Strict federal laws govern the transmission, collection, and retention of credit and debit card data, whether those interactions occur through the web, by phone, or in person. Any organization involved in collecting payments via credit or debit cards should ensure that all staff involved in a payment collection process are appropriately trained and fluent in the organization’s policies regarding the collection and retention of credit and debit card data. And obviously, those policies should adhere to federal and state laws (and international laws, if your reach extends that far).
Minimum Requirements for Collecting Online Payments
Any organization intending to collect credit or debit card payments first needs a bank account in order to receive those payments. The bank account is where the money goes once a payment transaction is completed.
eMerchant & Payment Gateway
Once you have a bank account where money can be deposited, you will then need to establish accounts with an eMerchant and Payment Gateway provider. Some eMerchant and Payment Gateway services are provided by the same organization. For example, PayPal will handle both the eMerchant and Payment Gateway functions of eCommerce, so all you need to use a service like PayPal is a bank account.
Some organizations have existing payment relationships with companies that serve as eMerchants. It may be more cost-effective to use a company with whom you already have a relationship, in which case there are various Payment Gateway providers that could be used to facilitate the transaction between purchaser and the banks involved in the payment process.
Secure (Encrypted) Online Form
In order to collect the payment details from users, you will then need a secure (meaning encrypted) online form for your website. This is the form users will complete with their credit or debit card information to make a payment. The form must be served over a secure, encrypted protocol (i.e., HTTPS).
Secure Data Storage
Encryption on the online form is not the last step in security, however. Payment transactions also create customer data, specifically their credit card data, which is highly sensitive and must be handled carefully. Using a reliable payment gateway service eliminates this concern because the entire payment transaction is handled on their secure servers.
Organizations that want to store customer credit card and financial data themselves must undergo a PCI compliance audit and certification. This process is lengthy and expensive, and requires yearly renewals and constant monitoring. We don’t recommend doing this yourself, unless the volume of payments is so large that the cost of PCI compliance is less than the fees you will pay a gateway for the service, which is exceedingly rare for the majority of eCommerce websites.
For complex transactions, such as recurring payments, using a reliable gateway service is the only cost-effective option. But even for simple transactions, the general rule is to never store customer payment data. For most organizations, the risks are too high and the costs too great.
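As an added illustration of the rule above (example code, not part of the original post or any gateway's SDK), the function below shows what an application may keep once a gateway has handled the card, and what it must refuse to store or log. The field names, the gateway token format and the sample record are assumptions constructed for the example.

```python
import re

# Fields an organization may keep after the gateway has processed the card.
# Assumption (not from the post): the gateway returns an opaque token and the
# last four digits; the full card number never reaches the organization's servers.
RETAINABLE_FIELDS = {"gateway_token", "card_last4", "card_brand",
                     "amount", "currency", "email", "memo"}
# Raw card data that must never be persisted by the organization itself.
FORBIDDEN_FIELDS = {"card_number", "cvv", "cvc", "track_data", "pin"}

# A run of 13 to 19 digits, optionally separated by spaces or dashes, looks like
# a card number (PAN). This is deliberately broad and may also catch long
# reference numbers; over-redacting a log line is the safer failure mode.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def redact_pan(text: str) -> str:
    """Replace anything that looks like a card number before it reaches a log or database."""
    return PAN_PATTERN.sub("[REDACTED-PAN]", text)


def prepare_for_storage(record: dict) -> dict:
    """Return only the fields allowed to be stored; refuse records that still carry raw card data."""
    present = FORBIDDEN_FIELDS & set(record)
    if present:
        raise ValueError(f"raw card data must not be stored: {sorted(present)}")
    kept = {k: v for k, v in record.items() if k in RETAINABLE_FIELDS}
    # Defence in depth: even an allowed free-text field (e.g. a memo typed by
    # staff) must not carry a card number into storage.
    return {k: (redact_pan(v) if isinstance(v, str) else v) for k, v in kept.items()}


def require_https(form_url: str) -> bool:
    """The payment form must be served over HTTPS, as the post requires."""
    return form_url.lower().startswith("https://")


if __name__ == "__main__":
    # Constructed sample of a gateway-tokenised result plus a careless memo.
    sample = {"gateway_token": "tok_example123", "card_last4": "4242",
              "amount": "25.00", "currency": "USD", "email": "donor@example.org",
              "memo": "card 4111 1111 1111 1111 used", "cvv_hint": None}
    print(prepare_for_storage(sample))
    print(require_https("https://example.org/donate"))
```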
Creating a Policy
The minimum requirements for collecting payments online only scratch the surface of the issues you may need to consider when governing the use of online payment collection for your organization. Here are some additional things to consider:
- Who may have eCommerce capabilities?
- What is the process for initiating eCommerce on the site?
- What is the process for being added to the existing eCommerce solution?
- How many parts of your organization need to collect payments online?
- Do they each need their own implementation of an eCommerce solution? Or can they share?
- Do they each need their own bank account? (This is often the case when reporting of online payments, especially charitable contributions, requires separation between departments or budget lines for accounting purposes.)
- Who is responsible for ensuring that federal and organizational guidelines are followed?
- Where will credit card and user data be saved or stored throughout the payment process?
- Who will have access to any credit card and user data?
- What security practices need to be followed to protect credit card information?
Decisions surrounding eCommerce will invariably involve key decision-makers, stakeholders, and gatekeepers within the Finance department (or equivalent function) and the IT department within your organization. You are likely to need their cooperation in determining a governance plan for eCommerce.
This post is part of a larger series of posts, which make up a Guide to Digital Governance Planning. The sections follow a specific order intended to help you start at a high-level of thinking and then focus on greater and greater levels of detail. The sections of the guide are as follows:
- Starting at the 10,000ft View – Define the digital ecosystem your governance planning will encompass.
- Properties and Platforms – Define all the sites, applications and tools that live in your digital ecosystem.
- Ownership – Consider who ultimately owns and is responsible for each site, application and tool.
- Intended Use – Establish the fundamental purpose for the use of each site, application and tool.
- Roles and Permissions – Define who should be able to do what in each system.
- Content – Understand how ownership and permissions should apply to content.
- Organization – Establish how the content in your digital properties should be organized and structured.
- URL Naming Conventions – Define how URL patterns should be structured in your websites.
- Design – Determine who owns and is responsible for the many aspects of design in digital communications and properties.
- Personal Websites – Consider the relationship your organization should have with personal websites of members of your organization.
- Private Websites, Intranets and Portals – Determine the policies that should govern sites which are not available to the public.
- Web-Based Applications – Consider use and ownership of web-based tools and applications.
- E-Commerce – Determine the role of e-commerce in your website.
- Broadcast Email – Establish guidelines for the use of broadcast email to constituents and customers.
- Social Media – Set standards for the establishment and use of social media tools within the organization.
- Digital Communications Governance – Keep the guidelines you create updated and relevant.