9 Effective Steps In Securing Online Payments

Haseeb Awan
July 25, 2024

Introduction

Cybercrime continues to be a real and growing issue. It’s estimated that the various forms of cybercrime will have a global cost of $9.5 trillion in 2024. Although digital crime comes in various forms, such as phishing and ransomware, eCommerce businesses have real concerns about online payment fraud.

With online payment fraud losses exceeding $40 billion in 2022, the cybersecurity market continues to grow in response and is expected to reach a value of $100 billion by 2027. 

While it is heartening to see the security industry responding, organizations still need to take their own steps to secure online payments. 

What can your business do to prevent online fraud and instill confidence in customers?


What are online payments?

Online payments are digital payments made when a customer purchases goods or services from you through an online platform. They come in several forms, such as:

  • A transaction made by debit or credit card.
  • Direct debit (usually used for a recurring payment, such as a SaaS subscription).
  • Digital wallet payments such as PayPal (the most common type of online payment).
  • Bank (wire) transfers.

Online payments may be one-off transactions (for example, buying something from an eCommerce site) or recurring monthly payments (for example, when you sign up for a subscription service). With 34% of all online payments made by credit or debit card (an annual value of more than $2 billion), this is an area often targeted by cybercriminals.

Source: aite-novarica.com

As the chart above shows, fraudsters focus heavily on CNP (card-not-present) transactions, where the merchant can inspect neither the card nor the cardholder, and the resulting losses are huge. That is why it is so important for businesses to protect themselves from this type of crime.

9 steps to secure online payments

Source: grandviewresearch.com

Let’s say that you’re just launching your eCommerce business. Payment security will be a big part of your plans, as you want customers to feel confident when inputting their card details. 

What are the best practices to follow to protect your customers—and you—from the threat of cybercrime?

Verification

Many banks already challenge the cardholder with an OTP (one-time password) for significant transactions through issuer-side step-up authentication (3-D Secure), but merchants should still run their own checks. Because the customer is not physically present for you to inspect the card, ask for the following details and verify them with your payment processor before shipping: 

  • The card's CVV/CVC (card verification value or code), which shows the buyer has the physical card. Pass it to the processor for checking and never store it after authorization; PCI DSS forbids keeping it. 
  • A phone number in case of problems with the order.
  • An email address, validated for format and ideally confirmed with a message. 
  • The billing address on file with the card issuer, verified through AVS (Address Verification Service). Treat a mismatch as a signal for manual review rather than an automatic decline, since issuers report partial matches too. 

2FA (two-factor authentication)

Any cybersecurity plan should include 2FA (or MFA). Its main job is protecting your own business accounts: if a cybercriminal takes over your admin, email or payment-provider account, they gain access to your customers' confidential information. As previously mentioned, many banks also apply a second factor to the cardholder when a major purchase is being made. 

With 2FA, two separate forms of identification are required to proceed. The first is your password. After providing this, the system requires a second, which may be an OTP sent to your phone, a code from an authenticator app, a hardware security key, or a biometric step such as a fingerprint or facial ID. Not all second factors are equal: an SMS OTP can be intercepted by SIM swapping, and a code typed into a phishing page can be relayed by the attacker in real time, so for accounts that control payments prefer an authenticator app and, where supported, a phishing-resistant factor such as a FIDO2 security key. 

Insurance 

Even with robust cybersecurity measures, things can still go wrong, whether through skilled attackers or insider actions such as a dishonest member of staff. Specialized cyber liability insurance offers a 'parachute' if fraud does occur.

Cyber liability insurance typically covers costs incurred through cybercrime: lost revenue, the cost of notifying your customer base, and the cost of recovering lost data or repairing compromised systems. It usually also covers claims made against you by affected customers. 

You should also be aware of what cyber liability insurance typically does not cover, such as loss of value from IP (intellectual property) theft and the cost of upgrading your security afterwards. Read the policy's exclusions before you rely on it.  

Choose platforms and providers carefully

Numerous online payment platforms are available, with varying levels of security. Here, security should outrank price: choose an eCommerce payment platform on its reputation and its security record. 

You'll find many established providers that take security very seriously, as it is their reputation on the line if they get things wrong. Carry out a vendor risk assessment for any potential provider, just as you would for your own operations: ask for its current PCI DSS Attestation of Compliance, check which PCI DSS requirements remain your responsibility under its integration model, and confirm how it handles incident notification. Cybercriminals use ever more innovative techniques, so look for providers that are equally innovative in their defenses. 

Data storage

Source: statista.com

Cybersecurity is not just about the potential loss of money; stolen data plays a major role in activities such as identity theft. 

On a personal level, you've probably seen your browser offer to 'remember' card details and passwords. That is risky in itself; now imagine it at an organizational level. 

Ideally, you should not store customer payment information at all. Let a PCI DSS compliant payment processor handle the card number and return a token that you use for refunds and repeat billing; the full card number then never touches your systems. If you must keep something, keep only what the processor permits (typically the token, the last four digits, the expiry date and the card brand), never the full card number in plain text and never the CVV, and protect it with strict access control and encryption (and carry cyber liability insurance in case of a breach). The same rule applies to paper records and to exports, backups and logs, which are where card numbers most often end up by accident.
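The following added example (my own code, not the article's or any payment provider's) ties together the Verification section above and the storage advice here. It runs the pre-authorization checks a merchant can do locally (Luhn, CVV length by brand, expiry, email format), turns the processor's AVS and CVV result codes into an approve/review/decline decision, and then shows the only card record worth keeping plus a log scrubber that masks card numbers before they leak into logs. The AVS/CVV code table, the 250 review threshold and the tiny brand-prefix table are assumptions to adapt to your processor; the sample inputs are published test card numbers, not real cards.

```python
import re
from dataclasses import dataclass

# ---- Checks run before an authorization request is sent ----------------

def luhn_ok(pan: str) -> bool:
    """Luhn check digit (ISO/IEC 7812-1): catches typos, not fraud."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def card_brand(pan: str) -> str:
    """Tiny prefix table (assumption): enough to pick the CVV length; real BIN tables are larger."""
    if pan[:2] in ("34", "37"):
        return "amex"
    return "visa" if pan[:1] == "4" else "other"

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SEP_RE = re.compile(r"[ -]")

def validate_checkout(pan, cvv, exp_month, exp_year, email, today):
    """Return the names of fields that fail basic checks; [] means go to auth.
    `today` is (year, month) so the result is reproducible."""
    pan = SEP_RE.sub("", pan)
    problems = []
    if not luhn_ok(pan):
        problems.append("pan")
    want = 4 if card_brand(pan) == "amex" else 3        # Amex CID has 4 digits
    if not (cvv.isdigit() and len(cvv) == want):
        problems.append("cvv")
    if (exp_year, exp_month) < today:
        problems.append("expired")
    if not EMAIL_RE.match(email):
        problems.append("email")
    return problems

# ---- Decision on the processor's answer --------------------------------
# Assumption: one-letter AVS and CVV result codes as many US processors return
# them for Visa/Mastercard. Codes differ by processor and region; adapt the table.
AVS_STREET_ZIP = {"Y": (True, True), "A": (True, False), "Z": (False, True),
                  "N": (False, False), "U": (None, None)}

def decide(approved, avs_code, cvv_code, amount, review_above=250.0):
    """approve / review / decline. Issuers may approve an authorization despite
    an AVS or CVV mismatch; the merchant still eats the chargeback, so check both."""
    if not approved or cvv_code != "M":     # wrong or missing CVV: card not in hand
        return "decline"
    street, zipcode = AVS_STREET_ZIP.get(avs_code, (None, None))
    if (street, zipcode) == (False, False):
        return "review"
    if street and zipcode:
        return "approve"
    return "approve" if amount < review_above else "review"   # partial or unknown match

# ---- What may be kept afterwards, and keeping it out of the logs -------

@dataclass(frozen=True)
class StoredCard:
    """All a merchant keeps: the processor's token stands in for the PAN, and the
    CVV is never stored after authorization (PCI DSS Requirement 3)."""
    token: str
    brand: str
    last4: str
    exp_month: int
    exp_year: int

def to_stored(token, pan, exp_month, exp_year):
    pan = SEP_RE.sub("", pan)
    return StoredCard(token, card_brand(pan), pan[-4:], exp_month, exp_year)

def mask_pan(pan: str) -> str:
    """First six and last four are the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def scrub_log_line(line: str) -> str:
    """Mask Luhn-valid runs of 13-19 digits before a line reaches logs or tickets;
    order numbers and timestamps that fail Luhn are left untouched."""
    def repl(m):
        digits = SEP_RE.sub("", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(repl, line)
```

Run `scrub_log_line("order 1234567890123456 card 4111 1111 1111 1111 ok")` to see the point of the Luhn check inside the scrubber: the 16-digit order number fails Luhn and is left alone, while the spaced test card number is masked to `411111******1111`. Masking at the logging layer is cheap insurance; most card-data findings in assessments come from debug logs and support tickets, not from the database.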

Comply with PCI requirements 

Many laws and regulations may govern various areas of your business. If you accept card payments, the rule set that applies is the PCI DSS (Payment Card Industry Data Security Standard). It is not a law but a contractual standard enforced by the card brands through your acquirer, and it applies wherever in the world you take branded cards; how much work it involves depends on how much card data touches your systems. PCI DSS requires any business taking card payments to: 

  • Protect stored account data, and never store the CVV/CVC or full magnetic-stripe data after authorization. 
  • Encrypt cardholder data in transit over public networks.
  • Keep networks and systems securely configured and apply security updates promptly.
  • Restrict access to cardholder data to people who need it for their job, with unique IDs and MFA. 
  • Run regular malware scans and keep protection up to date. 
  • Test networks and systems regularly, and monitor logs for intrusive or suspicious behavior. 
  • Maintain an incident response plan and respond quickly to any attack or breach. 

A compliance-management platform (one that tracks PCI DSS controls, evidence and reporting) can help with the assessment paperwork, but it does not replace the controls themselves. 

Get your site SSL certification 

Savvy customers will look for the padlock that shows a site has a TLS certificate (still widely called an SSL certificate, after the protocol TLS replaced). It gives them confidence to proceed with card payments, because communication between customer and vendor is encrypted and the server has proved its identity to a certificate authority. 

An 'https' address shows the certificate is in place. That alone does not make you PCI compliant, but encryption in transit is one of the PCI DSS requirements, and the standard no longer accepts SSL 3.0 or TLS 1.0, so configure TLS 1.2 or later and send an HSTS header so browsers refuse to fall back to plain HTTP. You should also consider placing a web application firewall in front of the checkout and running an intrusion detection system that can spot and block attempts at intrusion. 
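As an added example (mine, not from the article), here is the difference between "has a certificate" and "configured properly" expressed with Python's standard `ssl` module: a legacy server context that still admits old protocol versions next to a hardened one that enforces TLS 1.2 or later, forward-secret AEAD cipher suites and no compression, plus the HSTS header to send with every response. The certificate and key paths, the cipher string and the one-year HSTS max-age are assumptions; a web server such as nginx would carry the equivalent settings in its own configuration.

```python
import ssl

# PCI DSS Requirement 4 asks for strong cryptography in transit. SSL 3.0 and
# TLS 1.0 are not considered strong (and 1.1 is not in practice), so TLS 1.2 is the floor.
PCI_MINIMUM = ssl.TLSVersion.TLSv1_2


def legacy_context() -> ssl.SSLContext:
    """The weak setting: admit whatever old protocol the OpenSSL build still allows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """The corrected setting for a checkout host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION          # rules out CRIME-style compression attacks
    # Forward-secret AEAD suites only (applies to TLS 1.2; TLS 1.3 suites are fixed by OpenSSL).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    if certfile:                                   # assumption: PEM chain and key on disk
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def meets_pci_minimum(ctx: ssl.SSLContext) -> bool:
    """The check a scanner or a deploy-time self-test should perform."""
    return ctx.minimum_version >= PCI_MINIMUM


def security_headers() -> dict:
    """Send with every HTTPS response: browsers then refuse plain HTTP for a year."""
    return {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
```

Note that `meets_pci_minimum(legacy_context())` is false even though that context would happily serve a valid certificate: the padlock a customer sees says nothing about the protocol floor, which is why external scans (an ASV scan, for PCI purposes) test the handshake rather than the certificate alone.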

Train your staff

Many data and security breaches are down to human error. In the UK, the ICO (Information Commissioner’s Office) found that around 34% of breaches were due to human error. Think of your staff as the frontline troops when it comes to data security and ensure they are trained properly. 

The most common types of human error are:

  • Sending data (by email, fax, or post) to the wrong person/people.
  • Failing to redact sensitive information when needed. 
  • Sender failing to use Bcc (blind carbon copy) when sending an email. 

Train everyone who works with data or sensitive information to identify and deal with suspicious emails or phone calls that could be phishing attempts to harvest passwords or other login credentials, and to treat email attachments as possible malware carriers. 

Train them, and refresh the training regularly, on keeping their login details secure: use a unique password for every account (a password manager helps), enable 2FA wherever it is offered, and change a password promptly if a compromise is suspected. Devices, whether desktop or mobile, should be locked or logged out when not in use, and external hard drives or USB sticks containing sensitive information should never be left unattended. 

Offer different payment options

If you currently accept only card payments, consider widening the choice. Digital wallet payments such as Apple Pay are growing in popularity and add security through network tokenization: the merchant never receives the real card number, only a device-specific token, and each transaction carries a one-time cryptogram, so a breach of your systems yields nothing reusable. Electronic checks, though less popular, settle through the ACH (Automated Clearing House) network; they avoid card fraud and card chargebacks, though returns for insufficient funds or a disputed debit are still possible, so verify the account before shipping high-value orders.

The other thing to consider about offering additional payment options is customer choice. If a customer moves through your website, picks a product, and goes to the checkout process only to find you don’t offer their preferred option, then they may well go elsewhere for that product. 

The takeaway

If your business suffers a security breach because of negligence on your part, your brand reputation will suffer and you will lose customers. Not every breach is avoidable, but how you prepared for it and how you respond can matter more than the attack itself. 

Securing online payments is one of the most important cybersecurity measures you can take. From running a properly configured TLS certificate to complying with PCI DSS, you show customers that you prioritize security. Having the necessary measures in place helps you attract new customers and retain the ones you have. 


Haseeb Awan
CEO, Efani Secure Mobile

I founded Efani after being Sim Swapped 4 times. I am an experienced CEO with a demonstrated history of working in the crypto and cybersecurity industry. I provide Secure Mobile Service for influential people to protect them against SIM Swaps, eavesdropping, location tracking, and other mobile security threats. I've been covered in New York Times, The Wall Street Journal, Mashable, Hulu, Nasdaq, Netflix, Techcrunch, Coindesk, etc. Contact me at 855-55-EFANI or haseebawan@efani.com for a confidential assessment to see if we're the right fit!
