Taking payments online can save you and your customers considerable time and effort. There are, however, risks associated with online payments, and whether you’re an individual or run a business, it’s important to understand these risks and to make sure your customers can trust you with their payment information.
If a site gives a sense of poor security, customers may fail to complete their payment; in fact, 58% of customers blame a failure to complete a payment on security concerns. Secure payments are therefore a key factor in improving buyer confidence and trust and increasing your conversion rate.
There are also certain compliance requirements you need to meet to take online payments, so that you can make sure you and your customers are fully protected. This post will run you through SSL, TLS and PCI: what they are, why you should use or comply with them, and how you should go about it.
Note: If you're taking card payments, these requirements are not a choice (but if you choose a trusted provider like Stripe or GoCardless you never touch sensitive financial data, so you won't need to worry about them).
1. TLS and SSL
No matter how you take payments online, whether card or Direct Debit, you will want to make sure you’re using SSL (technically it's now TLS, or "Transport Layer Security", but the terms are used interchangeably). If you’re taking card payments it’s not a choice: SSL is required for PCI compliance.
While it’s not required for Direct Debit payments, SSL and the associated lock icon, green bar and https address that come with an SSL-secured site have become synonymous with online payment security.
What is SSL?
TLS and its predecessor SSL (“Secure Sockets Layer”) are standard security technologies that establish a secure link between a website and a visitor’s web browser (or a mail server and client). All communications transmitted through this link are encrypted. Sensitive information like credit card numbers is therefore encrypted first and then sent to the website owner, who can decrypt it on receipt. This means anyone who tries to intercept the information on the way gets nothing but encrypted (unreadable) data.
What do you need to use SSL?
All browsers can use the SSL protocol to interact with secured web servers; however, both the browser and the server require an SSL certificate to establish a secure connection.
What is an SSL certificate?
An SSL certificate is a digital certificate that authenticates a website’s identity and then encrypts information sent from the website to the server using SSL security technology. It says to users that you are who you say you are and the issuer has verified that to be true.
When you have an SSL Certificate, your payment site will display:
A padlock symbol in your customer’s web browser when your site is opened
The https prefix in front of your URL address in the browser
An SSL certificate consists of a “key pair” (a public and private key which work together to establish the encrypted connection) and the following information:
The certificate holder's name
The certificate's serial number and expiration date
A copy of the certificate holder's public key
The digital signature of the certificate-issuing authority
What should you think about when getting an SSL certificate?
There are two important questions to ask when getting an SSL certificate:
What does the SSL certificate verify?
SSL certificates can either verify your domain only (the SSL Certificate Issuer only validates that you own the domain) or your domain and your identity. Domain-validated certificates offer your customers no assurance of your identity. You should therefore only use a domain validated certificate on an internal server or if users already trust your organization and know they are on the right website.
Who is the SSL Certificate from?
Anyone can create an SSL certificate: you can self-sign a certificate (for free). However, browsers only trust certificates that come from a trusted SSL Certificate Issuer (also known as a “Certificate Authority” or “CA”, a company which has been audited against security and authentication standards). Self-signed or free SSL certificates generally lead to error messages from browsers.
How does SSL work?
There are five simple steps to the SSL process:
1) A browser tries to connect to a secured website.
2) The server shares a copy of its SSL Certificate and its public key.
3) The browser checks and authenticates the SSL Certificate. If the browser trusts the SSL Certificate, it then sends back a session key to the server using the server’s public key.
4) The server confirms that it recognises and trusts the issuer of the SSL certificate. This is known as the “SSL handshake” and it begins a secure session that protects message privacy and message integrity.
5) The browser and the server share encrypted data over the secure channel.
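The exchange above as a runnable loopback handshake, added here as an example that is not part of the original post: a Python server presents its certificate, the client verifies it and the two then exchange one encrypted record, while a second run shows why the post warns that self-signed certificates produce browser errors, because a client that only trusts the usual CAs refuses the throwaway certificate. It assumes the openssl command-line tool is installed to mint that certificate; the function names (make_self_signed, serve_once, try_payment, demo) and the sample card field are constructed for this example.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(dirpath, hostname="localhost"):
    """Mint a throwaway key pair + self-signed cert with the openssl CLI (assumed installed)."""
    key, crt = os.path.join(dirpath, "server.key"), os.path.join(dirpath, "server.crt")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-keyout", key, "-out", crt, "-subj", f"/CN={hostname}",
                    "-addext", f"subjectAltName=DNS:{hostname}"], check=True, capture_output=True)
    return key, crt

def serve_once(listener, key, crt, received):
    """Server side: present the certificate, finish the handshake, read one encrypted record."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)          # the private key stays on the server
    conn, _ = listener.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:   # handshake: cert out, session key in
            data = tls.recv(1024)
            if data:
                received.append(data.decode())
    except OSError:
        pass                               # the client rejected our certificate and hung up

def try_payment(port, cafile, payload=b"card=TEST-PAN-0000"):   # payload is constructed, not a real PAN
    """Client (browser role): returns (handshake_ok, negotiated version or error reason)."""
    ctx = ssl.create_default_context()     # verifies the chain AND the hostname, like a browser
    if cafile:
        ctx.load_verify_locations(cafile)  # explicitly trust our throwaway issuer
    with socket.create_connection(("127.0.0.1", port)) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname="localhost") as tls:  # verify cert, then key exchange
                tls.sendall(payload)       # application data leaves encrypted
                return True, tls.version()
        except ssl.SSLCertVerificationError as err:
            return False, err.reason       # browser-style refusal: 'CERTIFICATE_VERIFY_FAILED'

def demo(trust_server_cert):
    """One loopback handshake; trust_server_cert=False is what a browser sees for a self-signed cert."""
    socket.setdefaulttimeout(10)
    with tempfile.TemporaryDirectory() as tmp:
        key, crt = make_self_signed(tmp)
        listener = socket.create_server(("127.0.0.1", 0))
        received = []
        worker = threading.Thread(target=serve_once, args=(listener, key, crt, received))
        worker.start()
        result = try_payment(listener.getsockname()[1], crt if trust_server_cert else None)
        worker.join(15)
        listener.close()
        return result + (received,)       # (True, 'TLSv1.3', ['card=TEST-PAN-0000']) on a TLS 1.3 stack
```

Calling demo(True) trusts the throwaway certificate and the card field arrives at the server only after the encrypted session is up; demo(False) returns (False, 'CERTIFICATE_VERIFY_FAILED', []) and nothing is sent.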
Why do I need SSL?
If you take online card payments you are required to have an SSL Certificate as part of your required PCI compliance.
If you take Direct Debit payments, an SSL certificate is not mandatory, but we would definitely recommend using SSL to protect your customers’ sensitive information like account details, address, phone number etc. We use SSL (again, technically it's TLS) on all of our pages.
Security is an incredibly important part of taking online payments – potential customers need to feel confident in giving you their details and want to feel that you will protect their information.
What should you do next?
You have two main options:
1) Get your own SSL Certificate(s)
If you want to take payments, you'll need an SSL certificate with one of the highest levels of security, which means you'll need to spend at least a few hundred pounds.
Note: Different providers offer varying levels of certificate. Buying a more expensive SSL certificate may be offset by increased sales – customers are more likely to make a payment if they feel like the site is safe and their details are therefore protected.
2) Use a trusted payments provider
Alternatively, you can take payments through a provider with a trusted name like PayPal or with FCA authorisation like GoCardless. Customers will then give their payment details over the provider’s SSL secured site.
Note: Using a trusted provider can also help customers feel more secure in handing over their personal data. Make sure you display any secure payment branding.
2. PCI compliance
PCI compliance is a key part of taking card payments. All merchants from the world's largest corporations to small Internet stores who accept credit card payments (online or offline) are required to comply with the Payment Card Industry Data Security Standard (PCI DSS).
What is PCI?
The PCI DSS refers to a framework of 12 technical and operational requirements set by the PCI Security Standards Council for businesses storing, processing or transmitting card payment data.
Note: Each card company has its own rules for compliance, validation and enforcement. Further details can be found on the websites of the relevant card networks.
What do you need to do to be PCI compliant?
If you’ve ever looked into PCI, you'll know that even working out what level you need to conform to can be incredibly tricky. To help you work out what you need to do in terms of PCI compliance, here's a quick summary.
Your website or web connected database will need to be scanned for PCI compliance if:
You take payments onsite.
Financial information is entered on, passed through, or stored on your site.
You do not need a PCI scan of your website or web connected database for PCI compliance if:
You never touch payment data. This means that no financial information is entered on, passed through, or stored on the merchant's website, e.g. with offsite payments, where customers are redirected to the website of your payment gateway or payment service provider to make their payment.
Payments are made through an iFrame. Using an iFrame, customers appear to be still on your website but all payment details go directly to your payment gateway or payment service provider. Not all payment gateways offer this option.
Note: You should always check that the payment gateway or provider that you choose is PCI compliant.
Why should you comply with the PCI Security Standards?
At first glance, especially if you are a smaller organization, it can seem confusing and like a lot of effort, however, it is worth it.
Compliance with PCI data security standards means that your systems are secure. This means your customers can trust you with their sensitive card information and helps to prevent security breaches and theft of payment card data (which can lead to fines, lawsuits, cancelled accounts and loss of reputation or even to going out of business).
What should you do next?
1) Make sure you are PCI compliant
If you’re taking card payments online you will need to meet PCI compliance requirements so your first step will be working out the level of compliance you need to meet.
The specific compliance requirements you will need to meet will depend on the size of your business and the number of transactions you take so the next step is to make sure you comply with the right level for your business.
Level 1 - Businesses processing 6 million + transactions per year
Level 2 - Businesses processing 1 to 6 million transactions per year
Level 3 - Businesses processing 20,000 to 1 million transactions per year
Level 4 - Businesses processing less than 20,000 transactions per year
The lower-numbered levels, which cover the higher transaction volumes, may require additional checks and audits to be compliant.
2) Use a trusted payments provider
Alternatively, you can take payments through a provider with a trusted name like PayPal or with FCA authorisation like GoCardless. Customers will then give their payment details over the provider’s secure site so you will never touch sensitive financial information. Using a trusted provider can also help customers feel more secure in handing over their personal data.
To find out more about how GoCardless helps you take online payments securely, check out our page on GoCardless Security.