Heading into 2015, merchants weary from data breach fallout and worried about stricter PCI guidance will likely turn to third parties for payment security over a do-it-yourself approach.
The move toward hosted pages, or offloading payment acceptance and risk management work, is being influenced by the PCI council's 3.0 guidelines, which take effect January 1. The guidelines mandate that merchants which choose to use client-side encryption and house payment card data must fill out a new questionnaire that's more than 60 pages long. Merchants that use hosted pages provided by third parties will only need to fill out a couple of pages.
Merchants that are already processing payments with client-side encryption will be grandfathered in, giving these merchants a year before they must fill out the self-assessment questionnaire.
This load of paperwork "will drive merchants, especially smaller merchants, to hosted pages," said Ralph Dangelmaier, BlueSnap's chief executive. BlueSnap is a global e-commerce payment gateway that offers its merchants hosted pages.
Many merchants, Dangelmaier said, don't know that this extra paperwork is coming. BlueSnap is partnering with Security Metrics to help merchants comply with the new PCI rules free of charge.
"The paperwork is certainly a pain for these merchants, and one factor, but I don't see it as the primary driver" to hosted pages, said Julie Conroy, senior analyst and fraud expert at Aite Group. "The primary attraction of hosted pages is the ability to remove a big chunk of your infrastructure from PCI scope and the ability to outsource your security to a vendor who in theory has much more expertise and scalability."
With hosted pages, no consumer information or payment credentials go through the merchant. Many industry experts believe using hosted pages is more secure, since merchants rely on professional payments firms with higher PCI certifications for storage and security.
Merchants using client-side encryption actually build the checkout page themselves. Implementing this solution can be time-consuming and costly for merchants.
BlueSnap doesn't currently charge merchants that use its hosted pages, but because the company is saving merchants time, money and compliance burden, it's thinking about charging for the service in the future.
Most payment gateways in the space today, such as Braintree and Stripe, use their hosted pages as key differentiators, Conroy said. She has seen no indication that payment gateways, which charge per-transaction fees, will monetize hosted pages.
In BlueSnap's pool of merchant customers, most use hosted pages, said Dangelmaier. About 80% of the company's merchant clients, which account for 20% of its volume, use hosted pages, and approximately 80% of BlueSnap's volume comes from the 20% of clients that use its APIs, he said.
Before merchants make the decision to use hosted pages, Conroy said they should consider the responsiveness of the vendor when they want to make changes to the look, feel and layout of the page.
The most important question though: How is the outsourced provider guaranteeing security?
"Third-party vendor risk in general has been a big subject of concern," said Conroy.
Several of this year's headline data breaches were the result of merchants' third-party vendors. The fraudsters responsible for Target's data breach during the holiday season last year used the password of a heating, ventilation and air conditioning vendor, Fazio Mechanical Services, to infiltrate the retailer's network. And more recently, Charge Anywhere LLC informed its merchants that it found malware with the ability to steal card data in its network, malware that initially entered five years ago.
While the fault doesn't fall on the merchant, it's still harmful for merchants to be associated with a data breach. Data breaches tarnish the reputation of a brand and have made consumers fearful, causing them to spend less.
The new PCI guidelines have also put more security scrutiny on merchants' obligations to manage third-party vendor risk.
"Client-side encryption, properly applied, is a great way to reduce exposure to data breaches, by protecting the data in transit from the point of sale all the way to the acquirer or network," said Conroy.