When you accept credit and debit cards from your customers, you are entering into a sacred trust. Your customer is expecting that your company and the various systems that you use will ensure that the personal information they have provided will not be intercepted and used by criminals for their own malicious purposes. At the same time, you too must ensure that these processes remain as airtight as possible. After all, your business’s good name is involved. In order to give your buyers peace of mind and protect your own reputation, it is crucial that you do all you can to make your payment processing secure. Taking the following steps can bring you a long way down the road to achieving this goal.
Maintain PCI DSS compliance.
Particularly since the turn of the century, data breaches have become an increasingly serious problem for businesses of all sizes. To address this escalating situation, members of the credit card industry, including Visa, Mastercard, American Express, Discover, and JCB, formed the Payment Card Industry Security Standards Council in 2006. After careful deliberation, this body produced a unified set of data security requirements known as the Payment Card Industry Data Security Standard (PCI DSS), more commonly referred to simply as PCI compliance. Since then, any business that manages, transmits, stores, or otherwise handles sensitive cardholder data must comply with this complex set of requirements. In general, PCI compliance involves the following stipulations:
- Collect and transmit all credit card information and other sensitive details securely.
- Store data securely as set forth in the 12 domains of the PCI standard. This concerns areas such as encryption, security testing, and ongoing monitoring.
- Take steps annually to confirm that your business is PCI compliant, using measures such as third-party audits, attestation forms, self-assessment questionnaires, and external vulnerability scanning, or make sure you are partnered with a merchant services provider who will handle PCI compliance for you.
If your company never brings customer card data into contact with your own servers, you are only required to adhere to 22 PCI compliance security controls. In cases such as this, you are wise to let a PCI-compliant third party do the hands-on payment acceptance and carry the responsibility for meeting the full range of rigorous PCI standards.
Use SSL protocols.
The Secure Sockets Layer (SSL) protocol establishes an encrypted link between a server and a client, usually a website and a browser, or an email server and a mail client, so that sensitive information cannot be read in transit. For your customer’s browser to communicate securely with your website, you must have an SSL certificate. If you do, the following process can occur:
- Your customer’s browser connects to your website through an https address. The browser then requests that your server identify itself.
- Your server sends a copy of its SSL certificate along with its public key.
- The browser checks the certificate against a list of trusted Certificate Authorities and makes sure that it is not expired, that its name is valid, and that the certificate has not been revoked.
- If all of the above checks out, the browser creates a unique session key, encrypts it with the server’s public key, and sends it to the server.
- Your server decrypts the session key with its private key and returns an acknowledgement, completing the encrypted “handshake”.
- All data between the customer’s browser and your server is then encrypted with the session key.
It should be noted that the SSL protocol has been used for many years to safeguard and encrypt transmitted data. However, the more recent versions of this protocol have been renamed TLS (Transport Layer Security), with the latest update being TLSv1.2.
Use tokenization.
In simple terms, tokenization involves using one thing to represent something else. In the world of data security, it means substituting a digital stand-in for any sensitive customer data in your possession before that data is sent for processing. You should never store unsecured customer data on your servers, as doing so leaves you highly vulnerable to costly data breaches. Tokenization enables all sensitive information to be encrypted before it even reaches your server, thus relieving you of the liability you would otherwise incur. The process works like this:
- Sensitive data is tokenized, that is, replaced by a random string of letters and numbers.
- Once the transaction is authorized, the sensitive data is sent to a centralized server, where it is stored.
- Your system then receives a unique string of characters that can be used in lieu of the customer’s credit card data.
As you seek a payment gateway to process your online transactions, be sure to select one that offers the latest tokenization capabilities.
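The following is an added illustration, not code from the original article or from any payment gateway: a minimal token vault that stands in for the gateway’s tokenization service. It assumes (hypothetically) that the vault holding the card numbers lives inside the provider’s PCI scope, so your own database only ever holds the token and a masked number; the sample card number is a constructed test value.

```python
import secrets

# Added example, not the article's code: a minimal token vault that stands in
# for the gateway's tokenization service. Assumption: in a real deployment the
# PAN table is encrypted and lives inside the provider's PCI scope, not yours.

def luhn_valid(pan: str) -> bool:
    """True if pan is all digits and passes the Luhn check-digit test."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    def __init__(self) -> None:
        self._pan_by_token: dict = {}
        self._token_by_pan: dict = {}   # one card -> one token, for repeat customers

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        # Random rather than a hash of the PAN: a hash could be brute-forced
        # over the small space of numbers behind a known issuer prefix.
        token = secrets.token_urlsafe(24)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str):
        """Only the processor, inside PCI scope, ever calls this."""
        return self._pan_by_token.get(token)


def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What your own database may keep: the token and a masked PAN for receipts."""
    token = vault.tokenize(pan)
    return {"token": token, "masked": "*" * (len(pan) - 4) + pan[-4:]}


# Constructed sample: the classic Visa test number, which is valid under Luhn.
SAMPLE_PAN = "4111111111111111"
```

Because the token is random rather than derived from the card number, a leak of your database exposes nothing a criminal can charge; only the vault can map it back.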
Add an extra layer of protection with 3D Secure.
Three-Domain Secure (3D Secure) is a payer authentication security protocol that can help you further protect your customers’ online credit and debit card transactions from fraud. Created by the Visa and Mastercard brands, it is a multi-step process spanning three domains: the issuer domain, the acquirer domain, and the interoperability domain (the payment system). The 3D Secure process works as follows:
- You enable 3D Secure on your website.
- The customer inputs their 3D Secure-enrolled debit or credit card information into the payment form.
- A centralized server is contacted to validate that the customer’s card is registered with 3D Secure.
- The 3D Secure page comes up when it is time for the customer to authenticate their identity with the issuing bank.
- The transaction details are sent to the acquiring bank.
- The acquirer either authorizes or denies the transaction.
- The response of acceptance or declination is sent to the customer.
When you employ 3D Secure, you can expect that you will decrease the likelihood of fraud. Furthermore, your customers will feel safer doing business on your website and may be more loyal to your brand for the long haul. In the end, this should result in increased sales for your online business.
Protect your login screen and members areas against hackers.
To further deter criminals, require that your customers always log in with unique usernames and passwords. Adding a CAPTCHA field also requires users to describe an image or complete a task to prove that they are not automated bots. This step helps to shield your site from SQL injections or other types of hacks.
Less is more when requesting customer information.
Request from your buyers only what is absolutely necessary to process the transaction. Sensitive data such as dates of birth and Social Security numbers are particularly tempting to criminals looking to exploit any vulnerability in your website. In the end, it is best for your customers to keep such information to themselves.
Make regular assessments.
Just because your systems and processes were compliant and secure last year does not mean they still are. It is your ongoing responsibility to ensure that your entire payments landscape is as safe and protected as possible. To that end, frequently check for software and firmware upgrades. In addition, regularly assess your site to ensure that:
- Your webpage is clear, runs smoothly, and is accessible to mobile devices.
- SSL is properly installed.
- Only necessary information is requested on form fields.
- No broken or inappropriate outside links exist.
- Any third-party sales platforms that you may be using are in compliance with PCI standards.
It is recommended that you perform an informal audit of your website and payment pages at least once per week to ensure that all is well.
Enlist the support of your staff.
Keeping your payment processing secure is a job that everyone in your organization must take responsibility for. All personnel should receive comprehensive training on your expectations for how to handle email, store data, use tablets and other mobile devices, process customer returns, and so forth. Provide cashiers with the tools they need to spot red flags, and be sure to contact the authorities should a suspected incident occur. In the end, the more transparent you are about situations that may arise, the better it will be for your reputation. You may even avoid being charged substantial penalties.
Keeping your networks and protocols locked down against intruders is one of the most important investments you can make in your business and your customers. Although incorporating these processes and protocols may seem overwhelming at the outset, they will move your company miles ahead in terms of compliance with industry standards and will help to create happy customers who should return to your physical store or website again and again.