PCI, ADA and COPPA - OH MY! Managing Regulatory Compliance - Magento Imagine 2017
Managing the Growing Array of Regulation for Online Retail
Phillip Jackson
Ecommerce Evangelist - Something Digital
Overview
• Differences between compliance and regulation
• Types of regulations and compliance burdens faced by digital commerce
• How to plan and budget for growing burden
• Case studies
Regulation vs Compliance: Is there a difference?
Compliance
• Compliance usually is dictated by complying with a standard or non-legal set of requirements
• Identified by a working group or standards body
• Economic repercussions
• In flux, evolving
• Adapts to change, culture, technology
• Less expensive
“In general standards groups seek to create guidelines that outline best practice in order to prevent regulation by a governmental body.”
Regulation
• A set of laws which has an oversight body, usually a governmental or NGO body which oversees enforcement
• Legal repercussions
• Long periods of time between revisions
• Outmoded by technology, culture
• More expensive
PCI Compliance
• PCI (Payment Card Industry)
• Standards body made up of worldwide banks and gateways
• Effort to circumvent regulation by region
• Requirement imposed at-will on premium, non-essential services
• Combination of self-assessment and 3rd party
• Risk mitigation
ADA Compliance
• American Disability Act (1990)
• Legislation overseen by DOJ, IRS
• Increasingly websites under scrutiny
• Large brands require higher levels of compliance
COPPA Compliance
• Child Online Privacy and Protection Act (2013)
• Legislation overseen by FTC
• Simple rules to follow:
  • Don’t do business with children under 13
  • Don’t collect data for children
  • Don’t primarily (or secondarily) market to children
COPPA
• “Collect data” includes:
  • Full name
  • Screen name or user name where it functions as online contact information
  • A persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, an IP address, a processor or device serial number, or a unique device identifier
EU Privacy Directive
• Government regulation
• Privacy and control of Personally Identifiable Information as a human right*
• Requirement on all businesses for all people
* source: http://ec.europa.eu/justice/data-protection/
Overview
• Differences between compliance and regulation
• Types of regulations and compliance burdens faced by digital commerce
• How to plan and budget for growing burden
• Case studies
How to plan and budget for growing burden
Start by saving
• Employ across disciplines
• Invest in training to save on hiring costs
• Invest in automation
• Limit unnecessary risk
Set expectations
• Anticipate large expenditures with increased demand and market segments, e.g. investment in teen/tween goods or pushing above the $6MM limit
• Invest in areas with largest impact
Set expectations
https://www.sans.org/reading-room/whitepapers/analyst/security-spending-trends-36697
Reasonable Expense
Category         Amount        Share
Infrastructure   $14,500.00    29%
Compliance       $15,000.00    30%
Security         $7,000.00     14%
Audit            $8,800.00     18%
Training         $4,500.00      9%
Reasonable Expenses
• Examples of spending:
  • Infrastructure: servers/hardware, CCTV, biometrics, 2FA, security, HA/DR, building access
  • Compliance: legal, HR, seminars, productivity
  • Audit: 3rd party services, scanners, hardware devices
  • Security: physical and digital, seminars, SMEs
  • Training: workforce education, hire for skill set
Costs: PCI Compliance
• Variables that affect PCI costs:
  • Business type
  • Size of organization
  • Level 1 (> $6MM in transactions -OR- > 1MM total transactions)
  • Level 2 or 3 (at discretion of acquiring bank)
Costs: PCI Compliance
• Bottom line: costs scale significantly with your business:
  • $300-10,000 for Levels 2-3 per annum
  • $70,000 per audit for Level 1
Costs: PCI Levels 2 and 3
• Self-Assessment Questionnaire ~$50 - $200
• Vulnerability scanning ~ $100 - $150 per IP address
• Training and policy development ~ $70 per employee
• Remediation (software and hardware updates, etc.)
• Productivity Costs
http://blog.securitymetrics.com/2015/08/pci-compliance-cost.html
Costs: PCI Level 1
• Onsite audit ~ $40,000+
• Vulnerability scans ~ $800+
• Penetration testing ~ $5,000+
• Training and policy development ~ $5,000+
• Remediation (software and hardware updates, etc.) ~ varies greatly based on where the entity is today in relation to compliance and security
http://blog.securitymetrics.com/2015/08/pci-compliance-cost.html
Costs: PCI Compliance
• Cost of a breach:
  • Remediation: $25,000+
  • Hosting migration: $30-40,000
  • Increase in rates from acquiring bank (or worse, blacklist)
http://blog.securitymetrics.com/2015/08/pci-compliance-cost.html
Costs cont.
Chart (SANS security spending trends): IT Budget, Regulation 63%; IT Salary, Regulation 76%
https://www.sans.org/reading-room/whitepapers/analyst/security-spending-trends-36697
Costs: ADA Compliance
What is a Disability?
Definitions
ADA Compliance: Definitions
• No such thing as “ADA Compliance”
• WCAG (Web Content Accessibility Guidelines) 2.0
• Accessibility
• “Design with Equity”
• The Persona Spectrum
The Persona Spectrum (resource): https://www.microsoft.com/en-us/design/inclusive
“In the context of health experience, a disability is any restriction or lack of ability (resulting from an impairment) to perform an activity in the manner or within the range considered normal for a human being.”
–World Health Organization, 1980
“Disability is not just a health problem. It is a complex phenomenon, reflecting the interaction between features of a person’s body and features of the society in which he or she lives.”
–World Health Organization, 2017
Business Costs: ADA Compliance
• Variables that affect ADA costs:
  • ADA predates the WWW (by 1 year)
  • New build vs retrofit
  • Certification vs “light accessibility”
  • Legal threats
User Costs: ADA Compliance
• Everyday users are affected
• Productivity increases
• Accessibility exercises increase mobile conversion rate
Costs: ADA Compliance
• Some incentives:
  • “Empathetic design” (design with equity) increases mobile conversion rate
  • 8% of Americans suffer with color blindness
• Tax implications:
  • Access Credit expenditures must be for compliance with the ADA
  • General Business Credit Limit
Costs: ADA Tax Incentives
• General Business Credit Limit
• Work Opportunity Credit
• Access Credit CapEx
• Strong indication applies to websites (IANAL):
  • DOJ broadened its interpretation of the ADA to websites stating “The Department has consistently interpreted the ADA to cover Web sites that are operated by public accommodations and stated that such sites must provide their services in an accessible manner or provide an accessible alternative to the Web site that is available 24 hours a day, seven days a week.”
http://www.southwestada.org/html/publications/general/taxbulletin.html
Costs: ADA Compliance
• Levels of compliance:
  • WCAG (Web Content Accessibility Guidelines) 2.0 Levels A & AA are somewhat affordable
  • Layered costs by percentage addition during design-time
  • 6-16% increase in development and testing time
  • External audits may be required/requested
  • Retrofit can be very difficult
  • AAA is prohibitive
http://www.accessiq.org/standardguideline/web-content-accessibility-guidelines-wcag
Costs: ADA Compliance
• Example build:
  • 1400-hour reference site build
  • 7% of budget was accessibility
  • 32% of budget was PM / QA (compared at 30% nominal)
http://www.accessiq.org/standardguideline/web-content-accessibility-guidelines-wcag
Costs: COPPA Compliance
• Build tools to cope with PII demands
• Analytics woes/issues with cookie data collection
• Purchasing challenges
• Age gating
• Sharing selections
http://www.accessiq.org/standardguideline/web-content-accessibility-guidelines-wcag
Where Magento 2 Can Help
• PCI compliance
  • Out of box lowest-level PCI risk (directpost/iframe-only payment methods)
• ADA compliance
  • M2 has ARIA features, skip-to-content links, tab navigation, great support for alt text, and does many things correctly out of the box
  • Some reasonable tradeoffs, some features require compromise
• COPPA
  • Wishlist
  • Cookie policy
Where Magento 2 Needs Help
• ADA compliance
  • Return of focus
  • Repetition of spoken text/terms
• COPPA
  • Age gating
  • Web chat, reviews, contact us
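The age-gating gap listed for COPPA, as an added example that is not part of the original deck and not Magento's own code: a minimal server-side neutral age screen in Python. It assumes a per-visitor server-side session object (the GateSession class here is hypothetical) and that the shop records only the screen's outcome, never the submitted date of birth. The 13-year cutoff is the one the deck names; the "stay blocked for the session" behaviour follows the FTC's COPPA FAQ, which suggests preventing a child from going back and entering a different age. The sample dates are constructed.

```python
"""Neutral age screen for a storefront that must not collect data from under-13s (COPPA).

Added example, not Magento's code. Assumes a server-side session object per visitor
(GateSession is hypothetical); the date of birth itself is never persisted, only the outcome.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Union

COPPA_MIN_AGE = 13               # cutoff named in the deck
DEMO_TODAY = date(2017, 4, 3)    # constructed "today" so the walk-through is reproducible


@dataclass
class GateSession:
    """Per-visitor state kept server-side (e.g. in the web session, not a long-lived cookie)."""
    blocked: bool = False   # visitor failed the screen once; stays blocked for this session
    passed: bool = False    # visitor cleared the screen; persistent identifiers may now be set
    attempts: int = 0       # decisions made (malformed submissions do not count)


def parse_dob(text: str) -> Optional[date]:
    """Accept only ISO YYYY-MM-DD; anything else is treated as no answer (the form re-prompts)."""
    try:
        return date.fromisoformat(text.strip())
    except ValueError:
        return None


def age_on(dob: date, today: date) -> int:
    """Whole years completed by `today`, correct on either side of the birthday."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def evaluate_age_gate(session: GateSession, dob_text: str, today: date) -> str:
    """Return 'allow', 'deny' or 'retry'.

    Neutral screen: the form asks for a date of birth without stating the cutoff, and a
    visitor who fails is denied for the rest of the session even if a later submission
    claims an adult date of birth (the FTC's COPPA FAQ suggests blocking such re-entry).
    """
    if session.blocked:
        return "deny"
    dob = parse_dob(dob_text)
    if dob is None or dob > today:
        return "retry"          # malformed or future date: no decision, nothing kept
    session.attempts += 1
    if age_on(dob, today) < COPPA_MIN_AGE:
        session.blocked = True  # remember the outcome, not the date
        return "deny"
    session.passed = True
    return "allow"


def may_set_persistent_identifier(session: GateSession) -> bool:
    """Gate for analytics/advertising cookies: COPPA counts a cookie id, IP address or
    device id as personal information, so nothing that recognises the visitor over time
    is set until the screen has been passed."""
    return session.passed and not session.blocked


def demo() -> List[Union[str, bool]]:
    """Constructed walk-through: a child fails, then re-submits an adult date of birth."""
    s = GateSession()
    outcomes: List[Union[str, bool]] = [evaluate_age_gate(s, "2010-06-01", DEMO_TODAY)]
    outcomes.append(evaluate_age_gate(s, "1980-01-01", DEMO_TODAY))  # still denied
    outcomes.append(may_set_persistent_identifier(s))                # still False
    return outcomes


if __name__ == "__main__":
    print(demo())  # ['deny', 'deny', False]
```

The decision logic is deliberately separate from the web framework so it can sit behind any form handler; the only state that crosses requests is the three booleans/counters in GateSession, which is what keeps the gate itself from becoming a data-collection point.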
Overview
• Differences between compliance and regulation
• Types of regulations and compliance burdens faced by digital commerce
• How to plan and budget for growing burden
• Case studies
• Resources
Case Studies
Maddie Case Study: COPPA
• Age Gate
• Share to Buy
• Cookie / Data collection requirements
• Privacy Policy which complies with COPPA
• Marketing and photography consistent with demographic of target audience
Papyrus Case Study: ADA
• WCAG 2.0 AA
• Modals
• Keyboard Navigation
• Voice/Screen Reader
There Is Hope: Silver Linings
• Community
• Capabilities of Platform
• Openness of Platform
• Capabilities of Partners
Overview
• Differences between compliance and regulation
• Types of regulations and compliance burdens faced by digital commerce
• How to plan and budget for growing burden
• Case studies
• Resources
Resources: PCI
• Secure Commerce, Magento Imagine 2016
• Wow Such PCI Compliance, Meet Magento Spain 2015
https://www.youtube.com/watch?v=TkEGpQ0uz54
https://www.youtube.com/watch?v=RdBa3basd6o
Resources: Accessibility / ADA
• Something Digital Thought Leadership Blog Series
Resources: Imagine
• Imagine 2017 Dev Exchange
Resources
• Salesforce UX Blog
Q&A
Thank You!
