Online sales in the UK generated £58.8 billion in 2010, up eighteen percent year-over-year, according to the figures released by the UK online retail trade association IMRG.


In fact, December registered a seven percent increase over November and a twenty five percent growth, as compared to the same month in 2009. Indeed, Christmas proved to be a bountiful period for online merchants with shoppers spending an estimated £6.8 billion online*.

Despite this solid growth, e-retailers may face the risk of carefully timed cyber attacks if they are not appropriately protected. Unfortunately, cyber crime will not disappear soon. It may change in mode, it may increase or decrease in volume but one is unlikely to escape its presence.

Security is about balance. Merchants generally seek tools and features to confirm sales transactions as legitimate whilst also working through the myriad of PCI compliance obligations. Consumers want assurance that their account information is guarded and at the same time respond positively to a seamless shopping experience. So what can merchants do? How can merchants counter the threats of data breach and fraud?

PCI DSS is designed to protect cardholder data and to limit online fraud.  Different scales of activity must comply with different standards for each level assigned to different merchant types. Level 1, applies to merchants with over six million transactions annually, while the lowest, Level 4, applies to merchants with fewer than 20,000 e-commerce transactions annually.

There are twelve specific ‘requirements’, spread across the following six PCI DSS standards:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

While some merchants understand their obligations, PCI compliance can be a complex process for many merchants to manage. A survey of one hundred retail, financial services and hospitality businesses, conducted by Redshift Research early last year showed that only eleven percent of companies were currently audited and certified as compliant. In addition, thirty five percent of respondents did not fully understand their PCI compliance requirements**. This non-compliance not only opens up businesses to potential data breaches, it can also result in financial penalties being imposed on merchants by the different card brands.  “At the end of the day, PCI compliance is a merchant responsibility - not a luxury,” states Shane Fitzpatrick, MD and President, Chase Paymentech Europe Limited. “Merchants that fail to be PCI DSS compliant could face - in the event of a compromise - significant fines and unquantifiable damage to their brand, reputation and financial performance.”

Easing the Pain for Online Merchants

Chase Paymentech, a PCI Security Standards Council Advisory Board member, dedicates itself to constant investment in new ways to remain one step ahead. “At Chase Paymentech we provide advice to merchants on how to achieve PCI compliance,” explains Fitzpatrick. “Our solutions assist merchants with their compliance needs in a cost efficient way whilst ensuring the checkout flow is not constantly interrupted by repeated security checks.”

Discussing the development of fraud, Fitzpatrick said: “Merchants need to remember that the nature of card crime and security is continually changing. As a global leader in payment processing and merchant acquiring, as well as a specialist in CNP transactions, Chase Paymentech invests a great deal of time and resources in preventing fraudulent activity. We recognise that the criminals are always looking for new and more sophisticated ways to breach security. There are some great products in the market (and others on the horizon) that may assist merchants in their pursuit to mitigate such risk. At Chase Paymentech, we see our role as a collaborative one, working with our merchants to help define their product set with solutions such as Tokenisation, Secure Card Number Masking, Account Updater and Managed Billing solutions.”

Chase Paymentech’s Tokenisation solution eliminates the need for merchants to store customer data. This has two advantages. Firstly, registered customers are not required to re-enter credit card details every time they make a purchase. Secondly, merchants are not required to store credit card details in their systems. Chase Paymentech believes that its Tokenisation solution may mitigate approximately 90% of a merchant’s PCI requirements. Customer information such as card numbers and other payment account information is securely stored and accessed by a unique token. Once created, a merchant can then process sales by simply using the assigned token. This process makes data theft extremely difficult.  

Account Updater is another tool that Chase Paymentech provides to its clients. This product provides merchants with updated Visa® and MasterCard® cardholder account information when issuing banks make changes to the card data. This feature is provided directly through Chase Paymentech systems and helps deliver a seamless customer checkout experience for recurring payments as well as for merchants who retain card data on file.

“The challenge is to make life as difficult as possible for fraudsters, while maintaining a positive shopping experience for the customer - a difficult balancing act,” concludes Fitzpatrick. “Unfortunately there is no ‘silver bullet’ that will entirely safeguard merchants. The answer represents a combination of parts and merchants are advised to work closely with their payment acquirer to ensure that they have the best solutions in place for their business.”

As ecommerce sales are set to top £69 billion this year***, merchants that can deliver a secure, seamless experience for their customers and meet all their PCI obligations will be in a good position to capitalise on the e-commerce opportunity in 2011.

Chase Paymentech

For further information please call 0845 399 1120 or visit

Chase Paymentech Europe Limited, trading as Chase Paymentech, is a subsidiary of JPMorgan Chase Bank, N.A. and is regulated by the Central Bank of Ireland.

The information herein does not take into account individual client circumstances, objectives or needs and is not intended as a recommendation of a particular product or strategy to particular clients and any recipient of this document shall make its own independent decision.