5 Tips for Secure Online Payments: How Merchants Can Scale
Providing secure payment transactions is a shared responsibility, because so many entities are involved in an intricate chain of activities to complete a deal. Each time consumer cardholder data passes from hand to hand, an opportunity arises for something to go wrong; and each time something goes wrong, the risk of significant business harm grows.
Best practices help protect consumer data, reduce business risk, and protect the payment ecosystem. However, the cost of maintaining a highly-secure, fully-protected environment can be high, which is why the investment should match the size and volume of the business. The PCI-DSS standard, for instance, recognizes this, and places a lower burden of security on lower-volume merchants than on higher-volume ones.
These five tips will help merchants identify the right practices to secure their payments systems in a way that is responsible, compliant, and cost-effective.
Tip 1: Understand the PCI-DSS Levels
PCI-DSS is the standard used by all participants in the payments process to protect consumer personally identifiable information (PII) and cardholder data (CHD). It clearly outlines the responsibilities and obligations of everyone from the merchant to the acquiring and issuing banks to the payment service providers (PSPs) who seamlessly connect all the players together.
For large organizations, PCI-DSS compliance can be an expensive and time-consuming commitment, requiring not only internal business process redesign and the creation of a wide range of standard operating procedures, but also the independent sign-off of a Qualified Security Assessor (QSA).
However, PCI-DSS compliance requirements are not all made the same! The four levels are separated by transaction volume:
- Level 4: less than 20,000 transactions per year
- Level 3: between 20,000 and 1 million transactions per year
- Level 2: between 1 million and 6 million transactions per year
- Level 1: over 6 million transactions per year
The good news is that until your business reaches Level 1, you likely won’t require the sign-off of a QSA. Maintaining Level 3 and 4 compliance is largely a matter of filling out a self-assessment questionnaire (SAQ) and sharing it with your payment partners. So be aware that, until you start to really ramp up volume, the best practice is simply to keep your SAQs up to date.
Tip 2: Start Payment Acceptance Easily with an Aggregator
Not only is the payment process fairly complex, getting into the game can be too! To start with a full-stack in-house payment solution, you’ll need to obtain a merchant account from a bank, build a relationship with one or more payment gateways, or processors, then make sure you comply with their requirements (which often go way beyond what PCI-DSS demands).
Alternatively, you could start with a payment aggregator: a company that allows you to accept payments through their merchant account and essentially sidestep many of the best practices requirements you’d be forced into otherwise. Aggregators like PayPal, Stripe, and Square will make it easy to get started, not to mention providing you with technology that helps shield you from security requirements and risks: credit card numbers, for instance, go straight to them without passing through your system, eliminating the significant risk of data breaches.
Tip 3: Move to Multiple Payment Aggregators Quickly
While using that initial payment aggregator reduces both security risks and time-to-market for your online selling endeavor, naturally it introduces its own set of costs and risks. For instance, while their collection and storage of your customers’ payment details eliminates your need to worry about your database getting hacked, that also means that you can only reuse stored details through that aggregator - so if you want to move to another processor to get better rates, or, indeed, if the aggregator opts to sever your relationship, you can end up quickly without the ability to accept payments.
As a result, adding a second payment aggregator as early as possible provides some very tangible security. How exactly you choose which provider to use for each transaction is less important than having a backup; each will provide you a token to reuse the cardholder data (CHD) they are storing, so simply record that token plus the provider in your own secure database.
Certainly, opting to move on from one of the providers will mean the loss of some of your stored data, but you will not find yourself without processing capabilities if one of them closes your account abruptly (this can happen for a number of reasons).
Tip 4: Tokenize to Optimize Flexibility and Security Together
Even with a second - or third or fourth - aggregator in play, the best practice is to ensure that you, and not your partner, have ownership of your customers’ data. The key to doing this, without adding expensive and time-consuming regulatory compliance efforts, is to use a third-party tokenization service like Basis Theory. In brief, you still have the cardholder details delivered to a secure vault held by your partner, and you still receive a token rather than the data itself - but you now have sole control over the data’s future use. You’ll use API calls to process future transactions with the processor of your choice, without ceding control over your customers’ information.
Importantly, this works just fine with the aggregators - simply use the tokenization provider’s APIs to deliver transactions to your preferred partner. You may choose to focus your activity on one aggregator and keep another spun up in case of emergency - or distribute your transactions between them to generate records of which most reliably closes deals at the best price.
Tip 5: Automate for Flexibility and Cost Control
Ultimately, you’ll want to add payment automation to control the process of deciding where each transaction will be processed. You may find, for instance, that one aggregator has a better track record of closing deals in Europe, or that another offers a better rate for micro-transactions. Using analytics, you can adjust your decisioning engine so that it makes a value judgment on the best partner for each transaction, then instructs your tokenization partner’s secure vault to transmit the details accordingly.
This is also the point where the best practice is to start adding less full-service partners to your ecosystem. Having gone live quickly with the services aggregators offer, you now have time to acquire your own merchant account and build relationships with payment gateways, who will expect a heavier dose of security rigor, but who will, in return, allow you to reduce your total cost to process. And, because you already started using a tokenization partner, you will be able to simply add your new processing partners to your mix, update your algorithm, and increase margins by reducing your processing costs.
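The architecture described in Tips 3 to 5 (a vault that holds the card details, a merchant-side record of only the token, and a decisioning engine that routes each transaction and falls back when a provider's account is closed) is sketched below as an added example; this is not Basis Theory's code or API, and the vault, processor names ("aggregator_a", "aggregator_b", "own_gateway") and routing rules are assumptions chosen for illustration.

```python
from dataclasses import dataclass
import secrets

@dataclass(frozen=True)
class Txn:
    amount_cents: int
    region: str  # e.g. "EU" or "US"

class TokenVault:
    """Stand-in for the third-party tokenization vault: the merchant keeps only tokens."""
    def __init__(self):
        self._cards = {}
    def tokenize(self, pan, expiry):
        token = "tok_" + secrets.token_hex(8)   # opaque; not derived from the PAN
        self._cards[token] = (pan, expiry)
        return token
    def forward(self, token, processor, txn):
        # The vault, not the merchant, hands the card details to the chosen processor.
        pan, expiry = self._cards[token]
        return processor(pan, expiry, txn)

class PaymentRouter:
    """Decisioning engine: order providers per transaction and fall back on failure."""
    def __init__(self, vault, processors):
        self.vault = vault
        self.processors = dict(processors)   # name -> processor callable
        self.active = set(processors)        # accounts currently open with us
    def candidates(self, txn):
        # Assumed routing rules standing in for the analytics-driven preferences.
        order = []
        if txn.region == "EU":
            order.append("aggregator_a")     # assumed: best record for EU deals
        if txn.amount_cents < 500:
            order.append("aggregator_b")     # assumed: best rate for micro-transactions
        order += ["own_gateway", "aggregator_a", "aggregator_b"]  # cheapest first
        ordered = []
        for name in order:
            if name in self.active and name not in ordered:
                ordered.append(name)
        return ordered
    def charge(self, token, txn):
        for name in self.candidates(txn):
            if self.vault.forward(token, self.processors[name], txn):
                return name
        return None   # every open provider declined

def approve(pan, expiry, txn):   # constructed processor stub: always approves
    return True
def decline(pan, expiry, txn):   # constructed processor stub: always declines
    return False
```

Closing one account is modelled by removing its name from `router.active`; the merchant's own record never holds more than the vault token.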
Key Takeaway: Maintain Flexibility as you Scale
In the end, the most important payments best practice to remember is: retain as much flexibility as you can. Reduce your compliance overhead by keeping as much of your business out of scope as you can, and optimize your costs by distributing transactions across providers.
Make the most of aggregators early, but avoid creating a critical bottleneck by committing to just one - and make the move to multiple providers as soon as you practically can. Maintaining flexibility and control at all stages will improve the bottom line and open more doors for growth.