By making online purchasing safer for the consumer, it should be welcomed by online retailers, even if it does cause extra complications and cost.

In the early days of internet retailing, it seemed quite acceptable for customers credit card details to be downloaded and stored in the clear on a PC  either in a shop, or often in a spare room at home.  No one gave much thought to card security beyond using SSL (to provide the Golden Padlock) for secure connection and encoded transmission from the web site to the PC.

Sales would often be put through the retailers’ credit card terminal in the same way as telephone orders or mail orders (remember mail order?). The difference of course is that with a telephone order, thae card details, if written down at all, would most probably be on a scrap of paper which would the be thrown away. Storing mounting numbers of credit card details including security information on a PC in an easily accessible and stealable form was obviously going to have to stop.

PCI-DSS Requirements

PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data. It consists of common sense steps that mirror security best practices.

Much of what is necessary for PCI compliance is outside of the expertise/ability of small retailers or home based businesses;  for instance under point 9 above:

9.3 Ensure all visitors are authorized before entering areas where cardholder data is processed or maintained; given a physical token that expires and that identifies visitors as not onsite personnel; and are asked to surrender the physical token before leaving the facility or at the date of expiration.

or under point 11:

11.5 Deploy file integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files or content files. Configure the software to perform critical file comparisons at least weekly.

Obviously, there is far more to PCI compliance than  can be put in a blog post, for more information about PCI-DSS Compliance, you should visit the PCI Security Standards website

But doesn’t this make it impossible to start up a web business?

Absolutely NOT!

The whole point about PCI-DSS compliance is that it is the processing of credit card data that must be secure. For most small and start-up businesses, there is no need to process the data yourself, and so no need for all these measures – see Taking Card Payments Online.

By handing over the processing of card payments to a Payment Service Provider, such as HSBC or SagePay, or a Payment Processing Company like PayPal or Google Checkout, you avoid all of this. They have the secure systems in place to handle all of the card verification and processing and transfer of the payment to your bank  – you never need to worry about the customers’ credit card details.

photo credit: natloans

These days, an increasing number if different devices are being used to access websites – smartphones, tablets, and netbooks as well as traditional PCs and laptops. This means that web sites need to be useable on a variety of screen sizes.

Responsive design is the answer to this problem – the website automatically responds to the screen size of the device on which it is being viewed. A few years ago, before the advent of smartphones and tablets, “fluid design” became the in thing, with the width of web pages stretching automatically to fit the width of the monitor. However, as monitors became bigger and bigger, this caused more problems than it solved, with ridiculously long lines of tesxt making reading difficult and breaking the layout and flow of the page.

As a result of this, web designers largely went back to designing fixed width webpages, usually optimised for a 1024 pixel width screen. 800 pixel wide monitors had largely disappeared and 640 px had completely gone out of use, so a web page at around 980px would fit nicely on a 1024px monitor allowing room for a border and the scroll bar. With the page centred in wider monitors, this left room for a bit of creativity off the side of the page.

Now with the introduction of smartphones and tablets, small screen sizes that we thought had disappeared forever are back and assuming greater importance (although of course we don’t know what will happen to screen sizes in the future).

Fortunately, modern web browsers and web technology allow us to overcome the limitations of fluid design – resposive design is the job done properly. With responsive design, the screen size is determined “on the fly” and selective page elements can be altered to maintain readability. For instance, images can automatically be resized, column widths changed, or sidebars can be moved from alongside to underneath the content on smaller screens.

Modern devices have modern web browsers already, and most laptop and desktop users are regularly encouraged to upgrade their browsers, so for all new sites and re-designs, responsive design shoul be considered important. E-Commerce sites remain a bit more problematic, as many are based on legacy software which may take a bit more modification. However, increasing use of smartphones for ordering will make this vital. According to a recent study published by digital market research firm eDigitalResearch, approximately 50 percent of smartphone owners have used their devices for an ecommerce transaction.

This site is responsive – if you resize your browser window, then drag the window narrower, you can see how it responds at different screen widths.

Image: FreeDigitalPhotos.net

For most online retailers, the first basic requirement of any online shop is to be able to accept credit/debit card payments.

Internet Merchant Accounts

Except in the simplest of circumstances, you will need to have an Internet Merchant Account (IMA) with one of the main acquiring banks (such as Barclaycard Merchant Services, Bank of Scotland, HSBC, Streamline) in order to receive payments into your bank. Internet Merchant Accounts from the main banks are not always easy to come by – they may want evidence of your trading history, for example, making it difficult for new businesses to get started in e-commerce. Fortunately there are other options which make it relatively easy to get started (see PSPs below).

By the way, even if you already have a Merchant Account for either telephone/mail order Card not Present transactions, or have an instore payment terminal, you will still need a separate IMA.  A few years ago, people could, and did, get away with downloading customers credit card information onto their PC and processing it through their CNP account. You can’t get away with that now. It could lead to fines from your Bank and/or having your credit card processing facility removed. Do Not Do It.

Payment Service Providers

In addition to an IMA, you will need a Payment Service Provider (PSP) to process payments for you. While it is still technically possible to process the payments yourself through your IMA, it is no longer wise to do so. For most small businesses, the requirement  to comply with the Payment Card Industry Data Security Standard (PCI-DSS) guidelines makes it not worthwhile. Instead it is better to hand the actual processing of card payments over to a Payment Service Provider.

PSPs,  also called payment gateways, offer various packages and rates to suit different merchants. Some are more appropriate to merchants processing a high number of transactions, some are better for start up businesses who will initially have a low number of transactions.

When Using a PSP, the customer is transferred automatically to the PSPs secure payment area before entering  any credit card details. They handle the approval process, and pass on the payment and order details back to you. This way, you never see any credit card details, so you don’t have any security problems to think about.

You should also be aware that some PSPs also provide IMAs, and some acquiring banks provide PSP services – so it’s worth checking what services you bank provides.

Payment Processing Companies

An easier and quicker alternative to the above approaches is to use a payment processing company.  This option removes the need for a separate IMA and PSP, and the application process is usually quicker and easier which is particularly helpful if you have little or no trading history.

Two of the most popular are PayPal and Google Checkout and using either of these can be especially helpful to new or small companies, as they  remit payment to you immediately in most cases –  as soon as the payment is made by your customer, the money is deposited into your merchant account.

Of course, these are by no means the only two, and it is worth checking the rates of several options – some may be better for small numbers of large value transactions, some better for a large number of small transactions.

Image: nuttakit / FreeDigitalPhotos.net

Selling goods over the internet, like any other form of selling, is covered by legislation regarding Sale of Goods and Misleading Advertising. In addition, Internet sales in the UK are covered by the Consumer Protection (Distance Selling) Regulations 2000. These regulations also apply to other forms of distance selling such as digital TV, mail order (including catalogues), phone and fax.

The Distance Selling Regulations do not apply to financial services, sales of land, products bought from vending machines and contracts for goods or services concluded at auctions. Nor do they apply to business to business transactions

As an online trader you must provide clear, understandable information before the customer decides to buy about:

• your name and postal address
• a description of the goods or services
• the price including all taxes
• delivery costs where they apply
• arrangements for payment
• arrangements and date for delivery
• the right to cancel the order
• how long the offer or the price remains valid

When a customer places an order you must provide confirmation of the above information in a form that is durableeg writing, e-mail, fax (verbal confirmation is not sufficient).

This should include information on how the right to cancel can be exercised and any details of after sales service and guarantees.

If you are selling goods, this must be provided at the latest by the time the goods are delivered.

If you are selling a service, it must be provided before or in “good time” during the performance of the service. Where the service is open-ended, e.g a mobile phone contract, the customer must be provided with details about how and when they can terminate the contract.

If you do not provide this information, the customer’s right to cancel the order can be extended by 3 months

Fortunately, most e-commerce packages come with the ability to send automatic confirmation emails on receipt of an order – however, you should make sure that this feature is enabled. Bear in mind that much e-commerce software originates in, or is aimed at the US market, so you will need to be able to configure the confirmation emails to meet the legal requirements.

No Contracting Out

You cannot insert into the contract any terms which attempt to remove the customers right under the regulations, e.g. a term like “you must return the goods within 7 days in order to obtain a refund” would have no legal standing.

Cooling off period – the customers right to cancel

Because the customer has not had the chance to physically examine the goods before the sale is made, the distance selling regulations allow a cooling off period of 7 days in which the customer has the unconditional right to cancel the contract. Note this is 7 working days, so excludes Saturdays, Sundays and Bank Holidays (even though your e-commerce site is working 24×7!)

In the case of services, the 7 days begins as soon as the order is made; in the case of sale of goods, it begins when the customer receives the goods.

If you delay in providing the required written confirmation of the order including details of the right to cancel and how to exercise that right, the cooling off period is extended by up to 3 months, and ends 7 days after the customer receives the confirmation. If you fail to provide the information at all, the cooling off period is extended to the full 3 months, plus the 7 days.

If the customer decides to cancel the contract, they must notify you in writing, including fax or email; a telephone call will not do. The date of the cancellation is the date when the notice was sent to you, not when you receive it, so a customer could decide to cancel on the 7th day, even though you may not receive the notice until a day or two later.

Some goods and services are excluded from the right to cancel. These include:

• Food, drinks or other goods for everyday consumption delivered to the consumer’s home or workplace by regular roundsmen. Deliveries by supermarkets of orders made over the internet are not excluded from the right to cancel.
• Accommodation, transport, catering or leisure services where the supplier agrees to provide the service on a specific date or within a specific period.
• Goods or services whose price depends on fluctuations in the financial market which cannot be controlled by the supplier.
• Goods made to the customer’s specifications or clearly personalized.
• Goods which by reason of their nature cannot be returned or are liable to deteriorate or expire rapidly, such as perishable foods.
• Audio or video recordings or computer software if they are unsealed by the consumer.
• Newspapers, periodicals or magazines.
• Gaming, betting or lottery services.

When a consumer cancels the order all money paid must be returned within 30 days of the date the notice of cancellation is given. Normally this will mean re-crediting the consumer’s credit card (or other payment card) account if that was the method of payment used.

If the customer has paid a delivery charge, you must also refund that, unless it is the subject of a separate contract.

You can specify as part of the contract that goods must be returned at the customers expense, however, this must be made clear in the written confirmation

When a customer exercises their right to cancel, ownership of the goods reverts to you; the customer then has a duty to take “reasonable care” of the goods so that they can be sold again as new, and to make them available for collection, or return them if that is specified in the contract. You must inform the custome within 21 days when you will collect the goods from them

If it is the customers duty to return the goods and they do not do so, you are entitled to deduct the cost of collecting them from the amount of the refund, but only the actual cost, whether it be the cost of postage, or the cost of sending a van to collect them.

If the customer unreasonably fails to return the goods or make them available for collection, the duty to take reasonable care of the goods is open ended until they are restored to you – if they do not take care of the goods, you are entitled to claim for the loss in value.