
Taking & Making Payments

The vast majority of payments to or from a business are made electronically – either by bank transfer or payment (credit or debit) card. Because of the secure nature of banking systems, bank transfers are relatively safe, provided the same care is taken that should be exercised with all online transactions. Taking and making card payments involve more risk, but again some simple precautions can prevent problems from arising. Compliance with certain standards is also essential for businesses which accept payment cards. 

The Risks

  • Taking payments
    • Being paid using fraudulent or stolen credit cards.
    • Non-compliance with Payment Card Industry Data Security Standards (PCI DSS), and the resulting penalties.
    • Contravening the Data Protection Act (DPA) by keeping cardholder details for inappropriate purposes or an extended period of time.
    • Chargebacks from customers who falsely claim non-delivery, or that goods were not as described or arrived damaged.
  • Making Payments
    • Making payments to fraudsters on bogus sites or for goods and services that do not exist.
    • Phishing emails - being deceived into entering financial details on a fraudulent site.

Safe Payments

  • Taking Payments
    • Ensure that your ecommerce website is secure for the safety and peace of mind of your customers (see Secure Websites, below).
    • If taking payment by payment cards, ensure your business is compliant with Payment Card Industry Data Security Standards (PCI DSS), whose requirements differ according to ‘merchant level’ and card issuer (see Compliance Criteria and PCI levels, below).
    • When despatching goods, use proof of delivery (POD) to avoid chargebacks.
    • Depending on the nature of your business and size of transactions, consider accepting PayPal and mobile payments which provide an additional layer of security.
  • Making Payments
    • When making online payments, whether on a supplier website or via BACS, ensure the site is secure. A padlock symbol should appear in the browser window frame when you attempt to log in or register; a padlock drawn on the page itself, rather than in the browser frame, is a likely sign of a fraudulent site. The web address should begin with ‘https://’, where the ‘s’ stands for ‘secure’.
    • Use strong passwords and ensure they are kept private by the people they are issued to.
    • Impose strict usage rules for employees who have company payment cards – including PIN and password protection and anti-cloning precautions. 
    • Remember that paying by credit card offers more protection than paying by debit card or BACS.

Merchant PCI DSS Compliance Criteria and PCI levels

  • Compliance requirements are dependent on a merchant's activity level.
  • There are four levels, based on the annual number of credit/debit card transactions.
  • While payment brands determine the compliance levels for their own brands, acquirers are usually responsible for determining the compliance validation requirement levels of their merchants.
  • The compliance levels are set out below and usually refer to the number of transactions of each payment brand in a year.
  • Whether or not transaction volume applies only to e-commerce transactions or to payments processed through all channels is decided separately by each payment brand but, in general, all transactions are included.

Level 1
  • Criteria: merchants with over 6 million transactions a year, or merchants whose data has previously been compromised.
  • Validation requirements: annual onsite security audit (reviewed by a QSA, or by Internal Audit if signed by an officer of the merchant company and pre-approved by the acquirer) and quarterly network security scan.

Level 2
  • Criteria: merchants with 1,000,000 to 6 million transactions a year.
  • Validation requirements: annual Self Assessment Questionnaire and quarterly scan by an Approved Scanning Vendor (ASV).

Level 3
  • Criteria: merchants with 20,000 to 1,000,000 transactions a year.
  • Validation requirements: annual Self Assessment Questionnaire and quarterly scan by an Approved Scanning Vendor (ASV).

Level 4
  • Criteria: merchants with fewer than 20,000 transactions a year.
  • Validation requirements: annual Self Assessment Questionnaire and quarterly scan by an Approved Scanning Vendor (may be recommended or required, depending on acquirer compliance criteria).

Secure Websites

Providing a secure website for payments will ensure customers’ safety and peace of mind. Most people who shop and pay for goods and services online now recognise the significance of the padlock symbol that appears in the browser window frame when they attempt to log in or register, and of the address beginning with ‘https://’.

This shows that your business has a digital certificate issued by a trusted third party, such as VeriSign or Thawte, which indicates that information transmitted between your website and the customer’s browser is encrypted and so protected from being intercepted and stolen by third parties.

You can also obtain an Extended Validation (or EV-SSL) certificate, which indicates that the issuing authority has conducted thorough checks into your business.


More Information

A number of vendors offer transactional businesses still higher levels of security, which is increasingly relevant in the fast-growing world of mobile commerce and banking. Such solutions involve multi-factor authentication of the kind used by financial services organisations, or stronger still. One example is the solution offered by ValidSoft.
