Mobile payments hold the promise of a fast and convenient shopping future, but there’s a big elephant in the room everyone is talking about: security.
Forty million from Target, 2013. Fifty-six million from Home Depot, 2014. Those staggering figures represent the credit and debit cards compromised in recent record-setting data breaches, a worrying trend that online merchants are eager to have subside soon.
With a watchful eye on these high-profile hacks, consumers are more skittish than ever about releasing their financial data into the perceived murkiness of the cloud. E-commerce and, increasingly, m-commerce are undoubtedly here to stay, but online shoppers, if anything, want more assurance that digital businesses have cybersecurity handled.
If you’re selling a product or service online, it’s essential to know the ins and outs of online payments and security in order to anticipate customer concerns and properly assess your responsibility. To give developers, merchants and consumers a peek behind the payment-security curtain, we’ve partnered with Braintree to compile four key things to keep in mind as you set up — and protect — your connected marketplace.
Getting In Good With The PCI
Talking payment security begins and ends with a requisite bit of alphabet soup. Founded in 2006 by the global payment networks Visa, MasterCard, American Express, Discover and JCB, the Payment Card Industry Security Standards Council (PCI SSC, or “the Council”) issues recommendations, or Data Security Standards (PCI DSS), that aim to guard against credit card fraud.
The most recent set of guidelines, PCI 3.0, requires browser-based checkouts to outsource data storage of cardholder information to “PCI DSS validated third-party service providers.” Braintree’s SVP of Mobile, Aunkur Arya, recommends merchants go with a provider that can host the required fields in a way that doesn’t interrupt the user experience or mess with the style of the existing form, while ensuring the proper level of security.
“If you think about the payment form that you’re presented on a website, those fields where consumers are actually adding their payment information are the most sensitive, and in some cases, the areas where there’s a lot of exploitation that happens,” Arya says. “As a merchant, if I have a payment form built, but I haven’t built the spaces where people input their payment information, I can pull in hosted iframes on third-party servers.”
Enter Third-Party Payment Gateways
Payment gateways are the digital equivalent of physical point-of-sale terminals, transmitting credit card data to a processor. They also present a good opportunity for sellers to shore up inherent weaknesses in the payment process.
“[Merchants] need to think very hard about their payment gateway and make sure it’s matching the level of security they want to offer their consumers,” says Sean McQuay, a credit card expert at NerdWallet. He cites point-to-point encryption, or P2PE, as a payment gateway add-on that can offer another layer of security.
Full-stack payment platforms — which provide an all-in-one payment gateway, processor and merchant account service — can be especially attractive for smaller businesses. They handle and store PANs (primary account numbers) and other cardholder data on behalf of merchants, reducing liability and smoothing the way toward PCI compliance.
But there’s a lot to consider when choosing among online payment options. Some levy monthly fees or take a cut of each transaction. And while conveniently turnkey and secure, these platforms may “dirty up” the UX of the transaction process, raising the possibility of a lost sale if a customer is impatient.
Network Tokenization: The Next Big Thing
Several card networks, including Visa and MasterCard, have been turning to tokenization to beef up security and further minimize their exposure. As cardholder data is captured by a point-of-sale terminal, it is encrypted and sent to the “vault” of a tokenization service provider, such as a card network. This provider then creates a token — unique and randomly generated numbers or symbols that take the place of the PAN in part or in whole — and this token is what the merchant sees throughout the entire transaction process.
John Kindervag of Forrester Research praises tokenization as both a user-friendly and effective way to secure online transactions. Merchants benefit, he explains, by only possessing “dead data that can’t be monetized by criminals and doesn’t fall under purview of PCI.”
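To make the vault-and-token flow described above concrete, here is an added illustration (not Braintree's, nor any card network's, code): a hypothetical in-memory vault that swaps a PAN for a random token, keeps the last four digits so the merchant can still display "card ending in …", and lets only the vault map the token back. The sample card number is a constructed Luhn-valid test value, not a real account.

```python
import secrets

# Constructed sample PAN (a well-known Luhn-valid test number, not a real card).
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by card networks to reject mistyped PANs."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical tokenization service provider's 'vault'.

    Holds the only PAN-to-token mapping; merchants see just the token.
    """

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        if pan in self._token_by_pan:            # same card -> same token (repeat billing)
            return self._token_by_pan[pan]
        while True:
            # 12 random digits + real last 4, so only the tail of the PAN survives.
            token = "".join(str(secrets.randbelow(10)) for _ in range(12)) + pan[-4:]
            if token not in self._pan_by_token and token != pan:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (never the merchant) can recover the PAN."""
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What the merchant stores: the token and a display hint, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:]}
```

If the merchant's database leaks, an attacker gets only tokens, which are meaningless without the vault; that is the "dead data" Kindervag refers to.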
What’s EMV Got To Do With It?
One of the most talked-about advances in payment security this year is EMV, a technology developed by credit card giants Europay, MasterCard and Visa. Embedded EMV chips in credit cards employ single-use transaction codes to transmit encrypted data. These unique, throwaway codes are thus worthless to data skimmers, besting the level of protection of cheaper, easily cloned magnetic stripes on the back of conventional plastic.
Though many see EMV adoption as a positive step forward, it only addresses vulnerabilities of brick-and-mortar businesses. The technology’s impact on CNP, or “card-not-present,” online payment security may be more ambiguous. Some experts believe that as credit card thieves find some of their efforts at card-present scams stymied by EMV, their crimes will go digital. “Fraudsters are seeing opportunity diminish with EMV adoption,” says McQuay of NerdWallet. “Online fraud is an easy next step.”
The data supports his claim: in the 10 years after the U.K.’s 2004 adoption of EMV, CNP fraud spiked 120 percent, even as credit card fraud on the whole decreased.
Hire The Right Bouncer
As any club owner knows, having the right security guy outside is critical to ensuring the safety of guests without scaring them off or ruining their night by being too aggressive. The same is true for online retailers. The trick is building a partnership with a platform that strikes the right balance between security and a clean, smooth user experience.
At Braintree, security is of paramount importance. The global online payment processor provides a secure environment that goes above and beyond industry security standards and guidelines.