New CyberSource system designed to take the worry out of PCI compliance

CyberSource Corp.’s new Payment Data Management system lets e-retailers process online payments under the credit card industry’s PCI security standards without having to directly handle or even store their customers’ credit card accounts and other payment transaction data, the company says.

When customers hit the buy button on a retail site using the PDM system, the payment data, including credit card account information, is immediately captured by CyberSource servers, leaving the retailer free of risk related to storing and processing that data, says Dave Glaser, vice president of professional services for CyberSource. The credit card industry’s PCI standards require retailers to protect credit card data from theft or other forms of outside intrusion; failure to comply can lead to fines and an eventual loss of the ability to accept credit card purchases.

Avivah Litan, an online payments security expert from research and consulting firm Gartner Inc., has reviewed the PDM system and says it appears to be the only one of its kind offered by payment gateway companies. “I haven’t checked it out yet with due diligence, but this should be very attractive to any merchant that wants to outsource their security management,” she says.

Litan adds that she has seen an increase in the number of retailers wanting to outsource their payment security management, but that Visa and MasterCard have not been clear about the remaining security responsibilities retailers have under outsourcing arrangements. “If a retailer does outsourcing, it still has to transmit payment data to the outsourcer, and the rules are unclear about their responsibilities,” she says.

The CyberSource PDM system, she says, is designed to remove that ambiguity by directly capturing payment data without the need for retailers to transfer it. As long as CyberSource maintains its own PCI compliance certificates, retailers using the PDM system shouldn’t have to worry about their own PCI compliance, she adds.

“PDM reduces merchants’ risks of storing, processing and transmitting data, because we take care of those tasks in our PCI-certified data centers,” Glaser says.

Retailers using the new PDM system were unavailable for comment, but Mark Reardon, director of security for the Georgia Technology Authority, says the state’s agencies that accept online payments have used the PDM system to process hundreds of thousands of transactions without ever having to directly handle or store confidential credit card account data.

Merchants have two options in how they use the PDM system: They can use it to only store payment account data on CyberSource servers while continuing to accept account data on their own customer payment data entry forms; or they can use a payment data entry form hosted by CyberSource on the PDM system as well as use PDM to store that data. Retailers also have the option of displaying the hosted payment form under their own branded imaging or as a CyberSource-branded page. The PDM system can handle installment and recurring payments as well as single payment transactions.

The payment data storage service costs within a range of about $1,000 to $5,000 per month, but retailers don’t have to use CyberSource as their payment processor, a CyberSource spokesman says. The hosted payment form is only available to CyberSource processing clients, who pay no extra fees above their usual 5 to 10 cents per transaction processing fees.

Merchants can access their stored payment data by referencing a unique transaction identifier that CyberSource maintains, the company says.