    Three steps for secure online business

    It is easier to make sales online if the seller accepts credit cards, but e-commerce businesses need to ensure they have the correct security basics. Three important steps can protect customers and sellers.
    Peter Harvey

    If they store, transmit or process any kind of credit or debit card information, it is their job, as the merchant, to protect it. If cardholder data is stolen and the seller is responsible, the organisation could face fines, penalties and even lose the right to accept payment cards. The card associations are getting stricter about this.

    Three steps

    1. Hire reputable professionals for your web development
      The days when one could ask one's neighbour's son or a just-qualified graphic design student to build a website on the cheap are long over. Make sure web developers have specific experience in building e-commerce sites. Ask them what shopping carts and payment gateways they prefer and why, and to explain in detail how the process works. If they cannot explain it to one's satisfaction, then one must ask if they really understand it themselves and whether one can accept their recommendations.

      This is an area where it is worth investing in professionalism. If the online channel is important to a business, the checkout and payment process can make or break it. This is the last place one should be stingy with the budget.

    2. Choose your payment service provider carefully
      Price is important, but don't fall for false economies. The first question one should ask is about security - how does the gateway protect customers' card information? Ask for proof that they are PCI compliant, that is, that they comply with the standards laid down by the global PCI Security Standards Council.

      Secondly, ask for information about reliability and availability. It's no good having a cheap payment gateway if they're down one day out of seven and customers get turned away at the till. Ask about their downtime and contact some other customers to ask about their experience. Once one is satisfied that security and reliability needs are met, then is the time to let price be the deciding factor - not before.

    3. Use a payment page hosted by the gateway provider, or consider tokenisation
      One very safe option is to let the gateway handle the entire payment process via a page on their server. This means that when a customer clicks 'Pay' or 'Check Out' on their shopping basket, they are taken to a secure page that is isolated from one's website. This means that one's business never stores, transmits or processes their card information in any form - the PCI-compliant payment gateway does it all for you.

      Some online merchants prefer to control the user experience from beginning to end, including the payment process. In this case, merchants should use tokenisation. This means that instead of actual card information, one stores an encrypted token provided by the payment gateway. Next time one needs to process a transaction on that same card, one just sends the token. This is a simple but highly effective way to make sure one never has to store card numbers.
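
The tokenisation flow from step 3, as an added example that is not from the original article or from any payment provider. `StandInGateway` is a constructed stand-in that issues a random opaque value as the token; all names and the test card number are assumptions, and the merchant store rejects any field that contains a Luhn-valid card number.

```python
import re
import secrets

def luhn_ok(digits):
    """Luhn checksum, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Return 13-19 digit runs (single spaces or dashes allowed) that pass Luhn."""
    runs = re.finditer(r"\b\d(?:[ -]?\d){12,18}\b", text)
    digits = [re.sub(r"[ -]", "", m.group()) for m in runs]
    return [d for d in digits if luhn_ok(d)]

class StandInGateway:
    """Constructed stand-in for the gateway side; not a real provider's API."""
    def __init__(self):
        self._vault = {}                    # token -> card number, held only by the gateway
    def tokenise(self, card_number):
        token = "tok_" + secrets.token_hex(16)   # opaque to the merchant
        self._vault[token] = card_number
        return token
    def charge(self, token, amount_cents):
        return token in self._vault and amount_cents > 0

class MerchantStore:
    """Merchant-side records; refuses any field that contains a card number."""
    def __init__(self):
        self.records = {}
    def save(self, customer_id, **fields):
        for name, value in fields.items():
            if find_card_numbers(str(value)):
                raise ValueError(f"field {name!r} contains a card number")
        self.records[customer_id] = fields

def demo():
    gateway, store = StandInGateway(), MerchantStore()
    # First purchase: the card goes to the gateway, never to the merchant store.
    token = gateway.tokenise("4111111111111111")     # constructed test number
    store.save("cust-1", token=token, last4="1111")
    # Repeat purchase: the merchant sends only the stored token.
    return store, gateway.charge(store.records["cust-1"]["token"], 25000)
```

The same `find_card_numbers` check can be run over logs or database exports to confirm that no card numbers have reached merchant-side storage.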

    About Peter Harvey

    Peter Harvey of PayGate.