
Securing online payment gateways

By Staff Writer, ITWeb
Johannesburg, 14 May 2013

E-commerce businesses must have the basics right before accepting credit cards to transact online.

So says Peter Harvey, MD of payment services provider PayGate, who adds that allowing card purchases makes online sales much easier, but businesses are responsible for any credit or debit card information they store, transmit or process.

"If cardholder [data] is stolen and you are responsible, you could face fines, penalties and even lose the right to accept payment cards," he says.

Hiring reputable professionals for Web development is an important first step in ensuring businesses and customers are protected, says Harvey. "Make sure your Web developer has specific experience in building e-commerce sites. Ask them what shopping carts and payment gateways they prefer and why, and [get them] to explain to you in detail how the process works. If they can't explain it to your satisfaction, you need to wonder whether they really understand it themselves - and in that case, can you accept their recommendations?"

It's worth investing in professionalism in this area, he emphasises. "If the online channel is important to your business, the checkout and payment process can make or break it. This is the last place you should be stingy with your budget."

Choosing a payment service provider with care is another important factor to consider. "Price is important, but don't fall for false economies," says Harvey. "The very first questions you ask should be about security - how does the gateway protect your customers' card information? Ask for proof that they are PCI [Payment Card Industry]-compliant."

Businesses should ensure that the payment provider they choose is reliable. "It's no good having a cheap payment gateway if they're down one day out of seven and your customers get turned away at the till. Ask about their downtime, and contact some other customers to ask about their experiences. Once you're satisfied that your security and reliability needs are met, then is the right time to let price be the deciding factor - not before."

Using a payment page hosted by a gateway provider can be a very safe option, Harvey adds. "This means that when a customer clicks 'Pay' or 'Checkout' on their shopping baskets, they get taken to a secure page that's isolated from your own Web site," he explains. This enables the business to avoid storing, transmitting or processing card information itself.

For those businesses that prefer to control the entire user experience, tokenisation is a good option, notes Harvey. "This means that instead of actual card information, you just store an encrypted token provided by the payment gateway. Next time you need to process a transaction on that same card, you just send the token. This is a simple but highly effective way to make sure you never need to store card numbers."

With card associations becoming stricter about businesses' responsibilities regarding card payments, ensuring security has never been more essential, Harvey concludes.
