Payment Security could be considered boring – let’s change that and make it interesting.
I searched the internet for ideas on how to make payment security exciting to read about, but it is almost impossible. Then I thought: let’s look at it another way and tell you how not to do payment security, hopefully making it a little more interesting.
I must be showing my age because I remember working in a shop and taking a deposit, or sometimes processing a payment from someone’s credit card, by taking a swipe of the card using carbon paper. You’d then get the actual card imprinted on a slip and ask the customer to sign. How long ago was this, 25 – 30 years? Yep, definitely feeling old now! Oh my, how things have changed.
Back in the good old days, we didn’t worry about payment security, and we had no idea about buying things online. I remember my internet was dialed up at home (try and explain to a teenager today what it meant to be unable to use the phone at the same time and they’ll think you’re mad). I used it to check my Hotmail email and would buy things on eBay then post a cheque to pay for it. I’ll say it once again, oh my, how things have changed!
In great leaps and bounds, we have moved forward to the present, where I think we would all agree that we couldn’t have gotten through these past painful few months without the internet. I’m not only talking about using it as a means to talk to our friends and loved ones; what would we do without the ability to buy our shopping or perform our basic banking online?
Since the start of the pandemic in 2020, the number of businesses forced to start selling their products online has increased; perhaps it was a realization that this was probably going to be the only way for them to stay open. It was also vital for the country’s population, as it was our only way of finding groceries and other needs. Marketplaces, online supermarkets, and contactless deliveries became the norm very quickly.
None of this would have been possible without the updates and advances in the internet and in payment security, which give us as consumers the confidence and trust to enter our card and personal information online. Do you know where payment security came from? Why did the card industry feel it necessary to put standards in place?
We probably all have a PIN that we use for something, but ATM PINs started in the 1960s. This was probably the introduction for all of us into the world of payment security, and we probably had no idea. We now have SSL, Multi-Factor Authentication, security tokens, PCI Compliance, and numerous other standards and controls that need to be adhered to. The main one that I am focusing on is PCI Compliance: the Payment Card Industry Data Security Standard (PCI DSS). The main payment card brands, Visa, MasterCard and American Express, formed the standard to stop credit card fraud. All Merchants, Acquirers, Payment Technology Providers, Payment Service Providers, etc. have to adhere to a level of PCI Compliance as service providers, and ideally it is best to work with someone that maintains the highest level of compliance. The thought of writing lines and lines about PCI Compliance really makes my eyes glaze over, so without falling asleep, let’s look at the realities of having an e-commerce website with poor or absent security controls.
What’s the worst that can happen? If you are still with me and reading this, then prepare for a shock. This isn’t something that only happens to the small enterprises that don’t take security seriously. It can happen to all, yes even the big guys.
One of the biggest fines imposed was on British Airways under GDPR. It was originally £183 million but was significantly reduced to closer to £20 million due to Covid-19. It was revealed that in mid-2018 hackers set up a fraudulent site that looked like the normal BA booking site. It was linked to the BA site, so when it came to entering personal information (including payment details) everything looked perfectly normal, but the information was being sent to the hackers’ site rather than where it should have gone, the BA site. The attackers were able to obtain names, addresses, email addresses, credit card numbers, expiry dates, and CVV numbers of everyone that made a booking between 21 August 2018 and 5 September 2018. It’s a short window of time, but just imagine how many people make a flight booking via BA each day. This was not only a serious GDPR breach but also a breach of BA’s PCI compliance, as the payment card data had not been adequately protected.
The estimated number of data records breached was 500,000. These breaches happen every day; there are lists of companies that are breached each week, and the severity ranges from bad to worse. There is no good when it comes to your customers’ data being accessed, ending up in the wrong hands and being sold to the highest bidder. Other than BA, a few other well-known worldwide companies and brands have suffered at the hands of hackers: Virgin Media, Facebook, Vision Direct, and Marriott Hotel Group. In Mauritius, we could’ve been affected by the breach at the Marriott group, and there were the ‘Mauritius Leaks’, where confidential business information was accessed by the International Consortium of Investigative Journalists and used, as a massive exploitation of confidential information, to build a case against the global business sector of Mauritius and to allege that the island was being used to avoid taxes in countries in Africa, Asia, the Middle East, and the Americas. Other than this, there are no documented cases of data hacks or security breaches.
‘People’s personal data is just that – personal. When an organization fails to protect itself from loss, damage, or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data, you must look after it.’ – Information Commissioner Elizabeth Denham
This isn’t an effort to scare you into thinking that you shouldn’t be processing payments online, or to tell you that your credit card details are going to be stolen when you pay for your groceries from a website. I’m trying to give you a bit of a reality check: this does happen, every day, in some shape or form, but with the right security you can stop it from happening, minimize your own risks, and pass on security confidence to your customers. As a merchant, the easiest way to secure your payment processing is to look for a payment technology provider or gateway that is ‘On The List’. The list is Visa’s global registry of service providers, and Visa suggests that you only use a provider on that list. You can use this link to check for providers in Mauritius.
Appletree is on that list, and we proudly display our ‘On the list’ badge on our website. These badges are only provided by Visa, and we work hard to maintain the security standards that they set for us. We do the hard work so that you don’t have to. Payment security is a high priority in our offering, and we make it easy so that you have absolutely nothing to worry about. We are compliant with the Payment Card Industry Data Security Standard (PCI DSS) as a Level One service provider, and after 8 years of annual audits we still maintain our Level One status. We pass this on to you as a merchant using our software, and you, in turn, pass this security on to your customers. You can confidently tell your customers that their payment information will be safe and that they should go ahead with that purchase through your website. We offer a bit more than a padlock on your payment page and deliver this as part of the package. There are no extra charges; it is just there. We make sure we do it properly so that you can focus on selling your products and marketing your business without worrying about your website being hacked and your customers’ payment data being stolen.
Let us talk to you about how we can help the security on your site and give you confidence that your customers’ payment card information is safe. If you have a Shopify shop, have a read of our article here on why it’s important to connect your shop to your local bank.