
Updated Oct 24, 2024

11 Ways to Help Protect Your Company (and Customers) When You Take Payments Online

Security incidents are costly and can damage your reputation.

Written by: Jennifer Dublino, Senior Writer & Expert on Business Operations

Editor verified: Gretchen Grunburg, Senior Editor & Expert on Business Strategy

Cybersecurity hazards are a reality in today’s digital world. Small businesses and their employees must act cautiously to keep their customers’ private data safe and protect their reputations. Seemingly innocuous actions, like clicking a link in an email, can expose your customers’ personal information to hackers and leave your company vulnerable to legal action, lost business and brand distrust. 

The stakes are even higher when a small business accepts credit card payments and other digital payment forms online. Securing your online payment process is crucial for your business’s survival. We’ll share 11 online payment security tips to protect your business and customers and highlight the most secure payment methods to accept.


Online payment security tips

Small businesses often have a false sense of security, assuming cybercriminals have bigger fish to fry. In reality, they often fall victim to security incidents. According to the Hiscox Cyber Readiness Report, 41 percent of U.S. businesses experienced at least one cyberattack in 2023. Small companies are particularly vulnerable because a security incident is more likely to put them out of business. 

Consider the following online payment security best practices to protect your customers and business. 

1. Use two-factor authentication.

Two-factor authentication (2FA) is an essential element of any company’s cybersecurity plan. 2FA, also called multifactor authentication (MFA), is essential when you deal with vendors, social media, financial institutions or any platform where your business has an account. If a cybercriminal can access your accounts, your customers’ sensitive information and your company’s private data are at stake. If you deal with a vendor that doesn’t offer 2FA or MFA, request it or find a more secure vendor.  

With 2FA, you know immediately if someone is trying to access your account and can take steps to secure it by changing the password.

According to John Price, a cybersecurity expert and CEO of SubRosa, MFA is also crucial for securing your business’s internal information. “Businesses should consider using [MFA] for any internal access to payment systems, ensuring only authorized personnel can handle sensitive transactions,” Price advised. “Implementing strong access controls and limiting data retention can also go a long way in reducing vulnerabilities.”

2. Verify every transaction.

E-commerce financial transactions are, by definition, card-not-present transactions, which are inherently less secure than card-present transactions. Online businesses can improve security by verifying the transaction in the following ways:

  • Require customers to enter the credit card’s security code
  • Have customers enter the card’s billing address and match it with address verification
  • Get a phone number so you can call if there’s a discrepancy
  • Validate the provided email address
Did you know?
Using an address verification service and requiring security codes can help to prevent chargebacks, which occur when a cardholder requests that their bank reverse a credit card charge on their account.

3. Choose a secure e-commerce platform.

One of the best ways to protect your online store is to base it on a secure e-commerce platform. The best e-commerce platforms — such as BigCommerce, Adobe Commerce, Shopify and WooCommerce — are established companies that have excellent reputations and implement innovative security measures, such as SSL certificates, PCI compliance and fraud prevention tools. 

Platforms with excellent security are rarely the cheapest, but this cost is a crucial part of your cybersecurity budget. Secure e-commerce platforms can ultimately save you money by protecting your reputation and your customers.

4. Buy cyber liability insurance.

Even when you do your best to secure your operations, you may still be vulnerable to savvy hackers or dishonest employees. Cyber insurance will help cover your bases. Cyber liability insurance typically covers the costs associated with a data breach, such as those for losing income, notifying customers, recovering compromised data, and repairing damaged computer systems.

5. Use a personal verification system.

Requiring customers to set up an account with you before they make a purchase lets you verify them with their login credentials. Alternatively, you can ask customers to confirm their identity by providing a photo of their driver’s license or other government-issued identification for big-ticket items.

6. Don’t store customers’ payment data.

It’s best not to store any customer payment data, which could otherwise become a target for cybercriminals. Don’t store electronic data or paper files, such as when you take credit card payments over the phone. However, if you must store payment data to enable easy repeat purchases, work with a third-party company that uses encryption to protect the data. 

Brent Johnson, chief information security officer at Bluefin, recommended using tokenization services to secure customer payment data. “Merchants can choose to take advantage of tokenization services to remove cardholder data from their environment, rendering stored sensitive data useless to hackers in the event of a breach,” Johnson said. “Tokenization also fosters consumer confidence by keeping their payment and personal data secure while using that data to create a more personalized online shopping experience.”
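The data flow Johnson describes, sketched as an added example (not code from the article or from any provider): the merchant keeps only a random token and the last four digits, while the card number lives with the tokenization provider. `TokenVault`, `save_card_on_file` and the in-memory dictionaries are hypothetical stand-ins; in a real deployment the provider's hosted payment form collects the card number so it never reaches the merchant's server at all.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn checksum that every payment card number must satisfy."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical stand-in for the third-party tokenization provider."""
    def __init__(self):
        self._pan_by_token = {}  # exists only on the provider's side

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        # Random value, not derived from the card number, so it cannot be reversed.
        token = "tok_" + secrets.token_urlsafe(16)
        self._pan_by_token[token] = pan
        return token

    def charge(self, token: str, cents: int) -> bool:
        # The provider resolves the token internally; the card number
        # is never handed back to the merchant.
        return token in self._pan_by_token and cents > 0

def save_card_on_file(vault, customer_id, pan, merchant_db):
    """Merchant side: persist the token and last four digits, nothing else."""
    record = {"token": vault.tokenize(pan), "last4": pan[-4:]}
    merchant_db[customer_id] = record
    return record

# Constructed sample input: a widely published test number, not a real account.
TEST_PAN = "4111111111111111"

if __name__ == "__main__":
    vault, merchant_db = TokenVault(), {}
    rec = save_card_on_file(vault, "cust-1", TEST_PAN, merchant_db)
    print("merchant stores:", merchant_db)
    print("repeat purchase accepted:", vault.charge(rec["token"], 1999))
```

A copy of `merchant_db` taken in a breach contains tokens that are only usable through the provider, which is what makes the stored data useless to an attacker.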

FYI
Data breaches destroy e-commerce customer trust. According to Vercara research, 66 percent of U.S. consumers say they wouldn't trust a brand if it fell victim to a cyberattack that compromised their data.

7. Get an SSL certificate for your site.

A Secure Sockets Layer (SSL) certificate provides security by encrypting communication between the customer and your business. In addition, an SSL certificate makes customers feel more confident about doing business with you because they see the certificate displayed in the browser. For extra security, install a firewall and implement an intrusion detection and prevention system. 

8. Ensure PCI compliance.

Any business that accepts credit cards is required to comply with the Payment Card Industry Data Security Standard (PCI DSS). This set of standards covers proactive steps that businesses must take to do the following: 

  • Build and maintain secure networks and systems
  • Protect account data
  • Scan for and protect against malicious software
  • Control access to sensitive data
  • Test networks to spot intrusions
  • Respond quickly and appropriately in the event of an attack

9. Accept secure forms of payment.

In addition to credit cards, which you can verify with additional information, consider accepting payment forms with built-in security. These include electronic checks verified through the Automated Clearing House (ACH) network and digital wallets such as Apple Pay, Google Pay and Samsung Pay, which are secured through blockchain technology (more on secure payment forms below).

FYI
Ransomware is a growing threat to small businesses. According to Sophos, 59 percent of organizations were hit by ransomware attacks in the past year.

10. Educate employees about security protocols.

Human error leads to many data breaches, so it’s vital to invest in employee training. Train team members to identify and properly handle suspicious emails or calls that might be phishing attempts to gain login credentials. Warn them against clicking unexpected email attachments that might contain malware or sharing sensitive information with unauthorized people. Ensure that they log out of their workstation when leaving their desks and never leave work-related USB drives or devices unattended. 

11. Monitor customer purchase patterns.

When you see something out of the ordinary, like an unusually large order from an existing customer, call them to verify its legitimacy. 
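One way to automate the first pass of this check, as an added example that is not part of the original article: each new order is compared with the same customer's own order history, and anything far above their typical spend goes to a manual review queue. The multiplier `k`, the minimum history length, the spread floor and all sample orders are assumptions constructed for illustration.

```python
from statistics import median

def order_verdict(history, amount, k=6.0, min_orders=5):
    """Classify a new order against the customer's past order amounts.

    Median and median absolute deviation (MAD) are used instead of
    mean/stddev so one earlier large order does not inflate the baseline.
    """
    if len(history) < min_orders:
        return "no_baseline"            # too few orders to judge; verify another way
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # Floor the spread: identical past orders give MAD = 0, which would
    # otherwise flag any order even one cent above the usual amount.
    spread = max(mad, 0.05 * med, 1.0)
    return "review" if amount > med + k * spread else "ok"

def review_queue(new_orders, history_by_customer):
    """Return (order id, verdict) for every order a person should look at."""
    queue = []
    for order in new_orders:
        past = history_by_customer.get(order["customer"], [])
        verdict = order_verdict(past, order["amount"])
        if verdict != "ok":
            queue.append((order["id"], verdict))
    return queue

# Constructed sample data.
HISTORY = {
    "cust-1": [42.0, 38.5, 55.0, 47.25, 40.0, 51.0],
    "cust-2": [20.0] * 6,
}
NEW_ORDERS = [
    {"id": "A100", "customer": "cust-1", "amount": 60.0},
    {"id": "A101", "customer": "cust-1", "amount": 1250.0},
    {"id": "A102", "customer": "cust-2", "amount": 30.0},
    {"id": "A103", "customer": "cust-9", "amount": 15.0},
]

if __name__ == "__main__":
    for order_id, verdict in review_queue(NEW_ORDERS, HISTORY):
        print(order_id, verdict)
```

Orders marked `review` are the ones to confirm by phone as described above; `no_baseline` marks customers without enough history for the comparison to mean anything.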

Bottom line
Regardless of whether your business accepts online payments, it's crucial to implement antivirus and internet security software to protect your company's devices against malware, viruses and other web-based threats.

The most secure online payment methods

Protect your customers and business by accepting secure forms of payment. These are some of the most secure payment methods:

  • Credit cards: Credit cards are an exceptionally secure payment option. The best credit card processors comply fully with the PCI DSS and help you attain PCI compliance. Credit card purchases also benefit your customers because they don’t immediately withdraw money from their bank accounts. Instead, the money initially comes from the credit card company.
  • Debit cards: Small business owners benefit from accepting debit card payments because they’re also governed by PCI DSS compliance. Debit card purchases are among the most secure online payment methods. In some cases, debit card use from an unfamiliar Internet Protocol address can trigger identity verification measures. Additionally, Visa and Mastercard don’t hold debit and credit card customers accountable for unauthorized purchases.
  • Wire transfers: A wire transfer is usually a secure form of online payment when your company’s and customers’ banks are reputable institutions. Banks with solid reputations typically lack an extensive history of data breaches and other security gaps, likely because they have robust safeguards against fraud and other security concerns.
  • Mobile wallets: Digital wallets, such as Apple Pay and Amazon Pay, are widely seen as among the most secure online payment methods. Customers benefit because mobile wallets mask credit and debit card numbers, and your company benefits because customers must use a PIN or biometric authentication method to verify their purchase. Mobile wallets must be linked to a legitimate debit account, thus eliminating the possibility of accepting a fake credit card.
  • Electronic checks: Electronic checks are a secure payment method because the ACH verifies every transaction. The system keeps account numbers confidential so they can’t be stolen. If there is any fraud, you are protected by federal law. This is also an excellent payment method for online business-to-business transactions.

 

Jennifer Dublino is an experienced entrepreneur and astute marketing strategist. With over three decades of industry experience, she has been a guiding force for many businesses, offering invaluable expertise in market research, strategic planning, budget allocation, lead generation and beyond. Earlier in her career, Dublino established, nurtured and successfully sold her own marketing firm. At business.com, Dublino covers customer retention and relationships, pricing strategies and business growth. Dublino, who has a bachelor's degree in business administration and an MBA in marketing and finance, also served as the chief operating officer of the Scent Marketing Institute, showcasing her ability to navigate diverse sectors within the marketing landscape. Over the years, Dublino has amassed a comprehensive understanding of business operations across a wide array of areas, ranging from credit card processing to compensation management. Her insights and expertise have earned her recognition, with her contributions quoted in reputable publications such as Reuters, Adweek, AdAge and others.