Payment security: a guide for business owners

Payment security should be a major concern for any business that accepts card payments and other digital payment methods.

While technological developments in the payment industry have given a huge variety of payment options for small businesses and customers when paying for goods and services, they’ve also created new aspects to privacy and security that all merchants must address. 

Whether you’re a new merchant or you’ve been running a business for some time, it’s essential that you become familiar with payment security conventions to protect your customers and yourself from various security threats.

In this guide, we’ll take an in-depth look at the topic of payments security, showing you what it is, the different methods that businesses can use to approach it, and essential steps to keeping your business’ payments secure now and in the future.

What is payment security?

A large part of online payment security involves auditing business practices to follow established security protocols like GDPR and PCI DSS, and upholding proven layers of security like Address Verification System (AVS) and Card Verification Value (CVV) checks or two factor authentication.

There are many layers and variables to building a good payment security strategy, depending on the kind of business you’re running and your approach to processing payments. 

A small business owner running an e-commerce store that ships internationally and accepts several currencies, for example, will have very different payment security needs to a food truck business that takes a large portion of its payments in cash.

To ensure your business operations keep running smoothly and maintain a high level of trust and customer loyalty, it’s essential to find a payment security strategy that’s suited to the nuances of your industry and business model.

Types of payment security

When looking at the practical steps to ensuring payment security, there’s a wide range of technologies and practices that small business owners can apply to safeguard sensitive payment information during transactions.

Here’s an overview of some of the common security payment systems used by businesses in the UK, and what they mean in practice.

Address Verification Service (AVS) Checks

AVS checks are a method of fraud prevention where a person’s given billing address is compared to the address their bank has on file. 

When there’s a partial or non-existent match, this is flagged to the merchant, who must then decide whether to take further action if they suspect attempted fraud.

Payment tokenization

Payment tokenization is the practice of substituting sensitive payment information (e.g card numbers) with randomised strings of characters, known as tokens, during the payment process. 

This means that even if a hacker is able to intercept the token, they won’t be able to obtain the original payment information entered by the customer. With this security layer in place, there’s a greatly reduced chance of data theft or sensitive data breaches.

SSL Protocol

Secure Sockets Layer (SSL) protocol is a security measure that works by encrypting the connection between a customer’s web browser and a website’s server. 

In a similar way to tokenization, this ensures that any data a user enters into the website, including their payment data, can’t be intercepted by hackers.

Card Verification Value (CVV)

Card Verification Value (CVV) refers to the unique 3-digit number below the magnetic strip on a credit or debit card.

Requesting this information to make a payment is intended to confirm that a payment card is physically in the cardholder’s possession, and protects against card not present fraud arising from information theft.

3D Secure (3DS)

3D Secure is an online authorisation protocol that can be used for both credit and debit card transactions. Aside from basic details like a card number, expiry date, and CVV, a 3D Secure transaction will also require customers to provide a one-time password to verify their identity.

This helps to prevent payment card fraud even if a criminal has managed to get a hold of a person’s card details, as the single-use password is passed along communication channels exclusive to the cardholder.

Encryption

Encryption is a broad term that refers to any act of scrambling sensitive data into a code that can only be interpreted by a party with the relevant decryption key. 

Tokenization is similar to this security measure, with the key difference being that it doesn’t rely on decryption keys to scramble or decode the original data. The keys are only accessible to the parties that need to decrypt the data (payment providers), this makes it difficult for bad actors to intercept payment information and make sense of it.

Payment Card Industry Data Security Standard (PCI-DSS)

PCI-DSS is a security standard applied to any business that handles cardholder information. Though not legally binding in the UK, PCI-DSS is seen as a given for any business that takes card payments, and it’s essential to comply with its recommendations to minimise the risk of fraud and breaches. 

PCI-DSS compliance involves using a range of security measures, including firewalls, antivirus software, protecting stored cardholder data, and restricting the physical access to sensitive data within your business.

Multi- or 2-Factor Authentication

Multi-factor authentication (MFA) or two-factor authentication (2FA) is a security setup that requires customers to provide at least one additional form of verification when accessing an account associated with payment data.

This might include a one-time password (OTP) supplied through an authenticator app, an unchanging piece of memorable information, or even biometric information like a fingerprint.

Fraud Screening Tools

Fraud screening tools can refer to any piece of software that’s integrated with a payment system in order to detect signs of fraud. Depending on the specific tool in use, they might check for unusual user behaviour, unrecognised IP addresses, and other variables. 

When suspicious activity is detected, the transaction is flagged and the merchant is prompted to take further action.

The importance of payment security for small businesses

With credit and debit card, digital wallet, and other non-cash payment methods being hugely popular among consumers across all industries, the majority of businesses have cause to make online payment security a priority.

Small businesses that should prioritise payment security

While any business that processes, stores, or transmits payment information should be concerned with payment security, there are a number of common business types where it’s especially important.

Here are some of the business categories where payment security should be a major concern. As a potentially high risk merchant account, you should be aware of how to prioritise payment security: 

E-commerce stores

Online retailers are required to process huge volumes of credit and debit card transactions a day, and most store sensitive payment information associated with their customers’ accounts, making them a popular target for cyber criminals. 

Data breaches can cause serious damage to any e-commerce business’ brand equity, not to mention large financial losses. 

For this reason, it’s essential for those running online stores to take a proactive approach to payment security and keep their policies up-to-date with emerging threats in the industry.

Subscription model business

Businesses that charge for a service on a recurring billing basis often hold large volumes of payment data. This can make them a popular target for cybercriminals. 

Like with an e-commerce scenario, the event of an attack could lead to huge financial losses and reputational damage. If you facilitate recurring billing at your business, it’s essential to protect your customers’ data with both strong authentication methods and regular sweeps for unused sensitive information.

Brick-and-mortar vendors

Although the topic of payment security tends to be associated with online transactions, businesses where card transactions happen in-person through card readers can also be the target of fraud and cyber attacks. 

If you’re a merchant who takes card payments in a brick-and-mortar setting, you’ll also need to take protective measures to ensure the security of your physical payment tech, any network infrastructure involved in processing secure payments, and stored customer data. A good way to start this is by researching PCI DSS requirements and working to bring your business practices in-line with these.

Hospitality business

Businesses such as hotels and restaurants often store large volumes of personal data. If you run a hotel or restaurant your customers will tend to be international travellers and many hospitality businesses will offer flexible payment methods. 

Whether through online booking portals, in-person POS systems, or taking card payments over the phone. With their frequent handling of sensitive information, your hospitality business could be a prime target for cybercriminals looking to steal payment data. 

It’s essential for businesses in the hospitality sector to apply robust payment security to all touchpoints where they handle sensitive information.

B2B business

While many B2B businesses tend to have strict industry security standards they have to maintain, the large transactions that happen between parties make these businesses a prime target for fraud and data theft. 

If, for example, you’re running a business that supplies wholesale electrical components used by another brand to make consumer products, the transactions you facilitate are likely to have a much greater value than if you were running a small e-commerce store.

It’s essential for B2B businesses to uphold robust payment security practices to protect both themselves and the other businesses they deal with and maintain a high level of trust in their industry.

The benefits of payment security for small merchants

The theft of sensitive data is a constant threat in the UK and internationally. 

A government study run across 2022 and 2023 estimated that there were approximately 2.39 million instances of cyber crime and approximately 49,000 instances of fraud as a result of cyber crime in the last 12 months. 

Even charities have fallen victim to this widespread problem, with the study showing more than 3 quarters of a million instances of cyber crime happening in the same period.

With the scale of this issue, payment security is a necessity rather than just something that’s good to have.

To help you better understand the importance of payment security, here’s some of the key advantages that come with forming strong payment security policies as a small merchant.

Reducing risk and liability

As a small business owner, you may be operating on a tight margin as you work to scale your operations. 

Being in this position means financial losses as a result of cyber crime will be especially detrimental to your bottom line. In fact, for many small businesses, it may only take one major security incident to force the business to close completely.

By implementing strong and reliable payment security layers, you’ll be able to minimise the risk of fraudulent activities which could hurt your ability to keep trading, such as unauthorised transactions, chargeback fraud, and sensitive data breaches.  

The immediate effects of fraud and other cyber crime aren’t the only security risks that small merchants need to worry about. 

If a breach causes your customers to lose money, and it’s found this was caused by you neglecting security protocols, the affected customers could take legal action against your business. 

Guarding against a breach through strong online payment security methods will not only protect your customers, but could also shield your business from reputational damage.

Protecting customer data

Most small businesses store some kind of customer information, such as payment details, addresses, and contact information. It’s essential to use payment security measures to protect this kind of data from unauthorised access as effectively as possible.

By guarding data with a payment security policy, you’ll not only nurture trust and loyalty among your customer base, but also keep your business practices in-line with important regulations and standards such as the General Data Protection Regulation (GDPR) and PCI-DSS.

Improving customer experience and trust in your brand

Though it may not be at the front of many customers’ minds when going through a checkout process or other interactions with your business, having robust payment security can be a great way to improve the customer’s experience.

Aside from offering a smooth and intuitive experience in delivering your product or service, ensuring a high degree of security as you handle sensitive data will give your customers a sense of confidence that will increase customer loyalty and improve the overall experience.

When customers are confident their sensitive information is safe, they’ll show less trepidation when deciding whether to make a purchase, and be more likely to become repeat customers.

Better fraud detection and prevention

Though technology has created many new conveniences for consumers and helped businesses to innovate, it’s also given rise to potential data and security breaches. 

This evolving security landscape can be hard to keep track of, but taking a hands-on role in your payment security can help position your business for more effective fraud prevention and detection.

By equipping yourself with the right payment security tools, you can get a better view of the kind of patterns and anomalies faced by your business’s payment systems, helping you to flag suspicious activity as soon as it arises and take appropriate action.

With effective payment security, you’ll also become more familiar with the nuances of the security threats faced by your business, helping you take future preventative action and ensuring continued safety for you and your customers.

Protecting your brand reputation

Privacy is important to consumers, and a single occurrence of personal data being compromised can be extremely costly to a business’s finances and reputation. 

In 2020, for example, British Airways was fined £20 million by the Information Commissioner's Office (ICO) over a data breach that affected hundreds of thousands of customers.

On the other hand, when businesses invest in strong security measures and are transparent about their commitment to customers’ privacy, they’ll improve their brand credibility in the eyes of both their existing customers and their target audience. 

In this way, investing in payment security can be a huge boon to your brand equity and future marketing drives.

How to prove your small business is PCI compliant

As we explored earlier, if your business processes any kind of credit or debit card payments, you’ll need to ensure you’re PCI compliant as a basic part of your payment security efforts. 

There are 12 requirements specified by the Payment Card Industry Data Security Standard (PCI DSS) which businesses need to meet to align themselves fully with the standard, with various levels of compliance depending on the volume of transactions processed by a merchant.

Here are the key steps you’ll need to take in order to prove your small business is PCI compliant.

Research PCI compliance levels

PCI compliance is divided into 4 different compliance levels, each with their own unique requirements and recommendations. Your first step towards compliance involves understanding these levels and determining which one your business belongs to.

If you’re a customer of a reputable payment provider, their services will usually equip you with some degree of PCI compliance. For example, SumUp’s card readers are PCI DSS approved, meaning that you won’t have to worry about compliance when it comes to payments taken in-person using our physical payment devices.

However, even with some preliminary protections, there are often additional steps that you, as a merchant, will need to take to align your payment processing with the standard’s requirements.

The 4 levels of PCI compliance are determined by the volume of card transactions that your business processes per year:

• Level 1: Business' processing 6 million+ annual Visa transactions

• Level 2: Business' processing 1 to 6 million annual Visa transactions

• Level 3: Business' processing 20,000 to 1 million annual Visa e-commerce transactions

• Level 4: Business' processing <20,000 annual Visa e-commerce transactions; business' processing up to 1 million annual Visa transactions (non-e-commerce)

While most small brick-and-mortar merchants will only require Level 4 compliance, those running an e-commerce operation will often fall into Level 3. It’s also worth noting that businesses that have experienced data breaches in the past may need to achieve a higher level of compliance.

Complete a PCI self-assessment

Any merchant looking to become PCI certified who processes major credit cards will need to fill in a PCI Self Assessment Questionnaire (SAQ), administered by the Payment Card Industry Security Standards Council (PCI SSC). 

Like the compliance levels, there are a few different questionnaires available, and the one you choose will depend on the specifics of your business.

Some of the variables that will determine which self-assessment is right for you include the kind of POS system you use, your payment gateway if running an e-commerce store, and whether or not you use a virtual terminal or send invoices online.

The self assessment is formatted as a series of yes or no questions pertaining to how you process payments. These questions are accompanied by a description of the testing procedures related to each aspect of PCI compliance, which you can use to check on your testing processes internally and ensure you’re answering the questions accurately.

The final section of the questionnaire asks you to specify the actions you’re going to take to improve compliance if you fail any of the PCI DSS requirements, along with an expected timeframe for completion.

Review your payment tech

The next step in the process is to review the tech you use to process payments. This means analysing the individual pieces of payment tech that you use, for example: 

• Physical card readers.

• Self-service payment kiosks.

• E-commerce payment gateways.

Make sure that each of these touchpoints is fully protected against the threats specific to that payment method.

Though the information provided on the self assessment questionnaire will provide the most specific direction, there are a few general pieces of guidance to bear in mind when you’re assessing your tech for compliance:

• When assessing your payment tools and systems, try to prioritise the ability to create individual user accounts and secure logins. 

An important part of payment security is ensuring that only the people who truly need access to customers’ private data are granted access. 

It’s also important that the software you use allows you to keep tabs on which users have access to which information.

• With each piece of payment technology you review, carry out independent research on the kinds of additional security measures you can apply to it. 

Things like Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption protocols, two-factor authentication (2FA), and point-to-point encryption (P2PE), are all useful security features for protecting your payments against activities intended to steal customers’ sensitive information.

• Check your payment tech for security patches released by the vendors and make sure they’re installed. Working on PCI compliance often presents a good opportunity to review your approach to renewing security software and update it if necessary. 

If you fail to update your payment technology in a timely manner, you could miss out on important security updates and leave yourself vulnerable to attacks.

Organise an external audit

Once you’ve assessed your security compliance internally and done what you can to align yourself with PCI requirements, it’s recommended that you organise an external audit to help you cover any other shortcomings.

There are many PCI audit services on the market that will go through the various aspects of the protocol methodically, and outline the steps you need to take to get your business in-line with PCI-DSS standards.

By arranging an external audit, you’ll benefit from an objective assessment that isn’t influenced by any insider knowledge of your business, as well as customised recommendations specific to the payment tech you use and the threats that face them. 

You’ll also have the confidence that your payment security practices are being reviewed by a professional auditor who’s used to reviewing how businesses approach security, and will pick up on potential vulnerabilities where you may not.

Complete Your Attestation of Compliance (AoC)

The final step is to fill out and submit a Attestation of Compliance (AoC), a document which states that your business meets a certain standard of payment card security. 

To maintain compliance on an ongoing basis, you’ll need to complete and submit this document once per year.

Disclaimer: The contents of this page are intended for informational purposes only and should not be construed as professional advice. For matters requiring legal or financial expertise, it’s recommended to seek guidance from qualified professionals.