Electronic & Card Payments

These days, virtually all payments made or received by a business are transacted electronically, with cheques having become a rarity and cash normally used only in over-the-counter retail situations. Because of the secure nature of banking systems, bank transfers are relatively safe, provided the same care is taken that should be exercised with all online transactions. Taking and making card payments involve more risk, but again some simple precautions can prevent problems from arising. Compliance with certain standards is also required for businesses which accept payment cards.

The risks

  • Taking payments
    • Being paid using fraudulent or stolen credit cards.
    • Non-compliance with Payment Card Industry Data Security Standards (PCI DSS), and the resulting penalties.
    • Contravening data protection laws by keeping cardholder details for inappropriate purposes or an extended period of time.
    • Chargebacks to customers who falsely claim non-delivery, goods not as described or received damaged.
  • Making Payments
    • Making payments to fraudsters on bogus sites or for goods and services that do not exist.
    • Transferring money to bogus accounts for goods or services that do not exist (banks are rarely able to refund money stolen in this way)
    • Phishing emails – being deceived into entering financial details on fraudulent websites.
    • Vishing phone calls – being deceived into revealing financial details on the phone.
    • The last two mentioned are examples of social engineering.

Safe payments

  • Taking Payments
    • Ensure that your ecommerce website is secure for the safety and peace of mind of your customers (see Secure Websites, below).
    • If taking payment by payment cards, ensure your business is compliant with Payment Card Industry Data Security Standards (PCI DSS), whose requirements differ according to ‘merchant level’ and card issuer (see Compliance Criteria and PCI levels, below).
    • When despatching goods, use proof of delivery (POD) to avoid chargebacks.
    • Depending on the nature of your business and size of transactions, consider accepting PayPal and mobile payments which provide an additional layer of security.
  • Making Payments
  • When making online payments either on a supplier website or via direct payment, ensure the site is secure. There should be a padlock symbol in the browser window frame, that appears when you attempt to log in or register. Be sure that the padlock is not on the page itself … this will probably indicate a fraudulent site. The web address should begin with ‘https://’. The ‘s’ stands for ‘secure’. Remember, however, that this indicates only that the link between you and the website owner is secure, and not that the site itself is authentic. You need to do this by carefully checking the address for subtle misspellings, additional words and characters and other irregularities.
  • Use strong passwords and ensure they are kept private by the people they are issued to.
  • Impose strict usage rules for employees who have company payment cards –including PIN and password protection and anti-cloning precautions.
  • Remember that using a credit card offers more protection over using a debit card or direct payment.
  • Be clear with your bank where liability for loss lies in the event of fraud. Read their terms and conditions and if in doubt, ask your bank’s business manager.

Merchant PCI DSS compliance citeria and PCI levels

  • Compliance requirements are dependent on a merchant’s activity level.
  • There are four levels, based on the annual number of credit/debit card transactions.
  • While payment brands determine the compliance levels for their own brands, acquirers are usually responsible for determining the compliance validation requirement levels of their merchants.
  • The compliance levels are set out below and usually refer to the number of transactions of each payment brand in a year.
  • Whether or not transaction volume applies only to e-commerce transactions or to payments processed through all channels is decided separately by each payment brand but, in general, all transactions are included.

Level 1 Criteria

Merchants with over 6 million transactions a year, or merchants whose data has previously been compromised
Level 1 Validation Requirements
Annual Onsite Security Audit (reviewed by a QSA or Internal Audit if signed by officer of merchant company and pre-approved by acquirer) and quarterly network security scan

Level 2 Criteria
Merchants with 1,000,000 to 6 million transactions a year
Level 2 Validation Requirements
Annual Self Assessment Questionnaire
Quarterly Scan by an Approved Scanning Vendor (ASV)

Level 3 Criteria
Merchants with 20,000 to up to 1,000,000 transactions per payment brand
Level 3 Validation Requirements
Quarterly Scan by an Approved Scanning Vendor (ASV)
Annual Self Assessment Questionnaire

Level 4 Criteria
Merchants with up to 20,000 ecommerce transactions or up to 1,000,000 non-ecommerce transactions per payment brand

Level 4 Validation Requirements
Annual Self Assessment Questionnaire

Quarterly Scan by an Approved Scanning Vendor (may be recommended or required, depending on acquirer compliance criteria)

Secure websites

Providing a secure website for payments will ensure customers’ safety and peace of mind. Most people who shop and pay for goods and services online now recognise the significance of the padlock symbol in the browser window frame, that appears when they attempt to log in or register – and the address beginning with ‘https://’.

This shows that your business has a digital certificate that has been issued by a trusted third party, such as VeriSign or Thawte, which indicates that the information transmitted online from your website has been encrypted and protected from being intercepted and stolen by third parties, by means of SSL technology (see explanation below).

You can also obtain an Extended Validation (or EV-SSL) certificate, which indicates that the issuing authority has conducted thorough checks into your business.

SSL

SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client – typically a web server (website) and a browser, or a mail server and a mail client such as Microsoft Outlook.

SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Normally, data sent between browsers and web servers is sent in plain text …leaving you vulnerable to eavesdropping. If an attacker is able to intercept all data being sent between a browser and a web server they can see and use that information.