Whether it is design aesthetics, user experience, or the checkout and transaction flow, ecommerce is a rapidly changing space that can be difficult to keep tabs on, even for the most technically savvy teams. The most successful digital enterprises nonetheless position themselves to tackle new obstacles head-on, and compliance and taxation are no exception: both can make or break an ecommerce business. Those who fail to adapt quickly to new rules run a serious risk of consequences that could sink the business outright, particularly when venturing into new markets.
Should You Be Outsourcing?
Before we go any further on these two topics, ask yourself whether this is something you are ready to take on in-house. Depending on where your business is, the most cost-efficient option may simply be to leave it to specialists.
If you have not already done so, we recommend reading the first two parts of our “Building vs Buying” series, which will help you judge whether your growing ecommerce business is ready to tackle this head-on.
In part one, we gave a high-level overview of the most important things to think about when scaling an ecommerce business and deciding whether it is more economical to use a third-party payment processing solution or to build in-house. That analysis factored in transaction fees, staffing, the ability to scale, and other hidden costs that may not be on your radar.
In short: the more revenue your ecommerce business generates, the less practical it becomes to rely on an outsourced ecommerce platform. We break this down in detail near the end of this article.
The second part of the series is designed to give ecommerce businesses the foundation they need to move away from a third-party offering and build a custom, in-house platform, which is an arduous task if you are not properly staffed. That includes the merchant approval process and the monitoring of contract terms and fees, which are often complex enough to require a dedicated team.
We also explored some of the key building blocks required to successfully get your own payment processing engine up and running, like design requirements, integrations with payment gateways and business applications, and laying out a strategy for maintaining uptime and reliability.
With that knowledge in mind, it’s now time to dive into some of the last – but important – considerations you need to make when it comes to building your own payments platform: international taxes and regulatory standards.
Global Regulatory Compliance
Maintaining regulatory compliance in a single state or country is challenging enough; expanding into new international regions makes it far more difficult (and costly) to manage responsibly. If you take the DIY approach to payment processing, you are on the hook for making sure legal requirements are continuously met.
There are four key elements to keep in mind: payments security, personal data privacy, combating fraud, and managing international taxes.
Payments Security
When building a payment processing engine, how people pay and how you protect that payment data is of vital importance. It is the cornerstone of ecommerce, and without proper safeguards you are putting yourself in a very exposed financial position.
This is where the Payment Card Industry Data Security Standard (PCI DSS) comes in. PCI DSS is a set of security requirements, maintained by the PCI Security Standards Council on behalf of the major card brands, that governs how cardholder data is stored, processed, and transmitted by any organization that handles it.
Becoming PCI compliant is an ongoing process, but it breaks down into three steps. First, assess: inventory the assets and processes that handle payment card data and analyze them for vulnerabilities. Second, remediate: fix the gaps the assessment uncovers. Third, report: compile the remediation records and compliance reports and submit them to your acquiring bank and the card brands you do business with. How much work this is depends heavily on scope. A merchant that never touches raw card numbers (for example, by using a hosted payment page or tokenization) can usually self-assess with a short questionnaire, whereas one that stores and processes card data in its own systems is in full scope and, at high transaction volumes, needs an annual on-site assessment by a Qualified Security Assessor. Building your own payment engine is exactly the choice that moves you into full scope.
We recommend you familiarize yourself with the full standard, but in summary, there are twelve core requirements you must meet:
- Install and maintain a firewall to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update antivirus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
This wording follows PCI DSS v3.x; version 4.0 retitles and reorganizes some of these but keeps the same twelve requirements.
While PCI DSS is not itself law (it is enforced through your contracts with acquirers and card brands, although a few US states have written parts of it into statute), merchants that do not comply may face stiff fines from the card brands, card reissuance costs, costly forensic investigations, suspension of processing privileges, and brand damage should a breach occur.
It is therefore imperative that your business audits its internal processes and infrastructure regularly, so that continued compliance is demonstrable rather than assumed and you avoid a costly blow to your ecommerce operations.
Personal Data Privacy
At a time of unprecedented consumer data collection, breaches and misuse are happening more frequently and with more damaging effect. In response, jurisdictions around the world are concentrating on mandating safeguards for user data and holding businesses more accountable when incidents occur.
The major example is the EU General Data Protection Regulation (GDPR), widely regarded as the most stringent data protection framework in the world and effectively the benchmark for global privacy compliance.
Unlike PCI DSS, GDPR is law: companies in violation face fines of up to €20,000,000 or 4% of worldwide annual turnover, whichever is higher. It also applies to businesses outside the EU that offer goods or services to people in the EU, so an ecommerce business does not need a European office to be in scope.
When expanding into European markets, you will need to ensure you are meeting at least the following requirements:
- Obtaining clear, affirmative consent for data collection wherever consent is the lawful basis you rely on
- Giving users the ability to access, correct, export, and delete their personal data, and to withdraw consent as easily as they gave it
- Establishing stronger data accountability and security practices (data protection by design and by default, and records of processing)
- Appointing a data protection officer where the regulation requires one, for example when your core activities involve large-scale, regular monitoring of individuals
- Documenting data breach procedures
- Reporting a personal data breach to the supervisory authority within 72 hours of becoming aware of it, and to the affected individuals without undue delay when the breach is likely to result in a high risk to them
GDPR, while massive, is not the only strict privacy law to materialize in recent years, and more are poised to follow. The California Consumer Privacy Act, for example, gives consumers the right to know what personal information a business collects about them and with whom it shares it, to have it deleted, and to opt out of its sale. Consumers whose non-encrypted personal information is exposed in a breach caused by the business's failure to maintain reasonable security can sue for statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater), and the California Attorney General can seek civil penalties of up to $2,500 per violation, or $7,500 per intentional violation.
We are only going to see more laws like these protecting the digital community, so it is imperative that your business is resourced to meet both existing requirements and those still to come.
Combating Fraud
We touched on the damage inadequate fraud controls can do in the first two articles of this series, and on why smaller ecommerce businesses are wise to outsource this function entirely given the cost of doing it in-house. Once you reach a certain size, however (as the cost analysis below shows), bringing it in-house starts to become a necessity.
Properly managing fraud requires an entire team, not one or two staff members assigned the responsibility on the side. Typically, that team looks something like this:
- Fraud investigators who manually review orders that are too ambiguous to decide via automation
- Analysts dedicated to reviewing and tuning the rules and scoring models in your fraud-screening and payment systems
- IT staff responsible for maintenance, data quality, and system security
- Chargeback specialists who investigate and resolve customer disputes
- Customer service agents who handle the actual back-and-forth with customers
When doing business globally, you will also want your fraud team to respond quickly, which means staffing across time zones so that matters are resolved efficiently.
With respect to maintaining your merchant account, you should also be wary of “friendly fraud,” which can deal a fatal blow to your standing if not properly managed. Friendly fraud occurs when a customer who knowingly made the purchase nevertheless calls their bank and initiates a chargeback. As we mentioned in the second part of this series, if your chargeback ratio exceeds a certain threshold (the card brands' monitoring programs begin at roughly 1% of transactions), your account can be suspended or even terminated. It is therefore vital to have an experienced team that can distinguish third-party fraud from friendly fraud and contest illegitimate disputes with evidence such as delivery confirmation, device and IP data, and order history.
On top of all this, your team should be tasked with implementing the mitigation strategies we discussed previously.
Managing International Taxes
It is challenging enough to stay on top of new tax regulations in your home jurisdiction, but when expanding an ecommerce business into international markets, managing the taxes of every jurisdiction becomes extremely complex. We highly recommend bringing on an international tax lawyer to oversee this part of your business; at the very least, you should be consulting one regularly.
To simplify, there are two primary categories of consumption tax you will be responsible for collecting and remitting: sales tax and value-added tax (VAT), the latter including the goods and services tax (GST) levied in countries such as Canada and Australia.
Where you have a tax obligation (nexus) and the product is taxable, you are responsible for collecting sales tax from the consumer on each purchase of your digital goods or services and remitting it to the authorities. In the United States there is no federal sales tax; it is levied by states and localities, and since 2018 a sufficient volume of sales into a state can create nexus even with no physical presence there. Jurisdictions also differ on which products and services are taxable, the rate charged, how often online sellers must file, and when returns are due.
Functionally, VAT works much the same way as sales tax, but its implementation (and implications) vary. The main difference is that it is collected at every stage of the supply chain, affecting manufacturers, distributors, and retailers, with each business crediting the VAT it paid on inputs against the VAT it charges. Because of this, the treatment differs between B2B and B2C sales (cross-border B2B sales are often accounted for by the customer under a reverse-charge mechanism), and the place of taxation varies across jurisdictions. For example, the EU used to tax B2C sales of digital services based on the seller's location; since 1 January 2015 they are taxed where the customer is located, which means you must identify and evidence each customer's country and charge that country's rate.
Ultimately, as more businesses and consumers buy digital products, governments are adding new cross-border tax rules, and without a dedicated resource overseeing this you run the risk of being overwhelmed by remittance requirements very quickly.
Cost Analysis
Now that you have a tighter grasp of the most significant government regulations your ecommerce business must adhere to, as well as what you learned in the previous two articles about merchant account activation and localization, it is time to lay out a cost analysis to determine whether a DIY approach is really the best option for your business at its current stage.
Below, we have devised three scenarios based on total monthly revenue: $500K, $2M, and $5M. The figures draw on three industry research reports: “The True Cost of Compliance with Data Protection Regulations,” “2017 True Cost of Fraud Study,” and “The Cost of Compliance.” In each table, the first cost column is the DIY (in-house) approach and the second is an outsourced payment processing platform; a dash marks a cost the outsourced route does not incur.
$500K / Monthly

| Cost item | DIY (in-house) | Payment Processing Software |
| --- | --- | --- |
| Merchant / Seller of Record costs | $200,000 | $200,000 |
| PCI-DSS initial costs | $75,000 | – |
| PCI-DSS ongoing costs | $35,000 | $35,000 |
| EU GDPR compliance costs | $150,000 | $150,000 |
| International tax compliance | $10,000 | $10,000 |
| Market research costs | $20,000 | – |
| Costs as % of Revenue | 13.3% | 10.7% |

$2M / Monthly

| Cost item | DIY (in-house) | Payment Processing Software |
| --- | --- | --- |
| Merchant / Seller of Record costs | $600,000 | $600,000 |
| PCI-DSS initial costs | $90,000 | – |
| PCI-DSS ongoing costs | $35,000 | $35,000 |
| EU GDPR compliance costs | $600,000 | $600,000 |
| International tax compliance | $40,000 | $40,000 |
| Market research costs | $40,000 | – |
| Costs as % of Revenue | 10.8% | 9.9% |

$5M / Monthly

| Cost item | DIY (in-house) | Payment Processing Software |
| --- | --- | --- |
| Merchant / Seller of Record costs | $1,000,000 | $1,000,000 |
| PCI-DSS initial costs | $300,000 | – |
| PCI-DSS ongoing costs | $100,000 | $100,000 |
| EU GDPR compliance costs | $1,200,000 | $1,200,000 |
| International tax compliance | $100,000 | $100,000 |
| Market research costs | $80,000 | – |
| Costs as % of Revenue | 8.9% | 8.0% |
There are two important takeaways from the figures above. First, as we have said before, costs as a percentage of revenue decline significantly as your business grows past a certain point, meaning larger ecommerce businesses stand to benefit substantially from moving away from an outsourced payments platform to one built and managed in-house. (The percentage rows are the report-derived totals and do not reconcile exactly with the line items shown, so treat the absolute figures as illustrative rather than as a budget template.)
Second, and perhaps more surprisingly, the initial setup, while costly at a glance, accounts for only a fraction of total cost: in every scenario the one-time PCI-DSS setup and market research items are dwarfed by the recurring merchant, PCI-DSS, GDPR, and tax compliance costs, which you carry whichever route you take. Budget for those ongoing maintenance and compliance tasks, not just the build, when scoping the switch from a third-party platform.
The Road Ahead
You are now no doubt more aware of how much the decision to outsource or build in-house can affect your bottom line. The path you choose could mean a difference of millions of dollars, so consider all your options and weigh the pros and cons of everything we have covered in the “Building vs Buying” series.
Should you have questions about outsourced ecommerce or any of the elements covered above, please do not hesitate to reach out to our team. We have built the technology that allows businesses like yours to take digital payments globally, and we have been through the steps above with our own business, so we understand the process and how to navigate it.
We hope the information shared here has helped you better understand the process and make a more informed decision as you enter new international markets.