The global pandemic
One of the biggest concerns when it comes to digital payments is online payment security. This is a concern that both merchants and customer share, and it doesn't come as a surprise to anyone considering the amount of online payment fraud that's happening around us.
According to Statista the losses for the ecommerce industry were expected to reach over $20 billion globally in 2021 as a result of payment fraud, which is 14% more than the previous recorded year, in which losses amounted to $17.5 billion. The global pandemic was one of the biggest contributors, causing more and more merchants to move their business online, and exposing them to fraud for which they weren't really prepared.
Value of e-commerce losses to online payment fraud worldwide in 2020 and 2021. Source: Statista
As the whole world has moved to online shopping, fraudsters can't resist the urge to take advantage of it. In fact, it is estimated that online payment fraud cost businesses worldwide around 1.8% of their total revenue.
This unfortunate tendency not only impacts businesses and customers from a financial perspective, but also decreases customers' trust in online shopping as they don't always trust merchants with their payment data or other sensitive information. In this article, we will discuss some of the most effective ways to ensure online payment security as a merchant - so, without further ado, let's dive right into it.
1. Encrypt data with an SSL certificate
Securing transactions with SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols is an extremely important step to ensure that sensitive information is encrypted and only accessible by the intended recipient. But how does SSL and encryption work?
The process is very simple. Once the SSL/TLS certificate has been installed on a web server, it will enable the SSL/TLS protocol, which facilitates encryption. Encryption works by generating a session key each time a user visits a website, which is randomly generated and only the server and the user (client) have access to it.
This means that if a cybercriminal would try to manipulate the communication between the user (client) and the server, they wouldn't be able to do that without the correct key, which is inaccessible by anyone other than the client and the server. In other words, encryption prevents data from being intercepted by fraudsters by encoding it.
2. Make use of Payment Tokenization
Payment Tokenization is another effective way to ensure online payment security for digital transactions. It works by converting sensitive data (for example, credit card numbers) into algorithmically-created values called tokens. A token is a random combination of characters with no exploitable meaning, and it can only be mapped back to the original data within the tokenization system.
This means that tokens would be undecipherable outside of the tokenization system in which they were generated, making it impossible for fraudsters and cybercriminals to figure out the original sensitive data that's being protected by the token.
Some of the benefits of payment tokenization include:
• Improved online payment security for merchants and customers
• Helps sellers establish trust with their customers;
• It can prevent penalties and revenue loss as a result from data breaches;
• It allows merchants to store credit card data for recurring payments;
• Payment tokenization also allows makes it easier to achieve PCI-DSS compliance;
PCI-DSS, also known as the Payment Card Industry Data Security Standard, is a standard established by the biggest card brands, and it was designed with the purpose of reducing fraud and increasing online payment security. We will talk more about it in our next section.
How does payment tokenization work? Source: medium.com
3. Achieve compliance with PCI-DSS
As we just mentioned, PCI-DSS compliance is a payment security standard established by major card brands such as VISA, Mastercard and American Express, and it is obligatory for all merchants that accept online payments or process payment cards in any shape or form.
In other words, if you are operating with credit card data, you should be compliant with PCI-DSS.
The requirements of the PCI standard revolve around the following main pillars:
• Building and maintaining a secure network
• Maintaining a Vulnerability Management program
• Restricting physical access to cardholder data
• Assigning a unique ID to each person with computer access
• Regular monitoring of all accesses to network resources
• Maintaining an Information Security Policy
Unfortunately, becoming compliant with PCI-DSS can be expensive for merchants, with prices starting at $5,000 and reaching up to $75,000 for larger enterprises. Luckily, there is a cheaper and more effective way to do it - by accepting payments with a Payment Gateway that is already Level 1 PCI-DSS compliant, such as MYMOID.
With MYMOID, you can accept payments online in a fast, simple and versatile way, and ensure online payment security for your customers while optimizing their experience for better conversion.
4. Update your operating system
Another important measure to take into account in order to ensure online payment security is making sure that your operating system is up to date. This detail is often neglected by merchants, but hackers and fraudsters can easily take advantage of outdated software, resulting in possible data breaches among with other issues.
So, as a merchant, you need to make sure that all your software is always updated in order to reduce vulnerability and exposure to cybercriminals.
5. Implement 3D secure
Another effective way to ensure online payment security for your business as a merchant is to implement the use of 3D secure. 3D secure is a credit card authentication method, and it provides an additional layer of security for credit and debit card transactions online.
The name itself makes a reference to the three "domains" which interact using the 3D secure protocol:
• The merchant/acquirer domain
• The issuer domain
• And the interoperability domain
Ensuring online payment security with 3D Secure. Image source: wikipedia.com
This authentication method serves the purpose of preventing the unauthorized use of credit and debit cards, protecting merchants from possible chargebacks that may occur in the event of a fraudulent transaction.
When 3D secure is implemented, what happens is that the card issuer (or the ACS provider) will ask the buyer to type down a password that is only known by these two parties. Because the merchant doesn't know this password and has no responsibility in capturing it, the card issuer can use this as an evidence that the buyer is the real holder of the credit or debit card.
The reason why this authentication method adds such a good layer of online payment security is because the password required by the card issuer is not written on the card itself (as opposed to the CVV number, for example). So, even if a hacker or a fraudster has managed to get hold of the card, he won't be able to complete the purchase without this additional password.
6. Ask for the CVV number
While this method may not be as effective if the fraudster has managed to steal the actual credit or debit card (because the CVV number is written on it), it still adds an additional layer of security in many cases. For example, if cybercriminals only have access to the credit card number and not the physical card, they might not be able to complete the online purchase without it.
So, merchants can use this method to help ensure online payment security by asking for information that's only available on the card itself.
The CVV number is a three or four-digit number that can be found on the back of the credit card, and it proves that you actually have the physical card with you when making a purchase online, thus preventing identity theft.
Example of a CVV number at the back of a credit card.
7. Monitor for fraud and security threats continuously
In order to ensure online payment security, merchants should continuously monitor their operations and transactions for suspicious or fraudulent activity. Luckily, there is one easy way to do that, and it is by implementing a Payment Gateway that offers a robust and reliable system against security threats and fraud.
8. Comply with the European Directive PSD2
The PSD2 directive went into effect on the 14th of September 2019, and it was designed with the purpose of introducing obligatory security requirements for the processing of online payments and the protection of customers' payment data.
In other words, it was created with security on top of mind, obligating banks and merchants to implement multi-factor authentication for all proximity and remote transactions independently from the channel on which they were performed.
To meet this requirement, the multi-factor authentication has to include at least 2 of the three main features defined in the directive:
• Knowledge: Something only the user knows, e.g., password, code, personal identification number
• Possession: Something, only the user, possesses, e.g., token, smart card, mobile handset
• Inherence: Something, the user, is, e.g., biometric characteristics, such as a fingerprint
Among other requirements defined under the directive, merchants and banks should also seek the perfect balance between security and convenience, highlighting the importance of smooth payment experience for users.
MYMOID offers personalizable payment solutions that not only help merchants meet the requirements of PCI-DSS, PSD2 and GDPR, but also allow them to establish and optimize the payment experience for their customers to make it as smooth and intuitive as possible.
9. Require a strong password
Another important measure that merchants can undertake to ensure online payment security for their customers is to require a strong password. Most cybercriminals and fraudsters attempt to access user accounts starting with the most popular combinations that users usually come up with.
Some examples include names, birthdays, birthplaces, and dictionary words that are easy to remember. Ideally, a strong password should contain a combination of:
• Uppercase letters
• Lowercase letters
• Special characters
As a merchant, you can consider adding a password generator that automatically creates these combinations for them in order to facilitate the purchase or the creation of an account. In the event of forgetting the password, they can always request a password reset.
Just as we mentioned in the previous section, all merchants should comply with the European laws for strong authentication such as the PSD2. Requesting a strong password as an additional layer of security can help to achieve this compliance.
10. Match the transaction details
Another way to add an extra layer of online payment security is to match the billing address information of the customer's credit card and the IP of the customer to ensure that the he is indeed the holder of the credit card.
Checking these details during the transaction can sometimes indicate a potentially fraudulent transaction, and it will also protect the merchant before the fraud even occurs. This is very important because a high amount of chargebacks can lead to penalties for merchants by the credit card issuer.
11. Establish secure internal processes
Online payment security starts from the way your employees handle sensitive information during internal business processes. You can train them with the necessary skills and knowledge so they are able to immediately recognize fraudulent activity when they see it, and of course, respond adequately to it.
Handling sensitive information correctly is also one of the requirements of the PCI-DSS standard, and failing to do so may lead to possible penalties by credit card issuers.
Establishing the best practices for online payment security and the safe processing of payment data should be on top of mind for all merchants not only because it protects customers, but also because it protects them as well.
Luckily, you don't have to figure out everything on your own - with the right Payment Gateway partner, you can deliver safe payment solutions that meet all industry standards and regulations while providing the best user experience for your customers.
Stay updated with the latest news, tricks and tips for MYMOID
¿Qué medidas tomar para reducir las vulnerabilidades antes de que sea demasiado tarde?
¿Qué es exactamente un banco adquirente?, y ¿cuál es su papel en la gestión de transacciones?
Pioonering digital payments since 2012. Trusted by +5.000 companies, startups and retail stores.