If your company is violating compliance standards for online payments, even in a minor capacity, you can lose your credit card contracts – and your business could be hit with catastrophic fines.
cleverbridge removes this burden by taking over responsibility for compliance of cleverbridge-hosted and operated payment pages with the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), and the Revised Payment Services Directive (PSD2). As a result, we also save you substantial time and money.
The General Data Protection Regulation (GDPR) is a regulation sponsored by the European Commission that impacts how businesses collect and store customers’ personal data. This legislation took effect on May 25, 2018. It replaced the existing European data protection directive and touches nearly every company selling online, including cleverbridge clients.
As a Germany-based company that has maintained a steadfast commitment to protecting the data of clients and customers throughout its history, cleverbridge instituted some major changes to our platform and processes to ensure your ecommerce operations are compliant with GDPR:
- We moved to secure-only channels for data transfers. This change greatly enhances security and primarily affects order notifications, which are now transferred via SFTP, HTTPS, or encrypted email. For more information, see Manage Notifications in the Commerce Assistant.
- We de-personalized customer IP addresses in notifications and key generation calls (i.e., the last number of the IP address is always replaced by .0). We also removed the ability to search for IP addresses in the Commerce Assistant (CA).
  These measures satisfy the GDPR requirement that only necessary personal information should be transferred during a purchase. Per the GDPR, full IP addresses are considered personally identifiable information (PII). However, the remaining numbers of an IP address still provide useful information for common analytics functions, including geographic location.
- We configured transfers of customer street address, city (if collected), and postal code to clients on a per-client or per-product basis. Again, this is to ensure that only necessary PII is transferred to our clients.
- We reviewed tracking and analytics tools to determine whether they comply with GDPR. While cleverbridge clients want to build detailed online profiles of customers and visitors, the GDPR is very strict regarding what information businesses can and cannot collect about website users.
  Fortunately, the GDPR’s requirements in this area are similar to the already stringent requirements of current German law, and cleverbridge has been compliant with the latter since our inception. Achieving the right balance between your needs and regulatory requirements will be an ongoing process.
The GDPR is here to stay, but cleverbridge clients can count on our Compliance Team to ensure a compliant ecommerce and subscription experience.
However, be aware that once a customer completes an order and you receive our order notification and/or a key generation call, you become the data owner of that customer’s information and must treat it with the same scrutiny as we do to ensure full compliance with the law.
If you have questions about GDPR and the steps we’ve taken to ensure compliance, contact Client Experience.
Strict PCI DSS compliance is necessary for any business processing credit card payments. Therefore, cleverbridge has maintained a PCI DSS compliant environment, and we are constantly checking to make sure that processes and scope remain compliant.
We do so by only accepting credit card orders submitted according to PCI DSS standards. Our platform supports submission of orders via state-of-the-art secure encryption layers, and we process all transaction requests and results via HTTPS. Cryptographic controls also provide effective mechanisms for protecting the confidentiality, authenticity and integrity of information – and our policies include the use of encryption and key management.
Our services also provide you with the following freedoms and benefits:
When you use cleverbridge-hosted and operated payment pages, all credit card information is sent directly to cleverbridge. This means that sensitive cardholder data never passes through your system. As a result, your company does not need to implement many of the strictest PCI DSS standards.
Following PCI DSS regulations is absolutely necessary for accepting credit card payments, but compliance does not come cheap. When you partner with cleverbridge, we cover the following PCI DSS compliance costs:
- Implementation costs. As estimated by Gartner for level 1 merchants (processing in excess of 6 million transactions of a single card type per year), these include:
  - 200,000 USD for assessing the scope of required PCI DSS work (scope assessment during initial implementation)
  - 600,000 - 1.1 million USD to meet the requirements
- Recurring auditing fees. These hinge on a variety of factors – company size, number of transactions processed annually, existing infrastructure, credit card data scope, etc. Initial implementation is quite costly. For level 1 merchants, the average annual audit cost is 225,000 USD.
We protect you from potentially catastrophic PCI DSS non-compliance fines, including:
- Up to 90 USD fine per cardholder data compromised
- Suspension of credit card acceptance
- Loss of brand reputation
- The cost of a PCI Qualified Forensic Investigator (130-200 USD per hour for a one- to two-year project)
PSD2 is the Revised Payment Services Directive, a new EU regulation for electronic and non-cash payments. This new version of the directive introduces the technical requirement for implementing Strong Customer Authentication (SCA) to make online payments more secure and reduce fraud.
To accept payments once SCA goes into effect, merchants must build additional two-factor authentication into their checkout flow. It requires two of the following:
- Knowledge – Something the Customer KNOWS (such as a password)
- Possession – Something the Customer HAS (such as a pre-registered smart phone)
- Inherence – Something the Customer IS (such as a fingerprint)
Starting September 14, 2019, banks will decline payments that require SCA and don’t meet these criteria.
While the first generation 3D Secure 1.X added friction to the transaction process, 3D Secure 2.X was specifically designed to reduce that friction and help improve conversion. Instead of entering a password, the cardholder can authenticate a payment through the banking app by just using their fingerprint, for example.
SCA is required when both the acquirer and issuer are located within the European Economic Area (EEA): Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Monaco, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK.
There are, however, some out-of-scope transactions and exemptions to this mandate. Here are the most relevant:
- Merchant-initiated transactions (MIT): A merchant-initiated transaction is a payment that is taken on an agreed upon date with the payer’s consent, and is initiated by the merchant collecting the payment. If a transaction is merchant-initiated, both fixed and variable payments will be exempt from SCA.
- Inter-regional transactions (one-leg-out transactions): A transaction where either the issuer or acquirer is located outside of Europe.
- Anonymous cards: A transaction processed by using an anonymous card can only be identified by the issuing bank, not by the customer.
- Low value transaction: Transactions under €30 are exempt from SCA. If the total amount attempted on the card without strong authentication is higher than €100, or after five consecutive transactions without SCA, SCA is required.
- Low risk transaction/transaction risk analysis (TRA): The ability for a payment to be considered low risk is based on the average fraud levels of the card issuer and acquirer processing the transaction:
  - 0.13% to exempt transactions below €100
  - 0.06% to exempt transactions below €250
  - 0.01% to exempt transactions below €500
- Subscription or recurring transactions: Subscription or recurring transactions with a fixed amount are exempt from the second transaction onwards. Only the initial transaction requires SCA.
- Trusted beneficiaries: Customers can assign businesses to a whitelist of trusted beneficiaries. Whitelisted merchants are exempt from SCA.
- Secure corporate payments: When the transaction is initiated by a legal person, for example, a business rather than a consumer, and it is processed through a secured dedicated payment protocol.
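To make the interplay of the low-value, TRA and out-of-scope rules above concrete, here is an added example (not cleverbridge's code) that models how an issuer-side decision could apply the thresholds listed on this page. The `CardState` counters, the reset after SCA, and the rule that only low-value exemptions count toward the cumulative limits are modelling assumptions; the euro thresholds and fraud-rate tiers are the ones stated above.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Thresholds as stated in the exemption list (amounts in EUR).
LOW_VALUE_LIMIT = 30.0        # a single transaction must be under this
LOW_VALUE_CUMULATIVE = 100.0  # cumulative unauthenticated total must not exceed this
LOW_VALUE_MAX_COUNT = 5       # consecutive unauthenticated transactions allowed

# TRA tiers: (maximum fraud rate of issuer/acquirer, largest exemptable amount).
TRA_TIERS = [(0.0001, 500.0), (0.0006, 250.0), (0.0013, 100.0)]


@dataclass
class CardState:
    """Counters an issuer keeps per card for the low-value exemption (constructed model)."""
    unauth_total: float = 0.0
    unauth_count: int = 0

    def reset(self) -> None:
        self.unauth_total = 0.0
        self.unauth_count = 0


def tra_limit(fraud_rate: float) -> float:
    """Largest amount the TRA exemption can cover at this fraud rate (0.0 if no tier fits)."""
    for max_rate, limit in TRA_TIERS:
        if fraud_rate <= max_rate:
            return limit
    return 0.0


def assess(amount: float, card: CardState, *, both_in_eea: bool = True,
           merchant_initiated: bool = False,
           fraud_rate: Optional[float] = None) -> Tuple[bool, str]:
    """Return (sca_required, reason) for one card payment and update the card counters."""
    if not both_in_eea:
        return False, "one-leg-out: out of scope"
    if merchant_initiated:
        return False, "MIT: out of scope"
    if fraud_rate is not None and amount < tra_limit(fraud_rate):
        return False, "TRA exemption"
    if (amount < LOW_VALUE_LIMIT
            and card.unauth_total + amount <= LOW_VALUE_CUMULATIVE
            and card.unauth_count < LOW_VALUE_MAX_COUNT):
        card.unauth_total += amount
        card.unauth_count += 1
        return False, "low-value exemption"
    card.reset()  # assumption: a completed SCA restarts the cumulative counters
    return True, "SCA required"
```

Note that the cumulative and count limits make a string of small payments fail the low-value exemption eventually, which is why a checkout flow must be able to trigger a 3D Secure 2 challenge even for a €20 basket.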
As your ecommerce and payment partner, cleverbridge takes over responsibility for compliance with the new directive. We made some major changes to our platform and processes to ensure transactions are compliant:
- We have implemented a Cardholder-Initiated Transactions (CIT)/Merchant-Initiated Transactions (MIT) framework so that recurring transactions are out-of-scope and no SCA is required.
- We are utilizing an up-to-date Bank Identification Number (BIN) database to identify cards whose issuer is based outside of the EEA, as well as anonymous cards, to which no SCA mandate applies.
- We use preferred acquirers with low fraud rates so that the TRA exemption can be applied to transactions below €100.
- We will continue to track any changes in requirements for SCA exemptions to ensure that customers can still enjoy easy shopping experiences by applying these exemptions in the best way.
We can’t foresee that because it is ultimately the cardholder’s bank that will decide whether to challenge a transaction. But 3D Secure 2.0 introduces a better user experience that will help minimize some of the friction that authentication adds into the checkout flow.
cleverbridge will flag the transaction as merchant-initiated and will endeavor to "grandfather" these subscriptions so that they don't require SCA when they come up for renewal on or after September 14, 2019.
As long as the transaction is merchant-initiated and is appropriately flagged as such, subsequent charges should in most cases not require SCA, even if the amount varies. cleverbridge will take care of flagging subsequent re-billings as MIT.
As long as the transaction is merchant-initiated and is appropriately flagged as such, subsequent transactions do not require SCA, no matter how the amount changes. cleverbridge will take care of flagging subsequent re-billings as MIT.
This process is not considered to be part of the checkout process. It is part of the app or online banking system provided by the issuing bank that will allow you to whitelist specific merchants.
As a full-service ecommerce provider, cleverbridge ensures compliance with the new regulation, saving our clients substantial time and money. You don’t need to do anything. We’ve got it all covered.
SCA is required when both the acquirer and issuer are located within the EEA (all EU member countries plus Norway, Iceland and Liechtenstein) and it applies to “customer-initiated” online payments.