EU Cookie Law – How will it all crumble?

14 May 2012

Putting aside comments about only accepting cookies if they are double chocolate chip and served with a cup of hot coffee, the EU Cookie Law, which comes into force on 26 May, is a significant change for online businesses and will affect the user experience on the majority of websites on the Internet. The law originated in the 2009 amendments to the EU Privacy and Electronic Communications Directive and was imported into UK law in May 2011; UK companies were given one year to comply. The aim is to ensure that any organisation storing information on, or reading information from, a web user's device must request their consent first. With a recent KPMG study indicating that 95% of websites are not yet compliant with the new law, how should organisations approach this challenge and what issues need to be addressed? Companies face fines of up to £500,000, so how much time and how many resources should be invested in achieving compliance?

Cookies are small text records which are downloaded to your computer when you visit a website. They usually contain information such as a reference to the website and a unique ID. Once stored on your computer, the cookie can be used to recognise your browser and to customise the experience and information presented to you when you visit that website again. Websites use cookies for a wide range of purposes including auto-filling forms, personalising content, targeting advertising and keeping you logged in. A study by TRUSTe found that websites set an average of 14 cookies per page, so the impact of this law on web design and on the overall web experience is considerable.

Qubit has reported that the law could cost the UK Internet economy as much as £10 billion if compliance is implemented poorly or incorrectly. With the Information Commissioner’s Office (ICO) introducing a level of flexibility into its guidance and many issues open to interpretation, there does seem to be a need for clarification, especially around the nature and timing of consent. A cookie associated with a core website feature, e.g. the shopping basket within an ecommerce site, is likely to be compliant without changes, since the user has made an explicit request that the cookie fulfils. However, a cookie used to select online adverts for a user based on their previous browsing history would require provable, informed consent. Organisations will have to consider the impact of such a break in the flow of the user journey through the site on brand experience and, consequently, on revenue. As an example, the ICO has been trialling an explicit ‘accept cookies’ feature on its own site (http://www.ico.gov.uk/) with just a 10% opt-in rate. The ICO’s guidance does muddy the waters slightly by stating that in some cases implied consent is acceptable, and that consent does not necessarily have to be obtained before the cookie is placed on the user’s computer; it can be obtained at a point soon after.

Organisations will need to work with their web developers and designers to decide on a strategy for compliance. A cookie audit, which lists every cookie the site sets, what it is for, how long it lives, whether it is set for a third party and whether it is strictly necessary, is a useful first step and demonstrates a practical and constructive attitude. If a business uses cookies for targeted advertising or personal recommendations to its online users, it will need to identify a solution which satisfies the ICO but does not negatively affect its customer base. Affiliate marketing, which relies on cookies to record where users see specific brand promotions, may be another area heavily impacted by the law. Large organisations may have the resources to assign to such projects; smaller online businesses may not.
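The two practical pieces of the previous paragraphs, a cookie audit and a consent gate that withholds non-essential cookies until the user has opted in, as an added example in Node.js. This is illustration code written for this page, not code from the original post or from any site or vendor it mentions. The allowlist of strictly necessary cookie names, the host shop.example.com and the three Set-Cookie headers are all constructed for the example.

```javascript
// Added example, not code from the original post: a cookie audit over the
// Set-Cookie headers a site emits, plus a consent gate that holds back
// non-essential cookies until the user has opted in.

// Assumption: the site treats these cookie names as strictly necessary
// (login session, shopping basket, CSRF token). Names are illustrative.
const ESSENTIAL_COOKIES = new Set(["session_id", "basket", "csrf_token"]);

// Constructed sample: three Set-Cookie headers as a shop at shop.example.com
// might send them (not captured from any real site).
const SAMPLE_HEADERS = [
  "session_id=9f2c1a; Path=/; Secure; HttpOnly",
  "basket=item42; Path=/; Max-Age=86400",
  "ad_profile=seg9; Domain=.adnetwork.example; Path=/; Expires=Wed, 01 Jan 2014 00:00:00 GMT",
];

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((p) => p.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq).trim();
  const value = eq === -1 ? "" : pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    if (i === -1) attrs[part.toLowerCase()] = true;
    else attrs[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Heuristic: a Domain attribute that is neither the audited host nor one of
// its parent domains marks the cookie as set for another party.
function isThirdParty(attrs, siteHost) {
  if (!("domain" in attrs)) return false;
  const domain = String(attrs.domain).replace(/^\./, "").toLowerCase();
  return !(siteHost === domain || siteHost.endsWith("." + domain));
}

// One audit record per header: what the cookie is, how long it lives,
// where it goes, which protective flags it carries and whether it needs
// consent before being placed.
function auditCookies(headers, siteHost, essential = ESSENTIAL_COOKIES) {
  return headers.map((h) => {
    const c = parseSetCookie(h);
    const a = c.attrs;
    const isEssential = essential.has(c.name);
    return {
      name: c.name,
      essential: isEssential,
      persistent: "expires" in a || "max-age" in a, // session cookies have neither
      thirdParty: isThirdParty(a, siteHost),
      secure: a.secure === true,
      httpOnly: a.httponly === true,
      needsConsent: !isEssential,
    };
  });
}

// Consent gate: essential cookies are always sent; everything else is held
// back until consentGiven is true, so no non-essential cookie is placed
// before the user has agreed.
function filterForConsent(headers, consentGiven, essential = ESSENTIAL_COOKIES) {
  return headers.filter((h) => essential.has(parseSetCookie(h).name) || consentGiven);
}

// Stand-alone run: print the audit table and the consent-filtered header list.
if (typeof require !== "undefined" && require.main === module) {
  console.table(auditCookies(SAMPLE_HEADERS, "shop.example.com"));
  console.log("sent without consent:", filterForConsent(SAMPLE_HEADERS, false));
}
```

On the sample input the audit flags ad_profile as a persistent, third-party cookie that needs consent, while the session and basket cookies pass as strictly necessary; the consent gate sends only the latter two until consent is recorded. The allowlist is the part a real audit has to get right: a cookie is not "essential" because the marketing team says so, but because the service the user asked for cannot work without it.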

With this level of uncertainty it’s no wonder most organisations are expected to take a wait-and-see approach. It is probable that initial enforcement by the ICO will focus on situations where no attempt has been made to notify users, and that even then reasonable timescales in which to take remedial action will be applied. Regardless of the exact nature of the changes applied to websites under the new law, Internet users can expect to hear, and to have to understand, a lot more about cookies in the future.


Virtually Secure Cloud?

19 April 2012

There is much public discussion around whether a shared platform can meet the standards set out by PCI DSS. A merchant choosing a hosting provider that has demonstrated compliance with the Payment Card Industry Data Security Standard is taking the first step towards protecting the security of the data it stores within the hosting environment. Whether completing an SAQ or being audited by a QSA, it is important to understand that the level of responsibility for PCI compliance varies greatly between hosting providers. A merchant will ultimately be certified based on the security of the data centres it uses, its procedures for employing and training staff, and the maintenance and infrastructure of its network, including the parts it has outsourced. As a merchant or a service provider aiming for compliance, it is important that roles and responsibilities are well defined with your chosen service partners and written into the contract. It is worth checking the new VISA “merchant agent” website (www.visamerchantagentslist.com/) to see if your chosen supplier is listed and in what capacity. Altogether, there are 12 major PCI DSS requirements to comply with. NetBenefit is an established Level 1 service provider.

A PCI compliant hosting provider offering a merchant a virtual ‘secure’ platform will in practice only be as secure as the weakest application sharing that platform. Even if a merchant’s own website is believed to comply with the standard, the merchant could still be found at risk of fines or levies if attackers are able to exploit one of the other websites or applications that share the virtual platform and pivot from there into the merchant’s environment.

The card schemes and acquiring banks recommend that merchants and their agents reduce or remove their PCI DSS scope wherever possible, and there are a number of ways to do this. Choosing the right partners and understanding your scope and liability is key to the process. There are a number of solutions on the market that can de-scope entire network segments, functions and even entire corporate environments, moving the controls and much of the liability to the acquirer or to a validated third party; the merchant still has to validate (typically via SAQ A) and remains responsible for managing those service providers. SAQ D merchants can become SAQ A merchants, almost seamlessly, even in large and complicated environments such as airlines, the hospitality industry and contact centres. Cardholder data would never enter the customer’s premises and might never be seen or touched by the merchant at all. An introduction to one such approach, PeepSafe, is available at http://www.exois.com/. Look for partners with ‘compliance toolkits’ or who advocate scope reduction for ideas and assistance.

In the cloud, a bad implementation can cause a big (not to mention expensive) headache, but with the right approach this can be avoided and a cloud deployment need be no less secure than a dedicated physical environment. By replacing cardholder data and other sensitive data with tokens that are meaningless outside the vault that issued them, cloud implementations can use standard security controls and enjoy the cost savings and elasticity, without the expense and worry of breach notifications and fines.


NetBenefit PCI DSS Education Day – 29 Feb – The Hospital Club

7 March 2012

There appears to be a significant number of myths and misconceptions surrounding PCI DSS and, as a PCI accredited organisation, we wanted to address this by raising awareness of the issues relevant to our digital agency clients. As part of our VIP Agency Lounge programme we held an education day at The Hospital Club in central London and invited a range of speakers: merchants, acquiring banks, digital agencies and QSAs. Our objective was to bring together experts from the different organisations involved with the PCI DSS standard and to offer digital agencies guidance on their role and responsibilities.

After an introduction from NetBenefit’s MD, Colin Bell, Jonathan Cook from Valtech and Richard Beaton from App55 started the day with an overview of the challenges facing digital consultancies as social media grows up around online payments and branding. Michelle Tolbay from ASOS then detailed how this major online retailer approached security and ensured it met PCI standards in the face of changing technical and business requirements. Developing a responsive IT security environment behind your online presence is no easy task, and ASOS clearly understands how important getting this right is to the value of its brand. Next on the floor was Ian Mann from ECSG, who demonstrated how partnering with a QSA can greatly ease the pain of gaining PCI compliance certification. The process is less problematic when the appropriate support is sought early on, scope is assessed methodically and the organisation is aware of its responsibilities. Following on, Phil Jones from Barclaycard and Eamonn Skyrme from VISA presented PCI from the viewpoint of the acquiring banks and explained how those banks are working together to control and protect both cardholder and personal data. Phil and Eamonn explained that merchant agents are now in the position of being unable to ignore compliance and, as a result, agents such as digital agencies and hosting providers are being assisted by the banks through schemes such as VISA’s merchant agent registration. Wrapping up the day, NetBenefit’s CTO Gerry Lawrence described the benefits of digital agencies working in partnership with their hosting provider. By drawing on the combined expertise of an accredited hosting provider and a QSA, the agency can play a significant role in ensuring the security of its clients’ online presence.

This was a comprehensive series of talks covering everything from choosing the right QSA to general good security practice. PCI DSS is a technical and operational standard, but it is imperative that agencies understand the associated issues. A well-informed agency will be confident that it has a secure framework for website and application development and can reassure its clients that PCI standards are met; this then gives the agency the freedom to be imaginative and inspired in its creative work. Through our VIP programme, digital agencies have access to the technical and business resources they need to position themselves as creative thinkers with a real appreciation of their clients’ ecommerce needs.