Last edited Dec 2022
To take online payments safely and reduce the chance of fraud, use trusted payment processors and payment gateways, install an SSL certificate on your website, and ensure PCI compliance if you take card payments.
Secure online payments
Taking payments online can save you and your customers considerable time and effort. There are, however, risks associated with online payments, and whether you're an individual or run a business, it's important to understand these risks and to make sure your customers can trust you with their payment information.
If a site gives a sense of poor security, customers may fail to complete their payment - in fact, 58% of customers blame a failure to complete a payment on security concerns. Secure payments are key to improving buyer confidence and trust and increasing conversion rates.
There are also compliance requirements you must meet to take online payments, so that you and your customers are fully protected. This post will run you through SSL, TLS and PCI: what they are, why you should use or comply with them, and how to go about it.
Secure payment considerations
For most businesses, the two primary options for accepting payments are bank payments via electronic transfers and credit and debit card payments. From a security perspective, the two methods offer very different risk profiles.
The significant increase in fraudulent card payment activity during the pandemic is well established and has remained at a high level subsequently. Research by Experian found that in 2021 credit and debit card fraud hit a five-year high, and that trend has continued with a further increase in those figures in 2022.
To put card fraud in context, research by UK Finance found that in 2022 card fraud rose an additional 4% from that record high in 2021, whereas bank payment fraud dropped around 40% over the same period.
The lesson here is that as card payments are more susceptible to fraud than bank payments, security-conscious businesses should prioritise accepting bank payments over card payments.
Accepting bank payments with a provider such as GoCardless instead of card payments also reduces transaction fees and the amount of manual payment admin your team has to deal with.
In addition, GoCardless has invested in developing a next-generation, intelligent anti-fraud product, Protect+, which reduces the opportunity for bank payment fraud even further.
Bank payment via GoCardless is more affordable, more secure and more reliable than accepting credit and debit cards.
*"Customers don't need to worry about fraud like they do with credit cards and bank accounts don't expire, so they’ll never need to update their details."* - Scott Westbrook, Director of Business Systems, Deputy
TLS and SSL safe payment
No matter how you take payments online – whether you accept credit or debit card payments or bank payments – you will want to make sure you're using SSL (technically, it's now TLS, or "Transport Layer Security", but the terms are used interchangeably). If you're taking card payments it's not a choice: SSL is required for PCI compliance.
While it's not required for Direct Debit payments, SSL and the associated lock icon, green bar and HTTPS address that come with an SSL-secured site have become synonymous with online payment security.
What is SSL?
TLS and its predecessor SSL ("Secure Sockets Layer") are the standard security technologies that establish a secure link between a website and a visitor's web browser (or between a mail server and its client). All communications transmitted through this link are encrypted.
Sensitive information such as credit card details is therefore encrypted before it is sent to the website owner, who can decrypt it. Anyone who tries to intercept the information on the way gets nothing but encrypted (unreadable) data.
What do you need to use SSL?
All browsers can use the SSL protocol to interact with secured web servers. However, both the browser and the server require an SSL certificate to establish a secure connection.
What is an SSL certificate?
An SSL certificate is a digital certificate that authenticates a website's identity and then encrypts information sent from the website to the server using SSL security technology. It tells users that you are who you say you are, and that the issuer has verified this to be true.
When you have an SSL Certificate, your payment website will display:
A padlock symbol in your customer’s web browser when your site is opened
The HTTPS prefix in front of your URL address in the browser
An SSL certificate consists of a “key pair” (a public and private key which work together to establish the encrypted connection) and the following information:
The certificate holder's name
The certificate's serial number and expiration date
A copy of the certificate holder's public key
The digital signature of the certificate-issuing authority
What should you think about when getting an SSL certificate?
There are two important questions to ask when getting an SSL certificate:
What does the SSL certificate verify? - SSL certificates can either verify your domain only (the SSL Certificate Issuer only validates that you own the domain) or your domain and your identity. Domain-validated certificates offer your customers no assurance of your identity. You should, therefore, only use a domain-validated certificate on an internal server or if users already trust your organization and know they are on the right website.
Who is the SSL Certificate from? - Anyone can create an SSL certificate - you can self-sign a certificate (for free). However, browsers only trust certificates that come from a trusted SSL Certificate Issuer (also known as a “Certificate Authority” or “CA” - a company which has been audited against security and authentication standards). Self-signed or free SSL certificates generally lead to error messages from browsers.
How does SSL work?
There are five simple steps to the SSL process:
A browser tries to connect to a secured website.
The server shares a copy of its SSL Certificate and its public key.
The browser checks and authenticates the SSL Certificate. If the browser trusts the SSL Certificate, it then sends back a session key to the server using its public key.
The server confirms that it recognises and trusts the issuer of the SSL certificate. This is known as the “SSL handshake”, and it begins a secure session that protects message privacy and message integrity.
The browser and the server share encrypted data over the secure channel.
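The certificate fields and the five handshake steps described above, as an added example that is not part of the original article or of GoCardless's own code: it uses Go's standard library to mint a constructed CA and a certificate for the assumed domain shop.example, then runs a real TLS handshake over a loopback socket so the browser-side check can be watched succeeding for a CA-issued certificate and failing for a self-signed one or for the wrong domain. The CA name, the domain and the loopback listener are all assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue builds a certificate with the fields the article lists (holder name, serial number, expiry,
// public key) signed by parentKey; a nil parent yields a self-signed certificate, which browsers distrust.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name}, // the domain a domain-validated certificate vouches for
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ln is a loopback listener standing in for the payment site's server (constructed for this demo).
var ln, _ = net.Listen("tcp", "127.0.0.1:0")
// handshake plays both sides of the article's SSL handshake over ln: the server presents leaf; the
// client, like a browser, trusts only roots and requires a certificate valid for serverName.
func handshake(leaf *x509.Certificate, key ed25519.PrivateKey, roots *x509.CertPool, serverName string) (*tls.Conn, error) {
	srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}}}
	go func() { // server side; Handshake returns an error when the client rejects the certificate
		if s, err := ln.Accept(); err == nil {
			ts := tls.Server(s, srv)
			ts.Handshake()
			ts.Close()
		}
	}()
	// Client side: Dial checks the chain, validity dates and name, then completes key exchange; a
	// failure is returned as the same class of error a browser would display.
	return tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: serverName})
}
```

With a CA-issued certificate and a matching server name the returned connection is a live TLS 1.3 session; with a self-signed certificate or a different name, Dial returns the rejection instead of a connection.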
Why do I need SSL?
If you take online card payments, you must have an SSL Certificate as part of your required PCI compliance.
If you take Direct Debit payments, an SSL certificate is not mandatory. Still, we would definitely recommend using SSL to protect your customers’ sensitive information like account details, addresses, phone numbers etc. We use SSL (again, technically, it's TLS) on all of our pages.
Security is an incredibly important part of taking online payments – potential customers need to feel confident in giving you their details and want to feel that you will protect their information.
Secure payment system options
To ensure you have a secure payment system in place, you have two main options:
Get your own SSL Certificate(s)
If you want to take payments, you'll need an SSL certificate with one of the highest levels of security, which means you'll need to spend at least a few hundred pounds.
Note: Different SSL providers offer varying levels of certificates. Buying a more expensive SSL certificate may be offset by increased sales – customers are more likely to make a payment if they feel like the site is safe and their details are therefore protected.
Use trusted & secure payment processing
Collecting payments through a trusted provider such as GoCardless that uses the most secure payment method and has FCA authorisation significantly reduces the chances of being caught up in payment fraud.
Note: Using a trusted provider can also help customers feel more secure in handing over their personal data. Make sure you display any secure payment branding.
PCI compliance in online payments
PCI compliance is a key part of taking card payments. All merchants, from the world's largest corporations to small Internet stores, who accept credit card payments (online or offline) must comply with the Payment Card Industry Data Security Standard (PCI DSS).
What is PCI?
The PCI DSS refers to a framework of 12 technical and operational requirements set by the PCI Security Standards Council for businesses storing, processing or transmitting card payment data.
Note: Each card company has its own rules for compliance, validation and enforcement. Further details can be found on the websites of the relevant card networks.
What do you need to do to be PCI compliant?
If you’ve ever looked into PCI, you'll know that even working out what level you need to conform to can be incredibly tricky. To help you work out what you need to do in terms of PCI compliance, here's a quick summary.
Your website or web-connected database will need to be scanned for PCI compliance if:
You take payments on your own site
Financial information is entered on, passed through, or stored on your site
You do not need a PCI scan of your website or web-connected database for PCI compliance if:
You never touch payment data - This means that no financial information is entered on, passed through, or stored on a merchant's website, e.g. with offsite payments, customers are redirected to the website of your payment gateway or payment service provider to make their payment.
Payments are made using iFrame payments - Using an iFrame, customers appear to be still on your website but all payment details go directly to your payment gateway or payment service provider. Not all payment gateways offer this option.
Note: You should always check that the payment gateway or provider that you choose is PCI compliant.
Why should you comply with the PCI Security Standards?
At first glance, especially if you are a smaller organisation, it can seem confusing and like a lot of effort; however, it is worth it.
Compliance with PCI data security standards means that your systems are secure. This means your customers can trust you with their sensitive card information and helps to prevent security breaches and theft of payment card data (which can lead to fines, lawsuits, cancelled accounts and loss of reputation or even going out of business).
What should you do next?
1. Make sure you are PCI compliant
If you’re taking card payments online, you will need to meet PCI compliance requirements, so your first step will be working out the level of compliance you need to meet.
The specific compliance requirements you will need to meet will depend on the size of your business and the number of transactions you take, so the next step is to ensure you comply with the right level for your business.
Level 1 - Businesses processing more than 6 million transactions per year
Level 2 - Businesses processing 1 to 6 million transactions per year
Level 3 - Businesses processing 20,000 to 1 million transactions per year
Level 4 - Businesses processing less than 20,000 transactions per year
The lower-numbered levels, which cover the higher transaction volumes, may require additional checks and audits to comply.
2. Use a trusted payments provider
Alternatively, you can take card payments through a provider with a trusted name, such as PayPal, or accept payments more securely via an FCA-authorised bank payments provider such as GoCardless.
With GoCardless, customers give their payment details over our secure site, so you never need to touch sensitive financial information. Using a trusted provider can also help customers feel more secure in handing over their personal data. Furthermore, if you use an automated bank payment collection method such as Direct Debit, your customers will also be protected against unauthorised payments by the Direct Debit Guarantee.
Case study - improving payment security
The Chartered Institute of Environmental Health (CIEH) is the membership and awarding body for environmental health. As part of a digital transformation, CIEH moved its payment process to GoCardless to become more secure and compliant with payment collection.
Previously, CIEH stored all its members’ Direct Debit details in its CRM, which Head of IT Justin Turner identified as a security and compliance risk:
As well as becoming more secure and providing customers with greater confidence and peace of mind, CIEH was also able to streamline payment collection and reduce admin time by 90%, explains Membership Officer Zoe Beresford:
Bank payment via GoCardless is more affordable, more secure and reduces manual admin compared to accepting credit and debit card payments.
*"Using GoCardless has saved us £5,000 in time costs and £50,000 in reduced receivables every month. Our clients love GoCardless as it saves them more time and gives them more transparency."* - Simon Kallu, Managing Partner, GrowFactor