What to Look for in a Secure Payment System
A secure payment system protects customer and merchant data both in motion (during an active transaction) and at rest (when stored.) There are a variety of technologies and approaches available to ensure merchants’ online payments are executed securely. Every business must choose the most effective for their environment: the penalties for not having secure payment processing are substantial.
First, consider the key elements for securing payment while data is in motion—during an actual purchase and payment transaction.
- SSL-secure your website: These days, it is hard to find an e-commerce site that isn’t secured by SSL, but it is fundamental enough to bear re-stating. A site that is not secured with SSL is open to all sorts of hacks, allowing others to intercept data as it traverses the internet, which is bad for the consumer and merchant alike.
- Don’t collect more information than you need: The less information you collect from your customer, the less information is available for a hacker to steal. Consider using a third-party tokenization provider, that will provide APIs to collect and receive consumer-sensitive data, eliminating the risk that it can be stolen from within your own payment system.
Equally important are the security measures you take to protect data when it is at rest, or stored. This has the potential, in fact, to be the least secure portion of a payment system, as hackers are always looking for ways to break into databases and remove information—often without the system owner even knowing they’ve been compromised.
- Encrypt all stored data: Encryption uses a secret key to convert the raw data into an unusable version of itself. This is a bare minimum for stirring sensitive data, but it is likely insufficient: encrypted data can be reverted to its original form if a hacker can lay their hands on the encryption key, which renders your security measure ineffective.
- Tokenize all stored data: Tokenization goes a step further than encryption by swapping the raw data for a string that can never be reverted to the original - it is merely a reference to be used to retrieve the original from a secure storage location known as a token vault. Combining encryption and tokenization can render at-rest data virtually impossible to subvert.
Costs of Maintaining a Secure Payment System
Companies that transact business online are subject to the PCI-DSS standard, which governs how secure payment systems should manage sensitive data. This standard deals not only with the technical side of the business, but also with internal user operating procedures and more, which can make PCI relatively onerous to maintain.
That said, failure to secure personally identifiable information (PII) and cardholder data (CHD) within a payment system can be costly. A high level of chargebacks can raise a merchant’s fees and end their relationship with downstream processors.
While companies may decide to take the risk of running everything internally, consider some of the biggest disasters suffered through payment data breaches:
- Equifax settled a case after they were extensively hacked for $425M.
- Target settled a breach case for $18.5M, and reputedly spent over $200M on legal fees.
- Shein was fined $1.9M for lying about a data breach.
These are not liabilities most merchants are able to accept, which is why the vast majority opt to seek a vendor/partner to help build their secure payment system.
What to Look for When Seeking a Secure Payment System
Merchants effectively have two primary routes when selecting secure payment partner: choosing a full-service provider, or having a modular payment stack with various unbundled payment systems.
As with many technologies, the search for a secure payment system can easily land on a full-service platform, which can shoulder the risks involved in processing electronic transactions. Standing at one level of abstraction beyond a payment gateway, a full-service payment service provider (PSP) can: provide APIs to collect data, ready access to payment processing, and secure - even tokenized - storage.
This, in turn, can relieve their client of the responsibility to maintain regulatory compliance in their own e-commerce systems. While the costs are higher than simply integrating to a payment gateway, these PSPs can accelerate time to market for new merchants, and create a predictable fee structure.
The more economically-defensible approach is to decouple ‘secure payment’ from ‘system’, and pair multiple technologies. Start with a tokenization provider like Basis Theory to access a payment vault that can collect, store, and transmit tokenized data on request; then work with multiple payment providers to transmit that data.
With this setup, merchants can rapidly build a secure payment system, without bringing their own environment into PCI scope.
Enjoy the flexibility to build a payment optimization engine, which drives down the cost of financial transactions and increases customer lifetime value. Data is stored both in motion and at rest at the tokenization provider’s token vault, and the merchant is relieved of the commitment to a single full-service PSP.
