Online payment security: 6 best practices for e-tailers

Decidedly, the pandemic parenthesis has definitively anchored e-commerce in the daily lives of the French. In 2022, they spent more than €147 billion online, a growth rate of 13.8% in a complicated economic climate(Fevad). In detail, each French person makes an average of 54 online purchases per year, for an average shopping basket of €54.

And companies are getting in on the act too, as B2B buyers now say they are more inclined to buy online rather than through a sales representative. In fact, B2B e-commerce has overtaken B2C in terms of value... not surprising, given that the average shopping basket is 25 times higher.

In an increasingly demanding regulatory environment, the craze among individuals and businesses for online purchasing raises the question of data security. For beyond exposure to sanctions (provided for by the RGPD in particular), companies that sin through negligence will see their customers' trust eroded, no doubt irreversibly.

So how do you secure your online payment system? Here are 6 INCONTROVERTIBLE best practices to help you meet online payment expectations with complete peace of mind.

#1 Avoid exotic or shady payment platforms

Choosing the right payment platform is no mean feat, since you'll be entrusting it with the most critical part of the purchasing process. Our advice: don't stray too far from the familiar leaders like Stripe, PayPal or Adyen.

If they dominate the market, it's not (at all) by chance. They are PCI DSS-compliant and invest continuously in developing anti-fraud algorithms. A quick comparison:

	Stripe	PayPal	Ayden
Main strength	Stripe provides ready-to-use modules for popular e-commerce CMS (Shopify, Magento, WooCommerce).	The presence of PayPal during the payment process reassures thanks to its worldwide reputation (over 392 million active users).	Companies targeting different international markets will appreciate Ayden's ability to handle local payment methods such as Alipay in China and Boleto in Brazil.
Security	Stripe uses tokenization. The platform automatically captures and converts payment information into a unique "token". Card details are never stored on the company's servers, and compromised data cannot be used to hack into accounts.	PayPal is more than just a payment intermediary. The solution also features a monitoring system that actively analyzes transactions to detect and prevent fraudulent activity.	Adyen uses behavioral data to identify suspicious activity during the payment process for rapid intervention in the event of fraudulent attempts.

#2 HTTPS isn't just an "s" added to HTTP!

A quick rundown: HTTPS uses the SSL (Secure Socket Layer) or TLS (Transport Layer Security) protocol to encrypt data transmitted between the user's browser and the web server. This encryption ensures that data, such as credit card details and login credentials, are safe from malicious interception during transfer.

How do I go about it? Here's a step-by-step mini-guide:

1. Choose a certification authority (such as DigiCert, Let's Encrypt, or GlobalSign) and purchase an SSL/TLS certificate. The choice of certificate will depend on your needs (single certificate, certificate for several sub-domains or certificate for several domains).
2. Install the certificate on your web server. This process varies depending on the server you're using (Apache, Nginx, etc.), but your web host or certification authority will provide you with specific instructions.
3. Configure your web server to use SSL/TLS encryption. You will redirect HTTP traffic to HTTPS and update the settings to use the installed SSL/TLS certificate.
4. Ensure that all your site's resources (images, scripts, CSS) are loaded via HTTPS to avoid "mixed content" problems, where some resources are loaded in HTTP on an HTTPS page.
5. Set up permanent redirects (301) from your old HTTP URLs to the new HTTPS URLs. Objective: ensure that users and search engines are automatically directed to the secure version of your site.
6. Update your Sitemap and robots.txt files to reflect the change to HTTPS. Also submit the new Sitemap to Google Search Console so that search engines are quickly informed of the change.
7. Regularly check the validity of your certificate and renew it before it expires.

Migration to HTTPS doesn't just benefit the security of online transactions. Browsers clearly indicate a site's security level to the user with a padlock or security notification. This is an indicator of trust for the Internet user, who is more inclined to click.

#3 Ensure data integrity with Data Quality Management

After all, why build an impenetrable wall around your e-commerce site if the information it protects is erroneous or obsolete?

Using Data Quality Management (DQM) solutions is a strategic investment with a very good ROI. The idea is to clean up and sanitize your existing database, check the validity and accuracy of the data entered on the contact form and, in turn, generate business benefits (better performance of marketing campaigns, fewer errors in parcel delivery, greater customer confidence, etc.).

Here are a few things to keep in mind:

1. When a customer fills in an online form, there may be innocent errors, as well as attempts at intrusion or fraud. Your DQM solution will examine these entries in real time to ensure their validity. For example, is the e-mail address supplied correctly formatted? Does the zip code correspond to the city entered? All this is checked before entry into the database.
2. Over time, even the most rigorously managed databases can become filled with obsolete or duplicate information. An effective DQM scans this data, identifies and removes duplicates, corrects obvious errors and can even enrich existing data by supplementing it with relevant, up-to-date information.
3. For e-tailers managing data from multiple sources (online store, physical store, mobile apps), all this information needs to be consistent. And this is one of the tasks of the DQM.

Data Quality Management isn't just about cleaning up data. It's a proactive approach to ensuring information integrity, optimizing operations and delivering a better user experience.

Data Enso has precisely developed intuitive, simple and 100% RGPD-compliant solutions for e-tailers. We can clean up your existing databases within 48 hours and act preventively to ensure that all customer information entered on your forms is screened. Test us free of charge and without obligation!

#4 Strong customer authentication (SCA): an obligation under PSD2, with a few exceptions

Strong Customer Authentication(SCA) is one of the key requirements of Europe's Payment Services Directive 2 (PSD2).

In concrete terms, the SCA requires online transactions to be validated using at least two of the following three elements:

1. Knowledge: something that only the user knows (e.g. a password or PIN code).
2. Possession: something that only the user owns (for example, a bank card or a cell phone).
3. Inherence: something the user "is" (for example, a fingerprint or facial recognition)

I'm a French e-commerce website. Am I concerned? SCA is mandatory for all online transactions initiated by consumers within the EEA (European Economic Area) where both the merchant and the cardholder's bank are located in the EEA. In other words, for a French e-commerce site processing payments with consumers using cards issued by EEA banks, SCA implementation is an obligation.

If it's an obligation, where's the best practice? It lies precisely in the exceptions to the SCA. The law authorizes you to bypass this double authentication to make the purchasing process more fluid, and it would be a shame to do without it. There are four such exceptions:

1. If the transaction is considered low-risk by the bank thanks to a real-time analysis of the transaction's risks, it may be exempted (same user on the same device according to a usual pattern, etc.).
2. Payments of less than €30 may be exempt. On the other hand, if five consecutive payments are made, or if the total value exceeds €100, CAS will be required.
3. Recurring payments of the same amount to the same merchant can be exempted after authentication of the first transaction.
4. Consumers can add merchants to a "white list " with their bank to avoid authentication each time.

#5 Auditing and vulnerability testing are not just for e-commerce giants

Even if you're not a giant like Amazon or Alibaba, the security of your e-commerce site won't stand any neglect if you have big ambitions. Note: cybercriminals most often target SMEs, as they are less well protected.

So don't hesitate to regularly assess your system's robustness against these threats through mini-audits and vulnerability tests.

What you can do yourself:

• Familiarize yourself with the basic concepts of common vulnerabilities such as SQL injections or XSS attacks. A short course on YouTube or a tour of ChatGPT 4 will do the trick.
• Use free scanning tools such as OpenVAS or OWASP ZAP. You'll get a detailed report on your e-commerce security problems and recommendations for remedying them.
• Examine your contact forms with an injection test, Cross-Site Scripting (XSS), field limit check, etc. If you don't understand any of these terms, call in an external service provider.

What a cybersecurity expert can do for you:

• Interpreting automated scan results
• Penetration Testing (PenTest) to simulate a real cyber attack
• Implementation of patches.

#6 Train your employees and raise their awareness

It's a fact: in a serious e-commerce ecosystem, the weakest link isn't technology. It's people.

The marketing manager, the boss, the copywriter, the customer service department, the accountant... every employee can be an entry point for threats if basic precautions are not taken. Employee training and awareness-raising are therefore essential to securing your business.

Here are the key words for your training: work on mastering common risks such as phishing and "social engineering" attacks, raise awareness of the importance of regular updates and the use of password managers, instill a " security first " culture, determine the behavior to adopt in the event of a suspected compromise or security incident...