Cybersecurity Standards in Online Payments
by Luiza Filipoi
Remember when we had to walk to the shop to buy...everything? Hard times, right?
Technology evolved and our habits changed with it, including the way we shop. Online shopping comes with many benefits and is quick and practical, but it is still not perceived as trustworthy as shopping in a physical store. Customers don’t know the details of the purchase and payment process, but they want it to be secure. As a merchant, you must do everything in your power to make your customers feel safe at every step of the purchasing process.
How to do that? Choose a secure payment gateway!
Securing online transactions should be, and probably is, the primary concern for eCommerce merchants, especially now that data breaches are more common and damaging than ever.
If you own or work for an eShop, make sure your payment gateway provides the right security solutions and features. Transaction security is complex, but you have to keep up with it. A payment gateway should let you accept any online payment without worrying about security. If it doesn’t, you should reconsider your choice of payment gateway.
This article is meant to shed some light on what to look for in a payment gateway. If your payment gateway does not meet these standards, please consider a change.
Below you can find three features that should be on your radar when looking for a payment gateway:
1. PCI DSS - Payment Card Industry Data Security Standards
With a simple search on Wikipedia, you can find that “the PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud.”
The PCI Data Security Standard defines twelve requirements for compliance, organized into six groups of goals:
I. Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
II. Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
III. Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
IV. Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
V. Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
VI. Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
As you can see, there are many requirements to meet, but don’t worry, the fun part comes now: a merchant doesn’t have to be PCI compliant itself if it has the right payment gateway provider. A secure gateway, such as Twispay, is PCI DSS Level 1 compliant; therefore, the eShop can rely on it for compliance with PCI DSS.
2. P2PE - Point-to-point encryption
Encryption standards are another thing you’ll have to consider when choosing a payment gateway. We’re talking about your customers’ sensitive data, and you’ll want to avoid any breach that would reflect on your company’s reputation.
P2PE is also a standard established by the Payment Card Industry (PCI); its purpose is to validate payment security solutions that encrypt payment card data immediately at the point of capture, so that intercepted data is useless to an attacker.
This standard is designed to maximize the security of payment card transactions in an increasingly complex regulatory environment. To comply with the P2PE standard, a payment solution provider must include:
1. Secure encryption of payment card data at the point-of-interaction (POI)
2. P2PE-validated application at the point-of-interaction
3. Secure management of encryption and decryption devices
4. Control of the decryption environment and all decrypted account data
5. Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection, administration, and usage.
But keep in mind that using a validated P2PE solution doesn’t remove the need for PCI DSS in the merchant environment; it reduces the scope of what the merchant must assess, not the obligation itself.
By choosing a payment gateway provider that offers P2PE, you and other merchants can breathe more freely. It lowers the risk of data loss, protects your company’s reputation, and, of course, helps you avoid compliance fines and revenue lost to fraud.
3. Tokenization
Tokenization is another of these standards, and it adds a further layer of security. Tokenization is the process of replacing sensitive data with a non-sensitive equivalent that has no exploitable meaning or value. This piece of non-sensitive data is called a token. For the tokenization process to work, the payment gateway has to securely store the mapping between each randomly generated token and the original data, so that only the gateway can ever turn a token back into a card number.
Fundamentally, tokenization protects sensitive data such as a bank account or credit card number by keeping it in a secure vault and handing out meaningless substitute values that can’t be exploited by external threats. Only the token travels through the merchant’s systems and over networks, so a compromise of those systems does not expose card data.
Tokenization is a necessary process for eCommerce, and it should be part of the payment flow, especially for merchants that offer recurring payments or subscriptions, since the merchant can charge the stored token again without ever holding the card number. It is also a fundamental component for eShops that offer one-click payments.
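To make the vault model concrete, here is a small added example (not Twispay’s code or API; the class and function names are hypothetical) of what a gateway-side token vault does: it validates the incoming card number, issues a random token that keeps only the real last four digits, guarantees the same card always maps to the same token so recurring charges work, and refuses to return the card number to anything other than the settlement role. The card number used is the widely known test value 4111 1111 1111 1111, not a real account.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy vault on the gateway side: the only place the card number exists in clear."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._lookup_to_token: dict[str, str] = {}
        # Keyed hash so the vault can recognise a returning card without storing a
        # plain hash that could be brute-forced over the small space of card numbers.
        self._lookup_key = secrets.token_bytes(32)

    def _lookup(self, pan: str) -> str:
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the token for a card number, issuing a fresh random one if needed."""
        if not luhn_valid(pan) or not 12 <= len(pan) <= 19:
            raise ValueError("not a syntactically valid card number")
        key = self._lookup(pan)
        if key in self._lookup_to_token:  # same card -> same token (recurring billing)
            return self._lookup_to_token[key]
        while True:
            # Random digits plus the real last four, so receipts and support screens still work.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject candidates that collide or that happen to pass Luhn, so a leaked
            # token can never be mistaken for (or accidentally be) a real card number.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._lookup_to_token[key] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the settlement component may get the card number back; the storefront cannot."""
        if caller_role != "settlement":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_pan[token]


def store_customer_card(vault: TokenVault, pan: str) -> dict:
    """What the merchant database keeps: a token and a display mask, never the card number."""
    token = vault.tokenize(pan)
    return {"token": token, "display": "*" * (len(pan) - 4) + pan[-4:]}


if __name__ == "__main__":
    vault = TokenVault()
    record = store_customer_card(vault, "4111111111111111")  # constructed test number
    print(record)
    print(vault.detokenize(record["token"], "settlement"))
```

Two design choices matter here. Tokens are deliberately made to fail the Luhn check, so a token that leaks from the merchant database cannot be confused with a usable card number. And the lookup index is a keyed HMAC rather than a plain hash, because card numbers have so little entropy that an unkeyed hash of them could be reversed by brute force if the index were stolen.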
As mentioned, transaction security is complex, but we encourage you to check whether your gateway meets these standards; if not, you should demand them. Twispay understands the importance of security in eCommerce and incorporates all of these standards into its payment gateway. If you want to know more about our commitment to security, you can find further info here, or we can have a coffee and talk more.