Secure Payments

Early attempts at fraud prevention for merchants who take credit cards were focused on the cards themselves. The features are still there – a difficult to duplicate card, owner’s signature on the back, and when physically present, a businesses could ask for other identification to verify authenticity. However, with the explosion of online payment processing, these security measures aren’t enough. Data is too easy to copy and forge. The card itself isn’t available and verification must depend on entered data. Even a signature cannot be obtained when you take payments online.  Strong credit card processing security measures have become essential in today’s marketplace.

What is Breach Protection?

A data breach occurs when unauthorized people gain access to private information. For those who accept credit card payments online, all the information needed to run charges is entered by customers – if this is stolen, thieves can then use it to make fraudulent charges. Handling private customer data then represents a possible risk and liability for your business. If you are the custodian of the information, you have a responsibility to keep it secure and protected.

For this reason, secure online payment processing companies offer breach protection as part of their services. In the U.S. laws at the State level cover how personal data should be handled, but to a large degree, they only require notification when there is a breach – merchants are left without good guidance from legislation on what their responsibilities are.

Various organizations have addressed this issue and the credit card industry has as well. Part of your contract with an online payment service will be compliance with these guidelines. Depending on how you submit credit card information – the type of payment gateways used – your responsibilities and liabilities will vary, along with the cost per transaction.

The lowest cost (highest security) comes when a customer is physically present, has their card and verifies with a signature. Secure payment systems online will generally charge more per transaction to offset the greater risks of fraud because neither the card, nor the cardholder is present when the sale occurs.

What is PCI?

As data transfer became more complex and data breaches (some quite newsworthy) happened, the major card issuers got together to come up with standards to protect themselves from data theft. These standards are called Payment Card Industry Security Standards (PCI DSS). To meet your obligations to card issuers, you will have to use a PCI compliant, secure payment gateway to submit charges.

If you take payments online and have a merchant processing account, you will be required to be PCI DSS compliant. While there are some states that have these standards written into law, most enforcement will be through fines levied by the credit card companies themselves.

The standards for electronic payment processing continue to evolve – partly in reaction to new technologies, but also because crooks find ways to circumvent the system. Currently, the standards fall into six main categories:

  • Build and maintain a secure network – this includes firewalls and strong passwords.
  • Protect cardholder data – includes encryption standards.
  • Manage vulnerability – updating anti-virus software and structural software when vulnerabilities are discovered.
  • Access control – Need-to-know level of protection, segregate all users and track access – both virtual (over a terminal) and physical (where the data is actually stored).
  • Periodic testing and monitoring of systems.
  • Keep clear policies and procedures relating to the above.

Each of these areas will have specific concerns that need to be addressed to secure retail payments in an online environment.

Best Practices for Breach Protection

The eternal conundrum is striking the right balance between usability and security. The more efficient a system is, and the more user friendly, the less secure it will be. However, there are excellent practices that give higher security without too much cost or inconvenience.

AIM and SSL – Advanced Integration Method and Secure Socket Layer are protocols used to secure payments online by keeping the data which flows between you and your customers secure. It allows you to host your own payment form and collect data on your site. The alternative is to use payment solutions offered by your gateway. Larger businesses will want control of the payments processing (perhaps linking it to accounting functions) while smaller businesses will pay to have this handled by others.

Third Party Solutions – Often offered as an integrated shopping cart solution, third parties can take over the responsibilities of secure payment solutions. By keeping up with PCI DSS, this frees you to focus on sales instead of the behind the scenes technical issues. Finding the best payment gateway might include getting a service with a solid (and secure) software shopping solution.

Basic Computer Security – Ultimately, any system can be breached if your own computer is successfully attacked. To prevent this you should change passwords at a minimum on a bi-monthly basis, use a firewall and anti-virus software, maintain physical security and storage for any data you retain, and avoid using email or other non-secure methods to transmit important data. Many breaches happen because an email is hacked and then other passwords and activity mapped by tracking email.

Compliance Assessment

Merchant services can be withdrawn or you can be penalized if you fail to follow PCI DSS standards. Transaction processing compliance is measured periodically, based on the level of business you transact. These assessments are designed to test for secure online transaction capability. When you accept secure payments and keep them secure, the entire network is made more secure.

All levels mentioned below may undergo a quarterly security scan in addition to the standards mentioned here. These are done by independent vendors and used as a type of “spot check” or when you are operating in an environment where fraud is a higher risk.

Level One – Major businesses and networks doing six-million or more transactions a year. These are conducted annually by a professional auditor.

Level Two Through Four – These all use an annual self assessment questionaire (SAQ) appropriate for their businesses. The levels range from millions of transactions (level two) down to less than 20,000 (level four). The self assessment quiz covers the points raised above. It comes in four styles: A, B, C and D.

A — Card-not-present (e-commerce and phone sales) where customer data isn’t held by the merchant.

B — Terminal or imprint operations (physical card present) where no data is held by the merchant and data flows only through phone lines.

C — Internet transactions or data that flows over the Internet – no customer data storage.

D — All others, usually e-commerce where data is held by the merchant instead of a third party payment gateway.

The PCI Security Standards Council owns the copyrights to the SAQ forms, but you can view and take the assessments online here. Merchants may also want to utilize the PCI DDS website to gain additional information prior to accepting credit cards online – these questionaires are excellent guides to practices you should be using anyway.