1. Symantec/
  2. Confident Insights Newsletter/
  3. Secure Online Transactions

Secure Online Transactions

February 26, 2007


Have you been thinking about setting up shop online? Taking your goods and services to the Internet will increase your business potential in many ways.


Have you been thinking about setting up shop online? Taking your goods and services to the Internet will increase your business potential in many ways. However, e-commerce requires a commitment to securing transactional details, including credit card information from customers. As e-commerce has grown, so have security threats. Identity theft, data security breaches and phishing continue to top the list of consumer complaints. All of these factors undermine trust in digital commerce, and that is why it’s important for any small business to take the necessary steps to reduce customer concerns about shopping and banking online.

Payment gateways

In the spirit of the instant transactions that online shopping enables, you will need to set up a payment gateway on your e-commerce site that enables customers to pay by credit or debit card. One of the most important decisions you'll face is to choose the payment gateway. The gateway takes the submitted billing information from your customer’s computer, through your secure server, and on to your merchant account at a processing bank. The gateway transaction is seamless and invisible to the customer, but to those concerned about security, it is anything but invisible.

The payment gateway provider you select should maintain their operations in state-of-the-art datacenters and utilize the latest security methods. They should also be fully compliant with major credit card providers’ security initiatives, including the Visa Cardholder Information Security Program (CISP), MasterCard Site Data Protection (SDP), and Discover Information Security and Compliance (DISC). Also, any payment gateway you work with must be certified as a PCI Level 1 service provider. If you are considering using a lesser-known provider, verify that the service is compliant with all these initiatives. Otherwise you could end up paying higher fees, having your account closed, or having your organization added to credit card processing blacklists. Here is a list of PCI-compliant vendors.

Deterring fraud

As discussed, it is critical that the payment gateway you choose supports basic fraud detection and that all required authentication measures are in place. For the most part, credit card fraud is carried out by individuals that have only the credit card number — and not the physical card itself. Here are two authentication measures that payment gateway providers should have available:
  • The Address Verification System (AVS) authenticates a credit card purchase based on the billing address. During the online transaction, the customer is asked to supply their billing address, which should match the address on the credit card bill. The drawbacks to this kind of authentication is that it is very easy to mistype an address, or for an updated address to not be fully propagated within a credit card company.
  • The Card Verification Value (CVV), also known as Card Security Code (CSC), is an authentication method based on the 3 or 4 digit number on the back of VISA, MasterCard, or Discover cards, or on the front of American Express cards. This number, called the CSC (also known as a CCID or Credit Card ID), is used by merchants so that they can secure "card not present" transactions, as are those conducted over the Internet. Supplying this code in a transaction is intended to verify that the customer has the card in their physical possession.


When it comes to choosing a payment gateway provider, you need to scrutinize their security measures because your business’ reputation will depend on it. The provider should be effectively managing all facets of security on an ongoing basis. The data should be secured via a 128-bit Digital Certificate. The data center where the payment gateway servers are housed requires ongoing requirements regarding physical security as well as information security. The provider should have firewall and intrusion detection systems installed at the operating system and application layers, as well as have database security and transaction security in place.

Of course, your own business should adhere to the same stringent security guidelines you expect of your gateway provider. At a time when identity theft and fraud is on the rise, you need to ensure you have earned your customers’ trust before they will conduct business with you online.

Back to Newsletter

  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube