Ecommerce Payment Security: 10 Small Business Best Practices
Meaghan has provided content and guidance for indie retailers as the editor for a number of retail publications and a speaker at trade shows. She is Fit Small Business’s authority on retail and ecommerce.
Anna is a retail expert writer for Fit Small Business with over six years of evaluating dozens of software for small business. She holds a double degree in Accountancy and Financial Management and is currently pursuing further education in financial and payment technology.
This article is part of a larger series on Payments.
Ecommerce payment security means that the order checkout forms collecting customer data are hosted securely, whether self-hosted on your store’s servers or hosted by your payment provider. The data must be properly encrypted during transmission, and any stored payment information must be protected.
The boom in online shopping, along with the general increase in fraudulent activity, has made ecommerce payment security vital. Follow the 10 best practices listed below to keep your site and customers safe.
1. Use an All-in-One Payment Processor
All-in-ones roll a secure hosted checkout and merchant account into one service. They’re the most popular choices for small online sellers because of their ease of setup, straightforward pricing, multiple services, selling options, and, of course, security. Most all-in-one payment processors offer quick one-click integrations with top ecommerce platforms, so for most, setup takes just a few minutes.
2. Try Ecommerce Platform Payment Services
Many top ecommerce platforms offer their own payment processing service, which makes for strong ecommerce payment security. Launching an online store with a secure hosted checkout is easier than ever with an ecommerce platform. Plus, they meet or beat the pricing of some top all-in-ones and are a breeze to set up.
3. Consider a Traditional Gateway With Secure Integrations
Unlike all-in-ones and ecommerce platform payments, traditional payment gateways let you use your own merchant account for payment processing. This can be a lower-cost solution than those other options, but takes more work to set up. When going this route, you also need to make sure it’s a truly secure solution.
Note: Most traditional payment gateways that offer a secure hosted checkout also support self-hosted checkouts. It’s up to you to make sure the gateway/ecommerce platform/merchant account combination works within a secure hosted checkout. If not, you’ll be back to square one, having to ensure ecommerce payments and security yourself.
See more secure solutions in our guide to the best payment gateways.
4. Use a Secure Checkout Service
The type of checkout you use is a factor in payment data security and your level of responsibility for it. Most self-hosted checkouts integrate with a large number of payment gateways and, through them, merchant services providers. Going this route, large-volume sellers can compare many payment processors to find the lowest credit card processing rates. But again, many of these providers leave checkout security to the seller.
Let’s take a closer look at the two types of online checkouts.
Which Should You Choose?
For many small online sellers, a hosted checkout delivers everything needed to process payments in a tidy, secure package. But for others, factors such as checkout customization and lower credit card processing costs come into play. In these cases, the flexibility that self-hosted checkouts offer can be worth the additional security considerations.
| Self-Hosted Checkout | Hosted Checkout | |
|---|---|---|
| Your security responsibility | High | Minimal |
| Checkout customization options | Very customizable | Limited, or requires developer skills |
| Payment processing costs | Tend to be lower | Tend to be higher |
| Merchant services choices | More options | Fewer options |
5. Secure Your Customer’s Credit Card Information
Merchants are under obligation to protect a customer’s credit card information once it is used to complete a transaction. Even more so when accepting payments from customers online. The Federal Trade Commission recorded a 70% increase in reported credit card fraud in 2021, with online shopping accounting for $392 million of the total $5.8 billion in fraudulent sales.
Make sure to look for the following security features from your payment services provider:
Credit card tokenization converts your customer’s credit card data into a “token,” or string of randomly generated numbers. An ideal payment processor would have this measure in place from the checkout page. This makes it possible to safely communicate the information through payment gateways and store a cardholder’s information while adhering to PCI standards.
3D Secure adds an authentication step to your checkout process. Typically, this involves redirecting your customer to their bank’s authentication page where they are to key in a code or a password sent to them via email or SMS. This method is meant to ensure that only the real cardholder would be able to complete a transaction.
Both Visa and MasterCard actively contribute to creating and developing a more advanced 3DS that aims to improve both security and user experience during checkout.
AVS ensures the billing address the customer enters matches what the card-issuing bank has on its records. This mitigates unauthorized use of customer credit cards. Most payment gateways and some ecommerce platforms have settings to require certain address verification codes in order to accept the transaction. If you’re selling online, this is a crucial step for preventing fraud and the chargebacks fraudulent transactions can result in.
Stripe’s Fraud Prevention rules allow you to block transactions based on postal code.
(Source: Stripe)
Credit card security codes, sometimes called Card Verification Code (CVC), is a three- to four-digit code found on a credit card, usually at the back (American Express CID is on the front). Names for these security codes vary depending on the credit card brand.
Card Brand | Name | Description |
|---|---|---|
Visa | Card Verification Value (CVV/CVV2) | 3-digit (back of card) |
Mastercard | Card Verification Value (CVV/CVV2) | 3-digit (back of card) |
Discover | Card Identification Number (CID) | 4-digit (front of card) |
American Express | Card Identification Number (CID) | 4-digit (front of card) |
These codes are used to help verify manually entered credit card information for both in-person and online transactions such as when accepting card payments at the register, on a virtual terminal, or when customers key in their card data on your website.
Let your customers know that they are protected.
Seventeen percent of online shoppers tend to abandon their carts on websites that do not display proof of secured payments. Include security seals and add notices on the checkout page whenever possible to improve customer confidence.
6. Ensure a Secure Website Login for Your Customers
Hackers can steal your customer’s account (and eventually their credit card information) by targeting their login credentials. This starts from the moment customers go to your website and enter their login details. Hackers can then reset both login and verification information, which can lead to unauthorized transactions.
In one month alone, Microsoft recorded around 1.2 million accounts being successfully hacked because it did not have simple login security such as multifactor authentication (MFA).
Without going into so much technical detail, here are ways to secure your website’s login page:
Activate MFA
MFA makes it harder for hackers and data thieves to get to your customer and payment information. These settings require customers to log in with more than just a username/email and password. Usually, customers will need to enter a verification code that’s sent to their email or phone number, or answer a security question.
Though this adds an extra step in the purchase process—and potential friction—it’s widely used. And, as consumers become more aware of cyber threats, they are also more open to extra security steps like this.
Password Hashing
Password hashing is an authentication method that takes your customer’s password through a “hashing algorithm” and converts (encrypts) it into a unique set of symbols that cannot be reversed. You can then safely store these instead of the actual plaintext, and because it does not have a decryption algorithm, it makes it harder for hackers to use.
The Hashing Algorithm converts a plaintext password into hashed text and can be then safely stored in your database.
(Source: Auth0)
CAPTCHA
Completely Automated Public Turing test to tell Computers and Humans Apart, otherwise known as CAPTCHA, is a challenge-response test program that helps to confirm that a real person is trying to access your website. For ecommerce merchants, the distorted images are meant to prevent automated systems from collecting your customer’s emails and logging in to their accounts.
IP Address Verification
With an IP address verification system, you can compare your customer’s billing information vs the IP address being used during login, and block attempts to access the account in case there is a discrepancy. Alternatively, you can set your website to block IP addresses associated with fraudulent online activities. This is usually done by accessing shareable data from third parties that maintain a record of known IP locations of fraudsters.
Encourage strong password security.
You can significantly improve the security of your customer’s account by setting rules for creating a strong password and prompting regular reset/renewal.
7. Maintain PCI Compliance
Payment security standards are governed by a set of rules referred to as PCI compliance. They outline security measures that sellers accepting credit card payments must meet to help prevent security breaches and data theft. Secure payment providers’ hosted checkouts meet these rules for you. But, with self-hosted options, you’re responsible for maintaining PCI-compliant checkout and payment data systems yourself.
You can learn more about payment security and its impact on your business in our full guide to PCI compliance.
If you choose a self-hosted option, your merchant services provider will request PCI compliance documentation each year, based on your processing volume. If you process fewer than 20,000 Visa credit card payments annually, you’ll have to fill out a Self-assessment Questionnaire (SAQ) and perform a system security scan. Reporting and scanning requirements increase as your processing volume increases.
The ecommerce method you use for your self-hosted checkout also determines your requirements for reporting compliance.
(Source: PCI Security Standards)
Here are some tips for maintaining PCI compliance for your ecommerce business:
Data is a double-edged sword when it comes to security. On one hand, the more data you have, the more insights you have to make informed business decisions. But on the flip side, the more data you have, the more you have to lose.
If you can, limit the amount of data you store. Perhaps you strike out certain fields or store customer data for a shorter period of time. Additionally, it’s important to ensure only the people who need access to the data have it. Use tools and technology that allows for user accounts and permissions.
The third goal of PCI compliance is to manage network vulnerability, which includes PCI requirements 5 and 6—this mentions the need to ensure that your anti-virus software is always updated and that it maintains secure systems and applications. Failing to run your vendor’s security patches and updates within the first month of its availability will significantly increase your website’s vulnerability to data breaches.
The software you use to manage your business often releases updates that you can download to ensure your technology stays current. These updates impact a range of things, and failure to keep your tech updated could make it more susceptible to data breaches and other cyber threats. So, when an update is released, install it in a timely manner.
Did You Know?
In 2020 and 2021, fraudulent activity increased because so many businesses and consumers turned to online shopping. A study by Juniper Research estimates a loss of $20 billion due to fraud in 2021.
8. Keep Your Customers & Employees Informed
Consumer awareness is a key factor in keeping your website safe from hackers—especially if your website allows for employee and customer logins. Cyber-attacks often target user vulnerabilities, so apart from providing a secure website infrastructure, educating your website users on the most common hacking strategies is a must.
Hacking Strategies
- Phishing: Where hackers pose as legitimate websites to try to extract credit card information from customers.
- Spoofing: Where hackers send fictitious emails to customers sending them links to fake websites which can record keystrokes for data such as login details and credit card information.
What to Do
- Make sure your customers are aware of these malicious attacks. Take the opportunity to post reminders on your website, newsletters, and emails.
- Provide illustrative examples to help them immediately identify fictitious emails.
- Give them clear instructions on what to do should they encounter such.
The PCI Security Standards Council also emphasizes the need for educating employees on information security. Those who have access to cardholder data are also susceptible to spoofing, which can give hackers access to their login credentials.
9. Always Use HTTPS & SSL
Secure Sockets Layer (SSL) encrypts data that is communicated on your website. Adding an SSL transforms your website’s Hypertext Transfer Protocol (HTTP) address into a Secure Hypertext Transfer Protocol (HTTPS), which encrypts your cardholder’s data during online payment transactions. This makes it harder for hackers to get sensitive information such as names, addresses, ZIP codes, and credit card numbers.
More people are becoming aware of this and completely avoid websites that do not have HTTPS on the address bar. Search engines like Google also favor HTTPS pages and at the same time, flag users for websites that only use HTTP.
Customers can tell whether or not your site is SSL secure based on how the URL appears in their browser.
10. Flag Suspicious Activity
Over time, you’ll gather more data about ecommerce security. You’ll be able to unearth trends—for example, are there trends related to chargebacks? How can you address those trends? Do you have lots of orders with different credit cards from a single IP address? You might need to block that IP. Did you receive an unusually large order? Perhaps reach out to the customer to confirm or ask for a different payment method.
Bottom Line
Ecommerce payment security plays a key role in the trust relationship between your company and customers. Luckily, secure payment processing technology is constantly improving. Plenty of online store solutions provide secure hosted checkouts that protect both you and your customers. All-in-one payment processors, platform payment services, and traditional gateways all offer secure checkout options for small online sellers.
