AMEX Security Oversight



Oman
01-15-2004, 05:18 PM
We've been in the ecommerce business for four years now. We've gone to great lengths to provide a safe and reliable environment on our site for our customers.

I received notification today that American Express (AMEX) will now require 'oversight' review of our site to ensure security compliance so that we may continue to use AMEX as a method of payment. AMEX only offers one company from which the 'oversight' may be obtained. The company is called Security Metrics (http://www.securitymetrics.com). Successful site reviews result in site certification. Site reviews are performed quarterly, and get this, I can have all this for the mere cost of $699/year.

What's happening to the last frontier? I'll be the first one to line up to prevent credit card fraud, but don't lay this one on the back of the small business person. I've already told AMEX to take a hike.

Oman
Myfootshop.com (http://www.myfootshop.com).

redcircle
01-15-2004, 05:51 PM
I can understand that they want only the best security for their customers, but I agree that's a little extreme.

Corey Bryant
01-15-2004, 08:14 PM
When you called AmEx - did you tell them why you were cancelling? It seems like a scam actually. We have not received any word yet about it ourselves.

Oman
01-15-2004, 10:26 PM
Very clearly. In several emails with AMEX, it was made clear to me either a) stop accepting credit cards from AMEX or b) submit to the security certification process.

Guys, I am quintessential small business. If this is the trend of the future, I think there's a significant change on the horizon for small business on the web.

When we first started in ecommerce, we had eTrust review our site to ensure that our privacy and security were up to snuff. Since their inception, eTrust has gone from $300/year to over $700/year. We shopped around and found that the old reliable, BBB, was there with a much more affordable ecommerce solution. I mention this for the sake of example to show that our site and most sites are sincerely interested in security. I also used this example with AMEX; give me an alternative and I'll work with you... went right over their heads.

The security of a transaction is imperative to the success of ecommerce. I'm all for pursuing secure commerce. But for AMEX to mandate security oversight... we're in for a whole new ecommerce experience here in the near future.

Oman
Myfootshop.com (http://www.myfootshop.com)

Corey Bryant
01-15-2004, 10:33 PM
I agree with you 100%. I cannot see them doing this. Maybe if enough merchants drop their services they will reconsider. We are actually calling them in the morning to learn more about this.

The other thing I am curious about - a lot of e-commerce sites rely 100% on the payment gateway. So I wonder how they are determining which ones are going to be those.

Oman
01-16-2004, 12:39 PM
Corey, did you get a chance to call AMEX? I called today and the customer service rep confirmed that all ecommerce sites now must comply.

I guess what I don't understand is the fact that the merchant is actually the customer for AMEX. You can't carry a balance on an AMEX card so they can't charge a finance fee. So AMEX's income comes from the merchant based upon transaction fees. You alienate your customer (merchant) and you lose your income. Obviously they're not all too concerned about losing my account.

An alternative? Why can't AMEX use the same company to determine site security of their merchants? Give the merchant 30 days to comply with any security breaches. If they don't comply, terminate the merchant's account.

Oman
Myfootshop.com (http://www.myfootshop.com)

Corey Bryant
01-16-2004, 02:23 PM
I called first my sales & support at Cardservice. They never heard of it. But due to communication breakdowns, I got the 800# from them to call AmEx: 800-528-5200 & spoke to Reggie Parker. I told him that there was this company out there. He said he never heard of it. What number did you call? I would be interested in knowing if this is a scam or not. He requested that you fax him the letter to 602-744-9307 with your merchant number, your name & your call back number.

When you are first approved for a merchant account with AmEx, they do review your site but that is about it.

And actually there are some AmEx cards that do allow you to carry a balance these days. I have never been a big fan of AmEx & a lot of merchants are not because of the way they pay & their discount rate so I wonder if this company (Security Metrics) is trying to cash in on that?

Oman
01-17-2004, 01:57 PM
Corey,

I called AMEX Online Merchant Services at 800-374-2639. It appears that they have a group that focuses on just online merchants. One of their team members confirmed the use of Security Metrics and that this was only for online accounts.

I called back (same number) on Saturday and spoke to a real nice gal at AMEX named Julie Strand. She knew nothing about the program but said to call back on Monday when the Online Merchant Team would be in the office. So it seems this is new policy at AMEX.

Is it just you and I that have a concern about this? Maybe this is just small change to most businesses.

Oman
Myfootshop.com (http://www.myfootshop.com)

Corey Bryant
01-17-2004, 06:14 PM
None of my clients (people who I have set up with merchant accounts) have contacted me yet re: this. It seems that no one really knows what is going on? I will try to call again on Monday & see what I am told then. I wonder how they are choosing as well to notify their customers re: this change.

Oman
01-21-2004, 06:59 PM
Corey,

I spoke to Authorize.net today who helped explain something to me. CID doesn't stand for 'credit card information data' but rather 'card information digits' also known as CVV, CV2 and CVS. You and I may know them as the pin number on the back of most credit cards....you know, the last three digits of the card off on the side.

We capture CID information on Discover Cards. Without CID information there's an upcharge of (don't quote me on this one) $0.50/transaction. What AMEX wants is site security for those sites capturing CID information. Without CID capture, I think you're OK.

We'll have to see what their policy is for the way our site is structured.

Oman
Myfootshop.com (http://www.myfootshop.com)

Corey Bryant
01-21-2004, 08:16 PM
OK - the CID makes more sense. The CID, CVV, etc. need a bit more security than the CC number. You are actually not supposed to save the CVV on your database web site.

You should still be able to capture it & transfer it to the gateway but not save it on your database.
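
The handling described in the last post (capture the security code, pass it to the gateway, never write it to your own storage), as an added example that is not part of the thread. The form field names, the `send_to_gateway` callable and the in-memory `db` and `log` lists are hypothetical stand-ins, keeping only the last four card digits is an assumption, and the card data is constructed test data.

```python
import re

# Keys that may carry the card security code; never persisted or logged.
SECURITY_CODE_KEYS = {"cvv", "cvv2", "cvc", "cid"}

def split_payment(form):
    """Split a submitted card form into (gateway_payload, storable_record)."""
    pan = re.sub(r"\D", "", form["card_number"])
    code = form["cvv"].strip()
    if not re.fullmatch(r"\d{3,4}", code):
        raise ValueError("security code must be 3 or 4 digits")
    payload = {"card_number": pan, "exp": form["exp"],
               "cvv": code, "amount": form["amount"]}
    # Assumption: the merchant keeps only the order data and the last four digits.
    record = {"order_id": form["order_id"], "amount": form["amount"],
              "card_last4": pan[-4:]}
    return payload, record

def redact(payload):
    """Return a copy of the gateway payload that is safe for a request log."""
    out = dict(payload)
    for key in out:
        if key.lower() in SECURITY_CODE_KEYS:
            out[key] = "[REDACTED]"
    pan = out["card_number"]
    out["card_number"] = "*" * (len(pan) - 4) + pan[-4:]
    return out

def charge(form, send_to_gateway, db, log):
    """Send the full payload to the gateway; store and log only safe fields."""
    payload, record = split_payment(form)
    log.append(redact(payload))
    record["gateway_txn"] = send_to_gateway(payload)  # only place the code goes
    leaked = SECURITY_CODE_KEYS & {k.lower() for k in record}
    if leaked:  # guard against a later change adding the code to the record
        raise RuntimeError("refusing to store: " + ", ".join(sorted(leaked)))
    db.append(record)
    return record

if __name__ == "__main__":
    # Constructed sample input (well-known test card number, not a real card).
    form = {"order_id": "A-1001", "amount": "19.95", "exp": "12/30",
            "card_number": "4111 1111 1111 1111", "cvv": "123"}
    db, log = [], []
    charge(form, lambda payload: "TXN-0001", db, log)  # stand-in gateway
    print("stored:", db[0])
    print("logged:", log[0])
```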