Selecting a Payment Gateway for Indian E-commerce

I recently noticed some Google search traffic coming my Blog’s way with people looking for “payment gateways used by Flipkart and other e-commerce players in India”. So I thought I could talk about this topic for the benefit of folks trying to work with a gateway or researching a gateway to plug into their e-commerce website.

I did a tad bit of research while trying to identify which payment gateway is best for an e-commerce business when I was responsible for integrating them at Jabong.com. I used good old Google to find places seldom visited. I scoured blogs and forums where people discussed such topics. I was trying to understand who the players are, what they offer and finally, who is better. I shall talk about how you can understand these gateways better, what they do and how to evaluate them for your company. There is a lot more information to consider when picking a payment gateway, but I hope this information will be helpful for someone trying to pick and choose a payment gateway provider.

The following are the parameters that I think are very important in identifying a good payment gateway for your business. While the answers to some of these questions will not come directly from the payment gateway, there are industry sources (friends, competitors etc.) who can throw some light on it during your research.

    • Transaction rate or processing rate or fee
      • Yes, while it isn’t the single reason for choosing a gateway, it is a fairly important parameter to look at. You don’t want to end up paying a significant portion of your sales to a 3rd party processor especially in a low-margin e-commerce business.
      • The lowest I have seen is 1.5% (there is no point mentioning who offers this as all rates are on a per-case basis in this muddled business). The highest I have seen is 3%. Like fine-print, there are some hidden assumptions around what card (Visa vs Amex) or bank (Citi vs HDFC) we are talking about when the rates are being offered.
    • Gateway unannounced down-time
      • While gateways that frequently announce down-time cannot be spared either, unannounced down-times kill an e-commerce business irrespective of the lame but valid reason as to why it happened – bank server down, maintenance issues, connectivity with bank lost but it’s not our fault etc.
      • While gateways always give a rosy picture on this front (obviously!), it is good to check from friends or contacts in other places who have used the different gateways. CCavenue has been accused of not doing a great job here while none of the other aggregators are exemplary either.
    • Transaction success rate (%)
      • The success rate of transactions that were transferred from the merchant website to the gateway is an indication of how effective the gateway is in completing the sale for the merchant. Low rates here are indicative of the poor quality of the payment gateway.
      • This data is also elusive to get directly from the payment gateway. CCavenue and Tpsl bear the brunt of negative reviews with their success rate somewhere between 60-65%. However, claims made by other gateways that they are better and around 75-80% have also been refuted by companies that have used them. EBS and PayU seem to be relatively better in this area, but overall the best way to measure this sometimes is to unfortunately integrate and test the gateway out.
      • Another variation of this parameter is to look at how many customers have dropped while they are transferred from a website to a payment gateway to begin with. Surprisingly enough, there is a drop off rate even at this stage before the transaction reaches the gateway. The problem is that this loss is in no man’s land as the gateway does not consider this in their success/failure rate calculations and neither can they. As a result, the e-commerce merchant should devise a way to capture such failures and re-invite the customer to transact again by saving their cart or session. A smart team member of mine was able to identify this loss and come up with a simple and clean solution to invite customers to transact again on the website.
    • Retry option for failed payments (works better in a redirect option)
      • Transactions at a payment gateway fail for various reasons. In some cases it is prudent to allow the customer to retry the transaction rather than make them exit the checkout experience. This feature can be provided either by the e-commerce merchant (on the website when checkout fails) or by the payment gateway on their page (in a non-API integration scenario or if better even with API integration).
      • PayU and EBS are capable of providing the retry option to customers when such an issue occurs during payment. A retry option in itself does not guarantee a successful transaction as the payment may fail again. But, at least providing that option can capture a small percentage of the previously failed transaction.
    • T+1 or T+2 or T+n days for transfer of funds
      • Payment gateways take a little time before they transfer captured funds to the merchant’s bank account. This may or may not matter depending on the number of transactions you generate as a merchant.
      • ICICI can process payments in T+1 days whereas most other aggregators do it in T+2 days.
    • Real-time fraud detection
      • Real-time fraud detection is very important to the success of an e-commerce business. Suspicious transactions have to be flagged immediately by a payment gateway so that necessary action can be taken to prevent an order from being shipped out or being unrecoverable.
      • While an e-commerce business can invest in its own fraud detection mechanism either through internally developed features or a separate 3rd party integration, a start-up firm cannot afford the high cost of setting up a robust fraud handling mechanism. Manual review of fraud issues is necessary to take meaningful decisions and this in turn means additional costs for the company.
      • Payment gateways like EBS provide the best available fraud detection and alert mechanisms by leveraging the benefits offered by a standalone RMS (Risk Management System) that uses velocity checks, device fingerprinting, Nexus network, blacklist database and so on to trap fraudulent or suspect transactions. They also do it in near real-time. Most other gateways offer only velocity checks or a limited set of fraud detection capabilities. CCavenue and ICICI don’t have real-time capabilities although they do get back to the customer in a 6 hr to 48 hr window.
    • Reports or dashboards for viewing payment success/failure analytics
      • While all payment gateways have a dashboard for general maintenance of transactions, very few offer good reports or charts that depict where transactions are failing or at what point the customer is lost while completing a transaction. This is tremendously valuable information to help an e-commerce merchant determine where the leakage is and how it can be plugged to not lose customers.
      • EBS and PayU offer such capabilities while most other gateways don’t have this information (never collected) or cannot share this information (no way to present or share).
    • Netbanking banks offered
      • Surprisingly, not all payment gateways offer the same number or list of banks as part of the netbanking option. Netbanking can represent about 20-30% of prepaid sales for an e-commerce business as the payment transaction is within a bank’s four walls (online banking) and hence deemed safe and convenient by some customers.
      • CCavenue and Billdesk have the most banks (about 40-50 or so) while EBS, PayU are catching up. ICICI offers netbanking exclusively through Citrus payments but the number of banks is not high enough. However, having a high number of banks isn’t a deal breaker as SBI, ICICI, HDFC, Citibank, Standard Chartered and Axis bank are offered by most and probably cover about 90% of all netbanking transactions.
    • Add-on benefits like EMI (monthly installments) or other packaged offerings provided by the payment gateway + Support
      • ICICI offers the largest suite of EMI options with multiple banks (outside of a 3rd party player Innoviti that seems to be exclusively the best option for all EMI under a single roof). The rest of the payment gateways offer one or more banks as EMI options plugged into a single gateway offering.
      • Most aggregators have a good support infrastructure for handling issues although things may vary on a case-by-case basis based on the complexity of the issue and the solution provided. EBS, PayU, BillDesk are all good on the support front.

There is a lot more to the payment gateways business in India and to the selection of the optimum gateway. But, a balanced decision can be made if all these parameters are also evaluated to arrive at the best choice. I’ve seen some well-heeled and well-educated (IIM/IIT pedigree) salesmen from payment gateways draw a rosy picture of what they offer compared to the competition. Going prepared for meetings with the gateway representatives is highly necessary to understand and identify the real stuff from the bluff.

Many Indian e-commerce companies prefer to go with multiple payment gateways primarily due to the confusion and dissatisfaction that each option provides. Many companies use industry references like the IRCTC database to build an in-house payment gateway algorithm that switches between multiple gateways based on payment type (netbanking vs card payments), payment transaction costs (transaction % rate) and payment gateway performance (success rate with a certain card-type, downtime etc.). With PCI certification in place, an e-commerce merchant will see even less use for an aggregator (or at least for more than one aggregator) integrated with the website.
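A gateway-switching algorithm of the kind described above, as an added example that is not code from any merchant or gateway named in this post. The gateway names, fees, success counts and the smoothing and trip thresholds are all constructed assumptions.

```python
"""Added example: pick a payment gateway per transaction from fee and observed performance."""
from dataclasses import dataclass, field

PRIOR_RATE = 0.70    # assumed success rate before any outcome is observed
PRIOR_WEIGHT = 20    # number of "virtual" attempts the prior counts for
TRIP_AFTER = 5       # consecutive failures after which a gateway is treated as down


@dataclass
class Gateway:
    name: str
    fee_pct: dict                                # payment type -> fee in percent
    stats: dict = field(default_factory=dict)    # payment type -> [successes, attempts]
    consecutive_failures: int = 0

    def record(self, ptype: str, ok: bool) -> None:
        """Feed back the outcome of one attempt routed to this gateway."""
        counts = self.stats.setdefault(ptype, [0, 0])
        counts[0] += int(ok)
        counts[1] += 1
        self.consecutive_failures = 0 if ok else self.consecutive_failures + 1

    def success_rate(self, ptype: str) -> float:
        """Observed success rate, smoothed so a handful of samples cannot dominate."""
        ok, total = self.stats.get(ptype, (0, 0))
        return (ok + PRIOR_RATE * PRIOR_WEIGHT) / (total + PRIOR_WEIGHT)

    def tripped(self) -> bool:
        """True while the gateway looks down (unannounced downtime)."""
        return self.consecutive_failures >= TRIP_AFTER

    def expected_net(self, ptype: str, amount: float) -> float:
        """Expected money reaching the merchant from one attempt of this amount."""
        return self.success_rate(ptype) * amount * (1 - self.fee_pct[ptype] / 100)


def rank_gateways(gateways, ptype, amount):
    """Usable gateways for this payment, best first; the tail is the failover order."""
    usable = [g for g in gateways if ptype in g.fee_pct and not g.tripped()]
    return sorted(usable, key=lambda g: g.expected_net(ptype, amount), reverse=True)


def replay(gateway, ptype, ok, total):
    """Load constructed history: failures first, successes last."""
    for i in range(total):
        gateway.record(ptype, i >= total - ok)


def build_sample():
    """Three hypothetical gateways with constructed fees and history."""
    a = Gateway("gateway_a", {"card": 1.5, "netbanking": 2.0})   # cheapest card fee
    b = Gateway("gateway_b", {"card": 3.0, "netbanking": 2.0})   # most expensive card fee
    c = Gateway("bank_direct", {"card": 2.0})                    # no netbanking
    replay(a, "card", 62, 100)
    replay(a, "netbanking", 70, 100)
    replay(b, "card", 80, 100)
    replay(b, "netbanking", 75, 100)
    replay(c, "card", 78, 100)
    return [a, b, c]


if __name__ == "__main__":
    gateways = build_sample()
    for ptype in ("card", "netbanking"):
        order = rank_gateways(gateways, ptype, 1000)
        print(ptype, [(g.name, round(g.expected_net(ptype, 1000), 2)) for g in order])
```

With this sample data the gateway with the lowest fee ranks last for cards, because its lower success rate costs more than the fee saves.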


What is a Payment Gateway?

What is a payment gateway?

A payment gateway is a 3rd party entity (or software) that processes payment information entered by a customer on an e-commerce website. The gateway processes these payments on behalf of the e-commerce merchant. When a customer pays for merchandise using a credit/debit card, netbanking or any other prepaid mechanism (a.k.a non-COD payment in the Indian context), the payment gateway identifies the issuing bank of the card or connects directly with the online bank (in case of netbanking) to complete the payment. Once successful, they take the customer back to the e-commerce website.

Is it that simple?

No, it isn’t. Actually speaking, a payment gateway doesn’t do all this. A payment gateway is just software (a webpage or API) used to collect payment information details from a merchant (e-commerce entity) when a customer has placed an order. The gateway then transfers this information to a payment processor. The payment processor identifies the card network (Visa, Mastercard, Amex etc.) and then communicates with the card issuer bank to complete the payment. In order to get this done, the payment processor creates a merchant account on behalf of the e-commerce merchant. The payment processor enables the flow of funds between these various entities on the successful completion of a transaction. A merchant account is created by the payment processor with the acquirer bank on behalf of the e-commerce merchant. Payments are collected from the issuer bank and passed along to the merchant’s bank account. End of day, money flows from the customer’s bank account (identified in the credit card bill) to the e-commerce merchant’s bank account (identified as payments flowing from a payment processor). In today’s world, a payment gateway and payment processor are usually one and the same entity (or they are masked to the point that the difference is difficult to tell). Hence, for most practical purposes one can assume that what a payment processor does is done by a payment gateway. Hence, integration of an e-commerce merchant with a payment gateway is equivalent to integration with a payment processor.

The payment processor charges a certain % value per transaction (1.5% to 2.1%) as processing fees and pays only the net difference to the merchant. For example, a customer uses a Citibank Visa credit card to make an online payment of Rs. 1000 on xyz.com. A payment processor (with a 1% transaction fee) completes the payment on behalf of the customer. The payment is cleared by the payment processor via the acquirer bank and funds of Rs. 990 are transferred to the e-commerce merchant’s bank account.

Any e-commerce player (in the World) requires some kind of connectivity with an acquiring bank so that when a customer enters credit card information on the website to make a payment, the acquiring bank processes the payment by working with the card issuing bank via a payment processor.

Is there anything more to it?

Yes, in the Indian context (and pretty much also for other countries) there are two types of payment gateways (or processors) that exist. One is a direct payment processor associated with an acquirer bank (e.g. ICICI payseal from ICICI merchant services, HDFC bank). The other is an aggregator (e.g. CCavenue, EBS, PayU). The aggregator is a provider of a basket of payment and associated services to the customer. This includes not just the ability to process credit and debit cards, but also the ability to process netbanking transactions, cash cards and other alternate payment methods. This is achieved by the aggregator as they enter into multiple tie ups with acquirer banks and other payment providers and build a common interface to provide all these options under one roof. An aggregator has multiple pricing options based on the transaction type and size of the merchant (e-commerce) business.

So, am I better off working with an aggregator rather than a direct payment processor?

This is not an easy question to answer. If you are a young startup firm with not many transactions to boast of, players like ICICI, HDFC and even the aggregators may not consider working with you. There will be huge delays in getting to talk to someone in their organization and the paperwork will be daunting.

The aggregator does good for an e-commerce startup by providing all payment options under one roof. The problem is that none of the payment gateways have a strong credibility when it comes to successfully processing transactions and/or providing optimum customer service. Fraud detection as a service is also not provided in an optimum manner by some of the payment gateways. It is also not prudent to put all your eggs in one basket. The challenge with a single payment gateway integration is that we are locked into having all our prepaid transactions tied to a single entity. If the gateway is down or unavailable or plain not efficient, the e-commerce business will face the brunt of it in terms of lost sales in checkout.

The challenge with the direct payment processors is that they don’t offer netbanking (unless with a separate integration like the way ICICI does with Citrus payments) and other payment options like cash cards etc. They are however good for credit/debit card transactions and also have a fairly good transaction monitoring system for fraud or chargeback issues.

Is there anything more to payment gateways?

Yes, indeed. Now, the question is how to integrate with a payment gateway. Is it through a redirect to a webpage hosted and maintained by the gateway, or is it through a seamless direct API integration? The answer is simple: direct API is the best. The problem is that in India, direct API integration is neither clean nor offered by all gateways. Many aggregators like CCavenue provide a seamless integration that cannot necessarily be called API-based, although they are good and work better than redirecting a customer to the gateway’s custom built web page for completing a payment. Another constraint is that in order to do direct integration, an e-commerce merchant is required to be PCI DSS certified. This is a long drawn process and many startup firms are better off just redirecting customers to the gateway’s payment page where all the options are displayed.

Now, many aggregators allow their webpage to be customized so that the look and feel is as per the merchant’s desire. But, many of these customizations are hardly worth noting and don’t give any edge to the merchant. To see what the challenge is with PCI DSS certification, see my other post on this topic at http://ecommerceproductmanager.wordpress.com/2012/06/04/pci-dss-certification-for-e-commerce-websites-in-india/

Please continue…

Well, I don’t know why I added that line above, but to talk more about payment gateways, I would like to bring to attention the fact that a better transaction rate (% fee applied on every transaction) should not and cannot be the single motivation for choosing between various payment gateway options. I have seen several websites where the discussions around gateways begin and end with either the number of banks being offered by the gateway or who is offering the cheapest transaction rates. While they are all useful, they are not completely important to making the right decision in terms of selecting a gateway.

In my next post, I shall talk about what parameters to look for when making a decision to choose a payment gateway.


Digital Wallet Service by Flipkart.com

As any serious Product Manager in Indian e-commerce may have noticed, Flipkart.com, the best online player in India as of today, had introduced a feature called “digital wallet”. Now, the concept of a digital wallet is nothing new in itself. Paypal has one of its own. So does Google have one. Check this article to see what Paypal is up to with the concept of “money”- http://venturebeat.com/2012/03/09/paypal-wallet/. I am not particularly sure who pioneered digital wallet in the first place, but I don’t care much about that. What I do care for is that the team at Flipkart (hopefully a smart Product guy) figured out how valuable and important it is to have a digital wallet system in the Indian e-commerce scenario. The wallet that Flipkart offers is a bit different from the so-called wallet offering of others, but it has definitely been tweaked to benefit the Indian consumer.

Flipkart.com themselves have defined the benefits of a Wallet as the following:

  • Make one payment and shop multiple times
  • Simpler and faster check-out process
  • No more worries of failed payment transactions

While the first benefit is not something that Indian consumers will drool over, the third benefit is in my experience, a very big deal for both the consumer and the company. The first benefit is obvious to the consumer once they understand the basics of what a wallet is used for. The good thing going for Flipkart.com is that it has a music download service called “flyte” that works really well with a wallet. Nobody would care to make repeated purchases of Rs. 6 each for purchasing a music title. A wallet stores funds that can then be released for making these one-off payments. If flyte didn’t exist, the first benefit would rather be an aggressive MBA-trained marketing guy’s sales pitch for corporate glory than anything meaningful from a customer standpoint. Indians take pride in making a profit out of every penny they hold, whether in a bank or through tax savings (or evasions) to avoid paying too much to the government. They wouldn’t be happy parting with their money even before they make a purchase with the satisfaction that flipkart has it with them. Yes, it is true that the above points will be refuted once Flipkart turns into a giant e-commerce player and becomes a household name like Amazon.

Another reason why consumers will not like the idea shared in the first benefit is that the amount that you store in your digital wallet cannot be refunded by flipkart.com in case you no longer want to purchase anything on the website or just plain want your funds back. Flipkart.com is not a bank and RBI regulations do not allow it to function as one unless it applies to become one. It is possible that flipkart.com is currently working towards getting the needed RBI approvals to become one but it would only make sense if the digital wallet in its current sense is really taking off for them and this issue is constantly turning out to be a customer pain point that needs to be addressed. A look at the digital wallet FAQ on Flipkart.com indicates something very interesting. It has a question that says – What is the change in the refunds policy of the digital wallet? The answer is “As of 2nd February 2012, the Refunds Policy for the Wallet has been slightly modified. As per the earlier policy, the entire balance in the wallet was fully refundable. Under the updated policy, the Topped-Up balance in the Wallet will not be refundable starting 2nd February 2012.” The top up balance is basically funds that a customer directly puts into the wallet to make future payments and it is not refundable due to the regulations mentioned earlier. The fact that it was changed effective 2nd February indicates that Flipkart.com probably was not aware of the regulations that were meant to be followed and then had to correct their actions after the fact. This single issue with the functioning of a digital wallet turns against the overall benefits of offering one.

Now, coming to the third benefit, the challenge of facing failed payment transactions is very real in the Indian context due to the over-dependence of e-commerce retailers on a third-party gateway run by either an aggregator (CCavenue, EBS, PayU) or a bank supported entity (HDFC, ICICI pay seal). An e-commerce retailer can see about 30-40% of its customers lost at that point after having taken pains to carefully hold their hands and take them through the checkout stages. This is a very painful loss especially for Indian e-commerce retailers. It is not easy getting a customer that far only to see him drop. None of the payment gateways in India have a foolproof method of preventing such issues. The best success rates boasted by the best in the industry come to about 78%-80%. Gateways like EBS and PayU offer a retry option for helping a customer try a payment again when things fail, but this doesn’t solve the issue 100%. In this context, having funds in a digital wallet ensures that a customer need not go back looking for his credit card, netbanking bank details or debit card and start entering all information in a 3rd party payment gateway only to see that things are slow due to the internet, the banks are not processing their payments or the payment gateway is down for maintenance. For an e-commerce site, on a per transaction basis, we no longer have to deal with bad payment gateways, good payment gateways who still can’t control issues and fickle minded or busy customers who may drop out at the last stage.

The digital wallet system should however evolve to provide more incentives and benefits to the customer to influence them to use the wallet and park funds there. These could be in the form of discounts at the checkout stage for using the wallet or, as Paypal is doing, help the customer choose how the funds are used. The question of why build this service in-house when someone like a Paypal or Google may eventually do it better in India is however worth thinking about. Ideally the link with a 3rd party like Google or Paypal would turn out to be more reliable payment instruments in the mind of the consumer and also provide additional benefits that are not easy to replicate. As of now, given the aggressive pace with which Indian e-commerce retailers are racing against each other, waiting for something better to happen may not be a wise option. Getting things out the door and then re-adjusting (like the change in refund policy that Flipkart did) is the way the game needs to be played.


PCI DSS Certification for E-commerce Websites in India

I recently worked on the PCI DSS certification process and did some research, vendor analysis, contract negotiation and technology task integration for getting certified through an audit (it is still a WIP). It was a daunting task that highlighted some interesting lessons that I thought can be shared for the benefit of the community. As a Product Manager, my role was limited after a certain extent as pure technical tasks around software and hardware took over and I merely worked on coordinating things to successfully work towards certification. All this is being presented largely in the context of an Indian e-commerce setup.

The Payment Card Industry is an interesting game changer in a World of money-driven over-consumption. First, they introduced the addiction with credit through plastic cards and their heavy abuse. Then, they got all merchants (non-consumers) to play along with the high fees and cost structure required as a prerequisite to forcibly do business with them. Unhappy with all this, they then introduced the concept of a data security standard (DSS) and the subsequent audit that follows it. This last change was surprisingly done finally for the benefit of the consumer! That benefit is now being reaped by a host of boutique IT firms around the World selling their version of PCI rules and certification as a service to merchants who cannot get it done on their own.

So, what is PCI DSS certification and why am I angry with it?

Well, for starters, I am not angry with anything although I have a very cynical tone. It is just that there is a website called the PCI security standards council (www.pcisecuritystandards.org) where a bunch of people employed to write wonderful content have baked up a set of rules and regulations around PCI DSS certification and why we need it. The problem is none of that is useful although everything written in it is very helpful. The website tries to address every question you may have in your mind about PCI certification to the point where you no longer understand what the certification is needed for.

Frustration apart, PCI certification was mandated by the payment card industry as a set of security rules required to keep customer data safe within the environment in which you as a merchant are doing business. It covers all aspects of an IT and company set up where customer credit card information is captured, stored or transmitted internally or externally within a networked environment, both physical and virtual. It has about 12 or so mandatory checks that need to be satisfied by a merchant so that they are considered as security compliant in the eyes of the PCI. The only problem is that it is the merchant’s headache to make sure that they are compliant in every manner possible and the PCI never signs up for any risk that the merchant is exposed to post getting certified. Getting the certification, maintaining the certification and protecting consumer data is all the merchant’s problem with PCI nowhere in the picture except for levying fines in case a “noticeable” security breach has occurred at the merchant’s end.

So, why is this important in the context of the e-commerce industry in India?

The answer is obvious. E-commerce as a business transacts on the internet and thanks to very smart hackers who love the internet, an e-commerce business is prone to severe security issues where customer data can be compromised. While several e-commerce players in the developed world have just taken this up as yet another target in a yearly roadmap of technical tasks, the upcoming players in the Indian e-commerce space have been slow in working towards PCI certification.

One big impediment is the cost associated with getting a full audit done and getting certified. The cost can run from anywhere between Rs. 8-12 lakhs depending on the level of technical expertise or consulting help you take from a PCI certification vendor. This is followed by quarterly scans and yearly audits that soon add up to the costs. Just so that money is not lost in this unique business model of conducting audits for PCI, scans are done by an approved scan vendor a.k.a. ASV. The ASVs are approved by the PCI to conduct scans. Why? Who knows! Those scans can as well be done by a good engineer in a merchant’s technology team too. Much more painful than the cost of getting the initial certification though is the investment that needs to be made in hardware, software and network infrastructure to get things right for the PCI audit. This can be a huge dent on resources and cost depending on how big an e-commerce player you are and what your data needs are around customer card information.

So, how do I know if I am not complying with PCI security standards?

If you are not certified, then you are largely in violation of some rule or the other around DSS and hence run the risk of being hacked and as a result penalized. A quick check as a merchant can be done by, one, talking to your payment processor or, two, checking the checkout stage on your website.

Talking to your payment processor or payment gateway (CCavenue, TPSL, EBS, ICICI Payseal, HDFC, PayU etc.) is needed in case you have your checkout integrated with a payment gateway to process customers’ payments and finalize the transaction. This is needed as the payment gateway (which is always PCI DSS certified) shares the risk of non-compliance in case there is a security breach on the merchant’s side due to an improper security practice that led to a hack. Hence, the gateway usually mandates and ensures that the merchant is PCI DSS certified in order to process customer transactions. The rumor (!) is that gateways and banks are rewarded for enforcing PCI DSS certification mandates on merchants (Hmm…). However, the point to note is that the actual compliance need or mandate comes from the merchant acquiring bank rather than a payment gateway. However, the process works in tandem and hence talking to your payment gateway helps get an answer.

Looking at the checkout stage on your website by far is a quick and dirty check when it comes to realizing whether PCI DSS certification is necessary or not. Many Indian e-commerce websites do not collect any credit card information of the customer. If a customer chooses “credit card” as a payment option and proceeds to complete checkout, they are redirected to a payment gateway’s payment page (e.g. CCavenue) where a customer completes a transaction by entering all the card details. In this scenario, the e-commerce merchant is not really bearing any risk of being hacked nor running into any PCI risks. A basic PCI certification (will be explained later) is recommended but is not really necessary (the unofficial opinion!).

If the checkout stage has a provision for allowing customers to enter their credit card number following which you are directly integrating with a payment gateway to process the customer transaction, then you fall under the purview of a PCI audit. You are required to be PCI DSS certified in order to collect credit card information even if you are merely holding it in temporary memory and not storing it after the transaction is complete. Direct integration is the method by which a seamless checkout experience is created for the customer by not taking him away from the merchant e-commerce site to a payment gateway site to complete the payment. This can be achieved through a special custom integration with payment gateways/banks or through a proper API-based integration with them.
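The "look at your checkout stage" check from the two paragraphs above, as an added example that is not part of the original post: it scans checkout HTML for fields where a customer would type card details and reports which integration model the page follows. The sample pages, host names and the field-name heuristics are constructed assumptions; a real checkout may name its fields differently.

```python
"""Added example: does this checkout page collect card details itself, or hand off to the gateway?"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Standard HTML autocomplete tokens for payment card fields.
CARD_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-name"}
# Heuristic for field names/ids that usually hold card data (assumption, extend as needed).
CARD_NAME_RE = re.compile(
    r"card[-_ ]?(number|num|no)\b|cc[-_ ]?(number|num)\b|\b(cvv|cvc|pan)\b", re.I)


class CheckoutScanner(HTMLParser):
    """Collects, per <form>, the fields that look like card data entry."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "card_fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select") and self._current is not None:
            tokens = set(a.get("autocomplete", "").lower().split())
            names = [a.get("name", ""), a.get("id", "")]
            if tokens & CARD_AUTOCOMPLETE or any(CARD_NAME_RE.search(n) for n in names):
                self._current["card_fields"].append(a.get("name") or a.get("id"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def assess_checkout(html, merchant_host):
    """Classify a checkout page served from merchant_host."""
    scanner = CheckoutScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        if form["card_fields"]:
            # A relative action posts back to the merchant's own server.
            host = urlparse(form["action"]).netloc or merchant_host
            findings.append({"fields": form["card_fields"], "posts_to": host})
    return {
        # "direct": card details are entered on the merchant's page (PCI audit applies).
        # "redirect": the customer is sent to the gateway's page to enter them.
        "model": "direct" if findings else "redirect",
        "card_data_collected": bool(findings),
        "findings": findings,
    }


# Constructed sample pages for a hypothetical merchant at shop.example.
REDIRECT_PAGE = """
<form method="post" action="https://gateway.example/pay">
  <input type="radio" name="payment_method" value="credit_card">
  <input type="radio" name="payment_method" value="netbanking">
  <input type="hidden" name="order_id" value="1001">
</form>"""

DIRECT_PAGE = """
<form method="post" action="/checkout/pay">
  <input type="text" name="card_number" autocomplete="cc-number">
  <input type="text" name="expiry" autocomplete="cc-exp">
  <input type="password" name="cvv">
  <input type="hidden" name="order_id" value="1001">
</form>"""

if __name__ == "__main__":
    for label, page in (("redirect sample", REDIRECT_PAGE), ("direct sample", DIRECT_PAGE)):
        print(label, assess_checkout(page, "shop.example"))
```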

I am still confused?

Great, because if you weren’t then you understood nothing. Having a seamless checkout experience is usually the desired experience an e-commerce merchant likes to provide to a customer. Also, holding on to a reasonable amount of customer credit card information helps you with building a one-click checkout experience wherein a customer who comes back again to make a purchase on a website already has his basic credit card information stored and made available for quick selection. Drop out rates in checkout hurt an e-commerce business especially if the reason is due to a transaction completion process that a customer is not comfortable with. In order to do all these things for the customer, one has to be compliant with PCI DSS.

So, what should I do to get certified?

There are two different ways in which you can get PCI DSS certified depending on the annual number of transactions you generate on your website. The transaction limits are defined individually by the credit card companies into four levels of classification. Level 1 for VISA is considered as any merchant generating 6 million or more in annual transactions on the website using the VISA card. Check this link to get the scoop on how VISA looks at merchant levels – http://usa.visa.com/merchants/risk_management/cisp_merchants.html#anchor_2

As a merchant in the Indian e-commerce scene, you may not have crossed enough transactions to get to a level 1 classification just yet. This could mean that merchants are possibly under level 2, 3 or 4. This brings in an interesting twist to the audit process: the choice of going for a full onsite audit (expensive) or for an internal self audit (painful).

What is the difference and which audit option should I go for?

A vendor in the business of running PCI scans will always recommend an onsite audit. A merchant is better off doing an onsite audit as internal resources need not be pulled into tasks that are not necessary for the daily running of the website. An onsite audit needs to happen if the merchant is a level 1 business. They need to get an annual audit done along with quarterly scans and certifications. For all other levels (including level 4 where things are optional), you can go for filling out something called a self-assessment questionnaire, a.k.a. SAQ. Going for an onsite audit is still recommended as the DSS checks that one needs to comply with are the same (with a few exceptions) irrespective of whether you go for an onsite audit or a self-assessment. The onus is on the merchant to get all the compliance checks completed in both cases and, based on a conversation with a technology expert I worked with, filling up the SAQ and being compliant with its needs isn’t pretty either. In fact, it amounts to getting the same things done that one would have completed with an onsite audit in place. The convenience factor is lost with the SAQ.

Now, the SAQ is still a viable and cost-effective option for a merchant. In fact, it is an option which, if executed well with a strong technology team, can get you on the road to PCI DSS certification much faster than a regular onsite audit. In fact, there are tools in the market that do full-network scans (similar to what your onsite auditor will do) and let you know what is missing from a compliance standpoint and what needs to be fixed. However, the reality leans more towards leaving all the pain of compliance research to a 3rd party vendor. Coming back to the SAQ, there are four different types of SAQs – A, B, C and D. Each one of them is tailored towards a certain business model or business practice that you adhere to as an e-commerce merchant. The problem is that the definitions of the SAQ classifications could get confusing. It almost makes you nervous that you might choose the wrong option, like when filling out a job application. I’ve had everything from a payment gateway provider asking me to fill out a SAQ A to a bank asking me to fill out a SAQ D. End of day, the technology team said, “let’s go with the onsite stuff”.

Is this for sure the way PCI DSS audit and certification works?

A very good question. In fact, several people have asked me this question and I’ve even asked myself this question time and again. There is no straightforward answer. The Standards Council has given such a vague definition of the various compliance rules that there are people fighting it out daily over the nuances of the pseudo-legal rules that PCI has come up with. See the comments section of this article for example: http://developer.practicalecommerce.com/articles/2893-Eliminating-PCI-Scope-with-Authorize-Net-s-Direct-Post-Method

Every vendor who has made a business out of PCI scans, audits and certifications has further tweaked the interpretation of the rules to their business advantage and seldom gives a satisfying picture to the merchants who hire them. In fact, even the banks and payment gateway providers, who are ideally PCI DSS certified, don’t know why and how they got certified. They give answers, but they don’t give answers that make complete sense. A high-profile Country Head of a leading payment gateway once proposed that we could get a level-4 PCI certification in lightning speed if we went with his product. When I said that levels are not a certification option that you can pick and choose from, he put his high-paying, top-notch job on the line and swore this is how PCI certification works. When I pushed further, he eventually asked me to go talk to his PCI vendor team and strongly cautioned me as to how his job expertise lies in this specific area of work. His team eventually accepted that they used the “level” language to make things simple for clients. The last I heard, he hadn’t resigned from his job yet. It is fine though, as, after all, I was only taunting him on the technical understanding of what levels meant. Eventually, if you are identified as a level 4 merchant, you get PCI certified for whatever is needed at that level.

What if I get penalized for violation of PCI DSS?

Well, there is no straightforward answer yet again. It depends on the level of security breach and what amount of customer data was lost. End of day, nobody closes your shop. You pay a fine (could be heavy) and you need to go through a full audit to resume business the same way as you were doing “before”.

For good or bad, PCI DSS certification helps all e-commerce merchants be on a level footing when it comes to security and protection of customer data. It also helps as a cool marketing tool to build TRUST with customers by tagging oneself as a PCI compliant business (similar to the Verisign trust seal that supposedly gives some nice fuzzy feeling to the shopper!). Getting certified also clears the way for an e-commerce merchant’s Product Managers to build some useful features for its customers. Last but not least, all these measures don’t necessarily prevent an e-commerce website from being hacked, as hackers don’t check for PCI certification before deciding whether to attack. A strong technology team with strong network security is needed to protect a business and its customers’ private information.
