the last year for Ecommerce sites who have experienced a payment card have been in the region of £50,000 to £160,000.
- A PCI QSA to assess your environment and report on your compliance would normally be from £2,500 upwards (depending on your scope)
The costs of seeking the advice of a PCI QSA as a starting point rather than having this imposed on you if you have a breach could save you significant costs, if not your business.