Data security is essential for merchants and online entrepreneurs. The payment industry has shifted to online and digital methods of money transactions, and while that brings with it many benefits, it also created new avenues for fraudulent activity.
Luckily, there are several industry practices you can leverage to better protect your entire payment system. To help you reduce your risk, provide your customers with a safe form of payment, and to protect against bad actors, read on to discover the 10 best practices for secure online payment processing.
Table of Contents
- Understanding Your Payment System
- 10 Secure Online Payment Processing Best Practices
- Additional Resources
Understanding Your Payment System
A quick refresher of your payment system and its individual components will help you organize your setup in the most efficient way.
- Point-Of-Sale Infrastructure: First, your client will present a card to make payment. You must have a payment terminal that can accept the various forms of card transaction (EMV Chip, Swipe, Tap, etc). A payment terminal includes the necessary software to facilitate any credit card transfers, and it will connect to your cash register. The cash register will balance funds and print receipts based on the information provided by the payment terminal. With successful payment, the cash register will connect with your merchant bank to process payment (or any cloud based service providers if used). The acquiring bank or processor facilitates the actual exchange of money from the customers credit card to your merchant account, completing the payment system.
- E-commerce Infrastructure: The same payment ecosystem exists for online vendors, but it offers a different customer journey. Clients can view sales pages of your products found on your E-commerce website. When making a purchase, the customer routes a payment page that accepts the credit or payment information. Shopping cart applications may support the payment page, or a third-party e-commerce providor can manage all payment processing. When a customer’s credit card info is supplied, your e-commerce provider will protect the data on its secure servers and will help facilitate the actual exchange of cash to your merchant account.
Many merchants use a combination of both systems, and could have multiple routing options
10 Secure Online Payment Processing Best Practices
While point-of-sale and e-commerce systems offer simple and convenient payment methods for your customers, both processes store data, meaning you must follow data compliance and security protocols. Use the following 10 payment processing best practices to create a secure cardholder data environment.
1. Use Strong Passwords
Passwords are your first line of defense and offer an effective form of protection against bad actors. According to a report by Verizon, 61% of data breaches in 2021 connected to leveraged credentials. Moreover, two out of every five people have had their identity and information hacked, with 80% of fraudulent logins due to weak passwords.
The good news is that passwords work. A password with 12 characters offers 62 trillion additional possibilities compared to 6 character passwords, drastically deterring hackers, even if they have extended computation power. You can protect your payment system with advanced passwords, and it takes little effort to do so.
Use the following elements to create a strong password:
- Use more than seven characters
- Randomize the characters (i.e. it is not a word found in the dictionary)
- Do not use any personal information (i.e. a company name)
- Include a mix of special characters (numbers, lower case, symbols)
- Avoid common passwords (it took hackers less than one second to crack the password “password” in 2020)
- Use no default passwords included in a machine settings
All employees that interact with your payment system should have their own login credentials for better security. E-commerce systems can also add individual customer accounts for yet more data protection.
2. Use Data Encryption to Protect Stored Data
Any payment transaction on your system involves the collection of a client’s information and card data. It is your job to protect that data and safeguard against any fraudulent use.
One of the most helpful ways to reduce your risk and protect your customers is to store as little data as possible. If you collect unneeded data, it is in your best interest to delete or destroy it. Not only does this limit your risk, but it decreases server usages and the possible amount of data exposed in the event of a breach.
If you must collect extra data for safe payment transactions, take advantage of tokenization. Tokenization refers to using cryptographic algorithms to scramble any information so that it is unusable to anyone. The scrambled data is known as a token, and it makes data that is at rest useless to any hacker.
If you need to move any data, it is a good idea to use point-to-point encryption. Similar to tokenization, encryption turns any collected information into unreadable text (in this case, ciphertext). But encryption ensures that whoever receives the data can only access the information with the proper encryption key. The single key decrypts ciphertext back into legible script, making all data exchanges to the correct party far safer. Most credit card institutions already employ a range of encryption tactics (e.g. the magnetic stripe on a card only decrypts with a confirmed payment terminal card reader that acts as the key).
3. Protect Your Physical Hardware From Tampering
Bad actors might attempt to breach your physical hardware just as much as your e-commerce software.
Credit card skimmers are an obvious example, where fake card terminals route data to the hacker’s server rather than your payment system. In 2020, Verifone and Ingenico, two major point-of-sale suppliers, had all of their legacy systems exposed to malware delivered through a simple USB. Plus, an often-overlooked form of internal security risk comes from employees who have extended access to physical sale devices.
Physical end-point devices will always come with inherent risk, so it is a good practice to limit any potential tampering. Here are a few ways to protect your payment system infrastructure:
- Set a routine schedule for visual inspections (look for broken seals, missing parts, extra wires, or missing labels)
- Maintain your devices and initiate needed repairs
- Only use authenticated and qualified repairmen
- Store spare devices in a secure location with limited access
- Securely mount devices in well-light and public areas that deter tampering
- Ensure that all physical codes match supplier and digital serial numbers
- Do not hesitate to check a device if chip readers or mag stripes fail numerous times.
The Payment Card Industry Council has adopted Pin Transaction Security (PTS) requirements that help standardize the security of point-of-sale and e-commerce devices. Still, regular inspections are an effective preventative measure that protects your payment systems, especially for legacy equipment made before PCI compliance measures came into effect.
4. Protect End-Points With SCA
In addition to monitoring the physical hardware of your payment system, it is a good idea to protect the network that each of your devices connects to. Your payment system runs on a network via the internet, and most bad actors exploit end-point devices to access that system and the data it holds. A laptop, phone, or payment terminal end-point presents a weak point—even more so if you use a digital e-commerce solution.
To defend against uncontrolled software access, use Strong Customer Authentication (SCA). SCA requires any user who logs into your system to present at least two of three possible identity factors:
- Something they know (a PIN number)
- Something they own (a mobile phone)
- Something that they are (a face or fingerprint scan.
Not only does SCA (also known as multi-factor identification) help prevent identity theft, but it also is highly effective against automated or bot attacks. Microsoft reported a 99.9% less likelihood of compromised accounts when users employed multi-factor authentication.
Another excellent method to reduce fraudulent activity involves card verification requests. The three-digit security number on the back of a credit card is known as the Credit Verification Value, and it validates the identity and authenticity of a payment card. Not only does this protect each customer as they purchase goods from your sales page, but it can prevent the illegal use of a credit card number. For example, if a user’s credit card info leaked online, without the CVV on the back of the physical card, a bad actor can make no fraudulent purchases.
Lastly, you can use local address or IP address verification software to deter fraudulent activity. Verification applications match the supplied information from a login or purchase attempt and compare it to any data kept on file, flagging any suspicious or incorrect values. If a customer has their credentials stolen and the bad actor attempts an illegal purchase, the local address supplied will not match the IP or location on file or listed with the credit card itself. The software will raise an alert, helping prevent any further illegal activity.
5. Use Trusted Third-Party Providers
In many cases, you will rely on third-party suppliers to facilitate the different aspects of your payment system. You might use a service to increase the speed of your payment processing, or you could hire an e-commerce provider to manage your data on their server. In most cases, third-party providers are an excellent way to reduce overhead costs, increase business efficiency, and enjoy enhanced security.
For example, it is far safer to allow a third party to store all collected credit card data. Not only does this remove your direct risk and liability, but the provider itself will have better security infrastructure and protective controls since they hold a large amount of sensitive information from numerous merchants.
Of course, it is still important to do as much research on the companies you use to help set up your payment system. Ensure that all third-party providers meet PCI compliance standards. It is also a good idea to request their security measures upfront and to check online reviews from other e-commerce vendors. Keep a list of your third-party service providers and ensure that they all integrate together, starting with your payment terminal and ending with your merchant bank.
6. Fraud Monitoring
The best kind of protection is preventative, and several solutions or applications offer robust verification and fraud monitoring software that can detect and defend against malicious activity. Having tools that track each transaction, troubleshoot weak points, keep a log of user activity, and provide security insights from the data collected can improve the overall security of your entire payment system.
Global payments fraud cost $32.39 billion in 2020 and is expected to grow to $40.62 per year by 2027 as hackers increase the sophistication of their attacks. E-commerce retailers reported having lost over $20 billion alone in 2021, an 18% increase compared to the previous year. Fraud detection systems can help limit such hefty losses.
It is in your best interest to employ a high-level fraud management systems that keep you protected:
- Install Antivirus Software: Your payment system might use laptops or other devices that need antivirus protection to defend against malware. Update your systems whenever possible, and use the latest security patches in your payment terminals.
- Use Fraud Scanning Applications: Several third-party applications can use machine learning to track customer behavior, analyze suspicious activity, and confirm the safety of each transaction that occurs in your system.
- Use Vulnerability Scanning: Vulnerability scanning does not track fraudulent activity but instead searches out trouble spots associated with your system. Cybercriminals are creative and will exploit any areas of weakness, so use scanning tools to locate and fix system problems. Vulnerability scanning is required for PCI compliance (section 11.2), so use a PCI Approved Scanning Vendor (PCI ASV).
7. Train Employees and Restrict Access
Verizon reported that 36% of all data breaches occur from internal actors. Privilege abuse is a common form of fraud, and it can occur with any stakeholder connected to your business, including employees, contractors, interns, and management staff.
To prevent fraud from within, it is common practice to restrict system access. Any business involved with your payment systems should operate on a “need-to-know” basis. The fewer players with access, the easier it is to deter fraud, whether friendly-fire or not. Use the following access practices to protect your payment system.
- Access Control: Most employees can do their jobs without total access to sensitive files or customer information. You can use software to limit what apps each management level can enter, keeping files far more secure. Plus, if a user’s credentials are compromised, the bad actor cannot gain total access to business operations.
- Access Tracking: It is a good idea to implement access tracking that logs each keystroke or digital action made by an employee. In the event of fraud or a data breach, you can check the logs to determine whose login got hacked and the type of data stolen.
- Employee Awareness: Employees should know your business’s security controls. Training keeps them and your customers safe, and it can reduce instances of friendly fraud (e.g. an employee downloads malware on accident).
- Device Disposal: Only used a trusted payment service provider to destroy old devices, helping limit data recovery or further physical tampering.
8. Use Secure Payment Terminals
You are required to use a payment terminal that meets the standards set by the Payment Standards Security Council. The compliance regulations for acceptance terminals connect with customer requirements, where every cardholder must present a personal identification number (PIN). Together, your payment terminal and the unique pin of the customer help create safe transactions.
To ensure the safety of your customer’s PIN and the additional info supplied via the attached credit card company, it is in your best interest to use PCI validated terminals only. Such considerations extend to your virtual terminal as well as the digital store connected with your e-commerce website.
Lastly, ensure that any payment processors of other service providers you use are compliant with PCI Data Security Standard (PCI DSS). DSS is the set of security regulations regarding credit card transactions, so select providers that are compliant with most major credit card institutions.
- List of PCI Validated and Products and Solutions
- List of PCI Validated Applications
- PCI DSS Guidelines
- List of MasterCard Compliant Service Providers
- List of Visa Card Compliant Service Providers
9. Protect Your Software From Bad Actors
If you use a web application at any point within your payment system, it is vulnerable to hacking. There are several different methods a bad actor will use across a digital channel, such as phishing, pagejacking, and credential stuffing. Payment systems within e-commerce have revolutionized the speed and convenience of payment transfers, but they also give other avenues for bad actors to stage attacks. It is a good idea to set up safeguards that protect against such activity.
- Firewalls: While an antivirus scans and deters malicious applications, a firewall acts more like a bodyguard, deciding which users or programs can gain access to your individual payment network. Implement a high-level firewall on all apps connected to the web.
- 3D Secure: 3D secure is an internet protocol that connects you, your bank, and a credit card institution together. Each domain shares customer transaction data, helping improve transparency, fraudulent behavior detection, and limiting chargebacks, a common form of friendly fraud.
- Usage Isolation: Only use specific and designated devices for your payment system. Accessing the web or using other business operations on your payment network creates a larger surface area for hackers to attack. Isolate your payment system within its own silo for enhanced security.
- Wifi Protection: Use a separate WIFI network for your payment system to further increase its isolation. Secure all WIFI devices with WPA2.
10. Remain PCI Compliant
Whenever possible, achieve PCI compliance. The Payment Card Industry Security Standards Council enforces regulations for the betterment of the entire payments and e-commerce industry. Meeting all compliance standards is a requirement, but it also offers you advanced instruction on keeping your systems secure.
For example, you must have a Secure Reading and Exchange of Data (SRED) module for PCI compliance. SRED requirements outline how to keep all Points Of Interaction (POI) safe, and it discusses elements such as encryption, the data your payment terminal can collect, and information authentication.
Another example involves Transport Layer Security (TLS) and Secure Socket Layer (SSL) certificates, a method for ensuring the safety of browser connections. While once a requirement, PCI announced in 2018 that TLS 1.0 did not meet compliance and now requires better protocols.
Continue to take assessments of your systems and confirm they achieve compliance with PCI requirements, keeping you secure while also avoiding any fines.
Additional Resources:
General:
- How to Create an Online Payment System for Small Business
- 20 Information Security Tips for Payment Processors
- Best Practices to Guarantee Payment Security Online
- Rapyd 10 Best Practices for Secure Online Payment Processing
- Payment Card Industry Security Standards Council Guide to Safe Payments
- Everything You Need to Know About Achieving PCI Compliance
- Payment Card Industry Pin Transaction Security Requirements
- How to Keep Your PCI Compliance Status Up-To-Date
Passwords:
Data Encryption:
Physical Device Protection
Strong Customer Authentication:
- Understanding Strong Customer Authentication & PSD2
- Strong Customer Authentication Solutions from Stripe
Third-party Providers
- Top 10 Payment Processing Companies in the World
- Best Payment Gateways of 2021
- The 10 Best Online Credit Card Payment Processing Services For Small Businesses
Fraud Monitoring
Access Restrictions
Payment Terminals
- List of PCI Validated and Products and Solutions
- List of PCI Validated Applications
- PCI DSS Guidelines
List of MasterCard Compliant Service Providers - List of Visa Card Compliant Service Providers
E-commerce Firewalls
PCI Compliance