5 Security Tips For Ecommerce Stores Accepting Online Payments
When customers make a purchase from your online storefront, can they trust you to protect their credit card information? If not, why would they continue to support your business? That’s why protecting your customers’ payment data should always be a priority. When customers trust you, it ultimately benefits your bottom line. For small business owners, that may seem overwhelming and complicated, but it’s actually easier than you may think.
As a small business, the Internet has given you the ability to compete on a much larger scale – even leveling the playing field with bigger retailers by putting you out there to differentiate your unique products or services and personalized experience. While it has its advantages, there are also many more concerns about building trust with your customer base than there would be with a physical storefront, where customers can see for themselves that you are keeping their payment information safe. The concerns are valid, considering how much online fraud has grown in the last few years.
Online, customers can’t see you, so they may be less likely to trust that you will protect their credit card and personal data. However, there are ways that you can reassure them that you are a secure and trustworthy small business for conducting online payments. Business owners need to accept a broad range of payment types to keep the money coming in. According to TechAisle, the top two business goals for small businesses looking forward to 2016 were to increase profitability and to accelerate business growth.
2016 is almost over, and by now, the average small business today has more money flow through its network than through its cash register. Small businesses process credit cards, debit cards, Google Pay, and ACH transfers. The electronic processing of these payments impacts both e-commerce sites and brick-and-mortar retailers alike. Strict regulations are in place to ensure businesses of all sizes do their processing securely.
Small businesses frequently lack the funds or expertise to adequately protect themselves and their customers when processing payments. Yet with the variety of payment options available to customers, the growth of mobile purchases and the increased sophistication of cyber attacks, small businesses must take extra precautions. Online shopping has grown exponentially.
Unfortunately, there is the ever-present threat of cybercriminals attempting to steal from businesses. And most small businesses that are victims of a payment security breach don’t know it occurred until the damage is done. Breaches are expensive. After a breach, mandatory investigative audits of payment security practices cost them hugely. Additionally, this could affect the business’s reputation. Large businesses usually have the funds to wait until goodwill is built up again, but most SMBs don’t have that kind of time to wait.
These breaches can be tackled if some security tips are followed. Here are some security tips for ecommerce stores accepting online payments:
There are strict standards in place regarding the customer data that you store, like not storing CVV data. And that’s because 95% of credit card breaches come from small businesses. If you do need to store information, such as a customer’s name and account number, then take measures to protect this information, like using a private network or cloud-based storage, or encrypting the data so that intruders can’t read it.
Also, under the Fair and Accurate Credit Transaction Act of 2003 (FACTA), you’re not allowed to include the full credit card number and expiration date of your customer’s credit card when emailing them a receipt. You’re only permitted to display the last five digits. If you’re not capable of accommodating EMV chip cards, you could be liable in case of a security breach, as the liability for card fraud has shifted to whichever party is the least EMV-compliant in a fraudulent transaction.
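As an added example (not code from the original article), here is how a store backend could build an emailed receipt that follows the two rules above: never keep or show the CVV, drop the expiration date, and truncate the card number to no more than the last digits FACTA allows. The transaction field names and the test card number are constructed for the example.

```python
import re

# Constructed sample transaction as a payment gateway might hand it to the store.
# Field names are hypothetical; the PAN is a well-known test number, not a real card.
SAMPLE_TRANSACTION = {
    "cardholder": "Jane Doe",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/26",
    "cvv": "123",
    "amount": "49.99",
    "currency": "USD",
}

# FACTA permits at most the last five digits on a receipt; showing four is common practice.
RECEIPT_DIGITS = 4


def mask_pan(pan: str, keep: int = RECEIPT_DIGITS) -> str:
    """Return the PAN with every digit except the last `keep` replaced by '*'."""
    digits = re.sub(r"\D", "", pan)          # strip spaces/dashes before counting
    if not 12 <= len(digits) <= 19:
        raise ValueError("PAN length is not valid")
    if keep > 5:
        raise ValueError("FACTA permits at most the last five digits")
    return "*" * (len(digits) - keep) + digits[-keep:]


def receipt_fields(txn: dict) -> dict:
    """Build the receipt payload: masked PAN, no expiry date and never the CVV."""
    forbidden = {"pan", "expiry", "cvv"}
    receipt = {k: v for k, v in txn.items() if k not in forbidden}
    receipt["card"] = mask_pan(txn["pan"])
    return receipt


def leaks_card_data(text: str) -> bool:
    """Heuristic last check before sending: does the body still contain a full PAN or an MM/YY date?"""
    full_pan = re.search(r"(?:\d[ -]?){13,19}", text)
    expiry = re.search(r"\b\d{2}/\d{2,4}\b", text)
    return bool(full_pan or expiry)


if __name__ == "__main__":
    receipt = receipt_fields(SAMPLE_TRANSACTION)
    body = "\n".join(f"{k}: {v}" for k, v in receipt.items())
    print(body)
    print("leaks card data:", leaks_card_data(body))
```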
Most debit and credit cards now include both a magnetic stripe on the back and an EMV chip on the card’s front.
Yes, you can still swipe instead of inserting. But when a customer inserts a card to activate the EMV chip, the processing system does something called “tokenization” that substitutes the sensitive cardholder data, which is the 16-digit personal account number, with randomly assigned numbers. That way, if the transaction is intercepted or later stolen in a breach, the data is useless to cybercriminals. Swiping the magnetic stripe doesn’t do that.
Despite the regulations that have been put in place, not all eCommerce platforms and processors take security as seriously as others. When looking for an eCommerce platform or processor, choose trusted and reputable companies that have good reviews and are transparent about the security they have in place. A majority of data breaches are due to human error. Even if you comply with regulations and have top-of-the-line security systems in place, you’re still putting your customers’ information in jeopardy if you and your employees aren’t trained in basic security measures.
If you do have any employees, they should also educate themselves or go through training you provide. You can start by informing them about the latest security risks and threats. Most importantly, however, everyone should verify transactions and realize the dangers of clicking on unsolicited e-mail attachments and sharing sensitive information with unauthorized individuals, and should never leave work-related USB drives or devices unattended. It’s well worth taking the time to learn more about what type of fraud is committed, why you are the target, why it’s so attractive to criminals, how it is done, and how it can be stopped.
The more you know, the better able you will be to identify suspicious activity and transactions, which you can then shut down before they become a problem, and the more likely you will be to discourage criminals from attacking your online payment system. The most important part here is that you have to make this a continual learning process, because criminals keep coming up with new schemes.
There are several ways that you can do this, even when a customer’s card isn’t present. These include making sure that there’s an address verification (AVS) match; requiring customers to enter their card security code, aka the CVV number on the back of their cards; being suspicious of patterns that are out of the norm; and reviewing smaller details like strange email addresses, products being shipped to areas known for instances of fraud, and the customer not taking advantage of deals like free shipping. Payments from bank accounts have to be verified through the ACH network.
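An added example, not from the original article, of turning the card-not-present checks above into a simple screening rule that routes orders to manual review. The order fields, the AVS/CVV result values and the high-fraud destination list are constructed placeholders; a real store would map them onto the codes its own processor returns and its own chargeback history.

```python
# Constructed sample orders with hypothetical field names.
ORDERS = [
    {"id": "A1", "avs_result": "match", "cvv_result": "match",
     "email": "jane.doe@example.com", "ship_country": "US", "bill_country": "US",
     "free_shipping_offered": True, "chose_free_shipping": True, "amount": 49.99},
    {"id": "B2", "avs_result": "no_match", "cvv_result": "missing",
     "email": "xk7q2p9z@example.net", "ship_country": "XX", "bill_country": "US",
     "free_shipping_offered": True, "chose_free_shipping": False, "amount": 899.00},
    {"id": "C3", "avs_result": "no_match", "cvv_result": "match",
     "email": "sam_lee@example.org", "ship_country": "US", "bill_country": "US",
     "free_shipping_offered": False, "chose_free_shipping": False, "amount": 120.00},
]

# Placeholder: fill from your own fraud/chargeback history, not from this list.
HIGH_FRAUD_DESTINATIONS = {"XX"}

# Weights are illustrative; AVS and CVV failures count more than softer signals.
WEIGHTS = {"avs_mismatch": 2, "cvv_not_verified": 2, "high_fraud_destination": 2,
           "ship_bill_country_differ": 1, "suspicious_email": 1, "declined_free_shipping": 1}


def looks_random(local_part: str) -> bool:
    """Crude 'strange email' test: several digits and no name-like separators."""
    digits = sum(c.isdigit() for c in local_part)
    return digits >= 3 and not any(s in local_part for s in ".-_")


def screen_order(order: dict, review_threshold: int = 3) -> dict:
    """Apply the article's card-not-present checks and decide accept vs. manual review."""
    flags = []
    if order["avs_result"] != "match":
        flags.append("avs_mismatch")
    if order["cvv_result"] != "match":
        flags.append("cvv_not_verified")
    if order["ship_country"] in HIGH_FRAUD_DESTINATIONS:
        flags.append("high_fraud_destination")
    if order["ship_country"] != order["bill_country"]:
        flags.append("ship_bill_country_differ")
    if looks_random(order["email"].split("@")[0]):
        flags.append("suspicious_email")
    if order["free_shipping_offered"] and not order["chose_free_shipping"]:
        flags.append("declined_free_shipping")
    score = sum(WEIGHTS[f] for f in flags)
    action = "review" if score >= review_threshold else "accept"
    return {"id": order["id"], "flags": flags, "score": score, "action": action}


if __name__ == "__main__":
    for o in ORDERS:
        print(screen_order(o))
```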
Even if you have taken security precautions like having an SSL certificate on your website and properly training your employees, you’re still not completely in the clear. Everything from your web host to your web server can be compromised. Having a firewall solution can help decrease these threats, but you should also consider setting up an intrusion-detection system/intrusion-prevention system (IDS/IPS). This will monitor and block malicious traffic.
As a small business owner you may be accustomed to leaving your computer, laptop, tablet, and smartphone lying around to use at your discretion for processing orders and payments. However, you are putting yourself and your business at great risk, especially if you start adding employees. You want to make sure that every device is password protected and that you don’t give administrative access to just anyone. If you start to add more devices for any staff that you bring on board, or have them tap into your network as remote workers, then also make sure you have everything on lockdown.
Outdated systems are more prone to cyber-attacks. You need to make sure that when there’s a new update it’s downloaded immediately. Typically these updates occur automatically, but it’s always best to err on the side of caution by making sure that you’re running the latest version of any software that you use for your business. Tokenization and encryption are two of the most popular words in security. Despite often being lumped together, there are differences between the two.
The main difference between tokenization and encryption is how they handle the data that they’re attempting to replace. Tokenization removes data from a system and replaces it with an associated value. Encryption leaves the original information intact but makes it inaccessible without the proper key. With tokenization, you don’t have to worry about someone breaking or reverse engineering the system in the future, or about admin keys being compromised and giving access to the original data. When storing any sort of data, make sure that it’s encrypted. You may also want to start accepting payments via digital wallets, which encrypt data, or cryptocurrencies like bitcoin, which uses tokens instead of a credit card number or bank account.
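An added example, not from the original article, that shows the difference just described in code: a token is a random value that can only be mapped back to the card number through the vault, whereas ciphertext is the card number itself in reversible form, so anyone holding the key recovers it. The vault is an in-memory dict standing in for the processor's vault, and the cipher is an illustrative HMAC-SHA256 keystream (counter mode) chosen to keep the example dependency-free; production code should use an authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets

# --- Tokenization: the PAN leaves the store; only the vault holder can map the token back.
_VAULT = {}  # token -> PAN; stands in for the payment processor's vault


def tokenize(pan: str) -> str:
    """Swap the PAN for a random token that carries no information about it."""
    token = secrets.token_hex(16)
    _VAULT[token] = pan
    return token


def detokenize(token: str):
    """Vault lookup; a stolen token without the vault is useless (returns None)."""
    return _VAULT.get(token)


# --- Encryption: the PAN stays in place, transformed reversibly under a key.
# Illustrative keystream cipher (HMAC-SHA256 in counter mode), NOT a production cipher.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def new_key() -> bytes:
    return secrets.token_bytes(32)


def encrypt(pan: str, key: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    data = pan.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def decrypt(blob: bytes, key: bytes) -> str:
    """Anyone with the key gets the PAN back; the wrong key yields garbage, not an error."""
    nonce, body = blob[:16], blob[16:]
    plain = bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))
    return plain.decode("utf-8", errors="replace")


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test number
    tok = tokenize(pan)
    print("token:", tok, "-> vault lookup:", detokenize(tok), "| unknown token:", detokenize("ff" * 16))
    key = new_key()
    blob = encrypt(pan, key)
    print("right key:", decrypt(blob, key), "| wrong key:", decrypt(blob, new_key()))
```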
PCI-DSS is a collection of compliance regulations that are mandated by the Payment Card Industry Security Standards Council. If you accept, process, store, or transmit credit card data, then these regulations apply to you in order to ensure that your customers’ payment information is kept safe and secure. One of the biggest headaches that PCI-DSS gives business owners is that it can be complex – especially if you don’t have IT specialists on hand.
At the very least, being compliant with PCI-DSS means you must undergo an on-site data security assessment annually and use measures such as Secure Sockets Layer (SSL) authentication on your website. Security for online payments is all about building a fortress with numerous layers that keep the data inside the actual transaction safe from being penetrated and stolen. Some of the security measures that work as these layers include encryption and tokenization, as well as a firewall, SSL certification, and even an intrusion-detection system and intrusion-prevention system.
If you do suffer a breach, and an investigation finds you to have provided inadequate security for your transactions, you could be held responsible for costs associated with the breach, including identity protection services for victims, the cost of re-issuing cards, and legal fees. Both encryption and tokenization work to scramble the data and make it unusable to hackers should they even get close to it. Instead, the fraudsters would have to know a key or code to unscramble the data to make it valuable. And most of the time, no criminal wants to put that effort in, so they will just move on to a small business whose online presence can be penetrated.