Managing online risk


Anti-fraud measures such as the 2005 chip and PIN initiative have been introduced and whilst this has helped in reducing fraud in traditional retail outlet environments, it has meant that criminals have turned their focus to online retailers.

For online transactions, address and security code checking is now common place, along with 3D Secure, which encompasses both Verified by Visa and MasterCard Secure Code. It requires additional online user password authentication and has been designed specifically for website customer not present transactions.

In an attempt to raise the baseline security practices of online merchants and payment processing firms, card payment companies joined forces to create the Payment Card Industry Data Security Standard (PCI DSS). The result of collaboration between Visa and MasterCard – the PCI standard has the support of other card companies, including American Express, Discover, JCB and Diners Club, and affects every company that deals with card payment transactions. The PCI DSS is a set of 12 requirements that aim to reduce credit card fraud and increase data security.

Merchant Responsibility

If you are an online retailer, payment service provider or any other organisation that stores, transmits or processes credit card transactions, you are required to comply with this standard.

Failure to comply with the standards can result in fines of up to£250,000 for each instance of breach, or a ban on processing credit card transactions. But beyond compliance, an organisation is placing their brand, customer loyalty and company valuation at risk if they do not manage payment data securely.

Does PCI DSS Apply to Me?

PCI DSS applies to you if you are involved in storing, processing or transmitting any cardholder data. What’s more, the standard doesn’t just apply to storing data electronically; it also covers manual processing and storage.

Servebase, a Global Card Solutions provider of EFTPOS and Card Processing Software process over £8bn of transactions per annum and have developed a number of PCI compliant on-line card payment solutions; Portrait, Axis and Advance. Servebase is a member of the PCI security standards council and is certified to PCI-DSS Level 1(the highest level).The Servebase PCI accreditation only covers the environment where we operate our own Hosted Services. If you process cards locally, you will need to get accreditation in your own right as it is YOUR responsibility to protect the card data held on your site.


Portrait is the Servebase  e-commerce payment page, where everything is designed to get you started quickly, easily and cost effectively. To make things as simple as possible, a hyperlink is provided from the merchant’s website to the hosted Portrait payment page – so no technical skills are required and the customer doesn’t have to worry about creating payment pages or secure links. Portrait is fully customisable, so it can have the same look and feel as the rest of the website.

Alternatively, Axis is a hosted, interfaced card payment solution. It provides secure socket connectivity over the Internet to Servebase’s powerful host for processing any type of card payment. It is seamlessly interfaced with the customers own application, providing communication with the Servebase host via an SSL connection over the Internet, with authorisations routed to the acquirer for overnight settlement. It offers full transaction reconciliation, with reporting and data mining facilities provided through an online reporting tool. Advance is a virtual point of sale accessible via the internet 24 hours a day. As it is a web hosted application, set up is quick and simple with complete management information provided.

If however, your payment system is such that you do capture the data in your back office system or in your website then you will need to take further actions to ensure you are compliant. Your payment provider should be able to guide and help you in taking the correct steps. There are also plenty of companies whose sole purpose is to help you become PCI compliant.

Cardholder data security should now be paramount to any business. If your system is attacked and customer stored data is stolen, the card schemes have the power to levy charges upon you and remove your acquiring facilities and this in effect could be very damaging to your business.

The Servebase website gives up to date status reports of their own PCI certification and provides further information on their payment solutions.

Comments are closed.