Why the change?
As a growing online business we were constantly faced with the uphill battle over PCI compliance due to the way that we processed card data. Every online business should maintain a certain level of PCI compliance and the lowest and easiest level to achieve is SAQ-A.
How you pass card data to your payment provider determines the level of PCI compliance you require. Because card data passed through our servers on the way to our payment provider, we had to obtain a much higher level of compliance, and this in turn had a major impact on our business. Not only did we have to change our entire hosting environment, but we also had to learn, understand and implement a whole host of additional security features and standards.
Even though we never actually store card details or sensitive data on our servers, the fact that we wanted a seamless checkout experience meant that we had to become PCI SAQ-D compliant. Obtaining this level of compliance as an SME added significant overheads and a burden that we no longer wanted to bear.
Whilst we have been more than happy with our current gateway, PayPal, their current solution (Direct Payment) does not offer a way to avoid the higher level of compliance. They do have a hosted solution, but using it would have meant not being able to capture additional data or process reference transactions at a later stage (i.e. offer a ‘Save the card for future use’ feature).
There were a number of reasons why we decided to look for alternative solutions, including:
Expertise – Having to understand the entire PCI standard in order to pass certification meant that we had to spend a fair amount of time and effort on this each month instead of concentrating on our business activities. You could outsource this part of the work, but that means the additional expense of employing a QSA.
Technical – The low-level technical experience needed to update and patch our server was well beyond our in-house technical expertise. We were fortunate enough to obtain this level of support from our current hosting provider and worked closely with them to appeal any scan errors.
Hardware – As part of our compliance we were required to move to dedicated hardware, which saw our monthly hosting expenses rise almost tenfold. It also meant losing the flexible scalability that VPS or cloud-based solutions provide, and obtaining resilience and redundancy meant having to purchase more hardware.
Maintenance – As part of maintaining this level of compliance we had to pass quarterly scans and intrusion tests, as well as make sure our code and framework kept up with the latest patches. This added another layer of complexity to the development life cycle, as well as the additional time taken each month to prepare for the scans, run them and fix any errors.
Employees – As our business has grown, so has our workforce. Part of the compliance burden was having to train each new employee in the security policy, as well as keeping the rest of the business informed of any changes or updates.
Mitigation – One of the largest burdens of PCI compliance at our current level was the risk we exposed the business to in terms of fraud. If we were to become a victim of credit card fraud as a service provider we could potentially be liable for fines of up to £100,000 for each incident.
Whilst we are not saying that any of the above are bad for an online business to know and understand, it seemed sensible to us to look for a provider that could not only remove the risk but also lighten the workload in terms of our PCI status. Why run the risk, create additional work and restrict the environment when there are providers that specialise solely in this?
We looked at a number of different solutions including Braintree, PayPoint and Paymill, but ultimately we decided to go with Stripe. Whilst all the solutions that we looked at provided all the features that we wanted (Saved Cards, 3DSecure, Subscriptions, CVV), it was Stripe’s speed, documentation and technical implementation that made it the clear winner for us. They have two solutions that can be integrated rapidly, and we decided to go with their more advanced solution, Stripe.js.
Using Stripe.js meant we would automatically be PCI compliant (although we were still required to obtain SAQ-A status), and it also brought a number of additional bonuses:
Cloud Based – Since we are no longer required to run our site on dedicated servers, we can now move to a cloud-based solution where redundancy, resilience and scalability are all provided at hugely competitive prices, meaning our monthly hosting expenditure will reduce.
Seamless Checkout – Using this solution meant that we could have ultimate control over the look and feel of the credit card page, so that it fits seamlessly into the checkout process without the user ever leaving our site or being faced with a form that looks completely different. It also meant that we could collect additional data on the credit card screen and provide a much better experience to our users.
Risk – We have now mitigated the PCI risk to our business and placed it safely in the hands of the experts. The technical implementation means that no sensitive data ever reaches our servers, so we have completely removed this burden.
Development – The time and resources saved by not having to worry about a high level of PCI compliance can now be used to develop our site and features further for our customers. Integrating with Stripe was an absolute breeze and has even reduced the amount of code we need to maintain!
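The "no sensitive data ever reaches our servers" property is what keeps an integration like this within SAQ-A, so it is worth checking on the server side rather than assuming it. Below is an added example (not code from the original post, and not Stripe's own library) of a guard for the checkout POST: it accepts only a Stripe token and refuses any request that carries a raw card field or a PAN-like value, which would mean the form still submits card details to us. The field names, the `tok_` prefix check and the sample requests are assumptions.

```javascript
// Added example: server-side guard that enforces "only a token reaches us".
// With Stripe.js the browser sends card details straight to Stripe, and the
// form posts back only a token; any PAN or CVC arriving here is an integration
// mistake (e.g. a card input that still has a name attribute) that would pull
// the site out of SAQ-A scope. Field names and the token prefix are assumptions.

// Luhn check: a 13-19 digit string that passes it is treated as a card number.
function luhnValid(digits) {
  let sum = 0;
  let alt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (alt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    alt = !alt;
  }
  return sum % 10 === 0;
}

function looksLikePan(value) {
  const digits = String(value).replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Field names that must never be posted to the merchant server (assumed names).
const FORBIDDEN_FIELDS = ['number', 'card_number', 'cvc', 'cvv', 'exp_month', 'exp_year'];

// Returns { ok: true, token } for a well-formed tokenised checkout post, or
// { ok: false, reason } describing why the request must be refused and logged.
function inspectCheckoutBody(body) {
  for (const [key, value] of Object.entries(body)) {
    if (FORBIDDEN_FIELDS.includes(key.toLowerCase())) {
      return { ok: false, reason: `raw card field '${key}' posted to server` };
    }
    if (looksLikePan(value)) {
      return { ok: false, reason: `PAN-like value in field '${key}'` };
    }
  }
  const token = body.stripeToken;
  if (typeof token !== 'string' || !/^tok_[A-Za-z0-9]+$/.test(token)) {
    return { ok: false, reason: 'missing or malformed stripeToken' };
  }
  return { ok: true, token };
}

// Constructed sample requests: a correct Stripe.js post, and a broken form
// whose card inputs still carried name attributes, so the browser submitted them.
const goodPost = { stripeToken: 'tok_example123', email: 'a@example.com', amount: '1999' };
const badPost = { stripeToken: 'tok_example123', number: '4242424242424242', cvc: '123' };
```

A rejected request should be treated as a deployment bug to fix in the form, not as a payment to retry, since the browser has already exposed the card data to the server.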
Every online company should be concerned with fraud and understanding the PCI standards, but not all ecommerce businesses should have to concern themselves with the details when there are multiple solutions in the marketplace. Considering all the immediate and additional benefits it will bring to our business, it made commercial and technical sense to change.