Accepting payments online

If you collect online payments from customers, there are a few important steps you need to take to make sure that information is protected.

Many more businesses are embracing e-commerce these days by selling their products and services online. Putting your business online is like opening a new store that anyone in the world can visit. This lets you reach more customers, but it also creates more opportunities for online criminals.

E-commerce websites are a frequent target for attackers because they hold what criminals want: customers' payment data, which can be used to commit fraud. Because your customers must hand over personal and payment information to buy from you online, your site becomes a more attractive target than a purely informational one.

This guide will help you understand what you need to do in order to get your business online, while keeping your e-commerce website safe and secure, and protecting your customers’ information.

Understand what you need

Before making changes to your business operations to allow you to collect payments from customers online, it’s important to understand what’s required. Below are some things you’ll need to put in place.

An online store or e-commerce system

You might already have a website for marketing, and now your business is growing and you want to add an online shopping cart. This part of your website needs to be well-built and secure, as it is the part attackers are most interested in. Because of this added risk, it's important to do your due diligence: not all online stores are created equal. Your first decision is whether you want a custom-made e-commerce system or an off-the-shelf product.

There are many well-tested off-the-shelf options for online shopping carts (such as Shopify, Squarespace, or Wix). These dedicated e-commerce companies continually update their software to respond to evolving risks. You remain responsible for the parts they don't control, such as protecting your administrator accounts and being selective about the add-ons or apps you install.

If you choose to have an e-commerce system custom-made for your website, make sure you understand what security features it will offer and ask the developer how they will be tested and maintained. Although the developer will do the technical work, you'll be the one responsible for keeping your customers' information safe.

Tip: If you plan to use an IT service provider to create or recommend your e-commerce system, our guide on choosing an IT service provider will help you ask the relevant questions.

Payment gateway

A payment gateway is the service that actually takes the customer's payment on your behalf. Each payment type (e.g. credit/debit card vs. bank transfer) comes with its own security and compliance requirements that you need to consider. We encourage you to get in touch with your bank to discuss payment gateway options.

Off-the-shelf e-commerce systems are often limited to certain payment gateways. Before committing to either, talk to your IT service provider about which payment gateways your e-commerce system can integrate with.

Security standards for handling credit cards

The payment card industry maintains a security standard for businesses that accept credit cards, covering how cardholder data must be handled. It's called the Payment Card Industry Data Security Standard (PCI DSS) and is published by the PCI Security Standards Council. PCI DSS sets the minimum baseline for website payment security and is a required part of processing credit card payments online.

By using a PCI-compliant service provider and implementing the standard's measures in your business, you significantly reduce your risk of suffering an online attack. The less card data your own systems see, the smaller your compliance burden: a gateway that hosts the card-entry page or tokenises card numbers keeps that data off your website entirely, so check which option your gateway offers. The PCI DSS controls are useful to implement in other areas of your business too.

Visit CERT NZ for more information. 
Visit ACSC for more information.