26 April 2023 | Published by Jodie Wilkinson
In 2020, research from UK Finance showed that the volume of cash payments made in the UK fell by 35%, while contactless transactions rose by 12%.
With this shift, scammers are increasingly targeting digital payments. Juniper Research reported 16% growth in eCommerce fraud losses in 2022, with the global cost to merchants exceeding $41 billion.
With cash transactions on the decline, there’s never been a better time to review your business’s card payment measures to make sure you’re doing everything you can to protect your company and your customers.
To help you get to grips with everything you need to know, we’ve come armed with all the important bits around card payment security. We’ll walk you through the importance of having secure systems in place and which card payment security measures you can implement today.
From phone to contactless payments, it’s essential to make sure that every stage of a digital transaction is safe and secure. That’s where card payment security measures come in.
These are methods that businesses can use to protect their customers’ sensitive and financial data throughout physical card and online payment processes.
Any business that accepts card payments must comply with the Payment Card Industry Data Security Standard (PCI DSS). This is a set of security requirements, set by the card schemes and enforced through your merchant agreement rather than by law, that companies must follow to keep their customers' cardholder data safe. The requirements cover how businesses store, process and transmit cardholder details.
PCI DSS aims to minimise the chance of fraud resulting from data breaches. A business that isn't compliant with the current version of PCI DSS is putting its customers' financial information at risk and may be liable for fines of between $5,000 and $100,000 (roughly £4,000 to £81,000) per month. The fine is issued to the business's acquiring (merchant) bank, which then passes it on to the business.
As well as safeguarding your customers' personal information, implementing the proper card payment security measures can help to:
Learn more about how we can help your business become PCI DSS-compliant today.
Along with PCI DSS compliance, here are three additional types of card payment security that make transactions more secure.
This is the most common type of payment security used in card machines, and most people will have heard of it. It's been standard in the UK since 2006, but let's rewind to life before Chip and PIN…
Before Chip and PIN was rolled out, transactions were very different. Businesses took payments by swiping the card's magnetic stripe, which worked like this:
The problem with magnetic-stripe swipes was that if someone lost their card, there wasn't much stopping someone else from using it fraudulently. All they had to do was forge the signature printed on the back of the card, right there in front of them. Chip and PIN put an end to that.
Requiring the cardholder to enter the correct PIN for that specific card makes machine payments quicker, safer and more practical.
Now, this is how Chip and PIN works:
Step 1: When prompted, the customer inserts their card into the machine and enters their four-digit PIN. The PIN is issued by the bank when the customer first receives the card, and most people change it to something personal (but not obvious) and easy to remember.
Step 2: The PIN is checked either by the chip on the card itself or by the customer's card issuer. In the latter case the PIN pad encrypts the PIN before it leaves the terminal, so your business never sees or stores it. Encrypted means the PIN is transformed into a form that can only be read by someone holding the matching decryption key.
Step 3: Once the payment has been authorised, the funds will typically show in your business bank account within 3 to 5 days, ready for you to access.
And don’t worry, all this goes on behind the scenes without you lifting a finger and takes just a couple of seconds.
Address Verification Service (AVS) and Card Verification Value (CVV) checks should be used for all phone payments, whether taken on a card machine or through a virtual terminal.
Here’s how they work:
AVS and CVV checks run in real time, so you can accept or reject the transaction straight away.
A failed check doesn't prove fraud, but it is a warning sign of card fraud. So, in the interest of your and your customers' safety, it's best to decline the payment.
This one applies to online payments. Although there are security measures in place without it, 3D Secure authentication adds another layer to help stamp out card fraud. It's backed by the major card schemes, including Mastercard and American Express.
How 3D Secure works:
After your customer has entered their usual details (such as their billing address and CVV) but before the payment is processed, they are redirected to their card issuer's 3D Secure page. There, they will either be:
As with the previous two methods, this process is quick, but this time the check is carried out by the customer's card issuer rather than by you.
Want to know more about 3D Secure? Take a look at our complete guide to 3D Secure authentication here.
In September 2019, a new set of regulations came into force to make card payments even more secure and reduce the chances of fraud. Strong Customer Authentication (SCA) is a requirement of the second Payment Services Directive (PSD2) that applies to all "customer-initiated" online card payments and in-person contactless payments within the European Economic Area and the United Kingdom.
Under SCA, the customer's bank must carry out certain checks to confirm the customer's identity during the transaction. It also applies to online bank transfers.
It’s done by building in at least two of the following three authentication elements into the transaction:
Because two elements are required, this is also known as two-factor authentication. In practice it means customers may need to provide two of the above elements when purchasing from your business. If they can't, the payment may be treated as non-compliant and declined.
SCA doesn't apply to every transaction. Payment providers can flag payments they consider low-risk and request an exemption from SCA. Here are a few examples of payments that could be classed as low-risk and may not require SCA:
Payment providers request these exemptions to reduce the number of authentication steps in certain checkout flows, but the request is always passed on to the cardholder's bank. That bank reviews the transaction and ultimately decides whether the payment is exempt or needs SCA.
As a business, you need to decide which exemptions to request in order to balance security against a smooth checkout experience.
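The "two of three" rule is easy to get wrong in an integration: two elements from the same category (a PIN and a password, say) do not satisfy SCA. The following Python is an added example written for this page, not code from the original article or from any payment provider. The three categories (knowledge, possession, inherence) are the ones PSD2 defines; the factor names, the mapping table and the `decide` function are assumptions made for illustration, and the issuer's exemption decision is simply passed in as a flag, since the cardholder's bank has the final say.

```python
"""Added example: does a payment's presented authentication elements
satisfy PSD2 Strong Customer Authentication (SCA)?

SCA needs two elements from two *different* categories. The categories
are the three PSD2 ones; the factor names and mapping are assumptions
made for this example, not any provider's real catalogue."""
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the customer knows (PIN, password)
    POSSESSION = "possession"  # something only the customer has (card, phone)
    INHERENCE = "inherence"    # something the customer is (fingerprint, face)


# Hypothetical factor catalogue for this example; a real PSP's list differs.
FACTOR_CATEGORY = {
    "card_pin": Category.KNOWLEDGE,
    "password": Category.KNOWLEDGE,
    "chip_card": Category.POSSESSION,          # card present in the terminal
    "otp_to_registered_phone": Category.POSSESSION,
    "banking_app_push": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face_id": Category.INHERENCE,
}


def categories_covered(factors):
    """Map presented factor names to the set of SCA categories they cover.
    Unknown factor names are rejected rather than silently ignored, so a
    typo in an integration cannot count as a factor."""
    unknown = [f for f in factors if f not in FACTOR_CATEGORY]
    if unknown:
        raise ValueError(f"unrecognised authentication factors: {unknown}")
    return {FACTOR_CATEGORY[f] for f in factors}


def satisfies_sca(factors):
    """True when at least two distinct categories are covered.
    PIN plus password is still only 'knowledge', so it fails."""
    return len(categories_covered(factors)) >= 2


def decide(factors, issuer_granted_exemption=False):
    """Outcome for a customer-initiated payment.

    A PSP may *request* an exemption, but only the issuer (cardholder's
    bank) can grant it; that decision arrives here as a flag."""
    if issuer_granted_exemption:
        return "approved_without_sca"
    if satisfies_sca(factors):
        return "approved_with_sca"
    return "declined_sca_not_met"


if __name__ == "__main__":
    print(decide(["chip_card", "card_pin"]))                    # approved_with_sca
    print(decide(["password", "card_pin"]))                     # declined_sca_not_met
    print(decide(["password", "otp_to_registered_phone"]))      # approved_with_sca
    print(decide(["password"], issuer_granted_exemption=True))  # approved_without_sca
```

The second call is the case worth remembering: two "knowledge" elements look like two factors but fail SCA, because a single phishing attack or shoulder-surf captures both. Chip card plus PIN (possession plus knowledge) is the face-to-face case; password plus a one-time code sent to a registered phone is the typical 3D Secure case.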
SCA can affect both online and offline businesses. Here’s how you can meet the SCA requirements for face-to-face and eCommerce transactions:
Safe’s our middle name. Whether you’re looking for a portable card machine or a POS system, your and your customers’ safety is at the centre of everything we do.
For more about what we do and how we do it, get in touch with the team on 0808 274 2017.