What can you do to protect your customers? Let’s start from the overview of data security technologies which are used in the internet.
1. Use HTTPS connection for online checkout
First, you should make sure that the page where your customers specify their credit card credentials is run using the HTTPS connection, and that this data is transferred using encrypted protocol.
2. Don’t store sensitive data
The credit card information of your customers shouldn’t be stored on your server neither at the moment of checkout nor after it’s done. To avoid the violation, this information should be transferred directly to the payment gateway using the encrypted connection.
3. Use address verification system (AVS)
Using of the address verification system is the standard of online payments. You should check if your payment processor uses this system to avoid fraud transactions.
HTTPS (Hypertext Transfer Protocol Secure) is a protocol for secure communication over a computer network, with especially wide deployment on the Internet. Also provides authentication of the website and associated web server that one is communicating with, which protects against man-in-the-middle attacks.
The implementation of the HTTPS for the website requires purchasing the SSL certificate that should be installed on the website hosting side.
As soon as it’s implemented, the website will be able to be accessed through the HTTPS connection, and the visitors will see the padlock sign in their browsers and will be able to check the SSL certificate information.
PCI DSS compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards developed by Visa, MasterCard, American Express, Discover and JCB credit card brands. The standards aim at protecting all card holders and impose on all organizations (be it online or offline) who anyhow process or deal with credit cards. To put it simply, when a company wants to work with credit cards, it is to certify all its processes by these standards. Usually these are companies like payment processors (e.g., PayPal, Stripe, Authorize.net, etc), banks, e-commerce solutions which process credit cards.
Payments on the payment processor’s secure page
When a customer goes through the checkout, your store sends the order information to the payment processor and then redirects the customer securely to the payment gateway’s website page — this is, where he or she specifies their credit card information. When the payment is done, the payment processor sends a callback containing payment status information to your store . So, a customer’s payment information is processed completely on the payment processor side using a secure protocol and isn’t stored or collected by your store in any way. If you setup the payment method in your store, this provides a redirect from the store to payment page (for ex. PayPal). Such a page uses HTTPS, so your customers can feel confident in the security of their information.
Internal website payments via HTTPS
Some payment processors (e.g. Stripe) are integrated with your store quite differently.
After adding shipping information to his or her order, the customer is not redirected to the payment processor page, but instead sees the payment form right on the checkout page of the store.
In this case your store is working within a customer’s browser (i.e. payment information is not stored on the server where the site resides). It means that when a customer inputs their credit card information, the data is not transferred to the server where your website is stored. Your store connects straight to the payment gateway via a highly secure channel and sends a request with the data for the order. This information is not transferred to your store servers, and is not stored or collected by us. The payment gateway performs all necessary operations with this data and returns a callback to your store .
This solution was verified and approved by a Qualified Security Assessor (QSA) company.