Millions of security breaches make the internet less safe for business every year. Consumers are certainly aware of this risk. If your e-commerce site can’t provide the highest level of online payment security, buyers may look elsewhere.
The good news is that existing security strategies are well established, frequently updated, and easy enough to implement. Here are the key terms you need to understand to keep online financial transactions secure — and to demonstrate that safety to your customers.
A payment gateway is a software application that encrypts financial data and authorizes transactions, communicating with payment processors to enable the transfer of funds from buyer to seller.
Unless you plan to run payment data through your own servers — and make the significant investment it takes to do so safely — you’ll need a payment gateway, whether it’s built into your hosting platform or incorporated via a third-party plug-in.
Payment gateway providers handle financial identifiers on behalf of their customers, protecting site owners from the risks associated with storing data on their own servers. Established gateways like PayPal and Authorize.Net invest heavily in security, charging membership and/or transaction fees to site operators.
Websites protect payment information by encrypting the data before transmitting it. Two major protocols accomplish this encryption — Secure Sockets Layer (or SSL) and Transport Layer Security (or TLS). TLS is the newer protocol, with stronger encryption algorithms. However, many industry insiders use the terms interchangeably, as SSL is more widely known among web users.
Most site owners don’t need to worry too much about the difference; the important thing is to obtain an SSL or TLS certificate from a trusted hosting service. This certificate lets a visitor’s browser verify your site’s identity and set up an encrypted connection, so customer data is encrypted as it travels from the user’s computer to your e-commerce site during the first step in any payment transaction.
“For the moment, provided SSL security is up to date with modern encryption, secure information is well protected at this stage,” says Jason Agouris, CEO of digital systems provider iTristan Media Group.
An SSL or TLS certificate is vital in today’s online ecosystem. In most browsers, the presence of such a certificate is readily apparent to users, symbolized by a closed padlock in the URL bar. When a website doesn’t have an up-to-date certificate, browsers may warn users of the security risk, which can pose serious problems for any website that handles online transactions.
The Payment Card Industry Security Standards Council (PCI SSC) is an international group dedicated to keeping payment data secure. It publishes and updates the PCI Data Security Standard (PCI DSS), which applies to “all entities that store, process, or transmit cardholder data and/or sensitive authentication data.”
Different types of businesses need varying levels of PCI compliance, ranging from a few simple requirements for online sellers using gateways to full validation for gateway providers themselves. Major payment card brands like Visa and Mastercard operate independent programs that define validation levels and compliance, so the notion of “compliance” itself is complex.
Most e-commerce merchants who use payment gateways can gauge their level of PCI compliance with the PCI SSC’s Self-Assessment Questionnaire A (SAQ A). This document includes only the PCI DSS requirements that apply to sellers who outsource payment card handling to validated third-party services — i.e., reliable payment gateways.
Be sure to ask any third-party vendors that handle financial transactions whether they carry validation for all PCI DSS requirements. If they don’t, keep looking.
Encryption isn’t the only way to conceal financial identifiers as they move between customers, your site, and the payment processor. Tokenization is a powerful strategy that replaces a credit card number with a unique code, or “token.” Client computers transmit the token rather than the information itself, rendering the data useless if it’s stolen.
Agouris recommends choosing a payment gateway that provides tokenized transactions for the greatest security benefits.
“For most businesses now, the best option is to fully tokenize their payment gateway relationship with their e-commerce platform, such that the business’s own e-commerce system never actually sees the full payment information,” Agouris says.
“All the system knows is that the payment gateway did or did not approve the payment and why. The immediate security is now shifted to leverage the payment gateway’s systems, whose day job is all about security on your behalf.”
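The tokenized flow Agouris describes, as an added illustration that is not code from the article or from any real gateway: a hypothetical GatewayVault holds the card number and hands out random tokens, while the merchant’s checkout stores only the token and the last four digits and learns nothing but the approve/decline outcome. The card number used in the test is a well-known test number, not a real account.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    # Luhn check digit test: rejects typos before a card number reaches the vault.
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class GatewayVault:
    """Hypothetical payment gateway: the only party that ever holds the card number."""
    def __init__(self):
        self._vault = {}   # token -> PAN, kept inside the gateway's own PCI boundary

    def tokenize(self, pan: str):
        """Called from the shopper's browser (hosted field), never from the merchant server."""
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_urlsafe(24)   # random: no relation to the PAN
        self._vault[token] = pan
        return token, pan[-4:]                        # merchant may keep last four for display

    def authorize(self, token: str, amount_cents: int):
        """Return (approved, reason); this outcome is all the merchant ever sees."""
        pan = self._vault.get(token)
        if pan is None:
            return False, "unknown token"
        if amount_cents <= 0:
            return False, "invalid amount"
        if amount_cents > 100_000:                    # constructed stand-in for the issuer's decision
            return False, "declined: over limit"
        return True, "approved"

class MerchantCheckout:
    """The merchant's e-commerce system: stores tokens and last four only, never the PAN."""
    def __init__(self, gateway: GatewayVault):
        self._gateway = gateway
        self.cards = {}    # customer id -> {"token", "last4"}

    def save_card(self, customer_id: str, token: str, last4: str) -> None:
        self.cards[customer_id] = {"token": token, "last4": last4}

    def charge(self, customer_id: str, amount_cents: int):
        return self._gateway.authorize(self.cards[customer_id]["token"], amount_cents)
```

Because the token is random rather than derived from the card number, a copy of the merchant’s database (or of the token in transit) gives a thief nothing that can be used outside this gateway.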
To grant access to protected information, a system needs to verify the user’s identity. A simple way to do that is to prompt the user for a password — but a malicious user could acquire that password, so a single factor isn’t enough to guarantee security.
The second factor is typically a code sent to the user’s phone or email address when the user requests access; this step verifies that the user also possesses an item (the phone or email account) that helps prove their identity. This is a simple but effective type of multifactor authentication that dramatically improves security.
As with all efforts to ensure online payment security, the use of multifactor authentication doesn’t just make e-commerce safer; it also makes customers more likely to click “buy” in the first place.
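The two-step login described above, as an added example rather than code from the article: a hypothetical TwoFactorLogin class checks the password (factor 1), then issues a short-lived, single-use, guess-limited code through a delivery hook (factor 2). The `send_code` callback, the five-minute lifetime and the three-attempt limit are this example’s assumptions.

```python
import hashlib
import hmac
import os
import secrets
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)  # slow, salted

class TwoFactorLogin:
    """Hypothetical login: password (factor 1) plus an out-of-band one-time code (factor 2)."""
    CODE_TTL = 300       # seconds an issued code remains valid
    MAX_ATTEMPTS = 3     # wrong guesses tolerated per issued code

    def __init__(self, send_code):
        self._send_code = send_code  # delivery hook, e.g. SMS or e-mail: send_code(user, code)
        self._users = {}             # username -> (salt, password hash)
        self._pending = {}           # username -> (code hash, expiry, attempts left)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def start_login(self, username, password, now):
        """Factor 1 (something the user knows). On success, issue a code for factor 2."""
        rec = self._users.get(username)
        if rec is None or not hmac.compare_digest(rec[1], _hash_password(password, rec[0])):
            return False
        code = f"{secrets.randbelow(10**6):06d}"            # unpredictable six-digit code
        code_hash = hashlib.sha256(code.encode()).digest()  # store a hash, never the code
        self._pending[username] = (code_hash, now + self.CODE_TTL, self.MAX_ATTEMPTS)
        self._send_code(username, code)
        return True

    def finish_login(self, username, code, now):
        """Factor 2 (something the user has). Codes are single-use, time- and guess-limited."""
        pending = self._pending.get(username)
        if pending is None:
            return False, "no pending challenge"
        code_hash, expires_at, attempts_left = pending
        if now > expires_at:
            del self._pending[username]
            return False, "code expired"
        if not hmac.compare_digest(code_hash, hashlib.sha256(code.encode()).digest()):
            attempts_left -= 1
            if attempts_left == 0:
                del self._pending[username]
                return False, "too many attempts"
            self._pending[username] = (code_hash, expires_at, attempts_left)
            return False, "wrong code"
        del self._pending[username]  # consume the code so it cannot be replayed
        return True, "authenticated"
```

A stolen password alone never reaches `finish_login` successfully: without the code delivered to the user’s device, the attempt stops at "wrong code", then "too many attempts".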
Online payment security strategies serve two critical purposes: They protect customer data and help visitors feel secure when making a purchase. To reassure customers, site operators must openly advertise their investments in data protection.
For example, if you’re using advanced fraud-detection plug-ins, list them on your shopping cart page. Your payment gateway should also be fully PCI compliant; let your customers know that it is. When visitors see that payments on your site are secured by a familiar name, your chances of making more sales increase exponentially.