Payments 101: The Payment Security Landscape
Safeguard your customer loyalty and reinforce your brand with seamless payment security.
Unless you sell Teslas or MacBooks, among other non-commoditized products, your customers can find essentially anything they want from a variety of merchants online. They have choices. And among the more important choices they make, consciously or unconsciously, is which merchant is going to get the sale.
A whole bevy of variables contributes to this decision, but foremost among them is trust. One bad breach of trust at Target in 2013 (10 years ago!) still elicits a moment’s hesitation when we check out online or swipe our card in the checkout line.
To win this battle of choice with your competitors, your online payment process must be as secure as it is seamless every time. This builds loyalty, trust, and a competitive edge in a marketplace where one slip can create a cloud of question marks around your brand for a long, long time.
Fintech Payment Security
At Clear Function, we work with existing applications and newly funded products day in, day out. All signs indicate that most tech-enabled companies will become fintech companies in the near future: receiving, transacting, and fulfilling payments online. In fact, consumers increasingly expect this convenience with every passing day.
If you are reading this, you may be mulling over which facets of security require investigation to ensure you keep customer trust and loyalty. Join us for the next few minutes as we delve into the aspects of payment security that may apply to you:
- Compliance and the Payment Card Industry Data Security Standard (PCI DSS)
- Securing data at rest
- Securing data in transit
- Secure software development methodologies
Let’s explore the payment security landscape and what it means for your business.
Book a Discovery Call
PCI DSS Overview
PCI DSS sets the requirements for organizations that handle credit card data, whether online or in physical stores. It exists, for good reason, to protect sensitive cardholder information and maintain the security of payment card transactions as digital payments keep evolving.
As of this writing, PCI DSS includes 12 main requirements—everything from firewalls and access control to vulnerability assessments and pen testing—that provide consumers with as much confidence in their digital transactions as possible.
We live in a trust-based society that also heavily emphasizes freedom, which leads to an open marketplace where some merchants are trustworthy, and others are not. Appropriately, regulators would seek to establish a framework of compliance for payments in order to reinforce trust among consumers in this environment. Overall, we view this as a market positive. Who doesn’t want a thriving market where consumers feel confident buying online?
However, complying with PCI DSS is easier said than done, and you don’t want to be caught out when the auditors come knocking.
We encourage every merchant to take PCI considerations into account when selling online. That said, there are ways to mitigate your PCI risk with best-practice payment solutions. Tokenization is one of those ways: your payment processor or a card network issues you a unique, randomized token that stands in for your customer’s payment data, reducing your responsibility for storing and protecting that data yourself.
When appropriately implemented in your payment system, tokenization takes most of PCI’s scope of liability off your shoulders and places it instead on the payment processor or card network (as noted below, no merchant that accepts cards is ever entirely out of scope). Read more in our Understanding Tokenization Basics article.
But the big picture is this: you want to limit your PCI risk (and therefore data breach risk) as much as possible while still providing a secure, seamless payment experience for your customers. Tokenization is one of the preeminent methods Clear Function clients and other merchants can implement to achieve this.
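To make the scope-reduction point concrete, here is an added illustration (not Clear Function’s code and not any processor’s real API) of what tokenization changes on the merchant side: a stand-in for the processor’s vault, the random token it hands back, the records the merchant keeps, and a scan confirming that nothing card-shaped remains in merchant storage. The class names, the `tok_` prefix and the test card number are constructed for this example.

```python
import re
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn check, used here only to recognise card-number-shaped strings."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class ProcessorVault:
    """Stands in for the processor's token vault; the merchant never holds this mapping."""
    def __init__(self):
        self._vault = {}            # token -> PAN, stored only on the processor side
    def tokenize(self, pan: str) -> dict:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a card number")
        token = "tok_" + secrets.token_urlsafe(16)   # random; not derived from the PAN
        self._vault[token] = pan
        return {"token": token, "last4": pan[-4:]}   # all the merchant gets back
    def charge(self, token: str, cents: int) -> bool:
        return token in self._vault and cents > 0  # processor looks up the PAN itself

class MerchantStore:
    """What the merchant persists: the token and display data, never the PAN."""
    def __init__(self):
        self.orders = []
    def save_order(self, order_id: str, card: dict, cents: int) -> None:
        self.orders.append({"id": order_id, "token": card["token"],
                            "last4": card["last4"], "cents": cents})

PAN_RE = re.compile(r"\d{13,19}")

def find_pans(records: list) -> list:
    """Scan stored records for anything shaped like a full card number (PCI scope check)."""
    return [m for rec in records for v in rec.values()
            for m in PAN_RE.findall(str(v)) if luhn_valid(m)]

def demo() -> tuple:
    """Two orders on the same constructed test card: merchant data holds no PAN."""
    vault, store = ProcessorVault(), MerchantStore()
    pan = "4242424242424242"                      # constructed test PAN, not a real card
    first, second = vault.tokenize(pan), vault.tokenize(pan)
    store.save_order("order-1", first, 1999)
    store.save_order("order-2", second, 2500)
    return (len(find_pans(store.orders)),         # 0: nothing card-shaped stored
            first["token"] != second["token"],    # True: tokens are random per use
            vault.charge(first["token"], 1999))   # True: token alone suffices to charge
```

The same `find_pans` scan, run over logs, databases and backups, is the kind of check an assessor uses to decide whether a system is in scope.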
Penalties for Non-Compliance
Financial penalties for PCI non-compliance often fall under the “cost of doing business” category for many megacorps. But sadly, for smaller merchants, it can put them out of business.
Penalties vary widely depending on the extent and duration of non-compliance. According to pcidssguide.com, PCI compliance fines “…can vary from $5,000 to $100,000 a month…depending on the size of the company and the duration and scope of your non-compliance.”
We strongly recommend that all merchants and tech-enabled companies moving into fintech take a hard look at their PCI requirements, and give us a call if you have any questions about your company’s liability.
Compliance is important, but you may be surprised to hear us say it’s not everything. The intent is everything—which is to say that embarking into fintech carries an implicit responsibility to make your customers’ sensitive data as safe as possible without compromising their experience. It’s what they expect, and history indicates it’s good for business.
Payment Security for Data at Rest
Data at rest is data that is stored rather than moving across a network. While it’s easy to think of it as “digital” data, all data lives on a physical server somewhere, be it a distributed network, a mainframe, or the cloud (which is really just a rented, internet-accessible segment of somebody’s server!).
Wherever it lives, payment data at rest requires strong encryption, physical protections, file integrity monitoring, user access control, and much more. Payment processors and card networks work hard on an ongoing basis to update their protections and compliance, and it’s no easy task.
It’s worth noting that while you can reduce your PCI scope and data breach risk with best practices like payment tokenization through a payment processing partner or card network, it still benefits you as the merchant to carefully select service providers that offer the best protection for your customers’ data while at rest.
Payment Security for Data in Transit
Any payment card data that passes through your system or network is potentially at risk. By design, solutions like Stripe®, PayPal®, Square®, and other mainstream payment processors aim to ensure cardholder information never passes through your system. They act as your customers’ virtual point of sale at checkout. For many small businesses and ecommerce storefronts, these are perfectly viable options as long as you follow their processes.
Other merchants outgrow or need more flexibility than the off-the-shelf payment processors and opt for custom payment solutions more tailored to their needs. If security measures aren’t properly integrated into custom payment software, any credit card or bank account information flowing through your system or network brings it into PCI scope, even if you aren’t “storing” the data.
While measures such as Transport Layer Security (TLS) and its deprecated predecessor Secure Sockets Layer (SSL), indicated by “https://” in the URL instead of “http://”, reduce your risk, even encrypted cardholder data passing through your network can pull you into PCI scope and warrant an audit.
If you’ve outgrown the off-the-shelf payment processing solutions, schedule a call with us. It’s easy to find custom software developers, but it’s much harder to find a first-rate custom software firm to create a solution that meets your business’s unique needs, ensures an excellent customer experience, and meets compliance requirements. Clear Function can help with all of these while integrating security at every step.
Security-Enabled Payment Software Development
For online merchants venturing into custom payment software development, security should be at the forefront. Application Programming Interfaces (APIs) connect applications of all kinds across the internet, and are a key component in most software development. But when it comes to payment software, the connections and communications between APIs present substantial risks to data security.
Founded in 2001, the Open Web Application Security Project (OWASP) provides open-source resources and guidelines that help developers understand and address the proliferation of APIs with substandard security across the internet.
Each year, OWASP releases their OWASP API Security Top 10 to keep developers informed on the latest risks. In turn, we review the Top 10 on an annual basis and apply it to our fintech development framework for our clients. A major part of our mission is to evolve our development methodologies alongside the evolving risk landscape.
Check Your Blind Spots
Before you choose an off-the-shelf payment solution like Stripe or opt for a custom fintech developer, we recommend you carefully consider how security factors into their methodologies. The most common blind spot for many of our clients is that they don’t realize they are in scope of PCI compliance, regardless of their chosen solution.
If you aren’t sure and would like a friendly consultation, we’re always here to lend a hand. Schedule a call with us today!