The boom in online shopping, along with the general increase in fraudulent activity, has made ecommerce payment security vital. Ensuring the security of customer payments is the responsibility of every small business owner that accepts payments online.
What is ecommerce payment security?
Ecommerce payment security is a set of practices that ensures order checkout forms collecting customer data are hosted securely—whether self-hosted on the merchant’s store servers or hosted by its payment provider. Data must be properly encrypted during transmission, and any stored payment information must be protected.
Follow the 10 best practices listed below to keep your site and customers safe.
1. Choose a Trusted & Reliable Ecommerce Platform or Payment Processor
Among the easiest and fastest ways to start your online store while keeping ecommerce security in mind is to choose an all-in-one payment processor or a secure ecommerce platform service.
Invest in fraud protection tools. Check if your all-in-one payment solution or ecommerce platform comes with fraud protection tools. Some include it for free, but if it comes with add-on fees, it is worth the additional cost. If your provider doesn’t offer fraud protection tools, consider investing in fraud prevention and chargeback protection services.
2. Use a Secure Checkout Service
The type of checkout you use is a factor in online payment security and your level of responsibility for it. Let’s take a closer look at the two types of online checkouts.
For many small online sellers, a hosted checkout delivers everything needed to process payments in a tidy, secure package. But for others, factors such as checkout customization and lower credit card processing costs come into play. In these cases, the flexibility that self-hosted checkouts offer can be worth the additional security considerations.
| Self-Hosted Checkout | Hosted Checkout | |
|---|---|---|
| Your security responsibility | High | Minimal |
| Checkout customization options | Very customizable | Limited, or requires developer skills |
| Payment processing costs | Tend to be lower | Tend to be higher |
Merchant services choices | More options | Fewer options |
3. Secure Your Customer’s Credit Card Information
Merchants are under obligation to protect a customer’s credit card information once it is used to complete a transaction. Even more so when accepting payments from customers online. The Federal Trade Commission recorded nearly a 30% increase in reported fraud in 2022, with online shopping accounting for $358 million of the total $8.8 billion in fraudulent sales.
Make sure to look for the following online payment security features from your payment services provider:
Credit card tokenization converts your customer’s credit card data into a “token,” or string of randomly generated numbers. An ideal payment processor would have this measure in place from the checkout page. This makes it possible to safely communicate the information through payment gateways and store a cardholder’s information while adhering to Payment Card Industry (PCI) standards.
3D Secure adds an authentication step to your checkout process. Typically, this involves redirecting your customer to their bank’s authentication page, where they are to key in a code or a password sent to them via email or SMS. This method is meant to ensure that only the real cardholder would be able to complete a transaction.
Both Visa and MasterCard actively contribute to creating and developing a more advanced 3DS that aims to improve both online payment security and user experience during checkout.
AVS ensures the billing address the customer enters matches what the card-issuing bank has on its records. This mitigates unauthorized use of customer credit cards. Most payment gateways and some ecommerce platforms have settings to require certain address verification codes in order to accept the transaction. If you’re selling online, this is a crucial step for preventing fraud and the chargebacks fraudulent transactions can result in.
Stripe’s Fraud Prevention rules allow you to block transactions based on postal code. (Source: Stripe)
Chargebacks can have significant impacts on small businesses. Learn how to prevent chargebacks.
Credit card security codes, sometimes called Card Verification Code (CVC), is a three- to four-digit code found on a credit card, usually at the back (American Express CID is on the front). Names for these security codes vary depending on the credit card brand.
Card Brand | Name | Description |
|---|---|---|
Visa | Card Verification Value (CVV/CVV2) | 3-digit (back of card) |
Mastercard | Card Verification Value (CVV/CVV2) | 3-digit (back of card) |
Discover | Card Identification Number (CID) | 4-digit (front of card) |
American Express | Card Identification Number (CID) | 3-digit (front of card) |
These codes are used to help verify manually entered credit card information for both in-person and online transactions such as when accepting card payments at the register, on a virtual terminal, or when customers key in their card data on your website.
Let your customers know that they are protected. Nearly 20% of online shoppers tend to abandon their carts on websites that do not display proof of secured payments. Include security seals and add notices on the checkout page whenever possible to improve customer confidence.
4. Ensure a Secure Website Login for Your Customers
Hackers can steal your customer’s accounts (and eventually their credit card information) by targeting their login credentials. This starts from the moment customers go to your website and enter their login details. Hackers can then reset both login and verification information, which can lead to unauthorized transactions.
In one month alone, Microsoft recorded around 1.2 million accounts being successfully hacked because it did not have simple login security such as multifactor authentication (MFA).
Without going into so much technical detail, here are ways to secure your website’s login page:
MFA makes it harder for hackers and data thieves to get to your customer and payment information. These settings require customers to log in with more than just a username/email and password. Usually, customers will need to enter a verification code that’s sent to their email or phone number, or answer a security question.
Though this adds an extra step in the purchase process—and potential friction—it’s widely used. And, as consumers become more aware of cyber threats, they are also more open to extra security steps like this.
Password hashing is an authentication method that takes your customer’s password through a “hashing algorithm” and converts (encrypts) it into a unique set of symbols that cannot be reversed. You can then safely store these instead of the actual plaintext, and because it does not have a decryption algorithm, it makes it harder for hackers to use.
The Hashing Algorithm converts a plaintext password into hashed text and can then be safely stored in your database. (Source: Auth0)
Completely Automated Public Turing test to tell Computers and Humans Apart, otherwise known as CAPTCHA, is a challenge-response test program that helps to confirm that a real person is trying to access your website. For ecommerce merchants, the distorted images are meant to prevent automated systems from collecting your customer’s emails and logging in to their accounts.
With an IP address verification system, you can compare your customer’s billing information vs the IP address being used during login, and block attempts to access the account in case there is a discrepancy. Alternatively, you can set your website to block IP addresses associated with fraudulent online activities. This is usually done by accessing shareable data from third parties that maintain a record of known IP locations of fraudsters.
Encourage strong password security. You can significantly improve the security of your customer’s account by setting rules for creating a strong password and prompting regular reset/renewal.
5. Maintain PCI Compliance
Payment security standards are governed by a set of rules referred to as PCI compliance. They outline security measures that sellers accepting credit card payments must meet to help prevent security breaches and data theft.
Secure payment providers’ hosted checkouts often meet these rules for you—check to make sure that your chosen provider includes PCI compliance. With self-hosted options, you’re responsible for maintaining PCI-compliant checkout and payment data systems yourself.
You can learn more about payment security and its impact on your business in our full guide to PCI compliance.
If you choose a self-hosted option, your merchant services provider will request PCI compliance documentation each year, based on your processing volume. If you process fewer than 20,000 Visa credit card payments annually, you’ll have to fill out a Self-assessment Questionnaire (SAQ) and perform a system security scan. Reporting and scanning requirements increase as your processing volume increases.
The ecommerce method you use for your self-hosted checkout also determines your requirements for reporting compliance. (Source: PCI Security Standards)
Here are some quick tips for maintaining PCI compliance for your ecommerce business:
- Don’t store sensitive data: Do not store any sensitive data, such as credit card numbers, on your servers or in your database.
- Limit data storage & access: Only store the data you need for the shortest amount of time necessary. Restrict access to sensitive data to authorized personnel only.
- Secure business processes with firewalls and antivirus software: Use firewalls and antivirus software to protect your business from unauthorized access and malware.
- Stay up-to-date with security patches: Install security patches as soon as they are released to protect your systems from known vulnerabilities.
- Update your business software often: Update your business software to the latest version to ensure that it is secure and up-to-date with the latest security standards.
- Train employees about security and protecting cardholder data: Ensure employees are up-to-date on security best practices and how to protect cardholder data.
- Regularly test your security measures and processes: Ensure that your security measures are effective by conducting regular tests.
- Secure your network with WPA or WEP encryption: Use WPA or WEP encryption to secure your network and prevent unauthorized access.
PCI DSS Update: PCI DSS is currently in the transition period from v3.2.1 to v4.0, so both versions are active. By March 31, 2024, PCI DSS v3.2.1 will be retired, and PCI DSS v4.0 will be the only active version.
6. Keep Your Customers & Employees Informed
Consumer awareness is a key factor in keeping your website safe from hackers—especially if your website allows for employee and customer logins. Cyberattacks often target users to look for vulnerabilities, so apart from providing a secure website infrastructure, educating your website users on the most common hacking strategies is a must.
Hacking Strategies
- Phishing: Where hackers pose as legitimate websites to try to extract credit card information from customers.
- Spoofing: Where hackers send fictitious emails to customers sending them links to fake websites which can record keystrokes for data such as login details and credit card information.
- Sniffing: Where hackers try to intercept bits of data called packets sent over the internet to try and take sensitive information.
What to Do
- Make sure your customers are aware of these malicious attacks. Take the opportunity to post reminders on your website, newsletters, and emails.
- Provide illustrative examples to help them immediately identify fictitious emails.
- Give them clear instructions on what to do should they encounter such.
The PCI Security Standards Council also emphasizes the need for educating employees on information security. Those who have access to cardholder data are also susceptible to spoofing, which can give hackers access to their login credentials.
7. Always Use HTTPS & SSL
Secure Sockets Layer (SSL) encrypts data that is communicated on your website. Adding an SSL transforms your website’s HyperText Transfer Protocol (HTTP) address into a Secure HyperText Transfer Protocol (HTTPS), which encrypts your cardholder’s data during online payment transactions. This makes it harder for hackers to get sensitive information such as names, addresses, ZIP codes, and credit card numbers.
More people are becoming aware of this and completely avoid websites that do not have HTTPS on the address bar. Search engines like Google also favor HTTPS pages and, at the same time, flag users for websites that only use HTTP.
Customers can tell whether or not your site is SSL secure based on how the URL appears in their browser.
8. Monitor Transactions & Flag Suspicious Activity
Review your transactions at least on a weekly basis. If you have a high number of daily transactions, review them at the end of each day. This helps you to keep a close eye on what’s happening and immediately flag any suspicious activity.
Over time, you’ll gather more data about ecommerce security and your own payment landscape. You’ll be able to unearth trends—for example, are there trends related to chargebacks? How can you address those trends? Do you have lots of orders with different credit cards from a single IP address? You might need to block that IP. Did you receive an unusually large order? Perhaps reach out to the customer to confirm or ask for a different payment method.
9. Stay Updated With Fraud Tactics
Avoid getting blindsided by the latest fraud tactics by staying up to date with new hacking strategies and security practices. There are always new developments in cybersecurity that may help improve your online payment security, but cybercriminals are also constantly coming up with new ways to hack and get into payment environments.
Common Fraud Tactics
- Synthetic fraud: This type of fraud involves stealing personal information from other people and using those to create fake (synthetic) persona, which is used to create accounts and go on shopping sprees.
- Refund fraud: This involves purchasing from an online merchant and asking for a refund later using made-up reasons such as the product did not arrive, the item is defective, or the wrong item was sent.
- Account takeover fraud: This happens when a fraudster gets access to an existing account on a merchant site. The fraudster then uses this account to make purchases or, in some cases, withdraw funds.
What to Do
- Remind your account users to secure their accounts with regular password updates or two-factor authentication.
- Require ID verification upon sign-up and creation of new accounts.
- Set clear and definite terms for refunding items.
10. Offer Other Secure Forms of Payment
Credit and debit cards are not the only forms of online payment. Consider including other payment types with built-in security features. Echecks and automated clearing house (ACH) payments use the ACH network—a secure network for moving money from one bank account to another—instead of card networks.
Another option is to accept digital wallets such as PayPal, Apple Pay, Google Pay, and Samsung Pay as forms of payment. When a customer uses their digital wallet for payment, the payment information is not stored on your end. Aside from this, popular digital wallets use heavy encryption in storing and transmitting sensitive information.
Bottom Line
Ecommerce payment security plays a key role in the trust relationship between your company and customers. Luckily, secure payment processing technology is constantly improving. Plenty of online store solutions provide secure hosted checkouts that protect both you and your customers. All-in-one payment processors, platform payment services, and traditional gateways all offer secure checkout options for the small online seller.
