What is card payment security: 8 ways to protect your customers

UK Finance’s Half Year Fraud Update for 2023 revealed that £258.9 million had been lost to card fraud in the first half of 2023.

And it’s not just shoppers who are being duped out of their hard-earned cash. Juniper Research predicted that eCommerce businesses lost up to $48 billion due to online payment fraud in 2023.

With cash falling out of favour and card transactions totalling 11.6 million each day in the UK, there’s never been a better time to review your business’s card payment measures.

To help you get to grips with everything you need to know, we’ve come armed with all the important bits around card payment security to help you protect your company and your customers. We’ll walk you through the importance of having secure systems in place and which card payment security measures you can implement today.

What is card payment security?

From phone to contactless payments, it’s essential that every stage of a digital transaction is safe and secure. That’s where card payment security measures come in.

These are methods that businesses can use to protect their customers’ sensitive and financial data when making physical card and online payments. Without it, shoppers’ personal information could be at risk of falling into the wrong hands.

Why is card payment security important?

When your customers hand over their payment details to make a transaction, they’re also trusting that your business can keep it safe. If they suspect that you’re not looking after their information properly, it could be the difference between them choosing one of your competitors over your business. And if you’ve lost their trust, it can have damaging effects on your reputation and your bottom line.

But, the biggest reason why card payment security is important is because it helps to protect consumers against fraud and theft. Cybercriminals and fraudsters are continuously finding new ways to scam victims out of their cash, and they can do this by exploiting them at the checkout stage.

Whether your business has moved online and accepts transactions through a payment gateway or you have a physical presence location and take payments with a mobile card machine, it’s your responsibility to make sure each and every transaction is secure.

Helping your consumers to become less susceptible to fraud is so vital that you could face repercussions for non-compliance or negligence, like fines and penalties.

8 ways to enhance card payment security for customers

1. PCI DSS compliance

First and foremost, any business that takes card payments must comply with the Payment Card Industry Data Security Standard (PCI DSS). This is a set of security regulations that companies have to follow to ensure the safety of their customers’ data. These requirements include how businesses store, process, and transmit cardholder details.

PCI DSS aims to help minimise the chances of fraud by data breaches. Any business that isn’t compliant with the latest PCI DSS regulations will be risking their customer’s financial information and may be liable to a fine between £4,000-81,000 per month. The fine will be issued to a business’s merchant bank before being passed down to the business.

As new payment methods and technologies are rolled out, the PCI DSS is updated to ensure it’s still effective and relevant. Find out how we can help your business become PCI DSS-compliant today.

2. Strong Customer Authentication

In September 2019, a new set of regulations was enforced to make card payments even more secure and reduce the chances of fraud. Strong Customer Authentication (SCA) is a requirement from the Payment Services Directive (PSD2) that applies to all “customer-initiated” online card or contactless offline payments within the European Economic Area and the United Kingdom.

SCA compliance requires banks to carry out certain checks to confirm a customer’s identity during the transaction journey. It’s also required for bank transfers.

It’s done by building in at least two of the following three authentication elements into the transaction:

• Something only the customer knows – a password or a PIN
• Something only the customer owns – a mobile phone or card reader
• Something the customer is – a fingerprint or face recognition

Also known as two-factor authentication, these requirements mean that customers may need to provide two of the above elements when purchasing from your business. If they fail to do so, their payment may be considered non-compliant and will be declined.

SCA doesn’t apply to all transactions, and it’s up to individual payment providers to identify which payments are considered low-risk and will be exempt from SCA. Here are a few examples which could be classed as low-risk payments that may not require SCA:

• Transactions below a specific amount
• Recurring payments of the same amount
• Payments made with a saved card on an account where a transaction has previously been made

SCA can affect both online and offline businesses. Here’s how you can meet the SCA requirements for face-to-face and eCommerce transactions:

• In-store – Chip and PIN is SCA compliant as it requires a physical card and PIN code. Contactless payments, however, may prompt customers to enter their PIN code on higher-value transactions. This is particularly useful for mitigating cases of fraud where a card has been stolen and is being used to attempt to purchase something at a physical store location.
• Online – For online stores, the 3D Secure authentication (3DS) method meets the SCA requirements. By entering a one-time passcode as well as their card details, customers will be providing the necessary two levels of SCA to confirm their identity.

3. 3D Secure authentication

The 3D Secure authentication protocol is widely recommended as a solution for SCA requirements, so we thought we’d dig deeper into it.

It applies to online payments, and although there are security measures in place without it, 3D Secure authentication adds another layer to help stomp out credit fraud. It’s also backed by big-name card issuers like Mastercard and American Express.

How 3D Secure works:

After your customer has entered their usual details (like their billing address and CVV number) but before their payment has been processed, they will be taken to their card provider’s 3D Secure page. There, they will either be:

• Asked for their banking password
• Sent an authentication code to enter

The first generation of 3DS directed shoppers to their bank’s website to retrieve an authentication code, but this added an extra step in the checkout process. To address this issue, 3D Secure 2 (3DS2) was introduced.

3DS2 requires merchants to provide additional customer information with each transaction so that banks can decide whether the person attempting the transaction is the cardholder. If the information checks out, there’s no extra security step, and the customer can continue purchasing. If it doesn’t, the cardholder’s bank can trigger the authentication step, which allows payments to be approved via mobile banking applications for a more streamlined experience.

Want to know more about 3D Secure? Take a look at our complete guide to 3D Secure authentication here.

4. Chip and PIN

This is the most common type of payment security used in card machines for card-present transactions. It’s been around since 2006, but let’s rewind to life pre-Chip and PIN…

Before the Chip and PIN method was rolled out, transactions were very different. Businesses had to take payments using a magnetic swipe, which worked like this:

1. You swipe the customer’s card through the machine.
2. They sign the receipt (yes, using an actual pen and paper).
3. You check the signature matches what’s on the card.

The problem with using a magnetic swipe was that if someone lost their card, there wasn’t much stopping someone else from fraudulently using it. All they would have had to do was forge the signature that was right in front of them. The Chip and PIN revolution put an end to all that.
Introducing the need to successfully submit the correct PIN code for the corresponding card makes card payments using a machine much quicker, safer, and more practical.

Now, this is how Chip and PIN works:

Step 1: When prompted, the customer puts their card in the machine and enters their four-digit PIN. PIN codes are set by the bank when someone first gets their card, and most people change theirs to something personal (but not obvious) and easy to remember.

Step 2: Once the PIN has been entered, it becomes encrypted data sent to your business’ merchant account. Encrypted data means the PIN code transforms into another form of code that only people with a decryption key or password can access.

Step 3: When the customer’s payment has been given the all-clear, it’ll show in your business bank account in 3 to 5 days, ready for you to access.

5. Address Verification System (AVS) and Card Verification Value (CVV) checks

AVS and CVV checks should be used for all phone payments, whether done with a card machine or through a virtual terminal.

Here’s how they work:

• Address Verification System (AVS) – You’ll be asked to provide your customer’s full billing address, and then the system will match the postcode given to the address already stored with their bank.
• Card Verification Value (CVV or CV2) – Requires your customer’s CVC or CSC (card security code) to verify the card’s details. This is either a three or four-digit number usually found on the back of the card.

The good thing about AVS and CVV checks is that they’re done in real time, so you can go ahead and accept or reject the transaction right away.

It’s important to remember that failed checks could be a sign of credit fraud. So, if you get any, in the interest of your and your customer’s safety, it’s best to decline the payment.

6. Tokenisation

Tokenisation is similar to encryption, except that sensitive card details are converted into a unique string of characters – known as a token. If your customer’s information is intercepted once it’s been entered into a card machine or payment gateway, tokenisation means that the hacker can’t read the information.

When a customer makes a payment, their card information is immediately tokenised. This means that their actual card numbers never enter your payment system, so anyone trying to intercept the data can’t read the information. All they would find are tokens, which are useless without the tokenisation system's decryption keys. This can help to significantly reduce the risk of data breaches.

7. HTTPS

HTTPS stands for Hyper Text Transfer Protocol Secure and is the protocol that’s used to send information between a customer’s browser and the website they’re connected to. It uses encryption to share information – which means that enabling HTTPS on your business’s website allows your customers to share sensitive financial information in a secure way that can’t be intercepted.

To enable HTTPS, you’ll need to purchase a valid SSL certificate from a Certificate Authority. As part of this, you must submit your website to a Certificate Authority who will validate your domain. They’ll also issue your SSL certificate, which you’ll have to install on your website’s server. Once it’s installed and activated, a closed padlock icon will appear in the address bar of a browser displaying your website.

As a general rule of thumb, a secure SSL-certified website with HTTPS protocol enabled should have a web address that starts with ‘https’ and a closed padlock icon next to the URL.

SSL certificates expire after a certain amount of time, so remember to review it’s expiry date to make sure yours is still valid.

8. Proper credit card information storage

Security is paramount for the transaction part of any customer interaction, but storing customer card details properly is just as important as the actual exchange of funds.

Merchants must ask for customer permission to save their card details for future purchases. Shoppers are allowed to deny the request, and in that instance, merchants cannot keep those details stored on their payment gateway, website, or any other system.

If customers consent to having their information saved, it must be encrypted to prevent it from getting into unauthorised hands and it has to be PCI-compliant to ensure it’s in line with the latest security regulations.

Plus, merchants are only allowed to save certain bits of information:

• Cardholder name
• The customer’s 16-digit card number
• Card expiration date
• Expiry date

Business are not allowed to store or save the customers’:

• PIN
• CVV code
• Authentication data requested through 3D Secure authentication

You can put your trust in us

Safe’s our middle name. Whether you’re looking for a portable card machine or a POS system, you and your customers’ safety is at the centre of everything we do.

• All our solutions use at least one of the above safety features
• Everything we do is in-line with the latest PCI DSS guidelines
• Our secure merchant accounts mean safe transactions

For more about what we do and how we do it, get in touch with the team on 0808 274 2017.

Jodie Wilkinson

Head of Strategic Partnerships