White Papers

1. Data Security

1.1 Introduction

Data security refers to the protective measures employed to secure data against unapproved access and to preserve confidentiality, integrity, and availability.

For the majority of our customers, axis diplomat lies at the heart of their business and any “down-time” during working hours or loss of data is a business critical issue.

This document discusses mitigations against data loss or downtime from causes outside of the control of axisfirst.

The causes of these incidents include:

  • Inadequate backup frequency.
  • Insufficient backup copies (e.g. an inadequate retention policy).
  • Failing to check backup logs (and finding out too late that errors have been occurring).
  • Using backup software which is either not up to the job, badly installed or incorrectly configured.
  • Infection by malicious software (malware) or attack by a hacker or other bad actor.
  • Bugs in third-party products.

1.2 axis diplomat Data Protection & Backup

1.2.1 Multiple & Automatic Checkpoints

The Data Protection facilities within axis diplomat (also referred to as “checkpointing”) should be your first line of defence in data protection. Using the standard facilities for multiple and automatic checkpoints, data loss in a disaster recovery situation can be minimised to a few minutes.

axis diplomat automatically attempts to take a checkpoint whenever data has been entered. In the event of a system failure a checkpoint represents a “clean” point to which the system can be recovered. Where the system is not at a clean point (for example because another operator is in the middle of filing a batch of data), and a checkpoint cannot be taken, the system simply continues. The next time an operator completes an update, the system will try again, and so on. Manual checkpoints can also be taken by a user to mark a known point to which the user may wish to recover.

axis diplomat holds many checkpoints (typically hundreds), allowing the user to select the point to which to recover (usually, but not necessarily, the most recent).

1.2.2 axis diplomat Backup Facilities

axis diplomat has built-in backup facilities which offer the following features:

  • Multiple backups can be stored on your system. Specific backups (such as month end backups) can be flagged as being retained indefinitely; other backups are cleared automatically after a user-defined retention period (typically 7 days).
  • Backups are compressed, so the disk space required for an axis diplomat backup is minimised.
  • Backups can also be archived to another storage destination. This allows you to utilise other storage on your network (e.g. another Windows server or NAS), cloud storage (accessible via a UNC path) or removable media (such as external disk drives or memory sticks).
  • Backups can be automated. You can schedule a backup to happen automatically at a given time. For example, you could schedule an automatic backup to happen at 23:00 Monday to Saturday.
  • Backups can include all the parameter and miscellaneous files associated with your axis diplomat system, not just the transactional database. This means that your system can be rebuilt precisely as it was before with just the backup file and the most recent axis diplomat release software.
  • The backup facilities work in conjunction with the axis diplomat SOS service (Safe Off-site Storage) to automatically back up your axis diplomat system to our web servers, providing further peace of mind that your day's data is protected and providing an important element in your business' disaster recovery plan.
  • Backups can be transmitted via the internet to axisfirst on an ad-hoc basis. This allows our support team to investigate a support query "off-line" without affecting the operation of your live system.
  • axis diplomat backups utilise Windows VSS (Volume Shadow Copy Service) to snapshot the axis diplomat data, meaning that backups can be taken whilst axis diplomat is in use.
    If Windows VSS is not available (for example because it is in a failed state), a two-phase backup process reduces the time during which users are unable to access the system. During the first phase, the data is copied and, as soon as that has been done, users are allowed to continue updating the system. The backup function is then able to compress the copied data without time constraints (by being able to spend more time on the compression phase, the resultant backup file can be as small as possible). This achieves the best of both worlds: as far as the users on the system are concerned, the backup happens very quickly, but the backup file is also extremely compact.
  • "Waiting for Supervisor Mode" operation waits for other operators to exit the system whilst preventing new users signing on until the backup has been completed.

You should schedule an axis diplomat backup overnight prior to the Windows system backup – the system backup then includes the axis diplomat backup file in addition to all of the files associated with axis diplomat – this makes it much easier to restore a system, since you can reload that one backup file in the event of a failure.

axis diplomat backups can also be archived to any location accessible via a UNC path (e.g. another server, a NAS device or a cloud storage service).

1.2.3 Safe Off-site Storage (SOS)

SOS is a subscription-based service whereby the axis diplomat backup function can automatically transfer the backup to axisfirst's servers. The three most recent backups are retained on those servers. Software running on those servers monitors the arrival of backups from each subscriber and raises an alert if backups are not received or are incomplete. Regardless of whether your axis system runs on premise or in the cloud, storing your most recent axis diplomat backups at a secondary location provides the best protection for that data since, even if your systems are compromised or destroyed, your data also resides elsewhere. Because only three copies are held off-site, a fault that goes unnoticed for three backup cycles will have replaced all of them, so act on SOS alerts promptly rather than relying on the off-site copies alone to outlast a problem.
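
The same two checks that SOS performs for the off-site copies (did a backup arrive, and is it complete?) are worth running against the archive location described in 1.2.2, together with the retention policy. The following PowerShell script is an added example and is not part of axis diplomat, SETUP or the SOS service; the UNC path, the .zip extension, the "MonthEnd" name marker for backups that are retained indefinitely, the 26-hour age limit and the 1 MB minimum size are all assumptions for the illustration. It refuses to prune old copies while the newest backup is missing, stale, too small or unreadable, so a failed backup job cannot quietly thin out the good copies you would need to recover from it.

```powershell
# Added example, not axis diplomat's own backup or SOS code. Values marked "assumed"
# are placeholders for this illustration; adjust them to your installation.
$ArchivePath   = '\\BACKUPNAS\axisdiplomat'   # assumed UNC archive location (1.2.2)
$Filter        = '*.zip'                      # assumed backup file extension
$MaxAgeHours   = 26                           # nightly 23:00 schedule plus slack
$RetentionDays = 7                            # the typical retention period quoted in 1.2.2
$KeepPattern   = '*MonthEnd*'                 # assumed name marker for "retain indefinitely"
$MinSizeBytes  = 1MB                          # assumed: anything smaller is a failed or partial backup

function Test-LatestBackup {
    # Returns a string beginning "OK:" or "FAIL:" describing the newest backup file.
    param([string]$Path, [string]$Filter, [int]$MaxAgeHours, [long]$MinSizeBytes)

    try {
        $latest = Get-ChildItem -Path $Path -Filter $Filter -File -ErrorAction Stop |
                  Sort-Object LastWriteTime -Descending | Select-Object -First 1
    } catch {
        return "FAIL: cannot read ${Path}: $($_.Exception.Message)"
    }
    if (-not $latest) { return "FAIL: no $Filter files found in $Path" }

    $ageHours = [int]((Get-Date) - $latest.LastWriteTime).TotalHours
    if ($ageHours -gt $MaxAgeHours) {
        return "FAIL: newest backup $($latest.Name) is ${ageHours}h old (limit ${MaxAgeHours}h)"
    }
    if ($latest.Length -lt $MinSizeBytes) {
        return "FAIL: newest backup $($latest.Name) is only $($latest.Length) bytes"
    }

    # Read the archive's central directory. A truncated or non-zip file throws here, which
    # catches the "incomplete backup" case rather than merely "a file with that name exists".
    try {
        Add-Type -AssemblyName System.IO.Compression.FileSystem
        $zip = [System.IO.Compression.ZipFile]::OpenRead($latest.FullName)
        try { $entryCount = $zip.Entries.Count } finally { $zip.Dispose() }
    } catch {
        return "FAIL: newest backup $($latest.Name) is not a readable archive: $($_.Exception.Message)"
    }
    return "OK: $($latest.Name), $entryCount entries, ${ageHours}h old"
}

function Invoke-BackupRetention {
    # Removes backups older than the retention period unless their name matches $KeepPattern.
    # With -WhatIf it only reports what would be removed.
    param([string]$Path, [string]$Filter, [int]$RetentionDays, [string]$KeepPattern, [switch]$WhatIf)

    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    Get-ChildItem -Path $Path -Filter $Filter -File |
        Where-Object { $_.LastWriteTime -lt $cutoff -and $_.Name -notlike $KeepPattern } |
        ForEach-Object {
            if ($WhatIf) { "Would remove $($_.Name) (last written $($_.LastWriteTime))" }
            else         { Remove-Item -LiteralPath $_.FullName; "Removed $($_.Name)" }
        }
}

$status = Test-LatestBackup -Path $ArchivePath -Filter $Filter -MaxAgeHours $MaxAgeHours -MinSizeBytes $MinSizeBytes
Write-Output $status
if ($status -like 'FAIL*') {
    # Never prune while the newest backup is bad: the older copies may be all you have left.
    exit 1
}
# Drop -WhatIf once you are happy with what it reports.
Invoke-BackupRetention -Path $ArchivePath -Filter $Filter -RetentionDays $RetentionDays -KeepPattern $KeepPattern -WhatIf
```

Run it from a scheduled task shortly after the overnight backup window and route a non-zero exit code into whatever monitoring you already watch, since a check nobody reads is the same failure as the unread backup log in section 1.1. Note that the account the task runs under must be able to delete files on the archive share, so anything that compromises that account (or the server it runs on) can delete those backups as well; that is precisely why the SOS copies, which this script cannot reach, still matter.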


1.2.4 Windows system backups

None of axis diplomat's data protection facilities should be considered a replacement for operating system level backups to a separate device on site, to cloud storage, or both. We recommend that all systems are backed up at the system level on a daily basis (normally automated overnight). These backups are your main defence against system or data loss. Whatever software you use, test a restore periodically: a backup that has never been restored is an assumption, not a safeguard.

Your backup software should include the following facilities:

  • Disaster Recovery (DR) – without disaster recovery (or "bare metal" disaster recovery), in order to restore a backup it is necessary to rebuild a complete server first, then install the backup software to read the backup – in extreme cases this could involve several days of work for a systems technician before a restore can even begin!
  • Open File Backups – on Windows systems, and servers in particular, many of the Windows system files are open all of the time and, without a mechanism for backing up those open files, you cannot restore a complete system, only the parts of the system that were not open at the time (and an incomplete backup can be as bad as no backup at all!).

If you are using removable media as a backup solution, you should also endeavour to store your backups off-site, bringing each item of media back on site only when it is next required in the rotation. When not off-site, media should be stored in a secure location, such as a fireproof safe.

1.3 File Security

Most server-based operating system environments (such as Microsoft Windows Server) provide the ability to restrict access to files according to the currently logged-in user.

axis diplomat utilises the security access rights assigned to Windows (Active Directory) user accounts and user groups to restrict access to the axis diplomat files (both programs and data). This can significantly limit the damage that malicious software (malware) can do to your axis diplomat system in the event of an infection: unless it separately escalates its privileges, malware runs with the rights of the user whose session it has compromised, so files that user cannot write to cannot be altered or encrypted by it either.

If you are running your axis diplomat system on a server that supports security (e.g. Microsoft Windows Server) you should install axis diplomat using the secure option within SETUP.
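
Whether the permissions are still as SETUP left them is worth checking from time to time, because a later share change or a "quick fix" for a permissions problem can undo them. The following PowerShell script is an added example for auditing the NTFS permissions this section relies on; it is not part of SETUP's secure option and it changes nothing. The install paths under D:\AxisDiplomat and the CORP domain name are assumptions. It flags any Allow entry that gives a broad principal (Everyone, Users, Authenticated Users or Domain Users) the ability to write, delete or change permissions on the program or data folders, which is exactly the access that malware running as an ordinary user would use.

```powershell
# Added example, not axisfirst code: audit NTFS permissions on the axis diplomat folders
# for write access granted to broad groups. It reports only; it changes nothing.
$Paths = @('D:\AxisDiplomat\Programs', 'D:\AxisDiplomat\Data')   # assumed install locations
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'CORP\Domain Users'                                         # 'CORP' is an assumed domain name
)

# Any of these rights lets the holder (and therefore malware running as them) alter or destroy files.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
             [int][System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership
# Some inherit-only entries carry generic rights as raw bits rather than named flags.
$GenericWriteOrAll = 0x40000000 -bor 0x10000000                   # GENERIC_WRITE | GENERIC_ALL

function Test-GrantsWrite {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    $raw = [int]$Ace.FileSystemRights
    return ((($raw -band $WriteMask) -ne 0) -or (($raw -band $GenericWriteOrAll) -ne 0))
}

function Get-BroadWriteAces {
    # Emits one line per Allow entry that gives a broad principal write rights on $Path.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    if (-not $acl.AreAccessRulesProtected) {
        "NOTE: $Path inherits its ACL from its parent folder, so loosening the parent loosens it too"
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (Test-GrantsWrite -Ace $ace) {
            $inherited = if ($ace.IsInherited) { ' (inherited)' } else { '' }
            "RISK: $Path grants '$($ace.FileSystemRights)' to $($ace.IdentityReference.Value)$inherited"
        }
    }
}

$findings = foreach ($p in $Paths) { Get-BroadWriteAces -Path $p }
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    # Typical remediation (group names assumed; confirm the rights axis diplomat needs before applying):
    # break inheritance, give users read/execute on Programs and modify on Data, and full control
    # only to SYSTEM and the administering group.
    #   icacls D:\AxisDiplomat\Programs /inheritance:r /grant:r "CORP\AxisDiplomatUsers:(OI)(CI)RX" "CORP\AxisDiplomatAdmins:(OI)(CI)F" "SYSTEM:(OI)(CI)F"
    #   icacls D:\AxisDiplomat\Data     /inheritance:r /grant:r "CORP\AxisDiplomatUsers:(OI)(CI)M"  "CORP\AxisDiplomatAdmins:(OI)(CI)F" "SYSTEM:(OI)(CI)F"
} else {
    "OK: no broad write access found on $($Paths -join ', ')"
}
```

The split between the two folders is the point of the exercise: users need to update the data, but nothing in an ordinary user's session should be able to replace the program files, since a trojanised executable would otherwise run on every workstation at the next sign-on. Remember that share permissions are evaluated as well as NTFS permissions when the folders are reached over the network, so check the share with Get-SmbShareAccess too.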


1.4 Conclusion

Whilst there may, on the surface, seem a thin line between Data Security Best Practice and paranoia, you should consider your procedures carefully. Data is virtually uninsurable and a significant loss of data often results in a business failure.

2. PCI DSS (Payment Card Industry Data Security Standard)

The Payment Card Industry (a forum including American Express, JCB, MasterCard and Visa) sets very high standards for data security for anyone handling details of customers' credit and debit cards, and the standards only get more stringent with each new release of PCI DSS.

Arguably, this is as it should be since this is highly sensitive information and a very real threat - according to FFA UK, fraud losses on UK-issued cards totalled £567.5 million in 2015. In addition, the fines for data loss are punitive (in the region of €20,000 per loss).

The requirements on the IT infrastructure of the typical SME are, however, so onerous that the general advice is that it is better to avoid any interaction with your customers' card details. This applies not only to storing them but to implementing systems so that they do not pass through your hands in the first place. In PCI DSS terminology this is referred to as taking your systems out of scope.

In essence, this is dealing with the problem of card security by avoiding the need for it!

2.1 What is covered by PCI DSS?

Whilst some may think that PCI DSS is all about website security, it isn't! The requirements of PCI DSS apply to all of your business's interactions with customers' credit and debit cards, including:

PCI DSS is also not only about IT - it also covers your internal processes, such as a manual (paper-based) fallback procedure for when your network, Internet connection or power supply is down.

2.2 Can axisfirst advise me on achieving PCI DSS compliance?

No! Advice, guidance and assessment for PCI DSS needs to be performed by a Qualified Security Assessor, or QSA, and axisfirst is not a QSA.

There are individuals working as QSA consultants and a number of specialist companies offering QSA services - one will probably have been recommended to you by your acquiring bank but a simple web search will identify many more.

QSAs exist to provide consultancy to companies on PCI DSS compliance and will charge commercial consultancy rates for their advice - and, because they are offering a highly specialist service that requires a very particular skill set, these services generally carry a significant premium. Daily rates are certainly in the four-figure bracket and a PCI DSS assessment will invariably take a number of days.

2.3 Taking your systems out of scope

If you need to be fully PCI DSS compliant, you will need to budget for an annual inspection by a QSA, subscribe to regular penetration tests of your website and network and then budget to implement their recommendations.

Alternatively, you can aim to put your ICT infrastructure and your website out of scope by ensuring that customers' card details never touch them! Assuming that you still want to accept card payments, there are a number of ways of addressing this.

2.3.1 Website

All axis vMerchant websites built by axisfirst will use hosted payment pages provided by the Payment Service provider (PSP); typically Opayo.

This means that, at the point your customer supplies their card details during the checkout process, they are not actually on your axis vMerchant website or web server but are actually on the Payment Service Provider's site.

You should ensure that you obtain a certificate of PCI DSS compliance (the provider's Attestation of Compliance) from the Payment Service Provider at least annually.

2.3.2 Telesales

Taking card details over the phone (known in the banking world as MOTO - Mail Order/Telephone Order) and processing them in a way that keeps your network out of scope is a more complex situation than your website.

If, for example, you record any telephone calls and those call recordings include people reading out their card details then (assuming those call recordings are accessible on your network) this brings your entire network under the requirements of PCI DSS.

Even if you do not record calls, if card details are spoken and your telephone calls use VoIP (Voice over IP), whether from a computer or dedicated phone system, then your phone system and all or a part of your ICT infrastructure may fall into the scope of PCI DSS.

Similarly, if you type customer's card details into software, even a web browser, and that software runs on a machine on your network then, again, a part or all of your network comes within the scope of PCI DSS.

There are a number of options for handling MOTO payments whilst avoiding the card details passing through your network - either by using a specialist third-party service (such as Aeriandi AgentPay) or by taking steps to reduce the number of occasions when you need to take payments over the phone. Any remaining situations can be processed manually using a payment terminal ("PDQ" machine) or a web browser on a device that is not on your network (such as a tablet using the cellular 3G/4G network) to enter the payment via a PSP's payment portal.

Remember also that other company policies can help reduce the need for phone-based payments - for example, charging for delivery on telephone orders but offering free delivery on web orders.

2.3.2.1 Aeriandi AgentPay

Aeriandi AgentPay sits between your telesales operator and your customer and masks the card details from the phone call whilst simultaneously passing those details to the PSP for processing. The payment transaction details are then passed to axis diplomat in the same way that web transactions would be.

Whilst on the phone, the customer is asked to enter their card details using their phone keypad (using touchtones or "DTMF"). Alternatively, they can read out their card details and Aeriandi will capture them using voice recognition. The card details are filtered from the call before it reaches your phone system or network. Your telesales operator stays on the line but cannot hear the card details and does not have to process the payment themselves.

axis diplomat can support Aeriandi AgentPay when used in conjunction with Opayo as the Payment Service Provider.
2.3.2.2 Tokens

Opayo offer a facility known as Opayo Tokens. This mechanism allows anyone using your website checkout to save their card details for future use. The card details are held by Opayo and referenced only by a unique token or ID; this allows returning visitors to pay using a saved card whilst still keeping your website out of scope for PCI DSS, since no card details are stored on your systems. A token is out of scope because it cannot be turned back into a card number, but it can still be used to charge that card through your Opayo account, so access to tokens should be restricted in the same way as any other sensitive customer data.

Token details can be imported into axis diplomat from your axis vMerchant website (along with the sales order) and are then available for future telesales orders from the same customer. This means that you do not need to take card details from callers who are making repeat purchases, provided that they want to re-use a card that they have previously used on your website.
2.3.2.3 Online Payments

axis diplomat can create an automatic email that is sent to your customer as part of the usual order entry process. That email contains a link to a payment page hosted by us (for example, on your axis vMerchant web site if you have one) where they make the payment in a similar manner to checking out on your website. In conjunction with the token mechanism described above, they would only need to do this once, as future telephone or web orders could be paid using the saved card details.
2.3.2.4 Payment Portal

If you implement both processes above then you could find that the only payments you need to take over the phone are those for customers who don't have an email address, are not near a computer or do not like entering their card details into a website.

This remaining number may be small enough for you to manage the inconvenience of using a payment terminal. Alternatively, your card provider may permit the use of a device with a web browser that is not attached to your network to enter a payment using your Payment Service Provider's online portal. If you do this with Opayo (via their website) then axis diplomat can automatically import the payment details and match them to a sales order.

2.3.3 Which solution is best?

If you only ever take card payments on your axis vMerchant web site and not by any other means then the vMerchant PSP checkout should ensure that you remain out of scope.

If you take telephone orders but are happy to accept payment using only those cards which the customer has previously used for a payment on your axis vMerchant web site (and for which you therefore have a token) then consider implementing Opayo tokens.

If you take telephone orders and need to be able to accept payments using card(s) for which you have no token then consider an Online Payment portal and/or using Aeriandi AgentPay in conjunction with Opayo.
2.4 References

2.5 Disclaimer

The information, advice and opinions shown above represent our understanding at the time of publication (April 2017). axisfirst are not Qualified Security Assessors (QSA) or PCI DSS Consultants.

axisfirst always recommends that you consult the services of a QSA or qualified PCI DSS Consultant before making decisions regarding payment card security.

3. Options for B2C E-commerce Sales into Europe from 1st July 2021

3.1 Introduction

This white paper outlines the options available to businesses making online B2C sales into EU member states from outside of the EU.

From 1st July 2021 the rules for ecommerce distance selling (business-to-consumer, B2C) in the European Union change. These changes can be utilised by all businesses established inside and outside of the EU, including the UK, and are not directly related to Brexit.

The changes are commonly referred to as the EU VAT E-commerce Package and the two key components are One Stop Shop (OSS) and Import One Stop Shop (IOSS).

From 1st July 2021, the VAT exemption for sales below €22 into Europe is also removed and all goods imported into the EU are subject to VAT.

It should be noted from the start that neither OSS nor IOSS are mandatory and that these new VAT measures are limited to online sales to consumers in the EU. 

Business-to-business (B2B) sales from a business in the UK to a business in an EU country continue as they have since the end of the Brexit transition period on 1 January 2021. Exports of goods should be zero-rated and are then subject to tax in the destination country through the application of import VAT.

3.2 Online Marketplaces

Starting 1 July 2021, online marketplaces/platforms such as Amazon and eBay will have new roles for VAT purposes in the EU:

Online marketplaces are considered a deemed supplier if they facilitate:

Online marketplaces are not considered a deemed supplier for:

For transactions where the online marketplace is the deemed supplier, the marketplace is treated for VAT purposes as if it is the actual supplier of the goods and will be liable to account for VAT on these sales. They will collect the VAT from the customer at the point of sale and remit it to the relevant tax authority, deducting the tax collected from the payment made to the underlying seller.

Businesses selling into the EU via online marketplaces despatch the goods using the marketplace's Import One Stop Shop registration, and their customers receive the goods without the need to pay any further VAT.

If you are currently selling goods into the EU via online marketplaces such as Amazon and eBay, ensure that you read any notifications that they send regarding these changes and carry out any actions they require to ensure that your account(s) with them are correctly configured.

3.3 Import One Stop Shop (IOSS)

The Import One Stop Shop was created to simplify VAT and to ensure that customers do not face unexpected fees when their goods are delivered.

It is designed only for relatively small transactions (up to €150) and allows a seller based outside of the EU to register for VAT in a single European country yet charge VAT at the rate for the particular country to which goods are being delivered.

Registering for IOSS is entirely optional - if sellers are not registered then any customers within the EU will pay the VAT and possibly other fees charged by the carrier, when the goods are imported.

If the seller elects to register for IOSS and makes an online sale of goods of a value of less than €150, they will need to apply the appropriate rate of VAT for the country where consumption of the goods takes place. The online seller will need to show/display the amount of VAT to be paid by the buyer in the EU, at the latest when the ordering process is finalised. If you have web sites selling B2C you will need to ensure that your sites have the capability to meet this obligation. 

The seller will also be required to:

3.4 Delivered Duties Paid (DDP) Services from Delivery Service Providers

Your Delivery Service Provider(s) may offer 'Delivered Duties Paid' services.

These services allow sellers to collect additional amounts from their customers to cover the cost of both customs duty and import VAT. The carrier then pays any customs duty and import VAT due on the consignment and charges it back to the seller, delivering the goods to the end customer with no further charges to them.

3.5 Delivered Duties Unpaid (DDU)

Since the end of the Brexit transition period on 1 January 2021, the standard delivery service for both B2C and B2B sales of goods into the EU has been 'Delivered Duties Unpaid'. This is where the overseas post or parcel operator collects the import VAT (and customs duty, if payable) from the EU buyer prior to delivery, alongside a handling fee.

This service will continue to be available.

3.6 Additional Information

Detailed information on the new EU VAT e-commerce rules is available at https://ec.europa.eu/taxation_customs/business/vat/vat-e-commerce_en

Information on the axis diplomat IOSS module can be found at European Import One Stop Shop (IOSS).