Ecommerce payment security means that the order checkout forms that collect customer data are hosted securely, whether self-hosted on your store’s servers or hosted by your payment provider. The data must be properly encrypted during transmission, and any stored payment information must be protected.
The boom in online shopping, along with the increase in fraudulent activity, has made ecommerce payment security vital. Follow the 10 best practices listed below to keep your site and your customers safe.
1. Use an All-in-One Payment Processor
All-in-ones roll a secure hosted checkout and merchant account into one service. They’re the most popular choices for small online sellers because of their ease of setup, straightforward pricing, multiple services, and selling options, and, of course, security. Most all-in-one payment processors offer quick one-click integrations with top ecommerce platforms, so for most, setup takes just a few minutes.
Here are three top names in secure all-in-one payment processing solutions:
2.9% + 30 cents per transaction; no monthly fees
2.9% + 30 cents per transaction; $0–$20/month
Lets you process PayPal Payments along with all major credit cards. Can be used with any website. Some plans are self-hosted.
2.9% + 30 cents per transaction; no monthly fees
1-click integrations with more than 50 top online shopping carts, plus offers checkout customization.
2. Try Ecommerce Platform Payment Services
Many top ecommerce platforms offer their own payment processing service, which makes for strong ecommerce payment security. Launching an online store with a secure hosted checkout is easier than ever with an ecommerce platform. Plus, they meet or beat the pricing of some top all-in-ones and are a breeze to set up.
Here are two top online store platforms that offer their own secure payment processing:
Ecommerce payments pricing
From 2.4% to 2.9% + 30 cents per transaction, depending on plan
Built-in to any Shopify plan; takes mere seconds to enable and start accepting credit card payments through Shopify’s secure system; includes a sitewide SSL certificate; top-rated ecommerce platform.
From 2.2% to 2.9% + 30 cents per transaction, depending on plan
BigCommerce partners with PayPal and Fast for 1-click activated credit card payments; includes sitewide SSL certificate.
3. Consider a Traditional Gateway With Secure Integrations
Unlike all-in-ones and ecommerce platform payments, traditional payment gateways let you use your own merchant account for payment processing. This can be a lower-cost solution than those other options, but takes more work to set up. When going this route, you also need to make sure it’s a truly secure solution.
Note: Most traditional payment gateways that offer a secure hosted checkout also support self-hosted checkouts. It’s up to you to make sure the gateway/ecommerce platform/merchant account combination works within a secure hosted checkout. If not, you’ll be back to square one, having to ensure ecommerce payments and security yourself.
A few top providers make secure gateway integrations easy, including:
Your merchant provider fees + 10 cents per transaction, $0 setup, $0/mo.
Lets you use your own merchant account at its competitive payment processing rates, plus accepts PayPal Payments at the standard 2.9% + 30 cents per transaction rate.
Your merchant provider fees + 10 cents per transaction, $49 setup, $25/mo.
Lets you use your own merchant account at its competitive payment processing rates.
See more secure solutions in our guide to the best payment gateways.
4. Update Your Business Software—Often
The software you use to manage your business often releases updates which you can download to ensure your technology stays current. These updates impact a range of things, and failure to keep your tech updated could make it more susceptible to data breaches and other cyber threats. So when an update is released, ensure you install it in a timely manner.
Did You Know?
In 2020, fraudulent activity increased because so many businesses and consumers turned to online shopping. According to Juniper Research, ecommerce companies are on track to lose some $20 billion to fraud in 2021.
5. Choose the Best Merchant Account
Most self-hosted checkouts integrate with a large number of payment gateways and, through them, merchant services providers. Going this route, large-volume sellers can compare many payment processors to find the lowest credit card processing rates. But again, many of these providers leave checkout security to the seller.
For most small online businesses, hosted checkouts provide plenty of choice with minimal security worries. See our recommended merchant accounts to find a solution that’s right for your business.
6. Maintain PCI Compliance
Payment security standards are governed by a set of rules referred to as PCI compliance. They outline security measures that sellers accepting credit card payments must meet to help prevent security breaches and data theft. Secure payment providers’ hosted checkouts meet these rules for you. But with self-hosted options, you’re responsible for maintaining PCI-compliant checkout and payment data systems yourself.
If you choose a self-hosted option, your merchant services provider will request PCI compliance documentation each year, based on your processing volume. If you process fewer than 20,000 Visa credit card payments annually, you’ll have to fill out a self-assessment questionnaire (SAQ) and perform a system security scan. Reporting and scanning requirements increase as your processing volume increases. You can learn more about payment security and its impact on your business in our full guide to PCI compliance.
7. Limit Data Storage and Access
Data is a double-edged sword when it comes to security. On one hand, the more data you have, the more insights you have to make informed business decisions. But on the flip side, the more data you have, the more you have to lose.
If you can, limit the amount of data you store. Perhaps you strike out certain fields or store customer data for a shorter period of time. Additionally, it’s important to ensure only the people who need access to the data have it. Use tools and technology that allows for user accounts and permissions.
8. Always Use SSL and AVS
SSL is secure sockets layer, which encrypts data during online payment transactions. This makes it harder for hackers to get to sensitive information such as names, addresses, ZIP codes, and credit card numbers.
AVS is address verification services, which ensures the billing address the customer enters matches what the card-issuing bank has on its records. This mitigates unauthorized use of customer credit cards. Most payment gateways and some ecommerce platforms have settings to require certain address verification codes in order to accept the transaction. If you’re selling online, this is a crucial step for preventing fraud and the chargebacks fraudulent transactions can result in.
9. Activate Multifactor Authentication
Multifactor authentication is another way to make it harder for hackers and data thieves to get to your customer and payment information. These multifactor authentication settings require customers to log in with more than just a username/email and password. Usually customers will need to enter a verification code that’s sent to their email or phone number, or answer a security question.
Though this adds an extra step in the purchase process—and potential friction—it’s widely used. And as consumers are more aware of cyber threats, they’re more open to extra security steps like this.
10. Flag Suspicious Activity
Over time, you’ll gather more data about ecommerce security. You’ll be able to unearth trends—for example, are there trends related to chargebacks? How can you address those trends? Do you have lots of orders with different credit cards from a single IP address? You might need to block that IP. Did you receive an unusually large order? Perhaps reach out to the customer to confirm or ask for a different payment method.
Self-Hosted vs Hosted Checkout
As detailed in several of the best practices above, the type of checkout you use is a factor in payment data security and your level of responsibility for it. Let’s take a closer look at the two types of online checkouts.
A self-hosted checkout collects and transmits customer payment data on your store’s servers. This puts the security risk on you and makes you responsible for managing secure data connection, transmission, and storage systems. Even if you use a top ecommerce platform, you can be responsible for handling security. Not all ecommerce platforms ensure secure checkouts with every payment processor.
With a hosted checkout, sensitive payment data is entered directly into your secure payment provider’s system via a secure, encrypted SSL. Simply put, sensitive data never touches your store’s servers. In some cases your ecommerce platform ensures this; in others, your payment provider makes it happen.
Which Should You Choose?
For many small online sellers, a hosted checkout delivers everything needed to process payments in a tidy, secure package. But for others, factors such as checkout customization and lower credit card processing costs come into play. In these cases, the flexibility that self-hosted checkouts offer can be worth the additional security considerations.
|Self-Hosted Checkout||Hosted Checkout|
|Your security responsibility|
|Checkout customization options||Very customizable||Limited, or requires developer skills|
|Payment processing costs||Tend to be lower||Tend to be higher|
|Merchant services choices||More options||Fewer options|
Ecommerce payment security plays a key role in the trust relationship between your company and your customers. Luckily, secure payment processing technology is constantly improving. Plenty of online store solutions provide secure hosted checkouts that protect both you and your customers. All-in-one payment processors, platform payment services, and traditional gateways all offer secure checkout options for the small online seller.