Palantir.net's Guide to Digital Governance: eCommerce
This is the thirteenth installment of Palantir.net’s Guide to Digital Governance, a comprehensive guide intended to help get you started when developing a governance plan for your institution’s digital communications.
Strict federal laws govern the transmission, collection, and retention of credit and debit card data, whether those interactions occur through the web, by phone, or in person. Any organization involved in collecting payments via credit or debit cards should ensure that all staff involved in a payment collection process are appropriately trained and fluent in the organization’s policies regarding the collection and retention of credit and debit card data. And obviously, those policies should adhere to federal and state laws (and international laws, if your reach extends that far).
Minimum Requirements for Collecting Online Payments
Bank Account
Any organization intending to collect credit or debit card payments first needs a bank account in order to receive those payments. The bank account is where the money goes once a payment transaction is completed.
eMerchant & Payment Gateway
Once you have a bank account where money can be deposited, you will then need to establish accounts with an eMerchant and Payment Gateway provider. Some eMerchant and Payment Gateway services are provided by the same organization. For example, PayPal will handle both the eMerchant and Payment Gateway functions of eCommerce, so all you need to use a service like PayPal is a bank account.
Some organizations have existing payment relationships with companies that serve as eMerchants. It may be more cost-effective to use a company with whom you already have a relationship, in which case there are various Payment Gateway providers that could be used to facilitate the transaction between purchaser and the banks involved in the payment process.
Secure (Encrypted) Online Form
To collect payment details from users, you will then need a secure (meaning encrypted) online form for your website. This is the form users complete with their credit or debit card information to make a payment. The form must be served over a secure, encrypted protocol (i.e., HTTPS).
Secure Data Storage
Encryption on the online form is not the last step in security, however. Payment transactions also create customer data, specifically their credit card data, which is highly sensitive and must be handled carefully. Using a reliable payment gateway service eliminates this concern because the entire payment transaction is handled on their secure servers.
Organizations that want to store customer credit card and financial data themselves must undergo a PCI compliance audit and certification. This process is lengthy and expensive, and requires yearly renewals and constant monitoring. We don’t recommend doing this yourself, unless the volume of payments is so large that the cost of PCI compliance is less than the fees you would pay a gateway for the service, which is exceedingly rare for the majority of eCommerce websites.
For complex transactions, such as recurring payments, using a reliable gateway service is the only cost-effective option. But even for simple transactions, the general rule is to never store customer payment data. For most organizations, the risks are too high and the costs too great.
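The "never store customer payment data" rule above, as an added Python example (not code from Palantir.net or any gateway provider): the site keeps only the opaque token the gateway returns plus display-only descriptors, refuses to persist anything shaped like a full card number, and checks that the payment form posts over HTTPS. Field names such as `token` and `last4` and the sample responses are constructed assumptions.

```python
"""Keep a gateway token, never the card. Sample data below is constructed."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

DIGIT_RUN = re.compile(r"\d{13,19}")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; used only to recognise a card-number-shaped string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value) -> bool:
    """True if any 13-19 digit run (spaces/dashes ignored) passes Luhn."""
    compact = re.sub(r"[ -]", "", str(value))
    return any(luhn_valid(m) for m in DIGIT_RUN.findall(compact))


def form_action_is_encrypted(action_url: str) -> bool:
    """The payment form must post only to an https endpoint."""
    return urlparse(action_url).scheme == "https"


@dataclass(frozen=True)
class StoredPayment:
    gateway_token: str   # opaque reference issued by the gateway (assumed field)
    last4: str           # display-only; not sensitive on its own
    amount_cents: int
    currency: str


def record_from_gateway(response: dict) -> StoredPayment:
    """Build the only record the organization keeps. Any field carrying a
    full card number aborts the write instead of being saved."""
    for key, val in response.items():
        if looks_like_pan(val):
            raise ValueError(f"refusing to store card-number-like value in {key!r}")
    return StoredPayment(response["token"], response["last4"],
                         int(response["amount_cents"]), response["currency"])


# Constructed sample responses; the second one wrongly echoes a test PAN.
GOOD = {"token": "tok_example_1a2b3c", "last4": "1111",
        "amount_cents": 2500, "currency": "USD"}
LEAKY = dict(GOOD, raw_card="4111 1111 1111 1111")
```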
Creating a Policy
The minimum requirements for collecting payments online only scratch the surface of the issues you may need to consider when governing the use of online payment collection for your organization. Here are some additional things to consider:
- Who may have eCommerce capabilities?
- What is the process for initiating eCommerce on the site?
- What is the process for being added to the existing eCommerce solution?
- How many parts of your organization need to collect payments online?
- Do they each need their own implementation of an eCommerce solution? Or can they share?
- Do they each need their own bank account? (This is often the case when reporting of online payments, especially charitable contributions, requires separation between departments or budget lines for accounting purposes.)
- Who is responsible for ensuring that federal and organizational guidelines are followed?
- Where will credit card and user data be saved or stored throughout the payment process?
- Who will have access to any credit card and user data?
- What security practices need to be followed to protect credit card information?
Decisions surrounding eCommerce will invariably involve key decision-makers, stakeholders, and gatekeepers within the Finance department (or equivalent function) and the IT department of your organization. You are likely to need their cooperation in determining a governance plan for eCommerce.
