E-commerce privacy from the merchant’s perspective

Do you store all of your customer’s personal data and habits? It’s a risky thing to do for a few reasons. First, you have the potential of letting all of that data become available to hackers and other nefarious online entities. Also, it might not be legal, depending on where you do business. Lastly, the storing of actual cardholder data requires specific and attentive PCI compliance procedures and scans. You may also want to check out this article from one of our partners, Shopify; it details some of the legalities and data management responsibilities that come with being an online merchant.

A few opinions on how to handle sensitive data.

With more and more people getting worried about their personal data being stolen and used against them, the best policy we have found is a straightforward one. If you want to collect customer data, ask them for permission, and then ask what information they are willing to volunteer; you may find it even easier and more complete than trying to collect their information discretely. One big problem people have with data collection is that they don’t know how it is used. By spelling out your intentions to them, you give them a sense of security. A clear privacy policy is essential for all websites, especially e-commerce sites.
If you wanted to use a customer’s purchase history and area of residence to help target specific products you think they will buy, make a short form that pops up when they make their first purchase, explain the benefits and ask permission to gather that data. If your client agrees, store and use the data, if not, discard the information.

Cardholder Data

Long gone are the days when an e-commerce merchant could build their own payment form and simply have it email cardholder data to them and store card numbers on their laptop “in case they need them again”. PCI compliance is incredibly important and merchants who experience a breach, especially a careless breach are going to be really on the hook for the cost of card replacement, forensic accounting, research, and the actual cost of fraud perpetrated on the stolen cards. Step one should be storing cardholder data on a secure PCI compliant server hosted by a certified shopping cart, or payment gateway such as NMI. If you have any questions and would like to “bend our ear” for some friendly advice on secure payment gateways and cardholder data options for one-time or subscription / recurring billing programs, please contact us anytime.