Can you imagine a time when you couldn’t shop online or pay for your groceries with a tap of a bank card? Neither can your customers.
If you’re still taking payments using old-fashioned, offline methods then it’s time to elevate your payment game to offer secure payments online.
Consumers today are savvy when it comes to sharing their financial data. It’s no longer novel to pay for goods and services online, and with the threat of card fraud, people are hyper-aware of scams and dodgy-looking websites.
If your webpage asks for their bank account information and isn’t obviously secure or in compliance with the latest standards, they will quickly click off and find a competitor that is.
So, just how do you make sure you’re offering your customers the most secure payments online? This article will detail:
- Payment Card Industry Data Security Standard (PCI DSS)
- TLS/SSL Certification
- TLS/SSL Process
- How to Access Direct Debit as a Direct Submitter
- How to Access Direct Debit as an Indirect Submitter
The Payment Card Industry (PCI) Security Standards Council is a global collective of members including major payment brands Visa, MasterCard and American Express. Its purpose is to set and maintain the payment card industry security standards.
This means that any business, small or large, that takes payments online must comply with the PCI Data Security Standard (PCI DSS).
The PCI DSS applies to: “all entities that store, process, and/or transmit cardholder data. It covers technical and operational practices for system components included in or connected to environments with cardholder data. If you accept or process payment cards, PCI DSS applies to you.”
Each payment card brand (e.g. Visa) also has its own compliance requirements. Businesses taking online payments must ensure they also comply with these. You can see contact information for each brand here.
It’s also important to consider any local country laws with regards to taking secure payments online.
Payment Card Industry Data Security Standard (PCI DSS)
Payment security is paramount to protecting cardholder data. The PCI DSS is a framework of 12 technical and operational standards that fall into six categories:
1. Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
3. Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
4. Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
5. Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
6. Maintain an Information Security Policy
- Maintain a policy that addresses information security for employees and contractors
Once you have this framework in place, your website, or any IT infrastructure with an internet-facing IP address, must be scanned to validate your compliance. These quarterly scans are carried out by a PCI-approved scanning vendor. There’s more information on the procedure here.
To be PCI compliant, you must ensure that your website is secure by using Transport Layer Security (TLS), which is the newer version of Secure Sockets Layer (SSL). Both terms are still widely used, although technically TLS has largely superseded SSL.
TLS/SSL are encryption protocols that provide data privacy and authentication between two communicating computer applications. They allow the secure exchange of data between a customer’s web browser and your website, for example.
Therefore, if anyone attempts to intercept the data – e.g. credit card details – between these two points it will be encrypted and indecipherable.
To add TLS/SSL to your website you’ll need to get a TLS/SSL Certificate, activate it and install it on your website.
Once installed, the certificate authenticates your website to prove to visitors that you are who you say you are and that you have a secure, encrypted website.
It’s obvious to your website visitors that you have this certificate because there’s a padlock symbol displayed in the web browser before your URL. And the URL itself starts with the prefix https (rather than http for non-certified websites).
A certificate will include:
- The certificate holder's name
- The certificate's serial number and expiration date
- A copy of the certificate holder's public key
- The digital signature of the certificate-issuing authority
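As an added example (not code from the original article), this Go program issues a throwaway self-signed certificate for the constructed hostname shop.example and reads back the fields listed above, including whether the signature verifies; the serial number is a made-up value, and because the certificate is self-signed the signature is checked against its own public key rather than a separate authority’s.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CertSummary holds the items the article lists plus the signature check.
type CertSummary struct {
	Holder      string    // certificate holder's name (subject common name)
	Serial      string    // serial number, hex
	Expires     time.Time // expiration date (NotAfter)
	PublicKey   string    // algorithm of the holder's embedded public key
	SignatureOK bool      // issuer's signature verifies under the issuer's key
}

// newCert issues a self-signed cert for the constructed name "shop.example"; a negative validFor makes it already expired.
func newCert(validFor time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x0badc0de), // constructed value
		Subject:      pkix.Name{CommonName: "shop.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(validFor),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// summarise parses the DER bytes into the fields above (self-signed, so the issuing key is the cert's own).
func summarise(der []byte) (CertSummary, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return CertSummary{}, err
	}
	return CertSummary{
		Holder:      c.Subject.CommonName,
		Serial:      c.SerialNumber.Text(16),
		Expires:     c.NotAfter,
		PublicKey:   c.PublicKeyAlgorithm.String(),
		SignatureOK: c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil,
	}, nil
}
```

A browser performs the same parse, then additionally walks the chain up to a trusted root and checks the expiry against the current time before showing the padlock.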
TLS/SSL creates a secure connection so that when a customer visits your website, their browser establishes an SSL connection with the web server using a process called an ‘SSL handshake’. This happens instantly and invisibly.
The connection is set up using three keys: public, private and session keys. Anything encrypted with the public key can only be decrypted with the private key, and vice versa.
This public-key encryption and decryption takes a lot of processing power, so it happens only during the SSL handshake, where it is used to create a session key.
After the secure connection is made, the session key then encrypts all transmitted data.
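The key model described above, shown as an added Go example rather than the article’s own code: the browser wraps a random session key with the server’s public key, the server unwraps it with its private key, and that session key then drives AES-256-GCM for every later record (this is the RSA key-transport pattern; TLS 1.3 derives the session key with an ephemeral Diffie-Hellman exchange instead, but the split between a one-off public-key step and cheap symmetric encryption is the same). The RSA key pair standing in for the server’s certificate key is assumed to be generated by the caller.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// wrapSessionKey is the browser's half of the handshake: pick a random 256-bit
// session key and encrypt it with the server's public key (from its certificate).
func wrapSessionKey(serverPub *rsa.PublicKey) (key, wrapped []byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil)
	return key, wrapped, err
}

// unwrapSessionKey is the server's half: only the matching private key can recover it.
func unwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
}

// sessionCipher builds AES-256-GCM from the agreed key; this cheap symmetric
// cipher protects every record sent after the handshake.
func sessionCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts one record (e.g. the card form POST) under a fresh random nonce.
func seal(aead cipher.AEAD, plain []byte) (nonce, ct []byte, err error) {
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plain, nil), nil
}

// open decrypts a record and fails if it was altered in transit.
func open(aead cipher.AEAD, nonce, ct []byte) ([]byte, error) {
	return aead.Open(nil, nonce, ct, nil)
}
```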
If the idea of PCI compliance and TLS/SSL certification feels overwhelming, then you can opt to outsource this to a trusted payment solution provider.
A payment solution provider, such as PayPal, Stripe or Braintree, will manage the entire process for you so you can take secure payments on your website using their TLS/SSL protocols and PCI compliant procedures.
As you won’t be handling any of your customers’ financial information, you don’t need to worry about updating your website to manage it. You simply sign up to a payment solution provider and integrate their payment forms and buttons with your website – often by simply copying and pasting some HTML code into your website’s backend.
There are fees involved with outsourcing this process. However, there are various packages to select from depending on the volume of your online payments, customisable options and other possibilities.
If you’re unsure about this option due to security concerns, it’s worth noting that in 2018, PayPal had 267 million active worldwide accounts. Therefore, it’s likely that your customers have either heard of it, or are already using it.
By using a payment solution provider such as PayPal, your customers can either pay you using the balance in their PayPal accounts or use the PayPal system to access their bank accounts to pay from their funds held there.
It simplifies the process and gives customers an appreciated choice so they can select the most convenient way to pay you.
If you’re considering setting up secure online payments because your customers pay you regularly, for example for an ongoing service or product, then Direct Debit could be the most secure and efficient option for you.
Payment online using a credit or debit card lends itself well to one-off payments, however it’s not convenient for customers to go online every week, month, quarter, year etc. to make regular payments.
In 2018, 4.3 billion Direct Debits were processed in the UK. People now use Direct Debits to pay recurring fees securely and automatically, including utility bills, subscriptions and insurance premiums. The Direct Debit scheme is run by Bacs, is recognised by HM Treasury and is overseen by the Bank of England. It’s reliable and predictable for both payer (your customer) and biller (you).
How to Access Direct Debit
As with taking secure payments online, there are two routes. Either you do it yourself and become a Direct Submitter to Bacs, or you outsource to a third party as an Indirect Submitter.
As a Direct Submitter
A Direct Submitter must install the relevant Bacs-approved software and manage the creation, collation and submission of Direct Debit data files to Bacs. This involves training staff and having the correct licences and operational practices.
First, you must have a unique Service User Number (SUN). Your bank will run rigorous checks on your business’ size, financial health and operational procedures before it supplies you with a SUN.
Direct Submitters are often large corporations that manage a huge volume of Direct Debits and so prefer to handle the entire process in-house with a dedicated team and the appropriate infrastructure and software.
As an Indirect Submitter
Smaller businesses generally opt for the Indirect Submitter route. This involves outsourcing your Direct Debit collection process to a third party, called a Direct Debit Bureau.
Direct Debit Bureaux are approved by Bacs and submit all the data and files to Bacs on your behalf. They will also monitor your account and report to you on the status, including flagging if a Direct Debit is returned uncollected.
There are two ways to access the Direct Debit scheme as an Indirect Submitter: a bureau service or a managed service.
Bureau Service
This is for companies that have obtained a bank-sponsored SUN but don’t want to submit directly to Bacs because of the cost of acquiring Bacs software, the time needed for training and installation, and the ongoing staffing requirements.
Once you have your SUN from the bank, select a specialist provider, such as FastPay, and your bank will link your SUN to your chosen bureau’s number.
FastPay bureau services start from as little as 3p per Direct Debit and can be live in a day, rather than the months that it might take a Direct Submitter to be up and running.
Managed Service
Many sole traders, SMEs, charities, limited companies, partnerships and organisations will not be able to obtain a SUN from their bank. However, they can still access the Direct Debit scheme as an Indirect Submitter by using a managed service.
The managed service from FastPay provides you with a personalised SUN and starts at 10p per transaction, depending on the volume of Direct Debits.
As an Indirect Submitter using either FastPay’s bureau or managed service, you’ll receive:
- All the necessary templates and documents to run your scheme including a personalised Direct Debit Mandate in both paper and online form
- Fully integrated, professionally-designed and Bacs-approved paperless sign-up pages if you want to accept Direct Debit instructions online
- Guidance notes and a Bacs-approved script if you prefer to take instructions over the phone
- Cutting-edge, market-leading software that is always up to date with changes to Bacs or banking legislation
- The option to link your software with ours, using our advanced API or other integrations
- Friendly and knowledgeable staff always on hand with free lifetime email and phone support
- Full database management with reports available on your collections history using your online account or API
- Professionally-written Bacs-approved letters on your company letterhead to send to customers with any Direct Debit or Direct Credit issues
Making Secure Payments: Your Options
Upgrading your website to take secure payments is a great option for one-off payments.
You can either ensure you’re PCI compliant with the appropriate TLS/SSL certification or you can use a trusted payment solution provider.
However, if your customers want to make recurring payments then Direct Debit could be your best option. Customers can simply set up Direct Debits and then forget about them, knowing that they will reliably and predictably be taken at a pre-agreed time and for a pre-agreed amount.
You can also implement both methods to provide your customers with choices that suit their lifestyles, shopping habits and preferred ways to pay. As the popularity of tap-and-buy cards and the huge volume of Direct Debits processed demonstrate, customers are looking for speed, security and simplicity.
Offering a range of payment types and retiring old-fashioned or convoluted methods shows that you’re firmly on their side.