The online world is probably the ultimate place for freedom. You can say pretty much what you want behind a wall of nicknames and/or anonymous posts. This power has allowed people to freely express their ideas and even organize large demonstrations against dictatorships.
But some people take improper advantage of this freedom. A couple of months ago, Tom MacMaster, a 40-year-old American, pretended to be a young Syrian lesbian blogger, causing commotion and revolt. Every day, thousands of people are powerless victims of cyber-bullying. At online marketplaces, such as eBay and Airbnb, fraud is a major problem. Moreover, bad sellers can easily change usernames and start over again. Fake profiles on Facebook and Twitter cause a lot of trouble as well.
The “real” world has a lot of control systems that mitigate the pitfalls of anonymity. For instance, newspapers are not required to disclose the names of article writers, but at least an offended person can easily go to court to seek reparation for damages caused. Brick and mortar stores cannot quickly change location and names when their reputation is damaged by a fraudulent sale. Our society usually requires proper identification of the parties for most of the interactions that exist.
A “certified online ID” attesting to the real name of a user could bring a lot of benefits. At online marketplaces, the benefits are obvious: the risk of reputational bankruptcy would create great incentives for better behavior, improving the quality of the services and reducing the cost of transactions. At Airbnb, tenants and hosts would know each other's real names, increasing confidence and decreasing the importance of time-demanding reviews. The same concept is also applicable to eBay. In social networks, the benefits would also be enormous, not only avoiding fake profiles, but also allowing real profile owners to get their accounts back in case of stolen passwords. A safer era of the internet would begin. It would be a place where people would be more careful before offending or cheating others.
No, I do not think that the online world should migrate right away to a policy of strict identification. If this sort of identification had been required since the beginning, the online world, and especially the web 2.0, would be much smaller, or would not even exist. Mobilizing new users would have been much harder. However, one day internet usage will stop growing (or at least will grow only with population). Maybe on that day, the damage caused by this “excess” of freedom might outweigh the benefits, and society might have to make a tough choice.
Generally speaking, the goal of any online business is to make money. To do so effectively often requires the business to accept credit cards. However, when a business signs a merchant agreement with a credit card network, they also agree (often unknowingly) to maintain compliance with the Payment Card Industry Data Security Standards (PCI DSS). PCI is an industry group made up of the major credit card companies that regulates the usage of credit cards. They created and enforce the PCI DSS, which is a set of standards aimed at securing customer credit cards against theft and fraud. These standards require any company that processes, stores, or transmits credit cards to maintain a secure environment for these transactions to take place. This includes everything from installing a firewall and anti-virus software to ensuring the doors to the server room are locked at all times.
When most small businesses sign their merchant agreement with a credit card company, they do not read the fine print of the agreement, and do not realize that they must be compliant with PCI DSS. Often the PCI DSS clause is only a sentence or two long, and if the business does not have a lawyer who is familiar with this clause, they are likely to miss it. This leads to the unfortunate result that if the business ever suffers a security breach where customer credit card information is lost, and the business is found to be non-compliant with PCI DSS, they are subject to heavy fines. These fines can be anywhere from $1 to $100 per card that is compromised, partially due to the fact that it costs the credit card companies up to $25 to replace a lost or stolen card. One of the most costly credit card breaches was that of TJX Companies Inc., the parent company of T.J.Maxx, where over 40 million credit cards were compromised and the total cost of investigation and PCI fines was over $200 million.
For smaller online businesses, it is unlikely that they would lose this many cards and would generally be subject to much lower fines. However, considering how cheap it can be to comply with PCI DSS, it would be foolish to not do so even if the business only processes a few transactions a month. PCI DSS classifies merchants based on the number of transactions they have, and companies with the lowest transaction rates only need to submit a self-assessment questionnaire and have a quarterly vulnerability scan of their environment to maintain compliance. Compared to the potential fines they would face if a breach occurred, maintaining compliance is very cheap.
When forming an online business, founders should be aware of, and maintain compliance with, PCI DSS requirements from the very beginning to avoid massive fines if they are breached. Alternatively, online businesses could consider not handling credit cards at all, and either only accept payment via services such as PayPal, or outsource credit card processing to a third party. Although outsourcing to a third party will result in an additional processing fee on top of the credit card companies’ interchange fee, the business will no longer be subject to PCI fines as they effectively transfer the risk of compromise and the burden of protecting the credit cards to another company. In the end, when an online business makes the decision to accept payment for the goods or services they provide, they must weigh the tradeoffs between the added expense of outsourcing and the added expense of maintaining PCI DSS compliance.
By: Frank Nagle