Are online payments safe? How can you sell securely online?

The boom of ecommerce prompts many businesses to ask: are online payments secure? The simple answer is yes, but only with security measures in place.

Whereas consumers have suffered more losses in the recent year due to e.g. impersonation scams and fake investments being sold online, businesses have experienced a reduction in financial losses related to their online payment system.

UK Finance reports that card-not-present (CNP) fraud – where stolen card details are used for online/remote purchases – fell by 6% in the first half of 2020 to £222 million compared to the same period in 2019. In contrast, the total number of CNP fraud cases increased by 5% compared to the year before, which implies that card issuers are better at identifying and stopping fraudulent transactions online.

The data suggests that remote purchase fraud are mainly from criminals attempting to use card details they got through phishing emails, third-party data breaches, text message scams and other data theft.

However, losses due to online card fraud are preventable – if you know what to look for. The security checks are different for the cardholder and online business:

Warning signs for consumers include insecure web pages and dubious requests for card details and personal information over the phone or in messages.

Merchants mainly need to worry about whether the card information accepted is genuinely submitted by the card owner. If stolen card details are used and the transaction goes through, this is a fraudulent transaction that will likely be flagged and reversed.

With a good security system in place, suspicious transactions are detected and blocked. Let’s look at what merchants can do to prevent fraud and have the safest online payment system possible.

3-D Secure

3D Secure is a security protocol requiring an additional verification step during online transactions. The protocol falls under different names depending on what credit or debit card is being used:

• Visa: Secured by Visa
• Mastercard: Identity Check (previously SecureCode)
• American Express: SafeKey
• Discover: ProtectBuy
• JCB: J/Secure

“3D” refers to the three domains that interact during the verification step: 1) acquirer domain (merchant’s side), 2) card issuer domain (customer’s bank), and 3) interoperability domain (card scheme’s software infrastructure enabling the authentication). It isn’t a quick verification – the whole process usually takes several seconds just to load.

However, the EU’s Payment Service Directive 2 (PSD2) has paved way for 3D Secure Version 2 that is more efficient and secure. In the EU, it is now a requirement for payment service providers to use strong customer authentication (SCA), i.e. multi-factor authentication which 3-D Secure Version 2 complies with in most cases.

Previous versions of 3-D Secure have left some payers vulnerable to phishing attacks, i.e. where hackers can obtain sensitive information typed into the web page.

Image: Stripe

3D Secure authentication step for a Mastercard transaction.

3D Secure Version 2 no longer redirects the payer to an external web page requesting the same keyed information like a password. Instead, it sends transaction data to the customer’s bank that will determine if it’s a high-risk transaction. Only if the payment is deemed high risk will there be an extra authentication step such as providing a text message passcode or using biometric authentication (if shopping from a phone).

This more streamlined version of 3-D secure is less likely to put buyers off from completing a transaction, which has been a concern for businesses. Being redirected to an external web page to complete a payment puts some people off, and sometimes, even honest cardholders fail at giving the right answers.

Address verification service (AVS)

A common check in Canada, US and the UK is the address verification service (AVS), sometimes referred to as ‘address verification system’. This is where parts of the cardholder’s billing address are submitted for the issuing bank to verify. If the details match, AVS confirms the transaction can go ahead.

Image: Worldpay

A standard Worldpay checkout requires address information.

There are actually two versions of AVS. The automated verification is the one suitable for online payments completed by the cardholder. This prompts the payer to enter their postcode and street address matching the address saved in the account. A non-match causes the transaction to fail.

The manual verification is for face-to-face merchants. The till person gets a prompt to verify the customer’s address in-store, then calls the customer’s bank that will ask the cardholder to verify account details. If satisfactory, the merchant can manually approve the payment.

Address verification is often used together with CVV2 verification, the 3- or 4-digit code in the signature field of the customer’s card. This is another essential security check that reduces the likelihood of fraudulent transactions, since many fraudsters do not have the physical card to check this.

PCI-DSS compliance

Payment Card Industry Data Security Standard (PCI-DSS) is an international security standard enforced by Visa, Mastercard and other industry players to prevent fraud from data breaches in a company. It is intended for any business that transmits, receives or stores sensitive card payment data.

To comply, your business has to complete an application and periodical reviews of how card payments are handled in your business. Certain processes have to be followed to ensure payment data stay protected.

PCI-DSS compliance is especially important for remote transactions through a virtual terminal, where the merchant handles sensitive card details for one-off transactions, and card-on-file transactions where card details are saved for repeat payments authorised by the customer.

Online payments also require PCI-DSS compliance, managed either by you or the online payment system. Many of the biggest merchant service providers in the UK and US can assist in setting up this compliance, but it does usually cost a monthly fee – and non-compliance fees, if the paperwork has not been completed in time.

Pay-as-you-go online payment systems like Square and SumUp, on the other hand, do not require PCI-DSS paperwork.

SSL certificate

A Secure Sockets Layer (SSL) certificate shows customers that your website is who it says it is. It also enables an encrypted connection so payers can rest assured that card details entered on your web pages are protected from hackers. This way, online shoppers get the reassurance that it’s safe to pay in your online store.

If there’s a padlock icon next to your URL field, it means the web page is already encrypted and SSL-certified.

The padlock icon means the site is secure.

If you’re building a site from scratch, you may need to install this protection manually, whereas most all-in-one website platforms automatically have it on your website.

Dealing with security measures

If 3-D Secure, AVS, PCI compliance and SSL certificates are too much to deal with, you can simply choose an online payment gateway with the customer support to guide you through the setup.

Worldpay, for example, welcomes you to phone customer support and ask for help about online payments security. They also have a streamlined PCI-DSS application process, though costs apply.

Many payment service providers offer direct support for PCI-DSS compliance. Others – PayPal included – recommend third-party providers who can guide and manage it for a cost. Others, like Square, don’t require anything from your end because their payment security systems are handled purely from their end.

Even with security protocols, a system is rarely bullet-proof 100% of the time. For peace of mind, you should keep an eye out for suspicious patterns in your payments. If, for example, it looks like the same person is using many different cards for transactions, it could be a fraudster who stole the card details.