If your company is violating compliance standards for online payments, even in a minor capacity, you can lose your credit card contracts – and your business could be hit with catastrophic fines.
cleverbridge removes this burden by taking over responsibility for compliance of cleverbridge hosted and operated payment pages with the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS). As a result, we also save you substantial time and money.
The General Data Protection Regulation (GDPR) is a new regulation sponsored by the European Commission that will impact how businesses collect and store customers’ personal data. When this legislation takes effect on May 25, 2018, it will replace the existing European data protection directive and touch nearly every company selling online, including cleverbridge clients.
As a Germany-based company that has maintained a steadfast commitment to protecting the data of clients and customers throughout its history, cleverbridge is ready.
Here are some of the major changes we’ve made to our platform and processes to ensure your ecommerce operations are compliant with GDPR when the law is enforced:
- We have moved to secure-only channels for data transfers. This change greatly enhances security and primarily affects order notifications, which are now transferred via SFTP, HTTPS, or encrypted email. For more information, see Manage Automated Notifications.
We de-personalized customer IP addresses in notifications and key generation calls (i.e., the last number of the IP address is always replaced by .0). We also removed the ability to search for IP addresses in the Commerce Assistant (CA).
These measures satisfy the GDPR requirement that only necessary personal information should be transferred during a purchase. Per the GDPR, full IP addresses are considered personally identifiable information (PII). However, the remaining numbers of an IP address still provide useful information for common analytics functions, including geographic location.
- We configured transfers of customer street address, city (if collected), and postal code to clients on a per-client or per-product basis. Again, this is to ensure that only necessary PII is transferred to our clients.
We reviewed tracking and analytics tools to determine whether they comply with GDPR. While cleverbridge clients want to build detailed online profiles of customers and visitors, the GDPR is very strict regarding what information businesses can and cannot collect about website users.
Fortunately, the GDPR’s requirements in this area are similar to the already stringent requirements of current German law, and cleverbridge has been compliant with the latter since our inception. Achieving the right balance between your needs and regulatory requirements will be an ongoing process.
The GDPR is here to stay, but cleverbridge clients can count on our Compliance Team to ensure a compliant ecommerce and subscription experience on and after May 25, 2018.
However, please be aware that once a customer completes an order and you receive our order notification and/or a key generation call, you become data owner of that customers’ information and must treat it with the same scrutiny as we do to ensure full compliance with the law.
If you have questions about GDPR and the steps we’ve taken to ensure compliance, please contact Client Experience.
Strict PCI DSS compliance is necessary for any business processing credit card payments. Therefore, cleverbridge has maintained a PCI DSS compliant environment, and we are constantly checking to make sure that processes and scope remain compliant.
We do so by only accepting credit card orders submitted according to PCI DSS standards. Our platform supports submission of orders via state-of-the-art secure encryption layers, and we process all transaction requests and results via HTTPS. Cryptographic controls also provide effective mechanisms for protecting the confidentiality, authenticity and integrity of information – and our policies include the use of encryption and key management.
Our services also provide you with the following freedoms and benefits:
When you use cleverbridge hosted and operated payment pages, all credit card information is sent directly to cleverbridge. This means that sensitive cardholder data never passes through your system. As a result, your company does not need to implement many of the strictest PCI DSS standards.
Following PCI DSS regulations is absolutely necessary for accepting credit card payments, but compliance does not come cheap. When you partner with cleverbridge, we cover the following PCI DSS compliance costs:
As estimated by Gartner for level 1 merchants (processing in excess of 6 million transactions of a single card type per year), implementation costs include:
- 200,000 USD for assessing the scope of required PCI DSS work (scope assessment during initial implementation)
- 600,000 - 1.1 million USD to meet the requirements
Recurring auditing fees
These hinge on a variety of factors – company size, number of transactions processed annually, existing infrastructure, credit card data scope, etc. Initial implementation is quite costly. For level 1 merchants, the average annual audit cost is 225,000 USD.
We protect you from potentially catastrophic PCI DSS non-compliance fines, including:
- Up to 90 USD fine per cardholder data compromised
- Suspension of credit card acceptance
- Loss of brand reputation
- The cost of a PCI Qualified Forensic Investigator (130-200 USD per hour for a one to two year project)