How Secure Are Your Online Payments?

A normal online user would likely assume that the data they share with a website is secure. However, a more experienced web user would start to notice signs which indicate a lack of online security – especially on payment sites.

Websites can, however, implement security measures to ensure that the data being sent and received is as secure as it can be. When a user connects to a website, the connection itself should be the first thing secured. TLS/SSL certificates provide this: the data passed between browser and server is encrypted, so anything captured by a man-in-the-middle attacker is unusable to them. For online payment sites, the most secure type of certificate, an EV SSL certificate (Extended Validation SSL certificate), should be held. As a user, you can check whether a site has a certificate by looking at the URL of the site you are connected to. If the protocol at the beginning of the URL is ‘http://’, the site is not secure and the data you exchange is not being encrypted. You can only be confident that your data is being transmitted safely if the protocol is ‘https://’.


PCI-DSS – Guidelines for Merchants to Protect Their Customers

Some experienced cyber users may have heard of PCI-DSS; for payment websites in particular, it is a necessity. The Payment Card Industry Data Security Standards is a council that provides a set of guidelines indicating how sensitive data should be handled. The standards are very important, and there are different compliance levels for merchants depending on the number of transactions they process per year.

One of the key steps to achieving PCI compliance is providing a secure connection between a customer’s browser and the website’s server. The requirements, in outline, are as follows.

  • The first requirement is to build and maintain a strong firewall configuration. This controls the transmission of data around networks, both internally and externally.
  • The second requirement ties in with the first: a site should not use default passwords or other parameters left at their default settings.
  • The third requirement governs that stored cardholder data should be kept to an absolute minimum – it also provides guidelines on data retention and data disposal procedures.
  • The fourth step, as discussed in the first paragraph above, is that all data being transmitted must be encrypted using TLS/SSL certificates.

As written by IT Governance: Strong cryptography and security protocols should be in place to safeguard cardholder data during transmission over insecure open or public networks. Malicious hackers could easily access such networks.

Open networks include Bluetooth, GPRS, satellite communication, internet, etc.

Industry best practice regarding security policies and data encryption procedures should be implemented for strong authentication and encryption. This must be documented, and affected persons should be made aware of it.

  • The fifth requirement, and a definite must, entails performing malware checks and anti-virus scans. These scans protect systems against known security vulnerabilities using a large library of detection techniques. The requirement also calls for regular updating of these programs, so that the scanning procedures are always up to date with the newest vulnerabilities found. Similarly, vulnerability-scanning and anti-virus software must be developed in accordance with PCI-DSS and use industry standards.
  • The next few guidelines are to implement access control measures, protecting the data both virtually and physically. Simplified, these guidelines ensure that data can only be accessed on a need-to-know basis and that there are as few authorised accounts as possible – since exploiting authorised accounts is one of the most common forms of cyber-attack.
  • The next two requirements ensure system technicians regularly monitor and test their networks. The PCI guideline requires that system usage is logged so that vulnerabilities can be discovered and the logs analysed to identify suspicious activity. The guideline calls for a log history of at least a year to be kept.
  • Finally, security policies are a vital need, especially for larger companies; they set out rules of conduct when using technology and post-attack procedures: To comply with the PCI DSS, organisations must establish, publish, maintain and disseminate a security policy, which must be reviewed at least annually and updated according to the changing risk environment. A risk assessment process must be implemented to identify threats and vulnerabilities, usage policies for critical technologies must be developed, security responsibilities for all personnel must be clearly defined and a formal awareness programme must be implemented. Organisations must also implement an incident response plan so that they can respond immediately to any system breach.
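Two of the requirements above pull in opposite directions: cardholder data must be kept to a minimum, yet system usage must be logged and retained for at least a year. The usual way to satisfy both is to make sure a full card number can never reach the audit log. The following Python is an added example written for this article, not code from PCI DSS or from any vendor; it assumes the standard library logging module and uses the well-known Visa and Amex test numbers as constructed sample data. It finds candidate card numbers in a log line, confirms them with the Luhn check so order ids and timestamps are left alone, and masks everything but the last four digits before the record reaches a handler.

```python
import logging
import re
from io import StringIO

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; rejects digit runs that are not card numbers
    (order ids, timestamps) so they are not masked unnecessarily."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the most that should appear on receipts or logs."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number in a line of text with its masked form."""
    def _sub(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw
    return PAN_RE.sub(_sub, text)


class PanRedactingFilter(logging.Filter):
    """Logging filter that scrubs card numbers before a record reaches any handler."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_pans(record.getMessage())
        record.args = None          # message is already fully formatted
        return True


def write_audit_log(events: list[str]) -> list[str]:
    """Send each event through a logger fitted with the filter and return
    the lines that would have been written to the retained audit log."""
    buffer = StringIO()
    logger = logging.getLogger("checkout-audit-example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buffer)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(PanRedactingFilter())
    for event in events:
        logger.info(event)
    logger.removeHandler(handler)
    return buffer.getvalue().splitlines()


# Constructed sample events: 4111... and 3782... are the standard Visa and
# Amex test numbers; the 14-digit values are order ids that fail Luhn.
SAMPLE_EVENTS = [
    "payment attempt card=4111 1111 1111 1111 order=20240101123456 result=declined",
    "payment attempt card=378282246310005 order=20240101123457 result=approved",
    "login failure user=alice ip=198.51.100.7",
]

if __name__ == "__main__":
    for line in write_audit_log(SAMPLE_EVENTS):
        print(line)
```

The filter is attached to the logger rather than to one handler, so every destination (file, syslog, SIEM forwarder) receives the already-masked message; a handler-level filter would leave other handlers unprotected.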


3D Secure – for Fraud Prevention

As online shopping continues to grow, an increasing number of hackers are trying to target this area. Perhaps one of the best preventions for fraud is 3D Secure. It works by adding an extra layer of security when making a transaction: as well as the payment details, an extra piece of data is required to verify the identity of the person making the payment. Some sites have the original user create a password for payments; others also require the real account holder’s postcode.


Tokenisation – Protecting Customer’s Sensitive Information

A popular and widely used payment security method is tokenisation. It is used by most sites, but only some advertise that they use it. The process involves creating a token out of a card number – like encryption. This allows payment portals to access cardholder data but deters attackers. The tokens are created using a process not known to the public. Only the party who created the exact tokenisation process can reverse it.
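To make the division of responsibilities concrete, here is an added example (not code from the article or from any payment provider) of one common tokenisation design: random tokens with a lookup vault. The vault class, the merchant record layout and the test card number are all constructed for this illustration. The point it shows is that the merchant's own database holds only a token and the last four digits, the token carries no information derived from the card number, and only the vault, which sits inside the PCI-scoped environment, can turn a token back into a card number.

```python
import secrets


class TokenVault:
    """Constructed stand-in for a tokenisation vault. The vault is the only
    component that ever sees a card number; it lives inside the PCI-scoped
    environment, while the merchant's own systems store only tokens."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a token for the card number, reusing the existing token for a
        card already on file so recurring payments keep working."""
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a card number")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        # The token is random: nothing about it is derived from the PAN, so
        # there is no key to recover and no arithmetic to reverse.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; unknown tokens raise KeyError."""
        return self._pan_by_token[token]


def store_card_on_file(vault: TokenVault, pan: str, expiry: str) -> dict[str, str]:
    """What the merchant database keeps: the token plus the last four digits
    for display on receipts. The full PAN is never written here."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan.replace(" ", "")[-4:], "expiry": expiry}


def charge_stored_card(vault: TokenVault, record: dict[str, str], amount_pence: int) -> dict:
    """Recurring charge: the merchant passes the token to the gateway, which
    holds the vault and swaps it for the PAN only at the moment of capture.
    The PAN stays inside this function and is never returned to the merchant."""
    pan = vault.detokenize(record["token"])
    return {"status": "captured", "amount_pence": amount_pence, "card_last4": pan[-4:]}


if __name__ == "__main__":
    vault = TokenVault()
    rec = store_card_on_file(vault, "4111 1111 1111 1111", "12/27")   # constructed test PAN
    print("merchant stores:", rec)
    print("gateway captures:", charge_stored_card(vault, rec, 1999))
```

A breach of the merchant database in this design yields tokens that are worthless outside the vault, which is why tokenisation shrinks the part of a merchant's estate that is in scope for PCI-DSS.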


Two Factor Authentication – “Did you make this purchase?”

Similarly to 3D Secure, Two Factor Authentication (2FA) is regularly used because it is an easy-to-use security method for customers. It involves users entering data that only they could know. Often, the site – or bank – that the customer is using texts a code to the phone number the customer used when creating their account – this ensures that the original account holder is the one making the purchase.
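The texted code in both the 3D Secure and 2FA sections above is only as good as the server-side handling around it. This added Python example (written for this article, not taken from any bank or 3D Secure implementation) shows the parts a practitioner cares about: the code is stored only as a keyed hash, it expires, it can be used once, and a small number of wrong guesses locks the transaction so the six digits cannot simply be enumerated. The class name, the five-minute lifetime, the three-attempt limit and the injectable clock are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable

CODE_TTL_SECONDS = 300      # a code is only good for five minutes (assumed policy)
MAX_ATTEMPTS = 3            # then the transaction must be restarted (assumed policy)


class OtpChallenge:
    """Constructed server-side issuer/verifier for the one-time code a bank
    texts to the cardholder. Codes are stored only as keyed hashes, expire,
    are single-use, and tolerate a small number of wrong guesses."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._secret = secrets.token_bytes(32)            # assumed server-held key
        self._pending: dict[str, list] = {}               # txn_id -> [digest, expiry, attempts]

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._secret, code.encode(), hashlib.sha256).digest()

    def issue(self, txn_id: str) -> str:
        """Create a fresh 6-digit code for a transaction. The return value is
        what the SMS gateway would send; it must never be echoed to the browser."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[txn_id] = [self._digest(code), self._now() + CODE_TTL_SECONDS, 0]
        return code

    def verify(self, txn_id: str, submitted: str) -> bool:
        """Check a submitted code. Every failure path is a plain False so the
        response does not reveal whether the code was wrong, stale or unknown."""
        entry = self._pending.get(txn_id)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            self._pending.pop(txn_id, None)                # stale or locked: discard
            return False
        entry[2] = attempts + 1
        if hmac.compare_digest(digest, self._digest(submitted)):
            self._pending.pop(txn_id, None)                # single use
            return True
        return False


if __name__ == "__main__":
    clock = [1_000.0]
    svc = OtpChallenge(now=lambda: clock[0])
    code = svc.issue("txn-42")
    print("verify correct:", svc.verify("txn-42", code))     # True
    print("replay:", svc.verify("txn-42", code))             # False
```

The comparison uses hmac.compare_digest rather than == so that response timing does not leak how many leading bytes of the guess were right, and the code is hashed with a server secret so a leaked pending-challenge table does not expose live codes.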


Conclusion:

A few precautions should be followed by merchants and customers alike. On the merchant side, they should avoid storing customers’ credit card data and always use an encrypted payment service. On the other side, customers should check the website from which they are purchasing products, never send a scanned copy of their ID or credit card, and enter only the minimum required information on the website.