ControlScan Inc. says it has developed a way to eliminate the technology and security challenges merchants face when trying to expand into mobile or online commerce.
The Atlanta-based data security and compliance provider on April 30 unveiled Instant eCommerce, a system for Web and shopping cart hosting and online payment acceptance, at the Electronic Transactions Association's annual meeting in New Orleans.
Instant eCommerce, a cloud-based service, includes technology that allows merchants to validate compliance with the Payment Card Industry data security standard, which sets rules on how to protect card data.
Payment service providers and independent sales organizations can attach Instant eCommerce to their payment gateways, providing the white-label service as a value-added offer for small and mid-size merchants, says Kevin Lee, president of hosted payment solutions for ControlScan.
ControlScan's purchase of CRE Secure in May of 2012 paved the way to product advancements such as Instant eCommerce, Lee says.
"With CRE Secure, we brought in some extra technology, but it was not just a secure hosted payment page," Lee says. "We turned that technology into a shopping cart plug-in that removes the cart from PCI compliance because the card data will never make its way into the cart."
Rather, the merchant has access only to the data needed for customer service or record keeping, such as the card's expiration date or its last four digits, Lee says.
Ultimately, ControlScan hopes to work with partners to roll out new technology in a way that "when a merchant adopts it, he will have no more PCI fees," Lee says.
Merchants are definitely seeking technology that will make e-commerce and PCI compliance easier, but they have to complete their due diligence regardless of the vendor, says security consultant and PCI expert Walter Conway of Milwaukee-based 403 Labs LLC.
"As a qualified security assessor for PCI, I have to tell merchants to do their research," Conway says. "I am a big fan of outsourcing payment processing, but merchants can't outsource liability for fraud."
ControlScan is offering a product that can reduce PCI scope and "help merchants do what they do, and that's selling stuff," Conway says. But merchants must still do their homework, regardless of whether it is ControlScan, First Data or Chase Paymentech offering services, he adds.
Payments providers and ISOs offering Instant eCommerce will target merchants who primarily sell products online, but are looking to upgrade their shopping carts or mobile offerings, Lee says. Another likely candidate for the system is the brick-and-mortar merchant who wants to add e-commerce as if it were its "next store," Lee says.
Online security takes on even more meaning during the EMV smart-card migration at point of sale terminals in the U.S.
"We've all seen what happened in Europe with EMV, with fraud moving to online, and we all understand that," Lee says. "But merchants here have yet to experience it."
Even though no company can claim to have the "silver bullet" to stop all fraud, many products available to merchants go a long way toward reducing PCI scope, Conway says.