3 card payment security types: how small businesses can secure their payment methods

In 2020, research from UK Finance shows that the total amount of cash payments made in the UK fell by 35% while contactless transactions went up by 12%.

With this increase, scammers are increasingly targeting digital payments. In fact, Juniper Research reported a 16% growth in eCommerce fraud losses in 2022, with the global total cost to merchants at over $41 billion.

With cash transactions on the decline, there’s never been a better time to review your business’s card payment measures to make sure you’re doing everything you can to protect your company and your customers.

To help you get to grips with everything you need to know, we’ve come armed with all the important bits around card payment security. We’ll walk you through the importance of having secure systems in place and which card payment security measures you can implement today.

What is card payment security?

From phone to contactless payments, it’s essential to make sure that every stage of a digital transaction is safe and secure. That’s where card payment security measures come in.

These are methods that businesses can use to protect their customers’ sensitive and financial data throughout physical card and online payment processes.

Why is card payment security important?

Any business that accepts card payments must be Payment Card Industry Data Security Standard (PCI DSS) compliant. This is a set of security regulations that companies have to follow to ensure the safety of their customers’ data. These requirements include how businesses store, process, and transmit cardholder details.

PCI DSS aims to help minimise the chances of fraud by data breaches. Any business that isn’t compliant with the latest PCI DSS regulations will be risking their customer’s financial information and may be liable to a fine between £4-81,000 per month. The fine will be issued to a business’s merchant bank, before being passed down to the business.

As well as safeguarding your client’s personal information, implementing the proper card payment security measures can help to:

• Prove that your business is legitimate
• Gain the trust of future customers
• Help to encourage potential sales

Learn more about how we can help your business become PCI DSS-compliant today.

What types of card payment security are there?

Along with being PCI DSS compliant, learn how three additional types of card payment security are used to make transactions more secure.

1. Chip and PIN

This is the most common type of payment security used in card machines. The majority of people have probably heard of it. It’s been around since 2006, but let’s rewind to life pre-Chip and PIN…

Before the Chip and PIN method was rolled out, transactions were very different. Businesses had to take payments using a magnetic swipe which worked like this:

1. You swipe the customer’s card through the machine.
2. They sign the receipt (yes, using an actual pen and paper).
3. You check the signature matches what’s on the card.

The problem with using a magnetic swipe was that if someone lost their card, there wasn’t much stopping someone else from fraudulently using it. All they would have had to do was forge the signature that was right in front of them. The Chip and PIN revolution put an end to all that.

Introducing the need to successfully submit the correct PIN code for the corresponding card makes card payments using a machine much quicker, safer, and more practical.

Now, this is how Chip and PIN works:

Step 1: When prompted, the customer puts their card in the machine and enters their four-digit PIN. PIN codes are set by the bank when someone first gets their card and most people change theirs to something personal (but not obvious) and easy to remember.

Step 2: Once the PIN’s been entered, it becomes encrypted data sent to your business’ merchant account. Encrypted data means the PIN code transforms into another form of code that only people with a decryption key or password can access.

Step 3: When the customer’s payment has been given the all-clear, it’ll show in your business bank account in 3 to 5 days, ready for you to access.

And don’t worry, all this goes on behind the scenes without you lifting a finger and takes just a couple of seconds.

2. Address Verification System (AVS) and Card Verification Value (CVV) checks

AVS and CVV checks should be used for all phone payments, whether done with a card machine or through a virtual terminal.

Here’s how they work:

• Address Verification System (AVS) – You’ll be asked to provide your customer’s full billing address and then the system matches the postcode given to the address already stored with their bank.
• Card Verification Value (CVV or CV2) – Requires your customer’s CVC or CSC (card security code) to verify the card’s details. This is either a three or four-digit number usually found on the back of the card.

The good thing about AVS and CVV checks is they’re done in real-time, so you can go ahead and accept or reject the transaction right away.

It’s important to remember that failed checks could be a sign of credit fraud. So, if you get any, in the interest of your and your customer’s safety, it’s best to decline the payment.

3. 3D secure authentication

This one applies to online payments and although there are security measures in place without it, 3D secure authentication adds another layer to help stomp out credit fraud. It’s also backed by big-name card issuers like Mastercard and American Express.

How 3D secure works:

After your customer has entered their usual details (like their billing address and CVV number) but before their payment has been processed, they will be taken to their card provider’s 3D secure page. There, they will either be:

• Asked for their banking password
• Sent an authentication code to enter

As with the previous two methods, this process is also super quick, but this time it’s done by the person’s card provider.

Want to know more about 3D secure? Take a look at our complete guide to 3D secure authentication here.

What is Strong Customer Authentication (SCA)?

In September 2019, a new set of regulations were enforced to try and make card payments even more secure and reduce the chances of fraud. Strong Customer Authentication (SCA) is a requirement from the Payment Services Directive (PSD2) that applies to all “customer-initiated” online card or contactless offline payments within the European Economic Area and the United Kingdom.

According to SCA requirements, banks must carry out certain checks to confirm a customer’s identity during the transaction journey. It’s also required for bank transfers.

It’s done by building in at least two of the following three authentication elements into the transaction:

• Something only the customer knows – a password or a PIN
• Something only the customer owns – a mobile phone or card reader
• Something the customer is – a fingerprint or face recognition

How does SCA apply to small businesses?

Also known as two-factor authentication, these requirements mean that customers may need to provide two of the above elements when purchasing from your business. If they fail to do so, their payment may be considered non-compliant and will be declined.

SCA doesn’t apply to all transactions and it’s down to individual payment providers to identify which payments are considered low-risk and will be exempt from SCA. Here are a few examples which could be classed as low-risk payments that may not require SCA:

• Transactions below a specific amount
• Recurring payments of the same amount
• Payments made with a saved card on an account where a transaction has previously been made

It’s worth noting that payment providers may request these exemptions to reduce the amount of authentication steps required in certain checkout flows. However, the request will always be passed on to the cardholder’s bank to review the transaction. Their bank will ultimately decide if the payment is exempt based on whether it’s high risk or needs SCA.

For businesses, you must decide which exemptions to put in place that balance security and a seamless checkout experience.

What does SCA compliance look like for small businesses? 

SCA can affect both online and offline businesses. Here’s how you can meet the SCA requirements for face-to-face and eCommerce transactions:

• In-store – Chip and PIN is SCA compliant as it requires a physical card and PIN code. Contactless payments, however, may prompt customers to enter their PIN code on higher-value transactions.
• Online – For online stores, the 3D secure authentication method meets the SCA requirements. By entering a one-time passcode as well as their card details, customers will be providing the necessary two levels of SCA to confirm their identity.

You can put your trust in us

Safe’s our middle name. Whether you’re looking for a portable card machine or a POS system, you and your customers’ safety is at the centre of everything we do.

• All our solutions use at least one of the above safety features
• Everything we do’s in-line with the latest PCI DSS guidelines
• Our secure merchant accounts mean safe transactions

For more about what we do and how we do it, get in touch with the team on 0808 274 2017.

Jodie Wilkinson

Head of Strategic Partnerships