A compelling call to action is - the key ingredient in every marketing plan. In post card and email campaigns, you’re limited in scope to a very small space in which to reinforce interest and tip prospects over the edge to buy. So what makes for an effective call to action?

Location Location Location
When my wife and I were writing the business plan for our Salon, she told me our success depended heavily on location. In fact, she repeated location, location, location over and over. Why? In the hair styling industry, you need a constant flow of walk-in traffic to augment your existing clientele – if you want to maximize your growth. It’s not much different cross-industry.

You need to capture your prospects attention immediately
In an email broadcast, positioning your call to action above the scroll puts your message where? In the preview pane ! Lots of folks never scan beyond their preview panes. In a world dominated by immediate gratification, this compares to being in the top ten of search engine results. You need to capture your prospects attention immediately. How? Location ! You want them to be able to simply glance at the preview and click.

Multiple calls to action
Is just one call to action enough? Strategists reason by giving multiple calls to the same action, in different sections of your broadcast, you lend weight to the call. The first call to action may be intriguing, prompting your prospect to read further (benefits/solutions), followed by second call to action that puts them over the top – they’re convinced. If you change up the wording or offer different solutions in multiple calls to action, you risk confusing your viewers.

Words and Emotions
Sales are emotional transactions. Setting the right tone puts your prospect in a buying posture. Using power words that demonstrate force (in your face) and personality make a strong impact. You’re looking to prompt specific reactions from their point of view. And it isn’t just the words – it’s their perception of the words. What’s more appealing to you (on the same product) – 20% off or $150 off? My guess would be $150 off. Why? Because 20% is an unknown quantity – it sounds good, but requires some calculation. I understand $150 off immediately.

Text or Images?
The goal is to draw attention to your call to action. Extensive testing has shown that what works for some doesn’t work for everyone – and changing up between text and images works better than locking into one or the other. A word of caution when using images for your call to action – some readers may have images disabled, so always add ALT text attributes to your images.

Does size and color matter?
In testing, it’s been reported that bright colors outperform other colors, and orange, in particular, does very well. I’ve seen a lot of red calls to action, but subconsciously, red means STOP. A good test to determine if your call to action is the proper size and color is to stand about 10 feet away from your ad and see how easy it is to pick out.

My Recommendation to Increase Click Throughs
Wording is key. Instead of using Buy Now, Buy, Order, Order Now or any similar wording, change your call to action to ADD TO CART. Put it where it’s easily seen and your conversion rates will increase.

Always provide value - The psychology of selling transcends to the psychology of writing online content for revenue producing websites. Essentially, every prospect is searching for what’s important to them and their organization.

Whereas in person, you can tailor - your pitch to their personality traits, like number crunchers or socialites – online it’s impossible to know who has found your site. The common denominator is always VALUE to the end user.

Tell them what’s in it for them - Reaching across a broad spectrum of personality types means touching as many of their senses as possible; sound, taste, touch, sight and smell (or the perception of those). Rarely does selling on price alone work.

Ok, so we can’t taste a dedicated server or smell shared hosting - but wording can sway a prospect’s motivation. Conor Treacy gave a great example in a thread on Hosting Discussion – instead of, “we sell lawn mowers,” use “buy a mower that will make your neighbour @#*^ themselves with envy.” Be descriptive without going over the top, addressing the basics of how, who, why and what. Show how your solution has helped other businesses or organizations just like theirs. Tell them what’s in it for them.

Marketing is critically important - to jump-start any new business. Broad access to cutting edge technology has made it increasingly possible for start-ups to compete with established brick and mortar establishments.

Understanding your market - What niche do your competitors own? Would you fare better competing for that niche or creating your own? What will make you remember-able in your prospects eyes? What value could you add to entice them to go with your firm or organization?

Constantly refine your strategy - Once you’ve settled on your initial marketing strategy, tracking and measuring its success is essential. You can’t grow your business on a marginally successful strategy. Marketing strategies need to be refined, to eliminate what doesn’t work from what shows promise.

New businesses are created every day – that could use your products or service - Every new business has to procure products and services somewhere, and if not from you, certainly from your competitor. If you’re not reaching out to every newly registered business in your local community, you’re missing out on a huge sector of the market. And it’s so easy to find them. Every new business in the U.S. has to register with their respective Secretary of State. These registrations are farmed by local chambers of commerce and directory services. I’ve seen lists that sell for as low as fourteen cents per contact. In many cases, one new client from that list could pay for an entire campaign.

Once you’ve established your niche - tweak your approach and close techniques, identify what works and repeat that over and over and over and over. Persistence is key.

Seems like more and more entrepreneurs are – tying their hand at web design, hosting and eCommerce. Obliviously, each demands its own expertise to be successful. The most misunderstood, globally, is eCommerce – at least from the threads I’ve read over the years. There’s a common theme between them that goes something like this, “I want to sell (a product or service) online. Please advise how to do this.”

I recently read an excellent response to this query, written by e-onlinedata, the nation’s fastest-growing and most trusted provider of online payment solutions and the largest reseller for Authorize.net payment gateway. It follows:

There are three vital components that make – online shopping possible: the shopping cart, payment gateway and payment processor. Each is critical to ensuring successful implementation of e-commerce functionality.

Shopping Cart

* The shopping cart acts quite literally as a virtual shopping basket. It holds the items customers select from a Web site until they are ready to proceed to the checkout stage, where their credit card information will be processed.
* Keeps track of items until they are purchased
* Automatically totals the amount of a customer’s order, including shipping and tax
* Allows shoppers to securely enter address and credit card information

Payment gateway

In order to accept credit cards through the Internet, a payment gateway is critical to transport the credit card information from the shopping cart to the payment processor once the consumer clicks the “Buy” button. In most cases, this transaction happens almost instantaneously. The payment gateway receives encrypted transactions from the merchant’s shopping cart. An encrypted transaction simply means that credit card numbers can’t be read by people who are not supposed to read those numbers. Authentication is provided, then the decrypted payment.

Payment Gateway Functionality

When information is transmitted for authorization, the payment gateway:

* Fulfills the same function as a point-of-sale (card swipe) terminal at a physical retail location.
* Takes information provided through a shopping cart and transmits it electronically and securely to a payment processor to be routed for authorization of payment.

Payment Processor

* The payment processor transmits a customer’s credit card information via the Internet to the merchant bank for authorization. It also sends data back to the merchant’s bank to approve payment or the transfer of funds. Specifically, a payment processor:
* Acts as a link from the merchant to the acquiring bank or merchant bank
* Receives information from the merchant through the payment gateway and packages the information for delivery to the acquirer, ensuring that all necessary transactional data is present and valid
* Later transmits information back from the acquirer for delivery to the merchant to settle the transaction

With the shopping cart, payment gateway and payment processor in place, merchants have all they need to offer convenient e-commerce solutions that deliver superior security and service.

With a little research, you can find the best merchant provider to accommodate your business needs.

Think about all the advertisements you’ve ever seen. Do they share any common ingredients? Successful ads focus on a specific niche, revolving around an emotion. Why? – Because sales are extremely emotional transactions. I know when I have to pull my wallet out to buy anything, I cry.

What kinds of emotions work in advertising?

Here’s where your creative juices need to start flowing. The range of positive and negative emotions is endless, but I’ve included a few to consider.

On the positive side:

• Comfort
• Excited
• Glamorous
• Inspired
• Superior
• Interested
• Thrilled

On the negative side:

• Annoyed
• Exasperated
• Frustrated
• Anxiety
• Impatient
• Apprehensive
• Concerned
• Pressured
• Stress
• Disappointed

Analyze the emotions your competitors are marketing to

As you browse the Internet, start looking for indicators of emotions that your competitors are using to target prospects. What emotion would “No contracts or hidden fees” target? What about “100% Uptime Guarantee?” Or “Self Healing Technology?”

I see ads all the time touting Internet speed, broadband versus DSL. The emotion targeted there is frustration – over sloooooooooooooooooow downloads. I know if I have to wait too long for a site to download, I move on, and I’m on a 10 Meg connection.

Advertisements, proposals and quotes devoid of emotion rarely perform as well as those that do. Even CFO’s have SOME sense of emotion.

You expend considerable resources in terms of time and money attracting visitors to your website, so why stop there? Conversion ratios are the measure of a successful eCommerce venture.

Security
At the top of the list is security. How secure do your prospects feel placing an online transaction with your organization?  I think the majority of prospects shop with ‘branded’ companies – meaning those companies that are already highly recognizable. Seriously, if you’re shopping at Amazon or Barnes & Noble, there’s a heightened perception of security, but what if you’re shopping at xyaz2f.com?

If your site is backed by a brick and mortar presence, that also helps – I think because it demonstrates financial stability. At least the prospect knows that you’re not a one man show operating out of your Mom’s basement. Factor in TRUST.

Is your site secured with an SSL certificate (lock icon)? I’m still amazed how many sites I see selling products or services without this. No lock icon = no sales.

Value
Does the product or service you offer provide value to the prospect? You obliviously think so, but how is that value presented online? It begins with a professionally designed site. Nothing will send prospects packing faster than a poorly designed or difficult to navigate website. Getting from point A to point BUY has to be easy, fast and COMPELLING.

Reachability
Does your site have contact information? I mean like an address and a phone number. Business identity is important, especially if you’re not highly branded. No contact info = no sales.

Increasing Conversion Ratios
There’s no real secret here – demonstrate security, promote trust, project value and be reachable.

Within the web hosting industry
Competition is fierce, with everyone from on-vacation high schoolers to laid off factory workers trying their hand at hosting. Many are here today – gone tomorrow, or soon will be.

SSL is a technology that protects confidential transactions between a website and its visitors/shoppers. As a protocol, it uses a third party Certificate Authority (CA) to identify one or both ends of transactions. This enables you to collect sensitive information using an encrypted channel (transparently). In the URL, you’ll notice the http switches to https. Using an SSL Certificate increases your prospects trust factor – an important ingredient in promoting your products and services.

When do you need SSL?

If you accept online orders and process credit card information on your site, however you do NOT need SSL if you use PayPal Standard and credit card transactions are handled on their servers.

Obviously, if you’re required to comply with privacy and security requirements.

If you need to secure email servers (POP, IMAP & SMTP), VPN or FTP Servers, Control Panels, WebMail or any other web applications.

If you offer a login or sign in on your site.

Types of SSL
The most common type of SSL is a domain validated certificate. This is used to establish an encrypted communication channel between a website and its visitors. Another type identifies you are who you say you are. It validates identity at different  levels, protecting the data flow to/from your website.

Going Green
If you’ve ever used PayPal’s order system, you may have noticed your browser’s address bar had turned green. This type of SSL Certificate is called Extended Validation SSL. Most financial institutions use this type of SSL.

Some trusted Certificate Authorities
Some of the trusted Certificate Authorities are RapidSSL, VeriSign, Thawte and GeoTrust.

A lot of work goes into shaping a business, but the shaping doesn’t end when you open your doors to the public. Businesses that survive and strive are those that abandon what doesn’t work and use that knowledge to reshape their business going forward. With online businesses, this could be as simple as changing domain names.

I just read an interesting article this morning about one online business that changed their web site five times in five years. This particular business was launched with an investment of  $100,000, but now grosses nearly $3 million in revenue. What I found interesting was that, over the years, they abandoned 60 percent of what they originally came up with. That’s huge, but it reshaped their business into the success they enjoy today.

Why would changing your domain name make any difference?
I think there are two angles to changing domain names. The first is perception. The second deals with Search Engine Optimization.

The Trust Factor
In the first (perception), the key is TRUST. Successful eCommerce ventures start and end with a strong trust factor. Let’s face it – what do prospects see when they search for info on Google, Bing and Yahoo? They essentially see two things – your domain name and a short description of your site. For example, which domain name conveys more (global) trust to you - Steve’sAirTransport.com or AviationTransportationServicesInc.com? Seems obvious to me. The second has a corporate, global feel to it that lends favorably to the perception of trust.

The SEO Factor
Although Google doesn’t disclose its search algorithms, it’s widely perceived in SEO circles that targeted keywords in your domain name weigh heavily on Search Engine Results Pages (SERPS).  When searching for Aviation Transportation Services, two of the top four results have the targeted keywords, aviation and trasnsportation, in their domain names. Would being in the top four results help drive targeted traffic and potential clients to your site? Absolutely!

The Real Challenge
Reevaluatiing your domain name is a starting point, but the real challenge entails staying current with ever evolving technologies like Twitter and Facebook, AND keeping up to date with search engine trends and changes in their algorithms.

Does your brick and mortar store depend on referrals or walk-in traffic to sell your product or service? Online stores allow businesses to reach a wider range of prospects than they could ever imagine reaching on-site. Let’s face it, the majority of prospects today begin their shopping experience doing research online – comparing companies, products, prices – the works.

The Good News
And the good news is that you don’t need a huge server or an $80,000/year IT guy to make an online store work. The majority of eCommerce stores are Mom & Pop shops, selling everything from diet supplements to shoes, and processing their payments through PayPal – on a shared hosting account that probably costs less than $35/month. Compare that to ONE ad (five lines) in a local newspaper that runs 3 days in print and 30 days online – for a whopping $395.00 !!

The Nuts and Bolts of eCommerce
It all starts with a professional website, meaning its design is attractive to the eye, it’s easy to navigate, there are no spelling errors or broken links, and the solution you propose (along with its price) is relevant AND compelling. Beyond that, you’ll need a shopping cart and a payment processor. If you’re collecting credit card information on your site (directly), you’ll also need an SSL certificate, gateway and merchant account AND be PCI compliant. If you use a service like PayPal standard, and are not processing credit card information on your site – meaning your clients are passed off to PayPal’s servers to process the actual order, these don’t apply.

Attracting Visitors
Ok, sales begin with prospects. If no one walks through the door, it’s tough to move inventory. Online, if no one visits your site, the end result is duplicated. Building a site and hoping prospects will flock to your store overnight doesn’t work. Getting them there requires implementing a mix of online and offline marketing. The tried and true stuff still works – word of mouth, referrals, networking & direct sales staff. The new stuff could be Google Adwords, advertisements in forums or social media networks, Search Engine Optimization (SEO), podcasts and so on.

The Importance of Niche Marketing
Let’s start with the prospect as they enter a search query on Google, Bing or Yahoo. If that query is too broad, for example, recipes – the results returned will number in the gazillions, leaving them to find you somewhere among the masses. Aside from the benefit of branding, narrowing your focus on what makes your product or service (in this case – recipes) different is key. If you specialize in cupcake recipes, your competition in search queries for “cupcake recipes” will narrow their search results considerably. Taking this one step further, keying in on specific cupcake recipes, like strawberry cupcake recipes or apricot cupcake recipes, will help define your niche and FINDABILITY. This online marketing principle applies cross industry. Extended keyword PHRASES help narrow and funnel your prospects search to YOU.

RSA keys are an essential crpytologic ingredient for providing TSL/SSL security in eCommerce.

The security of the RSA cryptosystem is based on two mathematical problems: the problem of factoring large numbers and the RSA problem (see below). Full decryption of an RSA ciphertext is thought to be infeasible on the assumption that both of these problems are hard, i.e., no efficient algorithm exists for solving them.

The RSA problem is defined as the task of taking eth roots modulo a composite n: recovering a value m such that c = m^emod n, where (n,e) is an RSA public key and c is an RSA ciphertext. Currently the most promising approach to solving the RSA problem is to factor the modulus n. With the ability to recover prime factors, an attacker can compute the secret exponent d from a public key (n,e), then decrypt c using the standard procedure. To accomplish this, an attacker factors n into p and q, and computes (p – 1)(q – 1) which allows the determination of d from e. No polynomial-time method for factoring large integers on a classical computer has yet been found, but it has not been proven that none exists.

RSA keys are typically 1024-2048 bits long. Some experts believe that 1024-bit keys may become breakable in the near term. Few see any way that 4096-bit keys could be broken in the foreseeable future. Therefore, it is generally presumed that RSA is secure if n is sufficiently large. If n is 300 bits or shorter, it can be factored in a few hours on a personal computer, using software already freely available.

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security and data integrity for communications over TCP/IP networks such as the Internet.

The TLS protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communications confidentiality over the Internet using cryptography.

In typical end-user/browser usage, TLS authentication is unilateral: only the server is authenticated (the client knows the server’s identity), but not vice versa (the client remains unauthenticated or anonymous). More strictly speaking, server authentication means different things to the browser (software) and to the end-user (human). At the browser level, it only means that the browser has validated the server’s certificate, i.e. checked the digital signatures of the server certificate’s issuing CA-chain (chain of Certification Authorities, e.g. Verisign, Thawte, and GeoTrust, that guarantee bindings of identification information to public keys. Once validated, the browser is justified in displaying a security icon (such as “closed padlock“). But mere validation does NOT “identify” the server to the end-user. For true identification, it is incumbent on the end-user to be diligent in scrutinizing the identification information contained in the server’s certificate (and indeed its whole issuing CA-chain). The “locked padlock” icon has no relationship to the URL, DNS name or IP address of the server) This is the only way for the end-user to know the “identity” of the server.. Such a binding can only be securely established if the URL, name or address is specified in the server’s certificate itself.

Malicious websites can’t use the valid certificate of another website because they have no means to encrypt the transmission such that it can be decrypted with the valid certificate. Since only a trusted CA can embed a URL in the certificate, this ensures that checking the apparent URL with the URL specified in the certificate is a valid way of identifying the true site.

One of the most misunderstood requirements as a merchant offering any type of credit or debit card services are the new security standards released by the Payment Card Industry.

Essentially, the PCI DSS (Payment Card Industry Data Security Standard) must be met by all organizations (merchants and service providers) that transmit, process or store credit card data. The PCI DSS (sometimes referred to as a compliance standard) is not a law, rather a contractual obligation applied and enforced (by means of fines or other restrictions) directly by the payment providers (e.g., Visa & MasterCard) themselves. See a list of validated service providers here.

PCI security standards are technical and operational requirements that were created to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats.
The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Compliance requirements are dependent on a merchant’s activity level.

There are four activity levels, based on the annual number of credit/debit card transactions.

In general:

Level 1 Criteria
Merchants with over 6 million transactions a year, or merchants whose data has previously been compromised
Level 1 Validation Requirements
Annual Onsite Security Audit (reviewed by a QSA or Internal Audit if signed by officer of merchant company and pre-approved by acquirer) and quarterly network security scan

Level 2 Criteria
Merchants with 1,000,000 to 6 million transactions a year
Level 2 Validation Requirements
Annual Self Assessment Questionnaire
Quarterly Scan by an Approved Scanning Vendor (ASV)

Level 3 Criteria
Merchants with 20,000 to 1,000,000 transactions a year
Level 3 Validation Requirements
Quarterly Scan by an Approved Scanning Vendor (ASV)
Annual Self Assessment Questionnaire

Level 4 Criteria
Merchants with less than 20,000 transactions
Level 4 Validation Requirements
Annual Self Assessment Questionnaire

Quarterly Scan by an Approved Scanning Vendor (may be recommended or required, depending on acquirer compliance criteria)

For further information

For comprehensive information about eCommerce and PCI DSS requirements, please visit the PCI Security Standards Council website.

Extended Validation (EV) SSL Certificates meet the highest standard in the Internet security industry for Web site authentication. EV SSL Certificates give high-security Web browsers information to clearly display a Web site’s organizational identity. The high-security Web browser’s address bar turns GREEN and reveals the name of the organization that owns the SSL Certificate and the SSL Certificate Authority that issued it. Why is this important? It gives Web site visitors an easy and reliable way to establish trust online.

I’ve started noticing more and more green EV SSL certificates lately, but I was on a local Credit Union’s site yesterday afternoon and noticed their SSL didn’t even show that the site was encrypted. I was stunned. I’ve been in that Credit Union a number of times and know their IT security to be first rate.  Their site was recently revamped, so I suspect their new host cut costs by installing a cheap SSL certificate, as they can be found online for less than ten dollars.

Secure Sockets Layer (SSL) technology protects your Web site and makes it easy for your Web site visitors to trust you in three essential ways:

• 1. An SSL Certificate enables encryption of sensitive information during online transactions.
• 2. Each SSL Certificate contains unique, authenticated information about the certificate owner.
• 3. A Certificate Authority verifies the identity of the certificate owner when it is issued.

You need SSL if…

• You have an online store or accept online orders and credit cards
• You offer a login or sign in on your site
• You process sensitive data such as address, birth date, license or ID numbers
• You need to comply with privacy and security requirements
• You value privacy and expect others to trust you.

Extended Validation SSL Certificates give high-security Web browsers information to clearly identify a Web site’s organizational identity. For example, if you use Microsoft® Internet Explorer 7 to go to a Web site secured with an SSL Certificate that meets the Extended Validation Standard, IE7 will cause the URL address bar to turn green. A display next to the green bar will toggle between the organization name listed in the certificate and the Certificate Authority (VeriSign, for example). Firefox 3 also supports Extended Validation SSL.

There seems to be a great deal of confusion about PCI compliance, on the part of merchants and hosting providers. Who’s responsible for what?

First, the merchant (web host) always remains responsible for compliance – to be certified. Their hosting provider (data center) is responsible within the scope of the infrastructure and services they provide to the merchant – for example, real estate (floor, electricity and controlled physical access). If a hosting provider also manages the merchant’s network, then they’re responsible for that specific scope of compliance.

Having said that, the merchant is required to monitor compliance of their service providers and manage any non-compliant risks, but a hosting provider’s PCI compliance isn’t mandatory for merchants to use that provider.  As a merchant who accepts card payments for products or services, you are obligated to be PCI compliant – but not for the environment in it’s entirety, rather limited to the processing of the credit cards, storage of that data and their respective transmission gateways. To that end, PCI is technology neutral, meaning you don’t have to build out with specific infrastructure.

So what are the minimum requirements? A couple of servers. a firewall, logging, monitoring and IDS / IPS (intrusion detection and intrusion prevention systems) capabilities.

Go to any financial institution’s website, then find the lock icon on your browser and click on it. Does anyone ever do that before typing in their credit card information when shopping online – click on the lock icon? Lock icons can be forged. By clicking on the icon instead of just relying on its presence to validate the vendor, you’ll see an SSL security report. My bank shows Verisign Class 3 Primary CA, identified the URL of the site itself and verified the site was encrypted.

All SSL certificates are NOT created equally.

As a vendor, if you purchase one of the less expensive SSL certificates, you will be able to use the lock icon. To the unsuspecting prospect, for all intents and purposes, they believe they’re placing a secure transaction online. Validation of the vendor is the differentiation between the types of certificates issued.

VeriSign, Thawte or GeoTrust are solid choices for extended validation (EV) certificates. They’re more expensive, but highly recognizable and trusted.  The issue is, if you’re running eCommerce, to minimize abandoned shopping carts by converting more prospects. People buy from reps they know, like and trust. On the Internet, one very important trust level is your SSL certificate.

There is a CISP list of providers that have been validated as PCI compliant. That list doesn’t include all providers that have been validated though. To be listed, those providers must also pay VISA an additional fee every year to remain on that list – sort of an advertising fee. That fee can run into the thousands of dollars.  

On the Self Assessment Questionnaire that providers must submit, there are countless items of concern. Just a brief scan of this PDF from the PCI Security Standards Council validates the concerns many vendors face concerning their liability.  

PCI compliance is requires so much more than servers and a firewall.

Following is a brief list of requirements:  

• Establish firewall configuration standards that include the following:
• A formal process for approving and testing all external network connections and changes to the firewall configuration
• A current network diagram with all connections to cardholder data, including any wireless networks
• Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone

The list of requirements goes on and on addressing intrusion detection, internal and external penetration testing, etc.

 I read an interesting thread this morning about PCI compliance. As a merchant, I have some knowledge of PCI regulations, but not as much as I should. I leave that to more knowledgeable members of our staff (COO, legal and accounting departments). It seems the rules are constantly changing, so much so that I wonder how many small hosts keep up with all these changes and new requirements. In the posts that followed this thread, misconceptions ran rampid. One member even posted he was proud to be non-compliant. OUCH! I don’t think I’ll go there.  The fines for being non-compliant are astronomical!

With so many breaches of credit card security lately, it was inevitable change was forthcoming. I’m certainly not an expert on the topic, so I leave you with some links to sites that clarify PCI compliance. Enjoy!

Industry Links:

• pcisecuritystandards.org
• pcisecuritystandards.org/saq/instructions.shtml
• pcisecuritystandards.org/security_standards/ped/index.shtml
• pcisecuritystandards.org/security_standards/pa_dss.shtml
• usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf
• mastercard.com/us/sdp/index.htmlPayment Card Industry Data Security Standard – Wikipedia, the free encyclopedia
• Approved Scanning Vendorsamericanexpress.com/merchant
• Society of Payment Security Professionals – Payment Security Blog wikipedia.org/wiki/PCI_DSSTreasury Institute PCI/DSS Blog Redirect
• pcisecuritystandards.org/pdfs/pci_qsa_list.pdf
• pcisecuritystandards.org/pdfs/asv_report.html