The ultimate guide to payment security
Whether you’re a fledgling start-up or an established business, online payment security is highly important – to protect yourself and your customers. Here, we explain the different ways you can help ensure your transactions are safe, secure and compliant.
In short, payment security is the means of ensuring payments made and received are done so safely and securely. This way, both the customer and the merchant in the payment process are protected. As a business, it’s important you can reassure your customers that their data and money is in safe hands when they buy from or transact with you. Luckily, there are plenty of ways to make sure this is the case.
So, let’s look at some of the different payment security methods and practices in more detail – including how each works and when they’re used.
PCI DSS compliance
PCI DSS – short for Payment Card Industry Data Security Standard – compliance refers to meeting the requirements set by the Payment Card Industry Security Standards Council (PCI SSC), which are designed to keep customers and merchants safe. You may see these standards referred to simply as PCI, and they apply to any business – regardless of how big you are or how many transactions you process.
The guidelines ensure that every card transaction is made securely – from acceptance and processing to storing and transmitting. These ever-evolving standards are made up of 12 elements that businesses must follow, including building and regularly testing a secure network and maintaining an information security policy. PCI DSS also protects contactless payments.
Address Verification Service
Another important payment security tool is the Address Verification Service (AVS). Put simply, it verifies a cardholder’s billing address against their data from the issuing bank during online transactions, to help reduce fraud. It works for addresses in the UK, US and Canada.
The AVS is often used alongside CVV verification when taking payments online (more on this below). When combined, both systems can help protect customers at checkout from fraud.
Once an AVS check is submitted by a merchant either manually or automatically at checkout, the credit card processor will send an acceptance or rejection response back, based on whether or not the addresses match.
Card verification value (CVV)
Most commonly known as CVV or CV2, card verification value works by asking you to enter the cardholder’s card verification code (CVC) or card security code (CSC) to verify their card details. The code is a three- or four-digit number that’s usually found on the back of credit and debit cards. It’s also accompanied by a separate code encoded in the magnetic stripe on the back of the card, which can be read by a magnetic stripe reader (although since the introduction of Chip and PIN, ‘swiping’ cards has become less common).
Card verification value checks are done in real-time, so you’ll be able to see a response straight away via the virtual terminal system. Check failed? This could be a sign of card payment fraud and allows you to decline what might be an unlawful transaction.
Chip and PIN technology
Probably the most familiar type of payment security, Chip and PIN was first introduced into the UK in 2006 in a bid to combat card payment fraud. Before this, businesses took card payments by reading the magnetic stripe and asked customers to sign a physical receipt to confirm they were the cardholder. Customers whose cards were stolen or misplaced were vulnerable to fraud because their signature could be easily copied.
Fast-forward to today, and customers are now asked to enter their four-digit PIN when shopping in-store to authorise their transaction. This is used to confirm that the cardholder is the one making the transaction. Once confirmed, the transaction is authorised. This process is automatic and ensures payments are approved quickly and securely.
Tokenisation
Tokenisation is a way of replacing sensitive data with a randomly generated alternative identifier (a token) that stands in for the original data without revealing it. It works by reducing the amount of sensitive data a business needs to keep, and therefore how much data can potentially fall into the wrong hands.
In credit card tokenisation, the customer’s Primary Account Number (PAN) is replaced with a token, so that payment can be processed safely. PCI DSS standards dictate that card numbers can’t be stored on a POS terminal or in a merchant’s database, so options like this allow businesses to remain compliant.
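To make the vault pattern concrete, here is a small added example (not code from the original article or from Handepay): the PAN is checked with the Luhn algorithm, swapped for a random token that carries no information about the card, and the only place the mapping exists is the hypothetical `TokenVault`, which in practice would be an isolated, PCI-scoped system rather than a dictionary.

```python
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Luhn check on a PAN: rejects typos and junk before tokenising."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """Hypothetical vault holding the PAN<->token mapping.

    Only this component ever sees the PAN; the merchant's own systems keep
    just the token and the last four digits for receipts.
    """
    _by_pan: dict = field(default_factory=dict)
    _by_token: dict = field(default_factory=dict)

    def tokenise(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        if pan in self._by_pan:   # same card -> same token, so repeat billing works
            return self._by_pan[pan]
        # The token is random, not derived from the PAN: without the vault,
        # nothing about the card can be recovered from it.
        token = "tok_" + secrets.token_hex(12)
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def last_four(self, token: str) -> str:
        """Safe to show on receipts and in the merchant's order history."""
        return self._by_token[token][-4:]

    def detokenise(self, token: str) -> str:
        """Only the vault does this, e.g. when forwarding to the acquirer."""
        return self._by_token[token]
```

The merchant database then stores `tok_...` and `1111`, which is worthless to an attacker who exfiltrates it without also compromising the vault.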
3D Secure authentication
Also known as 3DS, 3D Secure authentication is an additional layer or step for online transactions to increase security against fraud. Usually, it directs your customers to an authentication page on their bank’s website during the checkout process, where they’ll be asked to enter a password or code to confirm their identity.
European regulations currently require 3D Secure to be enabled for all card payments, which is managed by the card providers themselves.
Secure Sockets Layer (SSL)
The Secure Sockets Layer (SSL) protocol not only protects your customers’ information when transacting with you online, but also your reputation as a business.
SSL was widely used to provide online security before it was replaced by TLS (Transport Layer Security) in the late 1990s. Despite this, most people still refer to this type of technology as SSL. Essentially, it secures connections between your website and your customer’s web browser over an insecure network, such as the internet.
SSL is required for PCI DSS compliance for online card payments, and works by encrypting sensitive information like credit card details. Your site will need an SSL certificate to authenticate it - this is visible to customers as either a padlock symbol next to your site’s URL, or the ‘https:’ prefix before your website’s URL in a customer’s web browser.
To help keep yourself and your customers safe from payment fraud, it’s important to be aware of the risks and how to mitigate them. While it’s impossible to totally eliminate the threats, by complying with the relevant security measures and processes discussed above, you can give yourself the best possible chance of avoiding problems.
In doing so, you can help minimise chargebacks - when customers dispute a charge or payment, usually due to stolen credit card data - and other financial losses relating to fraud. Stay vigilant and, should you suspect fraud, make sure you act fast to resolve the situation.
Want to ensure your business’ payments are secure and compliant? Handepay is proud to fully meet all security requirements - get in touch today to find out more.