Ordoro Blog

a practical blog for small business ecommerce merchants

Understanding PCI Compliance

July 21st, 2010 · Uncategorized

What is PCI (PCI_DSS) compliance?

PCI stands for Payment Card Industry (Amex, Visa, Mastercard, Discover, etc). PCI_DSS stands for Payment Card Industry Data Security Standard.

The payment card industry requires anyone who deals with payment card information to be compliant. That is, the industry requires the people who handle customers’ credit card information to be responsible for the security of that information, thereby helping to prevent credit card fraud. It is somewhat like how Sarbanes-Oxley compliance makes big companies responsible for their accounting, thereby helping to prevent white-collar fraud (Enron et al.).

Who needs to be PCI_DSS compliant?

Any merchant who stores, processes or transmits credit card information needs to be compliant.

Why should I care about it?

How would you feel if you used your credit card to make an online purchase and your credit card information was stolen because the online vendor was careless in handling it? You would want any fraudulent transactions on your credit card to be removed, right?

If you as a vendor are not PCI_DSS compliant, then you have not done enough to be responsible for any customer credit card information you may have stored, processed or transmitted. And if some miscreant steals this information to make fraudulent transactions, then:

  • You lose the goodwill of that customer (not to mention that a really angry customer may go viral with the experience, causing much more damage)
  • The credit card company can hold you liable for all of these fraudulent transactions (if several credit cards have been breached, this liability can add up and drive your company bankrupt)

You may be tempted to think that the likelihood of such a theft from your web-store is low given that it has not happened before. But this scenario is comparable to identity theft: it may not have happened to you yet, but when it does it is extremely frustrating and time-consuming to secure things again. Not to mention that hackers are getting increasingly efficient at writing malicious code that automatically scans the internet for such vulnerabilities and attacks them.

When do I need to be compliant?

Compliance in general requires two activities:

  • Quarterly: Getting a vulnerability scan from an Approved Scan Vendor (ASV)
  • Annual: Self-audit or external audit by a QSA (Qualified Security Assessor)

Where do I go to get more info?

https://www.pcisecuritystandards.org/

How can I be compliant? (OR How to avoid it altogether!)

Let’s look at the easier way out first. If you wash your hands of (i.e. outsource) all credit card storing, processing and transmitting activities, you can be spared all of this!

There are multiple services that will do this for you:

Of course there is no such thing as a free lunch. You may have to give up some user experience and/or incur some cost. For example, sending your customers to another website, being unable to offer one-click checkout, or simply paying the outsourcing service a cut of your revenues.

If you don’t want to make these trade-offs then here’s a cheat sheet to help you understand what “merchant level” you are and what you need to do to be compliant:

PCI DSS

*In addition, the credit card issuer/processor of “level 4 merchants” may ask for a summary compliance plan, which in turn will have to be consolidated by the issuer/processor and sent to the PCI.

Why this extra burden on low transaction merchants?

Apparently these merchants account for 99% of all credit card transactions and at the same time are the most vulnerable to hackers due to lack of IT security expertise. Credit card companies report

Jargon

PCI DSS

This is what the compliance is trying to achieve (of course, if you love PDFs, here’s the detailed version):

PCI DSS


Keyword Search Economics 101

June 30th, 2010 · Other

Ever wonder if you are spending money wisely on search advertising? I recently had to go through the exercise to understand terminology and analyze if the money we spent on search engine advertising was really worth it. I figured this would be useful to others looking to do similar analysis.

Let’s start with some of the basic terminology used by search engines such as Google, Bing, Yahoo, etc. These metrics are provided to you by the search engines based on your keyword.

Impressions: The number of times a target customer searching for a keyword sees your advertised link. This usually shows up as a sponsored link at the top of a Google search page on a green background.

Clicks: The number of times the target customer actually clicks on the advertised link.

Cost per click (CPC): This is the amount you pay to Google when someone clicks on your sponsored link.

Conversions: The number of times a customer (who has clicked on your advertised link) buys your product or service.

Calculated metrics:

Using the numbers above we can easily derive the metrics below, which can be used to assess the efficiency and economics of your keywords.

Click-through rate (CTR): The CTR is a measure of how relevant your advertisement is to the customer’s search phrase. It is calculated as the number of clicks divided by the number of impressions.

Total cost: This is the total dollar amount spent on search engine advertising. It is calculated by multiplying the CPC by the number of clicks.

Cost per conversion: This metric gives the average dollar amount you spent to make one sale. It is calculated by dividing the total cost by the number of conversions.

Cost per revenue: This metric gives you the average number of cents you spent to earn one dollar. It is calculated by dividing the total cost by the total sales you made to customers who clicked on the advertising link and bought your product or service.

Example:

The table below shows examples of these calculations for an imaginary business selling two widgets, as well as the total costs, revenue and average advertising cost per dollar of revenue. The numbers highlighted in blue can be obtained from the search engine. In this example the business spends 8 cents of every dollar earned on search engine advertising.

Keyword Economics


How SaaS is greener

November 21st, 2009 · Other, Webstore

Intuitively, you would expect SaaS-based technology to drive efficient use of resources and utilities, which in turn drives sustainability. Chris Thorman gives this intuition some credibility


Reducing IT costs

November 21st, 2009 · Other, Webstore

It’s impossible to run a company these days without an investment in technology, which can take your operations to another level. But how do you do it economically and without wasting extra cash on needless tech services or products?

That’s a question many small businesses are asking, in a grim environment that has wreaked havoc on firms’ financial stability. Done correctly, cutting your current tech spending may leave your company leaner, faster and bigger than before.

Try Web-based software for specific tech tasks. In industry parlance, it’s called virtualization, cloud computing, software-as-a-service or software-on-demand. For many companies, it’s cheaper to pay a monthly fee for a web-based service, such as data back-up or antivirus protection, than to make an upfront investment in the technology. Innovations International Inc., a workplace consulting firm in Salt Lake City and San Francisco, began using so many online services that in April 2008, the 25-year-old firm went completely virtual. The company has reduced its operating expenses by 20% to 30% as it now uses RingCentral.com for phone, Egnyte.com for database servers, Skype for internal and international calls and Google Apps for email. The company no longer pays $5,000 to $6,000 per month on office space, as its five employees now work at home. Many of the online services were free or cost $25 to $90 a month, says Danny Guillory, its chief executive.

Further, justifying subscription payments is easier than justifying upfront investments, since monthly payments come out of operating expenses while large upfront costs take the form of capital investments.

Source: Wall Street Journal: Small Business
