PCI DSS – the Gold Standard of Payment Security

In online card transactions, security is of utmost importance as sensitive card information and personal data of cardholders are involved. The security of online payments is crucial for building trust with customers and maintaining the integrity of the web shop. Therefore, there can never be enough discussions and writings on security, which is why I dedicate this blog to this important topic.

A significant share of the responsibility in online payments lies with the Internet Payment Gateway (IPG), which processes transactions and transmits them between the web shop and the acquiring bank. The whole flow must follow strict security rules: card details are entered on the secure payment form hosted by the IPG, so the merchant's own systems never see the full card number. And if the IPG stores card and cardholder data at all (for example for recurring payments or one-click checkout), it must meet strict requirements on how that data is stored, encrypted and accessed.

The security level of an IPG is demonstrated through PCI DSS (Payment Card Industry Data Security Standard) validation, the baseline security standard of the payment industry. The standard applies not only to banks but to every entity that stores, processes or transmits cardholder data in any capacity; it is not a law but a contractual requirement of the card brands, enforced through the acquiring banks. Level 1 is the highest validation tier, defined by transaction volume, and requires an annual onsite assessment by an independent Qualified Security Assessor (QSA). Since securely storing and managing card data and transactions has a direct impact on reputation and on the business as a whole, merchants should check carefully whether their chosen IPG holds a current PCI DSS Level 1 validation.

It's important to understand the difference between an IPG that is "certified" and one that is "merely compliant" with PCI DSS. What is commonly called certification is validation by an independent QSA, who performs an onsite assessment and issues a Report on Compliance (ROC) together with a signed Attestation of Compliance (AOC). "Compliant" on its own often means only that the company has filled in a Self-Assessment Questionnaire (SAQ) on its own say-so, with no independent check. QSA validation is a much higher bar and is a prerequisite for a service provider that stores and processes card data and transactions on behalf of others. Web shops can also undergo a full QSA assessment, but for most of them it is not cost-effective: the process is rigorous and expensive, and it has to be repeated every year, because the validation is only valid for twelve months. A merchant that fully outsources card entry to the IPG's hosted form instead typically qualifies for the short SAQ A questionnaire. Consequently, fully assessed merchants are a rarity, particularly in smaller markets.

To obtain validation, an IPG must comply with over 250 individual requirements, organised under 12 principal requirements in six areas: building and maintaining a secure network and systems (firewalls, no vendor-default passwords and other security parameters); protecting cardholder data (encryption of stored data and of data in transit over public networks); maintaining a vulnerability management program (anti-malware, secure development and patching of systems and applications); strong access control (need-to-know access to systems, unique user IDs, physical access to premises); regularly monitoring and testing networks (logging of all access to cardholder data, vulnerability scanning and penetration testing of systems and processes); and maintaining an information security policy.

For those venturing into online business as web shop owners, I advise you to check whether your potential IPG partner holds a current PCI DSS Level 1 validation. If you have been working with an IPG for a long time, check that it is renewed every year. An IPG that is regularly assessed will usually highlight this on its website, but a logo is not proof: ask them for their current Attestation of Compliance (AOC) signed by a QSA, check that the assessment date is within the last twelve months, and check that the services listed in it actually cover the services you use (for example card storage or recurring payments, not just transaction processing). The card brands also publish lists of validated service providers, which you can use to cross-check the claim.

Wishing you a safe flight through the online world!

Edgar
