A payments security startup is trying to minimize compliance headaches for small online retailers through cloning — of webpages, that is.
CRE Secure Payments LLC's technology duplicates merchants' payments pages, including logos, pictures, text and other design elements.
Greg McGraw, the Atlanta company's president and chief executive, said that, unlike other hosted payment products, CRE's service lets retailers fully control the look and feel of their websites to prevent shoppers from backing out of purchases. It also meets the Payment Card Industry Data Security Standard, he said.
"The biggest challenge for any merchant, large or small, is protecting the environment," McGraw said. "They like the convenience and continuity of accepting credit cards in their own environment, but that's where the vulnerability exists."
PCI standards require merchants and other parties that collect cardholder data to take steps to secure the information.
CRE, a subsidiary of Chain Reaction Ecommerce Inc., is one of several companies that offer online retailers "hosted payment pages," which let them accept payments without having to actually handle card data — or take on the burden of PCI compliance. Some of these companies direct shoppers to hosted checkout pages that look significantly different from a merchant's main website, which can be jarring for customers.
Other companies allow merchants to maintain the appearance of their site by inserting hosted data-entry forms into their checkout pages. Such services have become popular among midsize and larger retailers, but integrating these forms into existing payments pages can be difficult for smaller merchants, experts said.
Merchants "don't like to be connected to someone else's payment pages, because they lose control and they lose continuity and in many times it confuses the shopper," McGraw said. "They want the flexibility of owning that end-user experience. That's what we do. We give them … total control over the end-user experience."
While hosted payments pages are not a new idea, CRE's strategy is distinct, security experts said.
"It's their approach to how they create and maintain the page that's unique. I'm not aware of others that are using CRE Secure's approach," said Allen Weinberg, a managing partner with Glenbrook Partners LLC, a payments research firm in Menlo Park, Calif.
To a merchant's customers it would appear they are still on the retailer's site when in fact they are not. CRE generates a duplicate page each time a retailer's customer goes to make a purchase.
"We are cloning that website on demand every time, so there's no special templates or special programming" that a merchant needs to create, McGraw said.
CRE's service, which has been available since June 2009, has gained the most traction with small online merchants that are doing less than a thousand transactions per month. But it is also generating interest from medium and larger merchants looking to simplify website maintenance.
Currently, its smaller customers average 200 transactions a month, while its enterprise customers average about 5,000 transactions a month, according to McGraw. About 95% of CRE's clients are small or midsize, he said.
The company has more than a thousand customers and added 175 new ones in the last month.
For small and midsize merchants, CRE charges $20 per month if they have 250 or fewer card transactions per month. A merchant who goes above that is charged 10 cents per additional transaction, McGraw said.
For enterprise clients, CRE negotiates a per-transaction fee based on volume that averages 9 cents to 12 cents, he said.
Aaron McPherson, a practice director with IDC Financial Insights in Framingham, Mass., said using an outsourced payment page is a "straightforward way to avoid PCI compliance issues," especially for small merchants that don't want to send customers to a different website, with a different appearance, when they are ready to make a purchase.
"The issue here was more one of branding," McPherson said. "You want it to look like it's in your domain. You want it to look like it's one of your sites."
The ability to control branding was "one of the things we really liked" about CRE's service, said Jeff Whitmore, the information technology manager for Ernie Ball Inc. Ernie Ball, which makes guitar strings and other components for musical instruments, uses CRE Secure's technology for a site it operates that sells grills, BigPoppaSmokers.com.
"It looks just like your store," Whitmore said. "You don't notice that you've gone" to a new site.
The company wanted to minimize hassles around PCI compliance for the site, which has been active since February, he said. "It just saved us a lot of time as far as having to get" PCI-compliant.
While CRE's approach to hosted payments is unique, it is competing in a crowded space, Weinberg noted.
CyberSource Corp., a Mountain View, Calif., e-commerce processor that Visa Inc. is acquiring, offers both hosted payment pages and hosted payment forms that can be embedded into a merchant's checkout page.
The company's hosted page product redirects a shopper to an outsourced page. The hosted field option is for merchants who are "wary of … letting their customer know they've been redirected," said Lisa Anderson, the product manager for payments security at CyberSource.
CyberSource also operates Authorize.Net, a payment gateway that offers its own hosted payment page for online merchants.
Authorize.Net is one of several payment gateways with which CRE has integrated.
When a merchant signs up with CRE, it passes along its gateway credentials to the company. This allows CRE to "take payment information on the merchant's behalf," McGraw said.
"We insert ourselves between the insecure merchant environment and the gateway," he said.