What are the main new standards to take into account when it comes to payment gateways in order to have a secure and compliant eComm site? Find the answer in the following lines.
Suppose you own an e-commerce site that accepts credit card payments. Of course, there are fees applied to each transaction. That is something you accept as it is, because your payment gateway is robust, and you haven’t had any troubles in the past.
This is the most common case for eComm sites that have been online for some years. However, in the past few years, many regulations and security standards have appeared, which make us realize that the platform we are using might need an upgrade.
What are the main new standards to take into account when it comes to online payments in order to have a secure and compliant eComm site? Before that, let’s focus on some reasons why you need to upgrade your payment interface with a simple questionnaire. If you have a positive answer to any of these questions, get ready to upgrade.
1. Is your site controlling and storing credit card information from customers?
This is useful in scenarios where you need to hold the payment until you have confirmation about your stock or when the payment process uses more than one credit card, and you have to first preauthorize every partial payment.
If this is your case, then you should know there is a standard you must follow: the Payment Card Industry Data Security Standard (PCI DSS, or just PCI). The standard, created by a council formed by the major players in the payment industry (American Express, Visa, Mastercard, JCB, and Discover), defines a normative framework with different levels of compliance for storing and handling sensitive data when processing payments.
If you are storing credit card information from your customers, PCI compliance has several strict rules you need to follow to ensure this sensitive information is kept safe.
2. Do you want to support recurring, installment, or subsequent payments?
In this case, you have to collect your customer’s credit card information every time a new payment is processed. Think about recurring payments as a Netflix invoice, where every month you have a fixed fee, so you also have a scheduled date.
Installments are similar to recurring payments with the difference that they have an end date. Finally, subsequent payments are not scheduled and don’t have a fixed amount.
If you want to offer any of these kinds of payments, you will either need to capture the card details again for each new payment, or retrieve the stored cards and use them.
3. Do you want a digital wallet to hold and maintain different payment techniques?
This will remember customers' cards and let them select which plastic they want to use. The goal is to avoid asking the customer to enter a card every time they make a payment.
4. Do you have many charge disputes or fraud alerts?
This is a sensitive topic to be aware of. A Juniper Research report estimates that fraudulent charges will increase to US$25 billion in 2020. One of the most common entry points for fraudulent charges is a payment form without any authentication.
Charge disputes are also a common issue in e-commerce sites and can make you lose a significant amount of money, reduce your transactional score with a bank, or even get fines and have a bad reputation.
5. Do you want to reduce your transaction fees?
You should know that there are many different e-commerce payment techniques to reduce transaction fees, and we will cover the most significant ones to achieve this reduction in the following lines.
Make a plan to upgrade your payment gateway
After answering the previous questions, now is the time to get ready and make the right plan to upgrade your payment gateway. This plan is not tied to any particular payment interface, as most of them cover and support the following features.
1. First things first: Authentication
This is the first step to have traceability, increase your security, and avoid fraud. You need a way to authenticate your users before they submit a payment.
Maybe your site already has an account management microsite, section, or page where users can log in to your eComm portal. This way, you guarantee no anonymous user will be able to send a payment, and every charge made will be traceable, since you store only a reference to a payment that is tied to a registered user.
2. Major upgrade: tokenization to get rid of your stored credit card data
Tokenization is the strategy of having a payment gateway that stores credit card data for you, returning a token (an alphanumeric value with no meaning or value outside the gateway) that represents all the sensitive information. With tokenization, you will be able to process a single charge, make installments, and process recurring or subsequent payments by just sending the token within the secured and authenticated transaction request.
Your payment gateway may also be able to store other personal information like billing or shipping addresses. This will let you create a customer profile that lives outside your database.
Credit cards are saved in a secure vault on the payment gateway's side, so you don't have to worry about encrypting card data yourself, because you will only hold the token, which has no meaning to anyone outside the gateway.
For other payment transaction types, you will use your token to apply preauthorizations, voids, refunds, and credits, so you don’t have to send any card number anymore.
In addition, you will have three top-notch benefits of tokenization:
- You can apply to a reduced and quick PCI compliance questionnaire.
- Transaction fees in a tokenized environment are cheaper.
- You can start a plan to get rid of the sensitive data, making your system safer.
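The following is an added example (not code from the original post or from any gateway) that ties question 1 and the tokenization section together: a simulated gateway-side vault issues opaque tokens, the merchant keeps only the token plus the last four digits, and a Luhn-filtered PAN scanner is run over the merchant's own data to confirm that no full card number is stored there. All names and the sample card number are constructed for illustration.

```python
import re
import secrets

# Constructed sample data: a Luhn-valid test PAN, not a real card number.
SAMPLE_PAN = "4111111111111111"

def luhn_valid(digits: str) -> bool:
    """Luhn checksum; PAN scanners use it to cut down false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# 13-19 digit runs not embedded in a longer number
PAN_PATTERN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def find_pans(text: str) -> list:
    """Return digit runs that look like card numbers (length + Luhn check)."""
    return [m for m in PAN_PATTERN.findall(text) if luhn_valid(m)]

class GatewayVault:
    """Simulated gateway-side vault: the only place a PAN is kept."""
    def __init__(self):
        self._cards = {}
    def tokenize(self, pan: str, expiry: str) -> str:
        token = "tok_" + secrets.token_urlsafe(16)   # random, no relation to the PAN
        self._cards[token] = (pan, expiry)
        return token
    def charge(self, token: str, amount_cents: int) -> dict:
        if token not in self._cards:
            raise KeyError("unknown token")
        return {"token": token, "amount": amount_cents, "status": "approved"}

class MerchantStore:
    """Merchant side (hypothetical): customer profiles reference tokens only."""
    def __init__(self, vault: GatewayVault):
        self.vault = vault
        self.customers = {}
    def save_card(self, customer_id: str, pan: str, expiry: str) -> None:
        token = self.vault.tokenize(pan, expiry)
        self.customers[customer_id] = {"card_token": token, "last4": pan[-4:]}
    def charge_customer(self, customer_id: str, amount_cents: int) -> dict:
        return self.vault.charge(self.customers[customer_id]["card_token"], amount_cents)
    def dump(self) -> str:
        """What a database dump of the merchant side would contain."""
        return repr(self.customers)
```

Running `find_pans` over the merchant dump returns nothing, while the same scan over a raw card form submission flags the PAN; that difference is what lets you answer the reduced PCI questionnaire.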
3. Going forward: Three Domain Secure payments
Three Domain Secure (3DS) is a strategy to add a third level of security with the purpose of authenticating the user in front of the screen. This strategy was first developed by Visa in 2001, and many other competitors have started an adoption process to make it the next step in payments security. In fact, the UK is planning to process all eComm transactions with 3DS by 2021. For its part, the EU is planning the same without a particular date, and the United States is preparing its networks to do something similar.
The three actors or domains involved in the 3DS authentication are the payer’s issuing bank domain, the credit card network within the payment gateway domain, and the acquirer merchant bank domain. These actors exchange different messages to get key information about the payer to authenticate their identity.
Once the scaffolding is set up to work with 3DS, the flow can go through a frictionless authentication, where the user doesn’t have to do anything extra. It can also go to a more challenging flow, where the payer should enter a personal password, PIN, or have to solve a challenge to end the payment process.
EMVCo maintains the interoperability standard that works worldwide and specifies the different 3DS protocol versions. This authentication strategy is becoming the future for online payments, reducing transaction fees, fraud alerts, and disputes while enhancing the security of eComm sites.
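To make the three domains and the frictionless-versus-challenge branch concrete, here is an added, deliberately simplified simulation (not the EMVCo wire format and not code from the original post): the merchant side builds an authentication request, a directory server routes it to the issuer by BIN, the issuer decides between a frictionless result and a challenge, and the acquirer-side authorization only proceeds with proof of authentication. Class names, fields, the risk rule and the OTP values are all assumptions made for the example.

```python
from dataclasses import dataclass
import secrets

@dataclass
class AuthRequest:            # built on the merchant/gateway side
    card_token: str           # tokenized card, never the PAN
    amount_cents: int
    device_fingerprint: str
    card_bin: str             # used by the directory server for routing

@dataclass
class AuthResult:
    status: str               # "authenticated", "challenge_required" or "failed"
    auth_value: str = ""      # proof of authentication passed on with authorization
    challenge_id: str = ""

class IssuerACS:
    """Issuer domain: picks frictionless vs. challenge from risk signals."""
    def __init__(self, trusted_devices: set, otp_lookup: dict):
        self.trusted = trusted_devices  # constructed: devices seen before
        self.otps = otp_lookup          # constructed: OTP the cardholder would receive
        self.pending = {}
    def authenticate(self, req: AuthRequest) -> AuthResult:
        # Constructed risk rule: small amount from a known device -> frictionless
        if req.amount_cents < 3000 and req.device_fingerprint in self.trusted:
            return AuthResult("authenticated", auth_value=secrets.token_hex(8))
        cid = secrets.token_hex(4)
        self.pending[cid] = req
        return AuthResult("challenge_required", challenge_id=cid)
    def verify_challenge(self, cid: str, otp: str) -> AuthResult:
        req = self.pending.pop(cid, None)   # one attempt per challenge
        if req is None or self.otps.get(req.card_token) != otp:
            return AuthResult("failed")
        return AuthResult("authenticated", auth_value=secrets.token_hex(8))

class DirectoryServer:
    """Interoperability domain: routes the request to the issuer owning the BIN."""
    def __init__(self, issuers: dict):
        self.issuers = issuers
    def route(self, req: AuthRequest) -> AuthResult:
        return self.issuers[req.card_bin].authenticate(req)

def authorize(result: AuthResult, amount_cents: int) -> dict:
    """Acquirer domain: refuse to authorize without an authentication value."""
    if result.status != "authenticated" or not result.auth_value:
        return {"approved": False, "reason": "not authenticated"}
    return {"approved": True, "amount": amount_cents, "auth_value": result.auth_value}
```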
4. Bonus: a less intrusive option — Hosted payments
A good option (which can replace the three mentioned above) for making safer payments comes with an old strategy: embedding the payment form in an iframe or redirecting to hosted payment-capture microsites. Many modern payment gateways offer this approach, handling the payment capture outside your application.
The main idea with this feature is to present a payment form to the user that is hosted by the payment gateway, with little or no interaction with the eComm website. Payments are captured and handled by the gateway so you don’t have to worry about error codes, security, etc. In addition, hosted payments give the user more confidence about who is taking the payment because customers will notice that the payment is taking place in a well-trusted network (PayPal is a great example of this).
The downside of this strategy is that you lose some control of your payment flow. You won't be able to tokenize cards, create a virtual wallet, or control the required fields or even the style of your page. It also makes it difficult to process payments split across several cards or on-hold payments, where you need to confirm the availability of a resource before charging the card.
To sum up
There are new ways to make payments, all of them with a certain amount of complexity. I won’t lie to you — when it comes to payment gateways, this is a path full of challenges. However, the benefits are significant, starting with a notable reduction of the transaction fees, the higher level of security your site reaches, and the compliance with the latest international industry standards.
Focused on your target customers, the implementation of these features provides a better user experience and will generate confidence in your platform. This will lead to an increase in your market share and will allow you to think of different ways to approach the customer with innovative and secure applications.