Your guide to ecommerce security with payment gateways.

Business tips
Joshua Griffin


Security is a major concern for ecommerce businesses, particularly in light of the increasing number of large data breaches occurring across industries. In 2016, 48% of Americans suffered credit card exploitation at the hands of fraudsters, and about 90% of all retail website logins in 2018 were attempted by fraudsters seeking unauthorized access. A secure payment gateway helps protect sensitive customer information from these malicious third parties and should be an essential factor in your data security protocol.

What is a payment gateway? Why does your business need one?

You can think of a payment gateway as the online equivalent of a physical point of sale (POS) system. It’s the front-end technology allowing you to accept credit card payments on your website using information customers input during checkout. In most cases, an API connects your website to the payment gateway so that customers can pay without leaving the branded page, which maintains a cohesive purchasing experience.

A payment gateway is just one part of a complete payment processing system. To handle debit and credit card transactions, you need a gateway to collect customers’ card information, a payment processor to process transactions, and a merchant account to collect money from completed purchases until they’re transferred to your business bank account. The gateway acts as a bridge between your website and the payment processor to facilitate transactions and authorize the transfer of funds from customers to your business. Payment gateways may also perform other functions, such as calculating sales tax or adding shipping costs.

You have the choice of three different types of payment gateway setups for your ecommerce business:

  • Allow customers to choose their preferred payment method and be redirected to a trusted provider’s website to complete the transaction.
  • Integrate payment acceptance directly to your website and let the provider handle processing on their back end.
  • Host and handle all processing on your own servers.

Most small businesses use one of the first two options because self-hosted payment processing requires more server power and puts a greater degree of responsibility for compliance, data security, and fraud prevention on the merchant.

Payment gateways may be obtained from your merchant account provider or a third-party company and integrated with your existing business systems. Many POS providers include payment gateways in their products so that you don’t have to set one up separately. If you’re already using a POS system for your physical location and are looking to add a payment gateway to your website, check if the option is available from your POS provider.

How payment gateways work.

A customer’s interaction with your payment gateway occurs when he or she finishes shopping and begins the checkout process. First-time customers input payment information, including name, billing address, credit card number, and CVV code, and send it through for verification.

Of course, what takes only seconds on the customer’s end is actually a complex multi-step process involving several data transfers and interactions. After card information is submitted:

  • The data is encrypted in transit using your website’s SSL/TLS certificate.
  • Encrypted data is sent to the payment gateway.
  • The gateway converts the transaction data and sends it to the payment processor.
  • The payment processor transfers the data to the card issuer.
  • The payment is authorized or rejected based on available funds and whether or not fraudulent activity is suspected.
  • The card issuer sends a confirmation or denial to the payment processor.
  • If payment is confirmed, the transaction is authorized.
  • The payment gateway receives notice of the authorization and completes the transaction.

Each authorized transaction puts money into your merchant account, which is then transferred to your business bank account within a few days.

Seeing the steps involved clarifies the importance of payment gateway security. Data is vulnerable when traveling between points in a network and during processing at these various points. A weak area at any point in the transaction could allow hackers to breach your network and steal sensitive customer information.

However, the quest for security shouldn’t be so stringent that it slows down the customer experience. Customers are looking for a quick, efficient, and frictionless shopping experience and don’t want to spend a lot of time creating accounts for sites where they rarely shop or switching credit cards because a site doesn’t take the one they prefer. To provide a smooth experience while preserving security, look for a processor equipped to take cards from multiple issuers and with options for alternative payment types.

Integrations with popular payment options allow customers to check out fast using stored credentials and payment information. If you’d prefer to keep customers on your website for a completely branded experience, you can even speed up transaction times by allowing them to save payment data for future purchases.

Security features to look for.

Since ecommerce businesses are subject to 32.4% of all cyberattacks (and small businesses are the target of 43% of them), a secure payment gateway is a must if you want to accept credit card payments. Here’s what you should look for when comparing providers:

  • Point-to-point encryption — Secures credit card data during the entire transaction, starting at the point at which it’s entered.
  • Transport layer security (TLS) — Supports point-to-point encryption by protecting communication across the network.
  • Tokenization — Credit card information is replaced by a one-time token, which can’t be turned back into the card number if intercepted.
  • PCI compliance — Conforms to 12 specific security requirements and numerous sub-requirements all businesses processing credit card transactions must meet.
  • Address verification service (AVS) — Checks the billing address a customer enters against the address on file with his or her issuing bank.
  • Velocity detection — Compares the volume of orders from customers’ cards against purchasing histories to spot unusually high numbers indicative of fraud.
  • Digital signatures — Provide evidence to show information hasn’t been tampered with, thus validating both sender and data.
  • Fraud detection — Identifies potentially suspicious activity and flags it to prevent data theft.

Payment gateways should never store credit card information at any point during a transaction. Avoid solutions leaving gaps in encryption between data entry and processing. If possible, choose a solution employing both encryption and tokenization for added protection. Evaluate the security practices of the gateway provider, as well, to determine how well they handle their own customers’ information.
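The tokenization recommended above, as an added illustration (not code from the original article or from any particular gateway provider): a hypothetical gateway-side vault swaps the card number for a random token, and the merchant keeps only that token plus the last four digits for display. The card number used here is a constructed test value, not a real account.

```python
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test: rejects mistyped card numbers before tokenizing."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical gateway-side vault: the only place the full PAN is kept."""

    def __init__(self) -> None:
        self._pans = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # The token is random, so it carries no information about the PAN:
        # a leaked or intercepted token cannot be reversed into a card number.
        token = "tok_" + secrets.token_hex(16)
        self._pans[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pans[token]


@dataclass(frozen=True)
class SavedCard:
    """What the merchant stores for 'save my card': token and display data only."""
    token: str
    last4: str


def save_card(vault: TokenVault, pan: str) -> SavedCard:
    """Merchant side: hand the PAN to the vault once and keep just the token."""
    return SavedCard(token=vault.tokenize(pan), last4=pan[-4:])


def charge_saved_card(vault: TokenVault, card: SavedCard, amount_cents: int) -> dict:
    """Merchant submits only the token; detokenization happens inside the gateway."""
    pan = vault.detokenize(card.token)
    return {"approved": amount_cents > 0, "masked_pan": "*" * 12 + pan[-4:]}
```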

Managing payment gateway security risks.

Checking the breach history of payment gateway providers gives you a good indication of reliability. Recent, frequent, or large breaches may indicate poor security, meaning your own data and that of your customers would be at risk. Doing research into incidents takes time but is an important step in choosing which payment gateway to use.

Providers aren’t accountable for all risks. You’re still responsible for implementing and maintaining your own security protocols and making use of the security tools payment gateways offer. Many businesses make the mistake of cutting corners with encryption and only protect credit card numbers, which leaves names, addresses, and phone numbers vulnerable to theft. Hackers can use this information to steal a customer’s identity or launch phishing schemes with the intent of obtaining login credentials for any number of sites. Failure to secure databases containing customer information has led to several breaches in the past, which highlights the necessity of ensuring that all data is always protected.

Hackers who have obtained login credentials are likely to attempt fraudulent purchases. Because these purchases are made using legitimate accounts, they’re harder to detect. Card-not-present transactions like those used on ecommerce websites are at a higher risk for fraud, which is why you need a payment gateway with technology designed to evaluate behavior in addition to checking traditional authenticators.
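Velocity detection, listed earlier among the features to look for, is one such behavioural check. The following is an added example, not code from the original article or any gateway vendor: it compares each card token’s order count in the last 24 hours against that card’s historical daily rate over constructed sample orders (the tokens and timestamps are placeholders).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed reference time for the sample data below.
NOW = datetime(2024, 3, 31, 12, 0, 0)


def constructed_orders():
    """Constructed order log: (card token, order time) pairs."""
    orders = []
    # alice: an order every three days for a month, plus one today (normal).
    for d in range(30, 0, -3):
        orders.append(("tok_alice", NOW - timedelta(days=d)))
    orders.append(("tok_alice", NOW - timedelta(hours=2)))
    # bob: card never seen before, five orders within fifty minutes.
    for m in range(5):
        orders.append(("tok_bob", NOW - timedelta(minutes=10 * m)))
    # carol: a daily shopper, three orders today (in line with her history).
    for d in range(30, 0, -1):
        orders.append(("tok_carol", NOW - timedelta(days=d)))
    for h in (1, 2, 3):
        orders.append(("tok_carol", NOW - timedelta(hours=h)))
    return orders


def velocity_flags(orders, now, window=timedelta(hours=24),
                   min_orders=3, multiplier=3.0):
    """Flag tokens whose recent order count far exceeds their historical daily rate.

    A card is flagged when it has at least `min_orders` orders in the window
    AND that count is more than `multiplier` times its baseline orders/day.
    Returns {token: (recent_count, baseline_per_day)}.
    """
    per_card = defaultdict(list)
    for token, ts in orders:
        per_card[token].append(ts)
    flagged = {}
    for token, times in per_card.items():
        times.sort()
        recent = [t for t in times if now - window < t <= now]
        history = [t for t in times if t <= now - window]
        baseline = 0.0
        if history:
            span_days = max((now - window - history[0]).days, 1)
            baseline = len(history) / span_days
        if len(recent) >= min_orders and len(recent) > multiplier * baseline:
            flagged[token] = (len(recent), baseline)
    return flagged
```

A flagged token is a signal for review or step-up verification, not an automatic decline; tune `min_orders` and `multiplier` against your own order history.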

Weak authentication protocols, such as relying only on passwords, increase the risk of a breach. Customers are notoriously bad at creating strong passwords and storing them securely. Your payment gateway should use some form of multi-factor authentication (MFA) to verify logins while offering customers their choice of authenticators, such as codes sent by text message or one-time passwords.

It’s also important to consider the risk of insider threats. Employees are often the target of phishing schemes, and if a hacker is able to infiltrate your network using credentials stolen from an unsuspecting internal user, your entire network could be compromised by malware, leading to data theft and loss.

Conducting regular security and access audits provides better visibility of how customers and employees use and interact with your network, including your payment gateway. Audits uncover weak points, allowing you to address breach risks with stronger security protocols and identify areas where tighter access control is required to ensure customers’ security.

When you accept credit card payments, you need to be sure that the information is protected from the moment a customer enters it through the completion of the transaction. Businesses of all sizes always deal with the risk of cyberattacks. Choosing a payment gateway with strong security is one way to reduce the likelihood of a data breach. Investigate the security options available to find a provider with the most reliable protection for your payment processing system.