The Payment Card Industry Security Standards Council (PCI SSC) is an international group dedicated to keeping payment data secure. It publishes and updates the PCI Data Security Standard (PCI DSS), which applies to “all entities that store, process, or transmit cardholder data and/or sensitive authentication data.”
Different types of businesses need varying levels of PCI compliance, ranging from a few simple requirements for online sellers using gateways to full validation for gateway providers themselves. Major payment card brands like Visa and Mastercard operate independent programs that define validation levels and compliance, so the notion of “compliance” itself is complex.
Most e-commerce merchants who use payment gateways can gauge their level of PCI compliance with the PCI SSC's Self-Assessment Questionnaire A (SAQ A). This document includes only the PCI DSS requirements that apply to sellers who outsource all payment card handling to third-party services that are themselves validated, which in practice means a reputable payment gateway.
Be sure to ask any third-party vendors that handle financial transactions whether they carry validation for all PCI DSS requirements. If they don’t, keep looking.
Encryption isn't the only way to conceal financial identifiers as they move between customers, your site, and the payment processor. Tokenization is a powerful strategy that replaces a credit card number with a unique code, or "token," that has no mathematical relationship to the card number. The merchant's systems transmit and store the token rather than the card number itself, so the token is worthless to an attacker who steals it.
Agouris recommends choosing a payment gateway that provides tokenized transactions for the greatest security benefits.
“For most businesses now, the best option is to fully tokenize their payment gateway relationship with their e-commerce platform, such that the business’s own e-commerce system never actually sees the full payment information,” Agouris says.
“All the system knows is that the payment gateway did or did not approve the payment and why. The immediate security is now shifted to leverage the payment gateway’s systems, whose day job is all about security on your behalf.”
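The flow Agouris describes, simulated end to end as an added example (not code from the original article or from any real gateway): the full card number exists only inside a simulated gateway vault, the merchant keeps just the random token plus the approve/decline result, and a small Luhn-based scanner checks the merchant's own records for any full card number that should not be there. All names here (GatewayVault, MerchantOrders, find_pans) and the sample card numbers are constructed for illustration.

```python
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class GatewayVault:
    """Simulated payment-gateway side: the only place a full PAN is held."""
    _vault: dict = field(default_factory=dict)  # token -> PAN

    def tokenize(self, pan: str) -> str:
        # The token is random, not an encrypted or hashed PAN, so it leaks nothing.
        token = "tok_" + secrets.token_urlsafe(16)
        self._vault[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        pan = self._vault.get(token)
        if pan is None:
            return {"approved": False, "reason": "unknown_token"}
        # Toy authorization rule (constructed): one fixed test number declines.
        if pan == "4000000000000002":
            return {"approved": False, "reason": "card_declined"}
        return {"approved": True, "reason": "approved"}


class MerchantOrders:
    """Merchant side: persists only the token and the gateway's decision."""

    def __init__(self, gateway: GatewayVault):
        self.gateway = gateway
        self.records = []

    def checkout(self, token: str, amount_cents: int) -> dict:
        result = self.gateway.charge(token, amount_cents)
        record = {
            "token": token,
            "amount_cents": amount_cents,
            "approved": result["approved"],
            "reason": result["reason"],
        }
        self.records.append(record)
        return record


# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return digit strings in `text` that look like card numbers (Luhn-valid)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def demo() -> tuple:
    """Tokenized checkout; returns (approved, PANs found in merchant records)."""
    gateway = GatewayVault()
    merchant = MerchantOrders(gateway)
    # Constructed: the customer's browser sends the card number straight to the
    # gateway (hosted fields / iframe) and receives a token; the merchant never sees the PAN.
    token = gateway.tokenize("4111111111111111")
    record = merchant.checkout(token, 1999)
    leaked = find_pans(repr(merchant.records))
    return record["approved"], leaked


if __name__ == "__main__":
    print(demo())
```

Running `find_pans` over application logs, database dumps and error reports is a cheap recurring check that the tokenized design is actually holding: a tokenized merchant should get an empty list back every time.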
To grant access to protected information, a system needs to verify the user’s identity. A simple way to do that is to prompt the user for a password — but a malicious user could acquire that password, so a single factor isn’t enough to guarantee security.
The second factor is typically a code sent to the user's phone or email address when access is requested; this verifies that the user also possesses an item (the phone or email account) that is tied to their identity. This is a simple but effective form of multifactor authentication that dramatically improves security.
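The two-step login just described, as an added example that is not part of the original article: a salted password hash as the first factor, then a six-digit one-time code that expires, is single-use, allows a bounded number of guesses, and is compared in constant time. Delivery over SMS or email is replaced by an in-memory outbox, and the class and method names (TwoFactorLogin, begin_login, finish_login) are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a code is valid for five minutes after issue
MAX_ATTEMPTS = 5         # guesses allowed against one issued code


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """PBKDF2-SHA256 with a random 16-byte salt (a fresh salt when none is given)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class TwoFactorLogin:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be tested offline
        self.users = {}         # user -> (salt, digest)
        self.pending = {}       # user -> [code, issued_at, attempts]
        self.outbox = []        # constructed stand-in for the SMS/email channel

    def register(self, user: str, password: str) -> None:
        self.users[user] = hash_password(password)

    def begin_login(self, user: str, password: str) -> bool:
        """First factor: on a correct password, issue and 'send' a one-time code."""
        stored = self.users.get(user)
        if stored is None:
            return False
        salt, digest = stored
        _, candidate = hash_password(password, salt)
        if not hmac.compare_digest(digest, candidate):
            return False
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded to 6 digits
        self.pending[user] = [code, self.clock(), 0]
        self.outbox.append((user, code))           # production: SMS/email provider call
        return True

    def finish_login(self, user: str, submitted: str) -> bool:
        """Second factor: accept the code once, within its lifetime, with bounded attempts."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        code, issued_at, attempts = entry
        if self.clock() - issued_at > CODE_TTL_SECONDS or attempts >= MAX_ATTEMPTS:
            del self.pending[user]                 # expired or exhausted: force a new code
            return False
        entry[2] += 1
        if hmac.compare_digest(code, submitted):   # constant-time compare
            del self.pending[user]                 # single use: a replayed code fails
            return True
        return False


class FakeClock:
    """Constructed clock so the example can show expiry without waiting."""
    def __init__(self, now: float = 1_000_000.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


def demo() -> tuple:
    """Returns (wrong-code result, right-code result, replay result, expired result)."""
    clock = FakeClock()
    auth = TwoFactorLogin(clock=clock)
    auth.register("alice", "correct horse battery staple")
    auth.begin_login("alice", "correct horse battery staple")
    _, code = auth.outbox[-1]                      # what the user reads off their phone
    wrong = auth.finish_login("alice", "000000" if code != "000000" else "111111")
    right = auth.finish_login("alice", code)
    replay = auth.finish_login("alice", code)
    auth.begin_login("alice", "correct horse battery staple")
    _, code2 = auth.outbox[-1]
    clock.now += CODE_TTL_SECONDS + 1              # let the code expire
    expired = auth.finish_login("alice", code2)
    return wrong, right, replay, expired


if __name__ == "__main__":
    print(demo())
```

The attempt limit and expiry matter as much as the code itself: a six-digit code with unlimited guesses and no lifetime is only a million possibilities away from a password-only login.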
As with all efforts to ensure online payment security, the use of multifactor authentication doesn’t just make e-commerce safer; it also makes customers more likely to click “buy” in the first place.