PCI Level I Compliance & Selling Virtual Items Online

Game publishers that wish to monetise through the sale and management of virtual items need to understand how PCI compliance relates to the e-Wallet.

Included in this is the ability to STORE credit card data at the ACCOUNT level for e-Wallet purchases and one-click buying (spontaneous buying), either in or out of game.

When discussing an e-Wallet capability, gamers must have their form of payment stored at the ACCOUNT level so that VC (virtual currency) deposited into the e-Wallet can then be spent from a ‘stored balance.’

The only thing that matters is CONVERSION. Since the first static page was posted and an effort was made to get users to sign up for a newsletter or become a member, there has been one primary metric that matters: CONVERSION. Conversion is ‘the line in the sand.’ Conversion is taking a user from being a looker to a participant (which can mean buying, signing up, registering, trying another game or character class, etc.), depending upon the business goal.

For this piece, let’s keep it generic and call this the desired action (DA) that a business wants to achieve.

A barrier to entry is any ‘design element’ or ‘feature set’ that lets the user walk away before taking the DA. There are so many barriers to entry that avoiding them is almost more ART than SCIENCE.

How does this pertain to Virtual Asset Sales?

Remember, a barrier to entry is anything that lets the user walk away or impedes the DA. In the gaming example, don’t let your gamers leave the fantasy state. The moment they have to walk across the room to get their wallet, the phone rings, or the neighbours wave through the window, the gamer is taken out of the fantasy state, and really, a good game keeps you in that cool place.

The Pieces and How They Fit – ‘One Click Buying’
  1. USER registers with user name and password
  2. ACCOUNT created
  3. USER has an ACCOUNT (no form of payment attached)
  4. USER wishes to buy using a credit card
  5. USER enters payment details in registration form (PCI Compliant form)
  6. Credit Card details can only be appended to the ACCOUNT if the provider is PCI Compliant
  7. ACCOUNT now has user name/password/payment details (assuming PCI compliance)
  8. USER purchases VC (Virtual Currency) - $5 for 500 pieces of VC
  9. $5 purchase is processed against the credit card at the ACCOUNT level
  10. 500 pieces of VC are placed into the e-Wallet
  11. FUTURE PURCHASES can now be made against the e-Wallet, with no percentages or transaction fees (some providers charge for virtual transactions within the e-Wallet)

USE CASE – e-Wallet runs out of VC
  1. USER wishes to purchase a virtual item for 600 VC (existing balance is 500 VC)
  2. USER needs 100 VC more to buy the item
  3. Conversion Barrier –
     a. the SERVICE PROVIDER is not PCI Compliant
     b. there is no stored credit card information at the ACCOUNT level (due to no PCI Certification)
  4. IMPACT – USER must go and get their credit card (remember the waving neighbours) and re-enter all payment details for EVERY purchase.

NOTE – this has been a major barrier to conversion since the internet was launched, and it is why EVERY online merchant tries to design purchase flows that keep the USER within the buying experience when the 'intent to buy/transact' is high.
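To make the one-click flow and the run-out use case above concrete, here is an added example (not code from this post or from any payment provider) that models the ACCOUNT, the e-Wallet and the PCI gate: the merchant only ever holds an opaque token issued by a hypothetical PCI Level I provider, never the card number itself, and with a non-compliant provider nothing can be stored, so the top-up in the use case hits the re-entry barrier. The provider, the token format and the class names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

VC_PER_USD = 100  # the post's rate: $5 buys 500 VC

class ConversionBarrier(Exception):
    """The buyer would have to leave the flow and re-enter card details."""

@dataclass
class PaymentProvider:
    """Hypothetical provider; only a PCI Level I provider may hold card data."""
    pci_level1: bool

    def tokenize(self, pan: str) -> str:
        # Constructed stand-in for vaulting: the merchant receives an opaque
        # token and never stores the PAN itself.
        return "tok_" + pan[-4:]

    def charge(self, token: str, usd: int) -> bool:
        return token.startswith("tok_") and usd > 0

@dataclass
class Account:
    username: str
    vc_balance: int = 0
    payment_token: Optional[str] = None  # set only via a compliant provider

def attach_card(acct: Account, provider: PaymentProvider, pan: str) -> bool:
    """Step 6: card details go on the ACCOUNT only if the provider is compliant."""
    if not provider.pci_level1:
        return False  # no PCI certification: nothing may be stored
    acct.payment_token = provider.tokenize(pan)
    return True

def buy_vc(acct: Account, provider: PaymentProvider, usd: int) -> int:
    """Steps 8-10: charge the stored card and deposit VC into the e-Wallet."""
    if acct.payment_token is None:
        raise ConversionBarrier("no stored card: user must re-enter details")
    if not provider.charge(acct.payment_token, usd):
        raise RuntimeError("charge declined")
    acct.vc_balance += usd * VC_PER_USD
    return acct.vc_balance

def buy_item(acct: Account, provider: PaymentProvider, price_vc: int) -> int:
    """Use case: top up from the stored card when the e-Wallet runs short."""
    shortfall = price_vc - acct.vc_balance
    if shortfall > 0:
        buy_vc(acct, provider, -(-shortfall // VC_PER_USD))  # round up to $
    acct.vc_balance -= price_vc
    return acct.vc_balance
```

With the compliant provider the 600 VC item is bought in one click (a $1 top-up is charged against the token); with the non-compliant one the same purchase raises `ConversionBarrier`, which is the point at which the gamer goes looking for their wallet.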
