What to Look for in Secure Payment Systems
A secure payment system is one that protects customer and merchant data both in motion (during an active transaction) and at rest (when stored). There are a variety of technologies and approaches available to ensure merchants’ online payments are executed securely, and every business must choose the most effective for their environment: the penalties for allowing hacks or data breaches are substantial.
Core Security Technologies for Securing Payment Systems
First let’s consider the key elements for securing payment while data is in motion - during an actual purchase and payment transaction.
- SSL-secure your website: these days, it is hard to find an e-commerce site that isn’t secured by SSL, but it is fundamental enough to bear re-stating. A site that is not secured with SSL is open to all sorts of easy hacks, allowing others to intercept data as it traverses the internet, which is bad for the consumer and merchant alike.
- Don’t collect more information than you need: the less information you collect from your customer, the less information is available for a hacker to steal. Consider using a third-party tokenization provider, that will actually provide APIs to collect and receive consumer sensitive data for you, eliminating the risk that it can be stolen from within your payment system
Equally important are the security measures you take to protect data when it is at rest, or stored. This has the potential, in fact, to be the least secure portion of your payment system, as hackers are always looking for ways to break into databases and remove information - often without the system owner even knowing they’ve been compromised.
- Encrypt all stored data: encryption uses a secret key to convert the raw data into an unusable version of itself. This is a bare minimum for stirring sensitive data, but it is likely insufficient: encrypted data can be reverted to its original form if a hacker can lay their hands on the encryption key, which renders your security measure ineffective.
- Tokenize all stored data: tokenization goes a step further than encryption, by swapping the raw data for a string that can never be reverted to the original - it is merely a reference to be used to retrieve the original from a secure storage location known as a token vault. Combining encryption and tokenization can render at-rest data virtually impossible to subvert.
Costs and Risks of Maintaining a Secure Payment System
Companies that transact business online are subject to the PCI-DSS standard, which governs how secure payment systems should manage sensitive data. This standard deals not only with the technical side of the business, but also with internal user operating procedures and more, which can make it relatively costly and onerous to maintain.
That said, failure to secure personally identifiable information (PII) and cardholder data (CHD) within a payment system can be costly. A high level of chargebacks can raise a merchant’s fees and end their relationship with downstream processors; a documented data breach can result in fines of up to half a million dollars, and continuing difficulty in finding reasonably-priced payment processing partners.
While very large companies may decide to take the risk of running everything internally, here are some of the biggest disasters suffered through payment data breaches:
- Equifax settled a case after they were extensively hacked for $425M
- Target settled a breach case for $18.5M, and reputedly spent over $200M on legal fees
- Shein was fined $1.9M for lying about a data breach
These are not liabilities most merchants are able to accept, which is why the vast majority opt to seek a vendor/partner to help build their secure payment system.
What to Look for When Seeking a Secure Payment System
Merchants effectively have two primary routes when selecting secure payment partner: choosing a full-service provider, or building a payment stack from various unbundled payment systems.
Full-Service Payment Service Providers (PSPs)
As with many technologies, the search for a secure payment system can easily land on a full-service platform, which can shoulder the risks involved in processing electronic transactions.
Standing at one level of abstraction beyond a payment gateway, a full-service payment service provider (PSP) can: provide APIs to collect data, ready access to payment processing, and secure - even tokenized - storage.
This, in turn, can relieve their client of the responsibility to maintain regulatory compliance in their own e-commerce systems. While the costs are higher than simply integrating to a payment gateway, these PSPs can accelerate time to market for new merchants, and create a predictable fee structure.
Custom Secure Payment Stacks
The more economically-defensible approach is to decouple ‘secure payment’ from ‘system’, and pair two different technologies. First, select a tokenization provider like Basis Theory to collect, store, and transmit data on request; then select one or more payment providers to whom that data might be transmitted.
With this setup, merchants can rapidly build a fully secure payment system, without bringing their own environment into regulatory scope, and enjoy the flexibility to build a payment optimization engine, which drives down the cost of financial transactions. Data is stored both in motion and at rest at the tokenization provider’s token vault, and the merchant is relieved of the commitment to a single full-service PSP.