What Is Payment Security?

Payment security involves the steps businesses take to make sure that their customers’ data is protected and to avoid unauthorized transactions and data breaches. Important aspects of payment security include following standards and protocols such as PCI compliance and 3-D Secure (3DS).

Payment security has multiple layers and different requirements depending on the type of business you operate. With eCommerce showing no signs of slowing down, it’s more important than ever for credit card issuers and their merchant customers to implement robust payment security. Multiple layers of payment security are required to protect your business from processing fraudulent transactions, for which you could be liable.

Compliance plays a critical role in how payment security is designed and implemented. Let’s explore how one of the most common standards shapes payment security requirements.

Payment Security and PCI Compliance

Payment Card Industry Data Security Standard (PCI DSS) is a standard that aims to make payment security consistent worldwide.

Any organization that processes, transmits, or stores cardholder data must comply with PCI DSS requirements. These requirements shape how payment security is implemented and evolve to reflect new fraud prevention techniques.

How your business proves PCI compliance will depend on how many transactions you process annually. There are four merchant levels businesses can fall into, with Level 1 having the strictest requirements and Level 4 having the least.

For instance, at Level 4, merchants can demonstrate their compliance through a self-assessment, while Level 1 requires them to submit to an external audit conducted by a certified security assessor. Different integrations with payment gateways can lower a merchant’s required compliance level if the transaction takes place in the payment processor’s environment versus on the merchant’s own website.

No matter how many transactions you process, having the right payment security in place will help you pass PCI compliance and prevent fraudulent transactions in your business.

Types of Payment Security

Tokenization

Tokenization secures transactions by replacing payment information with randomly generated strings of characters. These tokens allow businesses to provision customer accounts, set up scheduled payments, and manage payment settings without handling sensitive cardholder information each time.

Tokens use a public and private key to work. The public key allows for token creation, while the private key allows the merchant to issue single or recurring payments. This form of payment security helps ensure cardholder data is stored securely and reduces the number of times payment information is transmitted over the internet.
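As an added illustration (not code from the original article or from Outseer), the following shows the core idea of a token vault: the card number (PAN) is validated once, swapped for a random token, and from then on merchant systems only ever hold the token. It uses a simple random-token vault rather than the public/private key scheme described above; the in-memory store and the `tok_` prefix are assumptions for the example.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Check the card number's Luhn check digit before accepting it into the vault."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps random tokens to card numbers.

    In production this lives inside the PCI-scoped environment (typically the
    payment processor), not on the merchant's own systems. Hypothetical
    in-memory store for the example.
    """

    def __init__(self) -> None:
        self._store: dict[str, str] = {}   # token -> PAN

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # The token is random, not derived from the PAN: a plain hash of the
        # PAN could be reversed by enumerating the limited space of valid numbers.
        token = "tok_" + secrets.token_urlsafe(24)
        self._store[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        """Charge by token. The PAN is only touched here, inside the vault."""
        pan = self._store.get(token)
        if pan is None:
            raise KeyError("unknown token")
        # The merchant gets back a receipt with the last four digits only.
        return {"ok": True, "amount_cents": amount_cents, "last4": pan[-4:]}
```

The merchant can store `tok_...` in its database for scheduled or recurring payments without that database ever falling within scope for storing cardholder data.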

Address Verification Service (AVS)

AVS compares the address provided at checkout with the known address of the cardholder. The tool verifies whether or not the addresses match via a response code sent by the credit card company. While this is useful when paired with other methods of fraud prevention, by itself AVS is quite limited.

Typos, misspellings, and outdated address information can all inadvertently trigger an AVS mismatch, causing friction for legitimate customers. AVS alone cannot guarantee fraud protection, so it’s best to combine AVS with other forms of payment security.

SSL Protocol

Secure Sockets Layer (SSL) is an internet protocol that encrypts communications between a visitor’s browser and a website and is especially important for securing web pages that process customer payment information. Customers can see if a site is using SSL by looking for a lock icon in their address bar or verifying that the site address begins with “HTTPS.” Many browsers now alert visitors when a site isn’t using SSL.

The good news: Acquiring an SSL certificate is both easy and affordable. Administrators can install SSL certificates to secure web applications and checkout pages; just be sure to renew your certificates before they expire. The bad news: Cybercriminals are increasingly acquiring SSL certificates for fraudulent sites.

Card Verification Value (CVV)

CVV is a three- or four-digit code on the back of a credit card designed to verify the purchaser has physical possession of the card. While CVV can certainly help prevent Card Not Present (CNP) fraud, it’s far from foolproof.

Data breaches can expose CVV numbers, and fraudsters can simply write down your card information by hand. Like AVS, CVV is best used in conjunction with other payment security methods to provide an additional layer of security.

3-D Secure (3DS)

3DS is one of the most widely used forms of payment security and continuously evolves to counter fraud. The power of 3DS comes from the rich contextual data collected before and during checkout.

Information such as IP address, transaction history, and purchase amount is factored in and analyzed for risk. In total there are over 100 data points collected regarding the cardholder, their device, and the nature of the transaction.

This information is shared among the acquirer bank, the issuer bank, and the supporting infrastructure for the protocol. All three parties work together to process the request, provide a risk assessment, and authenticate or challenge the transaction. This process uses statistical analysis to transform contextual information into a risk score for each transaction in just a few seconds.

If the transaction is deemed risky or there simply isn’t enough information to validate the transaction, the customer is sent through a challenge flow to provide additional identification. Common challenges include One-Time Passwords (OTP) sent via text or email. Unlike earlier versions of 3DS, only suspicious transactions are issued a challenge flow. This creates a frictionless experience for legitimate customers, improving conversion rates while protecting against fraud.
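The risk-based flow just described, as an added example that is not part of the original article and is not Outseer’s risk engine: a handful of contextual signals are turned into a score, the score selects frictionless, challenge, or decline, and the challenge step is an OTP verified with a constant-time compare, an expiry, and an attempt limit. It also shows AVS and CVV results feeding in as extra layers, as the sections above recommend. The signals, weights, thresholds, and the AVS code set are illustrative assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class TxnContext:
    amount: float
    avg_amount: float       # cardholder's historical average (constructed)
    device_known: bool      # device seen before for this card
    ip_country: str
    billing_country: str
    avs_code: str           # assumed codes: "Y" full, "A"/"Z" partial, "N" no match
    cvv_match: bool


def risk_score(ctx: TxnContext) -> int:
    """Additive score clamped to 0-100. Weights are illustrative only."""
    score = 0
    if ctx.amount > 3 * max(ctx.avg_amount, 1.0):
        score += 30                       # unusually large for this cardholder
    if not ctx.device_known:
        score += 20
    if ctx.ip_country != ctx.billing_country:
        score += 25
    score += {"Y": 0, "A": 10, "Z": 10}.get(ctx.avs_code, 20)
    if not ctx.cvv_match:
        score += 20
    return min(score, 100)


def decide(ctx: TxnContext, frictionless_below: int = 30, decline_at: int = 75) -> str:
    """Only the middle band is challenged; low risk passes without friction."""
    s = risk_score(ctx)
    if s < frictionless_below:
        return "frictionless"
    if s >= decline_at:
        return "decline"
    return "challenge"


class OtpChallenge:
    """Challenge step: six-digit one-time code, constant-time compare, TTL, attempt cap."""

    def __init__(self, ttl: int = 300, max_attempts: int = 3, now=time.time) -> None:
        self.code = f"{secrets.randbelow(10**6):06d}"   # sent to the cardholder out of band
        self._now = now
        self.expires = now() + ttl
        self.attempts = max_attempts

    def verify(self, submitted: str) -> bool:
        if self.attempts <= 0 or self._now() > self.expires:
            return False
        self.attempts -= 1
        return hmac.compare_digest(self.code, submitted)
```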

Payment Security Best Practices

One of the simplest ways to follow best payment security practices is to follow the PCI data security framework: Assess, Remediate, and Report.

Assess

Take inventory of your digital assets, and review your procedures for processing cardholder data. Most merchants can use the Self-Assessment Questionnaire (SAQ) to review their payment security. Larger companies processing a high amount of transactions annually may need to hire a Qualified Assessor to professionally audit their organization.

Remediate

Once payment security issues have been identified, they can be properly fixed. Remediation steps can consist of repairing misconfigurations, implementing encryption, or fixing vulnerable code. The assessment phase helps provide actionable steps to take during the remediation process.

Report

Regular reports are required to maintain PCI DSS compliance. PCI compliance is not enforced, meaning it’s up to the merchant to ensure their payment security meets the proper requirements. The level of reporting merchants need to provide depends on their merchant level.

What’s the Best Form of Payment Security?

Effective payment security offers many layers of protection without impacting the customer journey. 3DS makes it easy to protect your brand and customers at the same time, making it one of the best forms of payment security available.

Reduce Risk

3DS uses robust datasets and real-time fraud intelligence to significantly reduce the risk of fraud. Even if stolen card information is used to make a purchase, it is highly unlikely the fraudster will be able to complete the OTP challenge triggered by the 3DS challenge flow.

Customer Experience

The latest version of 3DS creates a seamless customer experience, unlike older methods of payment security. 3DS makes it easy for the customer to complete their transactions across multiple devices and inside mobile apps. By only issuing a challenge flow on suspicious transactions, 3DS provides one of the most customer-friendly solutions to fraud prevention.

The Outseer Solution

Outseer 3-D Secure provides the best 3DS-enabled payment authentication without sacrificing user experience. With the Outseer Risk Engine at its core and informed by intelligence from our global data network partners, Outseer 3-D Secure transparently evaluates each transaction in real time to prevent 95% of all fraud, with only 5% of transactions ever requiring intervention. That’s the best performance in the industry.

In 2020 alone, Outseer saved customers nearly $1.6 billion in fraud losses by authenticating over one billion transactions. By recognizing what others can’t, Outseer delivers a frictionless flow that simultaneously minimizes chargeback losses while reducing operational expenses associated with a fraud investigation. Experience the best in fraud protection with Outseer through our free demo.

Jim Ducharme

Chief Operating Officer

Jim is responsible for product strategy and leads the associated product management and engineering teams at Outseer. He has nearly two decades of experience leading product organizations in the Identity marketspace, and has held executive leadership roles at Netegrity, CA, and Aveksa.