Why do online payments need to be secure?
Taking payments online can save you and your customers considerable time and effort. There are, however, risks associated with online payments and whether you’re an individual or run a business, it’s important to understand these risks and to make sure your customers can trust you with their payment information
If a site gives a sense of poor security customers may fail to complete their payment. In fact, 58% of customers blame a failure to complete a payment on security concerns. Secure payments are thus a key factor in improving buyer confidence and trust, and increasing your conversion rate.
There are also certain compliance requirements you need to comply with to take online payments, so that you can make sure you and your customers are fully protected. This post will run you through SSL, TLS and PCI - from what they are, to why you should use or comply with them, and how you should go about it.
Note: If you're taking card payments, it's not optional to comply with these. But if you choose a reputable provider, such as Stripe, you never touch sensitive financial data so you won't need to worry about them, as the provider will handle it.
TLS and SSL in online payments
No matter how you take payments online – whether you take card or ACH debit (AKA bank debit or Direct Debit) payments – you will want to make sure you’re using SSL. Technically it's now TLS or "Transport Layer Security", but the terms are used interchangeably.
If you’re taking card payments, it’s not a choice – SSL is required for PCI compliance (more on this below).
What is SSL?
SSL, or "Secure Sockets Layer", is a standard security technology used to establish a secure link between a website and a visitor's web browser (or, a mail server and client).
SSL is a predecessor to the current TLS, or "Transport Layer Security", however the term "SSL" is still commonly used to refer to it. (As such, this is the term we'll use in this guide.)
What SSL enables you to do is capture sensitive information like credit card numbers (when your customer inputs them to make a payment, for example) in an encrypted manner, and send it securely to its destination, where it can be safely decrypted.
This means anyone who tries to intercept the information on the way won't get anything but unreadable information.
What do you need to use SSL?
Both a customer's web browser and your web server require an SSL certificate (see below) to establish a secure connection with each other.
All major modern browsers have the capability to use SSL protocol to interact with secured web servers.
What is an SSL certificate?
An SSL certificate is a digital certificate that authenticates a website’s identity, and then encrypts information sent from the website to the server using SSL security technology. It says to users that you are who you say you are, and the issuer has verified that to be true.
When you have an SSL certificate, your payment site will display:
A padlock symbol in your customer’s web browser when your site is opened
The "https" prefix in front of your URL address in the browser
An SSL certificate consists of a “key pair” (a public and private key which work together to establish the encrypted connection) and the following information:
The certificate holder's name
The certificate's serial number and expiration date
A copy of the certificate holder's public key
The digital signature of the certificate-issuing authority
What should you think about when getting an SSL certificate?
There are two important questions to ask when getting an SSL certificate:
What does the SSL certificate verify? - SSL certificates can either verify your domain only (the SSL certificate issuer only validates that you own the domain), or your domain and your identity. Domain-validated certificates offer your customers no assurance of your identity. You should therefore only use a domain-validated certificate on an internal server, or if users already trust your organization and know they are on the right website.
Who is the SSL certificate from? - Anyone can create an SSL certificate - you can self-sign a certificate (for free), however, browsers only trust certificates that come from a trusted SSL certificate issuer (also known as a “Certificate Authority” or “CA”). These are companies which have been audited against security and authentication standards. Self-signed or free SSL certificates may lead to error messages from browsers.
How does SSL work?
There are five simple steps to the SSL process:
A browser tries to connect to a secured website.
The server shares a copy of its SSL certificate and its public key.
The browser checks and authenticates the SSL certificate. If the browser trusts the SSL certificate, it then sends back a session key to the server using the server’s public key.
The server confirms that it recognizes and trusts the issuer of the SSL certificate. This is known as the “SSL handshake” and it begins a secure session that protects message privacy and message integrity.
The browser and the server share encrypted data over the secure channel.
Why do I need SSL?
If you take online card payments you are required to have an SSL certificate as part of your required PCI compliance (more on this further).
Security is an incredibly important part of taking online payments – potential customers need to feel confident in giving you their details and want to feel that you will protect their information.
What should you do next?
You have two main options:
Get your own SSL certificate - If you want to take payments, you'll need an SSL certificate with one of the highest levels of security, which may cost as much as a few hundred dollars. (Note: Different providers offer varying levels of certificate.)
Use a trusted payments provider - Alternatively, you can take payments through a provider with authorization from financial regulators, like GoCardless. Customers will then give their payment details over the provider’s SSL secured site. (Note: Using a trusted provider can also help customers feel more secure in handing over their personal data. Make sure you display any secure payment branding.)
PCI compliance in online payments
PCI compliance is a key part of taking card payments. All merchants, from the world's largest corporations to the smallest online stores, who accept credit card payments (online or offline), are required to comply with the Payment Card Industry Data Security Standard (PCI DSS).
What is PCI?
PCI DSS refers to a framework of 12 technical and operational requirements set by the PCI Security Standards for businesses storing, processing, or transmitting card payment data.
Note: Each card network (e.g. Visa, Mastercard) also has its own rules for compliance, validation, and enforcement. Further details can be found on the websites of the relevant card networks.
What do you need to do to be PCI compliant?
If you’ve ever looked into PCI, you'll know working out what level you need to conform to can be tricky. To help you work out what you need to do in terms of PCI compliance, here's a quick summary.
Your website or web-connected database will need to be scanned for PCI compliance if:
You take payments onsite
Financial information is entered on, passed through, or stored on your site
You do not need a PCI scan of your website or web-connected database for PCI compliance if:
You never touch payment data - This means that no financial information is entered on, passed through, or stored on your website (e.g. with offsite payments, customers are redirected to the website of your payment gateway or payment service provider to make their payment).
Payments are made using iFrame payments - Using an iFrame, customers appear to still be on your website, but all payment details go directly to your payment gateway or payment service provider. Not all payment gateways offer this option.
You should always check that the payment gateway or provider that you choose is PCI compliant.
Why should you comply with the PCI security standards?
Compliance with PCI data security standards means that your systems are secure. This means your customers can trust you with their sensitive card information, and helps to prevent security breaches and theft of payment card data (which can lead to fines, lawsuits, cancelled accounts, loss of reputation, or even to going out of business).
What should you do next?
1. Make sure you are PCI compliant
If you’re taking card payments online you will need to meet PCI compliance requirements, so your first step will be working out the level of compliance you need to meet.
The specific compliance requirements you need to meet will depend on the size of your business and the number of transactions you take. So the next step is to make sure you comply with the right level for your business.
Level 1 - Businesses processing 6+ million transactions per year
Level 2 - Businesses processing 1 to 6 million transactions per year
Level 3 - Businesses processing 20,000 to 1 million transactions per year
Level 4 - Businesses processing less than 20,000 transactions per year
The lower levels, with a higher number of transactions, may require additional checks and audits to be compliant.
2. Use a trusted payments provider
Alternatively, you can take payments through a provider with a trusted name and regulatory authorization, like GoCardless or PayPal.
Customers will then give their payment details over the provider’s secure site, so you will never touch sensitive financial information. Using a trusted provider can also help customers feel more secure in handing over their personal data.
To find out more about how GoCardless helps you take online payments securely, check out our page on GoCardless Security.