The ultimate guide to payment security


Whether you’re a fledgling start-up or an established business, online payment security is highly important – to protect yourself and your customers. Here, we explain the different ways you can help ensure your transactions are safe, secure and compliant.

Card showing a locked padlock for security

What is payment security?


In short, payment security is the means of ensuring payments made and received are done so safely and securely. This way, both the customer and the merchant in the payment process are protected. As a business, it’s important you can reassure your customers that their data and money is in safe hands when they buy from or transact with you. Luckily, there are plenty of ways to make sure this is the case.

Types of payment security


So, let’s look at some of the different payment security methods and practices in more detail – including how each works and when they’re used.


PCI DSS compliance


PCI DSS – short for Payment Card Industry Data Security Standards – compliance refers to meeting the guidelines set by the Payment Card Industry Security Standards Council (PCI SSC) which are designed to keep customers and merchants safe. You may see these standards referred to as PCI and they apply to any business - regardless of how big you are or how many transactions you process.

The guidelines ensure that every card transaction is made securely – from acceptance and processing to storing and transmitting. These ever-evolving standards are made up of 12 elements that businesses must follow, including building and regularly testing a secure network and maintaining an information security policy. PCI DSS also protects contactless payments.


Address Verification Service


Another important payment security tool is the Address Verification Service (AVS). Put simply, it verifies a cardholder’s billing address against their data from the issuing bank during online transactions, to help reduce fraud. It works for addresses in the UK, US and Canada.

The AVS is often used alongside CVV verification when taking payments online (more on this below). When combined, both systems can help protect customers at checkout from fraud.

Once an AVS check is submitted by a merchant either manually or automatically at checkout, the credit card processor will send an acceptance or rejection response back, based on whether or not the addresses match.


Card verification value (CVV)


Most commonly known as CVV or CV2, card verification value works by asking you to enter the cardholder’s card verification code (CVC) or card security code (CSE) to verify their card details. The code is a three or four-digit number that’s usually found on the back of credit and debit cards. It’s also accompanied by a code in the magnetic stripe on the back of the card, which can be read by a magnetic stripe reader (although since the introduction of Chip and PIN, ‘swiping’ cards has become less common).

Card verification value checks are done in real-time, so you’ll be able to see a response straight away via the virtual terminal system. Check failed? This could be a sign of card payment fraud and allows you to decline what might be an unlawful transaction.


Chip and PIN technology


Probably the most familiar type of payment security, Chip and PIN was first introduced into the UK in 2006 in a bid to combat card payment fraud. Before this, businesses took card payments using a magnetic strip and asked customers to sign a physical receipt to confirm they were the cardholder. Customers whose cards were stolen or misplaced were vulnerable to fraud because their signature could be easily copied.

Fast-forward to today, and customers are now asked to enter their four-digit PIN when shopping in-store to authorise their transaction. This is used to confirm that the cardholder is the one making the transaction. Once confirmed, the transaction is authorised. This process is automatic and ensures payments are approved quickly and securely.


Tokenisation


Tokenisation is a way of replacing sensitive data with a randomly generated alternative identifier (a token) that keeps the same information in a secure way. It works by reducing the amount of data a business needs to keep, and therefore how much data can potentially fall into the wrong hands.

In credit card tokenization, the customer’s Primary Account Number (PAN) is replaced with a token, so that payment can be processed safely. PCI DSS standards dictate that card numbers can’t be stored on a POS terminal or in a merchant’s database, so options like this allow businesses to remain compliant.


3D Secure


Also known as 3DS, 3D Secure authentication is an additional layer or step for online transactions to increase security against fraud. Usually, it directs your customers to an authentication page on their bank’s website during the checkout process, where they’ll be asked to enter a password or code to confirm their identity.

European regulations currently require 3D Secure to be enabled for all card payments, which is managed by the card providers themselves.


SSL protocol


Security Sockets Layer (SSL) protocol not only protects your customers’ information when transacting with you online, but also your reputation as a business.

SSL was widely used to provide online security before it was replaced by TLS (Transport Layer Security) in the late 1990s. Despite this, most people still refer to this type of technology as SSL. Essentially, it secures connections between your website and your customer’s web browser over an insecure network, such as the internet.

SSL is required for PCI DSS compliance for online card payments, and works by encrypting sensitive information like credit card details. Your site will need an SSL certificate to authenticate it - this is visible to customers as either a padlock symbol next to your site’s URL, or the ‘https:’ prefix before your website’s URL in a customer’s web browser.

Green shield with a green tick

Preventing fraud with payment security


To help keep yourself and your customers safe from payment fraud, it’s important to be aware of the risks and how to mitigate them. While it’s impossible to totally eliminate the threats, by complying with the relevant security measures and processes discussed above, you can give yourself the best possible chance of avoiding problems.

In doing so, you can help minimise chargebacks - when customers dispute a charge or payment, usually due to stolen credit card data - and other financial losses relating to fraud. Stay vigilant and, should you suspect fraud, make sure you act fast to resolve the situation.

How to start taking secure online payments


Want to ensure your business’ payments are secure and compliant? Handepay is proud to fully meet all security requirements - get in touch today to find out more.

Locked padlock

Financial disclaimer:

Handepay Ltd is authorised and regulated by the FCA for consumer credit under FRN 673564. Handepay is a credit broker not a lender. Handepay receives commission from the credit provider for each successful introduction it conducts.

Terminal hire contracts are provided by Merchant Rentals Limited, who is authorised and regulated by the Financial Conduct Authority for Consumer Hire under FRN 720500. Terminal hire can be for consumer hire and non-regulated hire contracts. Please check your contract carefully for details. Regulation of all consumer hire fall under the control of the FCA.

Handepay is not an acquirer. Your acquiring service provider will depend on the service package you choose to receive through Handepay. Handepay acts as an introducer of card acquiring services on behalf of the card acquiring service providers which include Lloyds Bank plc trading as Cardnet and EVO Payments UK.

Lloyds Bank are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority under registration number 119278. Cardnet is a registered trademark of Lloyds Bank plc.

EVO Payments UK is the trading name of EVO Payments UK Ltd, a payment institution that is authorised and regulated by the Financial Conduct Authority (FRN number 959332).

Editorial disclaimer:

The information we provide does not constitute financial advice and might not apply to your business. Always carry out research into your business’ needs when choosing a new merchant services provider.

Sometimes, we link to other third-party websites to provide you with additional information. At the time of publication, we consider the information accurate, however, we do not have control over their content and are not responsible if any information on these websites change.

The products we display on our website are for illustrative purposes only - if your business requires additional facilities, you may receive a different model than advertised. All of the information contained on this website, including fees, services and functionality, are correct at time of publishing. E&OE.

Would you like
a callback?

FIND OUT MORE

Talk to an advisor today...

Please enter your number and we'll get back to you as soon as possible. *If you'd like to schedule a callback, please enter the best date and time.

Please note: Opening hours: Mon - Fri, 9am - 5pm


+44

Please choose the best time for us to call you back. The following options are GMT timezone.