Free eBook

Business stupidity strikes again – online payment folly

Written by Chris Barling
Wednesday, 12 October 2011 00:00

When I was a kid Guy Fawkes’ Day was a big deal. But the cost in human terms was horrific. Every year, thousands were badly burnt by fireworks, topped up by a few deaths. There was a campaign to emphasise safety – and storing fireworks carefully was one of the cardinal rules.

Wind the clock on a few years, and there is an issue just as incendiary as fireworks – the storing of payment card details, especially for ecommerce merchants. It may be less threatening to human life but certainly presents a big issue to business survival.

There are three problems here:

  • The first is that there are some very nasty, very skilled people out there whose sole occupation in life is to break into websites and steal card information.
  • The second is that the card payment industry has a nasty big baseball bat which they use to whack people with fines that break their rules (PCI DSS) or let hackers in.
  • Finally, the media are ready to demonise any company that loses personal details, particular about cards, and especially if there are a big brand. Just ask Sony.

Given this background, you would have thought that every ecommerce supplier in the world would be advising their merchants not to store card details on their servers, wouldn’t you? That’s certainly what my company, Actinic, has been doing for years.

But no, it was only a couple of years ago that one leading UK ecommerce supplier had to announce to its merchants that they had less than a day to comply with an order from the banks to do things by the book or cease trading. Although the deadline was subsequently eased, it beggars belief that it should get into that position.

And even today, many merchants still take cards directly on their own websites and a large proportion store the details. Given the risks, they would do better to send buyers to pay by card on a specialist payment service provider site and just receive a call back that indicates whether the payment was successful. The only exception is larger companies willing to take the risk and who have the resources to tackle the problem properly.

Would you store fireworks in an open box near a fire? Neither would I. The parallel is not to accept card details directly on your own website. Doing anything else has the smack of stupidity.

By Chris Barling, is CEO of ecommerce specialist, Actinic. Originally published on BusinessZone.

Bookmark and Share