Payment processing security: strategies and best practices
South Africans are flocking to new forms of digital payments at a rapid pace. However, among those that are yet to fully make the move away from cash, there is a common theme: they are worried about the potential for scams and the security of their payments.
Making payments online is still a relatively new experience for many South Africans, so trust needs to be built continuously. Security remains an area of critical importance across anything related to payments, including online and offline payments.
People only use payment methods that they know they can trust, and often a single negative experience can turn them off for good. So in order to reap the benefits of South Africa’s blossoming payment ecosystem, it is important for enterprises to reassure customers that their money is safe - and to ensure best practices are followed to make sure that rings true.
What are secure payment systems?
A secure payment system is the infrastructure that allows payment information to be processed safely, whether online or in a physical store. Secure payment systems typically employ a number of safety measures, such as encryption, tokenisation and verification, to ensure the customer’s payment details are protected.
Using a secure payment system helps to mitigate some of the risk of fraud and theft, although these risks can never be removed entirely.
Why is secure payment processing important for online transactions?
Payment security is a crucial part of accepting payments online, especially in countries and sectors where people are still growing accustomed to transacting digitally rather than physically. When people are participating in online commerce for the first time, they are both less trusting and more likely to fall for scams as they do not know what to expect.
Increased payment security means more protection for the customer, and can result in more transactions which, ultimately, means higher revenue.
Organisations that process or transmit payment data, such as cardholder details, are required to comply with the Payment Card Industry Data Security Standard (PCI DSS), which is a set of security standards created to ensure a secure and reliable payments environment for customers.
In South Africa, additional licenses may be required for payments service providers, such as TPPP (Third Party Payments Provider) licenses, and more recently, CASP (Crypto Asset Service Provider) licenses for any businesses involved in crypto-related transactions, which ensure businesses operate according to agreed standards and security protocols.
Who should invest in payment security?
Payment security is a necessity, not a nice-to-have, for any business. Customers are unlikely to spend their money anywhere that they cannot trust to keep their payment details safe. This is especially true when customers are paying in advance for goods or services, such as with e-commerce or travel booking.
Many South Africans are still getting to grips with online commerce and want to know that they will be protected. For many, the idea of paying for something digitally in advance and trusting that it will arrive as promised is still something that requires getting used to.
How to implement best practices for secure online payments
Before implementing any security measures, it’s important to understand the requirements and carry out a comprehensive risk assessment to identify any liabilities, vulnerabilities and needs.
Any business that collects data from customers will need measures in place to protect this data and prevent fraud. As we saw in our recent consumer research report focused on the e-commerce space, customers value safety and security highly when it comes to choosing where they shop and whether they keep coming back. So it’s also important for businesses to communicate how they manage security to their customers.
Different payment security measures
There are a range of measures you can take as a business in South Africa to ensure any card details you handle are secure:
- Authentication: The most basic level of payment authentication is Single Factor Authentication (SFA), which describes measures like requiring a pin to authenticate a transaction. Enterprises can improve their security by implementing two-factor authentication (2FA) or even multi-factor authentication (MFA) in their payments process, which require additional layers of approval such as receiving a code via email or taking a selfie.
- Tokenisation: Tokenisation has many applications, but it is especially useful for improving the security of payments. Tokenisation is a technology that replaces sensitive information – such as credit or debit card numbers – with a unique ‘token’, or identifier. This token then acts as a proxy for card information during the transaction and can be saved for future transactions.
- Encryption: This is the practice of transforming data into code to prevent unauthorized access. Encryption protocols transform plain text data (such as payment card details) into a scrambled format that is unusable without decryption keys - even for the payment processor and the merchant handling this data. Encryption can either be symmetric – where both encryption and decryption use the same key – or asymmetric, where there are separate keys for each task. This allows for data to be transmitted and stored more safely.
- Fraud detection: Fraud detection systems use algorithms, pattern recognition and machine learning to flag and block suspicious transactions. There are a range of fraud detection tools available, but the best all combine the same components: real-time analysis of payments, historical data comparison against past behaviour, alert systems to warn when it has detected suspicious activity and machine learning capabilities to improve over time.
- Firewalls: Firewalls are a form of security that prevent outsiders from gaining access to a computer network. Payment infrastructure sits within and interacts with your business’s wider computer network, so it is important to ensure both are protected from intrusion. Best-in-class firewall solutions typically include intrusion detection and prevention, security monitoring and response and strong access controls. They also use network segmentation to separate sensitive data into isolated segments, making an attack more difficult.
- Training: In any system, the users are a critical weak point. Even sophisticated security can be overcome if the people responsible for managing it aren’t following the correct protocols to protect customer data. This is why it’s critical to provide regular and comprehensive training to ensure that your team is following best practices. It is also important to give customers adequate warnings to make them alert of the risks of scams
The easiest way to meet all of these requirements is to work with a payments provider that already has best-in-class security credentials, data management protocols and fraud prevention technology.
For example, every business that processes card payments must comply with the PCI DSS standard. In order to do so, they must implement a range of payment security best practices to meet PCI DSS’s 12 requirements. These include ensuring card details are collected and transmitted securely, storing data securely, encrypting cardholder data when transmitting it across open public networks and more.
Why choose Stitch for secure, reliable digital payments
Stitch is PCI DSS Level 1 certified, so the clients we work with meet these stringent requirements automatically. We are also a registered TPPP, and via Stitch Shield, our robust fraud engine, we actively work with our clients to prevent and mitigate fraud.
Stitch Shield helps our clients combat fraud by:
- Monitoring fraud based on industry-specific rules
- Flagging and alerting businesses of suspicious transactions and users
- Blocking or delaying a suspicious or fraudulent transaction
- Blocking a user (per merchant or across all merchants)
- And more