Ecommerce Business Laws: Payments & Privacy
While many of the laws regulating ecommerce are the same as those governing brick-and-mortar businesses, it’s important to gain an understanding of the rules and regulations before diving into the digital marketplace.
The proper handling of credit and debit payments is guided by the Payment Card Industry (PCI) Data Security Standards — a set of operational and technical requirements for processing transactions. These standards are meant to be followed both by the businesses accepting payments and by the developers and manufacturers building the software and hardware used to collect payments.
The PCI Standards are as follows:
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses information security for employees and contractors
The PCI Standards site offers a number of great tips for following the Standards:
- Buy and use only approved PIN entry devices at your points-of-sale.
- Buy and use only validated payment software at your POS or website shopping cart.
- Do not store any sensitive cardholder data in computers or on paper.
- Use a firewall on your network and PCs.
- Make sure your wireless router is password-protected and uses encryption.
- Use strong passwords. Be sure to change default passwords on hardware and software – most are unsafe.
- Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.
- Teach your employees about security and protecting cardholder data.
A list of currently compliant payment software can be found here, if you’re building your site from scratch. Most hosted ecommerce platforms, such as Shopify, will already have practices in place to safeguard customer payment information.
Privacy & Spam
If you’re doing business with Canadian businesses or individuals, be careful when it comes to email marketing. Canadian Anti-Spam Legislation (CASL) is very restrictive when it comes to commercial electronic messages (CEMs), defined as electronic messages that encourage people to engage in commercial activity. This doesn’t just apply to email, but also to CEMs sent via text messaging or private messaging systems on social media sites, such as Facebook Messenger or Twitter direct messages.
Thankfully, CASL doesn’t ban these types of messages, but it does require that businesses obtain active consent from the recipients and that the messages contain certain types of information, including the name of the sender, their contact information, and instructions on how to unsubscribe.
So how can you obtain active consent? There are a few ways — collect email addresses via opt-in forms on your website, at trade shows or conferences, or in-store. You can be creative, as long as you disclose what you plan to do with the addresses and the recipients consent. Remember — it is the responsibility of the sender to prove consent, so keep records where necessary.
Note: Consent is not necessarily required when you’ve previously done business with the recipient.
Protection of Information
When you’re involved in ecommerce, your customers have to be able to trust you with their sensitive information, including addresses and credit card information. It’s a big responsibility, so there are (rightfully) a number of regulations surrounding it. The Personal Information Protection and Electronic Documents Act (PIPEDA) provides a solid framework for the collection and use of personal information.
PIPEDA covers the following information collected during the course of a commercial activity or period of employment:
- age, name, ID numbers, income, ethnic origin, or blood type;
- opinions, evaluations, comments, social status, or disciplinary actions; and
- employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).
The basics of PIPEDA, in terms of ecommerce, can be broken down as follows:
(i) You need consent to collect, use or disclose personal information.
(ii) When using information, you must only do so for the purpose to which the individual has consented.
(iii) Regardless of consent, you have to limit the collection, use and disclosure of information to what “a reasonable person would consider appropriate in the circumstances.”
(iv) Individuals must have the ability to access the information they have provided and make changes or correct mistakes.
- What information will you collect?
- How will it be stored and for how long?
- How will it be used?
- How will it be shared and with whom?
- How will it be protected?