As a business, you’re likely to engage with the world of payment security fleetingly. Managing your PCI Compliance may be the closest you come as a merchant to looking at payment security. Many of the systems protecting businesses and customers are so seamless that they require little thought. However, understanding payment security is increasingly important if you want to protect your business and your customers.
1. Strong Customer Authentication (SCA)
Whilst you may not be familiar with the term SCA, as a merchant you will see SCA transactions all the time. An SCA check occurs when a customer is asked to enter their PIN after trying to pay for an item using a contactless payment system.
SCA is a fraud prevention measure that stops fraudsters from using a lost or stolen card with the contactless system to steal the cardholder’s money. Typically, card issuers limit either the number or the value of contactless payments that can be made before a PIN is required.
For users of Visa, SCA may require customers to complete at least two of the following three steps to fulfil its two-factor authentication.
Firstly, customers may need to verify they are the cardholder with something they know. For example, if the contactless threshold has been reached, the next time they try to pay using contactless, they will be instructed to enter their PIN. As a merchant, recognising this process and walking the customer through this stage can be very helpful.
Secondly, customers may need to verify themselves with something they have, such as a mobile phone. Paying via an e-wallet can authenticate customers because e-wallets require passcodes.
Finally, customers can verify themselves through biometrics. Customers can use Google Pay and Apple Pay with biometrics, using fingerprints and facial recognition to unlock the wallet and proceed with a payment.
2. Card Not Present Security (CNP)
A CNP payment occurs when the cardholder does not physically present the card at the time of purchase. The two most common examples of CNP payments are online and over-the-phone payments.
These forms of payment usually require only the card details to complete a transaction, which exposes them to potential fraud. To mitigate these risks, card providers have started sending users codes via text to confirm their identity before processing the transaction.
Being able to walk customers through this process confidently is reassuring and lends your business a sense of authority and trustworthiness that is valued by customers.
3. Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS), introduced in 2006, is a set of legal requirements that ensures all companies that process, store, and transmit credit card information maintain a secure environment.
PCI compliance is one of the most important aspects of a modern business. The importance of being compliant is ever-growing, particularly with the transition to a cashless society.
However, despite the importance of PCI compliance, 80% of UK businesses are not compliant. Failure to demonstrate compliance can result in a costly monthly fine of between £4,000 and £80,000.
4. Near Field Communication (NFC)
Near Field Communication is something many will not have heard of but will likely use every day. NFC enables contactless payments from smartphones and smartwatches through services like Apple Pay and Google Pay, as well as from contactless bank cards.
NFC payments have gained increasing popularity due to the ease of the payment method. NFC contactless payments have the added benefit of being encrypted and highly secure.
NFC payments only work when a contactless device and payment terminal are within 2 inches of each other. E-wallets can only operate when they have been biometrically unlocked either with a unique fingerprint or with facial recognition software.
As a merchant, to accept NFC payments, you will need to have a payment terminal with an NFC-enabled reader. Whilst contactless payments are becoming the new norm, many merchants still do not have the technological capacity to accept this payment method.