Payment security

The beauty of the internet is attracting customers from around the world – unfortunately it also means attracting the attention of fraudsters. So it’s essential that your payment security is fit for purpose.

  • If you take payments online you must comply with the PCI Data Security Standard.
  • Penalties for security breaches can be severe (up to £500,000).
  • Online fraud is lower than conventional retail fraud.

But fear not, because perception often gets in the way of fact. Online trading is less prone to fraud than conventional ‘in-store’ trading. Research by the global company Forrester found that for every £1000 worth of transactions, a company could lose £1 to fraud over the internet compared with £25 offline.

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide security standard developed to protect cardholders' personal information.

It includes requirements for security management, network architecture, software design, security policies and procedures, and other protection of customer account data. The standard is applicable to any organisation that stores, transmits or processes cardholder information.

PCI DSS is organised into six principles that encompass the specific requirements listed below. These requirements are applicable to any organisation holding personal information and are intended to reduce the organisation's risk of a data breach:

  • Build and maintain a secure network
    • install and maintain a firewall configuration to protect cardholders’ data
    • do not use vendor defaults for system passwords or other security actions
  • Protect your cardholder data
    • protect any stored cardholder data
    • encrypt transmission of cardholders’ data across open, public networks
  • Keep a vulnerability management plan
    • always use and regularly update anti-virus software
    • develop and maintain secure systems and applications
  • Implement strong access control practices
    • limit access to cardholder data to only those who need to know
    • give every person with computer access a unique ID
    • limit physical access to cardholder data
  • Monitor and test your networks on a regular basis
    • track and monitor all access to network resources and cardholder data
    • regularly test security systems and procedures
  • Keep an information security policy
    • always keep a policy that addresses information security

The Payment Card Industry Security Standards Council encourages businesses to comply with PCI DSS and become certified to help reduce financial risks from data compromises.

But it’s the payment card schemes, eg MasterCard or Visa, that manage the actual compliance programme. Seek advice from your bank on your specific compliance obligations and how your business can become certified.

Failure to be annually certified can become an issue if you have a security breach and your customers’ card details are stolen. Penalties levied by the card schemes can be heavy depending on the number of cards compromised. Even where a merchant is certified, this does not protect them from potential penalties if it is deemed that their own actions through negligence, omission or accident contributed to a breach.

Warning signs that an order may be fraudulent include:

  • Late night orders
  • High-risk countries
  • PO box addresses or hotels/guest houses
  • Free/anonymous email addresses
  • Express delivery
  • High-quantity orders
  • High-value orders
  • Different shipping and billing addresses or IP country and billing/card issue country
  • Frequent purchases
  • Frequent contacts from anxious fraudsters
  • Mobile rather than landline number
  • Suspicious behaviour by the customer
  • Indiscriminate purchases
  • Inconsistencies in shopper details across multiple purchases, eg same shopper email address but differing name or address provided
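Merchants usually combine indicators like those above into a simple rule-based screen that scores each order and routes it to accept, manual review or decline. The following is an added example written for this page, not code from the original article or from any payment provider: every weight, threshold, country code and email domain in it is a constructed placeholder, and the `Order` fields and the `score_order`/`decide` functions are this example's own. It generalises the list slightly by checking the "frequent purchases" and "inconsistent details" signals against a merchant's order history rather than a single order.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed reference data for this example. A real merchant would derive the
# lists, weights and thresholds from its own fraud history and acquirer guidance.
FREE_EMAIL_DOMAINS = {"freemail.example", "anonmail.example"}  # placeholder domains
HIGH_RISK_COUNTRIES = {"ZZ"}                                    # placeholder country code
HIGH_VALUE_GBP = 500.0
HIGH_QUANTITY = 10
FREQUENT_ORDERS_PER_DAY = 3
REVIEW_THRESHOLD = 3   # score at or above this: hold for manual review
DECLINE_THRESHOLD = 7  # score at or above this: decline outright
PO_BOX_OR_HOTEL = re.compile(r"\bP\.?\s?O\.?\s*box\b|\bhotel\b|\bguest\s*house\b", re.IGNORECASE)


@dataclass
class Order:
    order_id: str
    placed_at: datetime
    name: str
    email: str
    billing_address: str
    shipping_address: str
    billing_country: str
    shipping_country: str
    card_issue_country: str
    ip_country: str
    phone: str
    amount_gbp: float
    quantity: int
    express_delivery: bool


def score_order(order, history):
    """Return (score, reasons) for one order; history holds this merchant's earlier orders."""
    score, reasons = 0, []

    def flag(points, reason):
        nonlocal score
        score += points
        reasons.append(reason)

    if order.placed_at.hour < 6:
        flag(1, "late-night order")
    if {order.billing_country, order.shipping_country} & HIGH_RISK_COUNTRIES:
        flag(2, "high-risk country")
    if PO_BOX_OR_HOTEL.search(order.shipping_address):
        flag(2, "PO box or hotel/guest house delivery address")
    if order.email.rpartition("@")[2].lower() in FREE_EMAIL_DOMAINS:
        flag(1, "free/anonymous email address")
    if order.express_delivery:
        flag(1, "express delivery")
    if order.quantity >= HIGH_QUANTITY:
        flag(1, "high-quantity order")
    if order.amount_gbp >= HIGH_VALUE_GBP:
        flag(2, "high-value order")
    if order.shipping_country != order.billing_country:
        flag(2, "shipping and billing countries differ")
    if order.ip_country != order.card_issue_country:
        flag(2, "IP country and card issue country differ")
    if order.phone.startswith("07"):  # UK mobile prefix; a weak signal on its own
        flag(1, "mobile rather than landline number")

    # Signals that only show up across several orders from the same shopper.
    same_email = [h for h in history if h.email.lower() == order.email.lower()]
    recent = [h for h in same_email if order.placed_at - h.placed_at <= timedelta(days=1)]
    if len(recent) >= FREQUENT_ORDERS_PER_DAY:
        flag(2, "frequent purchases from the same email address")
    if any(h.name != order.name or h.billing_address != order.billing_address for h in same_email):
        flag(2, "same email address but different name or address than earlier orders")

    return score, reasons


def decide(score):
    """Map a score onto the three outcomes a fraud screen normally produces."""
    if score >= DECLINE_THRESHOLD:
        return "decline"
    if score >= REVIEW_THRESHOLD:
        return "review"
    return "accept"


def example_orders():
    """Constructed sample data: one ordinary order and one that trips many rules."""
    base = datetime(2013, 6, 11, 14, 30)
    clean = Order("ord-1", base, "A Smith", "a.smith@retailer-customer.example",
                  "1 High Street", "1 High Street", "GB", "GB", "GB", "GB",
                  "01315550000", 45.0, 1, False)
    email = "quick123@freemail.example"
    history = [Order(f"ord-h{i}", base - timedelta(hours=2 * i), "B Jones" if i else "C Brown",
                     email, "22 Some Road", "22 Some Road", "GB", "GB", "GB", "GB",
                     "07700900123", 120.0, 2, False) for i in range(3)]
    risky = Order("ord-2", datetime(2013, 6, 12, 2, 15), "B Jones", email,
                  "22 Some Road", "Room 4, Grand Hotel, Station Road", "GB", "GB", "GB", "FR",
                  "07700900123", 899.0, 12, True)
    return clean, risky, history


if __name__ == "__main__":
    clean, risky, history = example_orders()
    for order in (clean, risky):
        score, reasons = score_order(order, history)
        print(order.order_id, decide(score), score, reasons)
```

The point of the two thresholds is that no single indicator is conclusive: a mobile number or express delivery on its own should never block a sale, but several weak signals together are worth a human look, and a pile of them is worth declining. Whatever weights are chosen, every flagged reason should be logged with the order so that review staff, and later any dispute with the card scheme, can see why the decision was taken.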

Your website MUST be compliant in this area to trade online. The Information Commissioner’s Office (ICO) is responsible for enforcing this standard and can impose penalties of up to £500,000 for serious data breaches. So if you’re not sure whether your site complies, speak to a professional web security specialist. Or it could cost you!

Types of security encryption

Successful eCommerce is largely dependent on customers feeling safe and satisfied that you are doing everything to protect their card details, personal data and transactional history. If you are seen to protect your site, your customers can be satisfied that you are taking security seriously.

Encryption software such as SSL and the introduction of 3-D Secure protect online shoppers and their data. By integrating these types of security systems with your site, you will greatly reduce both your exposure to internet criminals stealing data and the costs of transactions that turn out to be fraudulent.

Don’t be complacent. But with the proper safeguards in place, your customers’ money as well as your business’ profits will be safe online.

© Copyright 2013 Electronic Payments, All Rights Reserved 99 Giles Street, Edinburgh | Scotland, EH6 6BZ | 08000 248 620