Data security on e-commerce websites or an online payment system begins the moment a user lands on the site. The TLS Certificate tells users that the data transmitted between the web server and their browser is safe.
As a payment provider, Razorpay uses the highest-assurance SSL certificate on its website, the EV SSL (Extended Validation SSL) certificate.
Without TLS encryption in place, all data sent over the Internet travels in the clear and is visible to anyone with the means and intent to intercept it. An easy way to check whether an e-commerce website you frequent is SSL certified is to look at the URL and see whether it uses the ‘http://’ or the ‘https://’ protocol.
The additional ‘s’ signifies a secure e-payment system. You can also look for the padlock icon at the beginning of the URL. Modern web browsers, in their race to make the Web secure by default, now follow the opposite paradigm and mark plain HTTP sites as “insecure”.
The PCI Security Standards Council is a global organization that maintains and promotes compliance rules for managing cardholder data for all e-commerce websites and online payment systems.
The Payment Card Industry Data Security Standards (PCI-DSS) is in effect a set of policies that govern how sensitive cardholder information should be handled.
Fact: The PCI Security Standards Council was created as a joint initiative by the four major credit-card providers: American Express, Visa, MasterCard, and Discover, in the year 2004. Over the years, the PCI-DSS standard has become the guiding principle for online security across the globe.
For an e-commerce website or an online payment system to be PCI-DSS compliant, it has to follow certain directives:
Maintain a secure network to process payments: This involves using robust firewalls that can protect against malicious traffic. Further, the website or payment gateway should not use default credentials such as manufacturer-provided PINs and passwords, and must allow customers to change these credentials as needed.
Ensure all data is encrypted during transmission: When cardholder data is transmitted online, it is imperative that it be encrypted. Razorpay encrypts all information you share using checkout via TLS (Transport Layer Security). This prevents data interception during transmission from your system to Razorpay.
Fact: On the Razorpay Payment Gateway, all the details entered by a user like their name, address, and credit/debit card information are used only to process and complete the order. Razorpay never stores sensitive information like CVV numbers, PINs etc.
Keep infrastructure secure: This directive involves keeping abreast of new PCI-DSS mandates, using up-to-date software and anti-malware tools to protect against known software vulnerabilities, and running regular system and software scans to ensure maximum data protection.
Restrict information access: An important part of securing online payments on e-commerce websites is restricting access to confidential information so that only authorized personnel will have access to cardholder data. Cardholder data must be protected at all times – both electronically and physically.
Tokenization is a process by which a 16-digit card number gets replaced by a digital identifier known as a ‘token’. This is done to ensure the safety of the original data while allowing payment gateways to securely access the cardholder data and initiate a secure payment.
Fact: Even if a website gets breached and the tokens stored are hacked, it is immensely difficult to reverse-engineer the actual card number from the token itself. To do this, one needs access to the logic used for tokenization, which is not publicly available.
Credit card tokenization helps e-commerce websites improve security, as it eliminates the need for storing credit card data, and reduces security breaches. For more on how tokenization works and impacts online payments, you can read our in-depth blog.
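A minimal tokenization vault, as an added example that is not Razorpay's code: the merchant keeps only the random token, and only the vault (gateway side) can map it back to the card number. The PAN, vault layout and token format are constructed for illustration.

```python
import secrets

# Constructed in-memory vault: token -> PAN. In a real deployment this lives
# inside the PCI-scoped gateway environment, never on the merchant's servers.
_VAULT = {}


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects obviously malformed card numbers before tokenizing."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize(pan: str) -> str:
    """Replace a 16-digit PAN with a random token that exposes only its last four digits."""
    if not (pan.isdigit() and len(pan) == 16 and luhn_valid(pan)):
        raise ValueError("not a valid 16-digit card number")
    # The token is random, not derived from the PAN: someone who steals the
    # tokens alone has nothing to reverse-engineer without the vault.
    while True:
        token = "tok_" + secrets.token_hex(12) + "_" + pan[-4:]
        if token not in _VAULT:
            break
    _VAULT[token] = pan
    return token


def detokenize(token: str) -> str:
    """Gateway-side lookup; the merchant never calls this."""
    if token not in _VAULT:
        raise LookupError("unknown token")
    return _VAULT[token]


def masked(token: str) -> str:
    """What the merchant may show the customer: only the last four digits."""
    return "**** **** **** " + token[-4:]
```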
Two Factor Authentication, aka 2FA, or two-step verification is an extra layer of security added by e-commerce websites to ensure a secure payment for a customer.
This is a customer-facing authentication step, mandated by regulatory bodies like the RBI: the transaction is processed only after the user supplies something that only they know, or something only they have at hand (like a physical token or a security key). Many banks and other e-payment gateways also use 2FA for their own payment modes.
Fact: 2FA is not a newly-minted technology, but it has recently become the de-facto method of authentication in the digital age. In 2011, Google announced 2FA for heightening online security for its service. MSN and Yahoo followed suit.
When you use Net Banking for a transaction, you are first asked to enter your username and password. As a final confirmation, the bank sends an OTP to your registered mobile number. This process, mandated by the RBI, is divided into two levels of authentication:
What the user knows: In this step, users fill in their card/Net Banking details such as username and password. This helps the payment gateway recognize which bank the card belongs to.
What the user (and only the user) has: This step is known as ‘Authorization’ and is done through the OTP/PIN/CVV. The bank (and the payment gateway) can then confirm that the request for payment is initiated by the rightful user.
Apart from these mandatory protocols, most e-commerce websites and payment gateways have their own fraud and risk prevention systems. Big data analytics and machine learning play a huge role in devising these risk prevention and mitigation systems.
By delving into our customers’ data and analysing patterns, we at Razorpay can discern between a ‘normal’ and a ‘suspicious’ transaction with credible accuracy. Apart from this, there is a lot that you as a customer can do to reduce the risk of fraud.
If you are building an e-commerce website, remember that fraud prevention requires that you follow all the above-mentioned protocols. Or find a payment gateway (hello there!) that has stringent security protocols already in place.