Security Information
What Should I Know About E-commerce Security?
The topic of e-commerce security can be both simple or complex depending on how a merchant chooses to setup their online payment system. Although our payment systems can support any type of integration, we recommend that small business owners take a simple approach to e-commerce security by using a method of integration that makes it impossible to touch, receive or store credit card information.
It is easy to accomplish this type of integration. You will not touch or store any sensitive information because your customers will enter their card details while they are directly connected to payment gateway.
Eliminating Cardholder Data - How It Works
Merchants that wish to use this method of integration will receive website hosting on the payment server. You have the ability to upload your graphics to the payment server and can completely customize the look and feel of the page so your customer will not be able to tell that they have in fact left your site and are directly connected to the payment gateway.
It is on this page that the customer will actually enter their credit card details. When they press the "Submit Payment" button the transaction details are securely encrypted and passed directly from their computer to the payment gateway. At no time was any part of this process handled from the merchants website. All information passes directly from the visitors browser to the banks payment server.
The gateway will check to see if the cardholder has sufficient funds, and if so the user is automatically directed back to your website. When the user is taken back to your website you will receive all of the transaction information -- except for the cardholder data. In place of the credit card number you get a reference ID for the transaction. All cardholder data is stripped away and it is impossible for you to have access to this information.
Instead of getting the transaction information you simply receive a "Y" if the transaction was approved, or a "C" if it was cancelled. Your shopping cart software will know everything it needs to know to complete the order, and you have managed to do so without ever touching, seeing or storing any cardholder data. The reference ID you receive can be used in your control panel if you later need to perform a refund or look up a transaction amount, but at no time, not even in your control panel, can you find or touch any credit card information of any kind.
If you eliminate the ability to come into contact with credit card information, you go a very long way towards making sure you have implemented a secure e-commerce solution.
Supported Security & Anti-Fraud Features
We offer extremely secure, bank endorsed, real-time credit card processing that utilizes a range of industry leading security technology, including AVS and CVV2.
AVS - AVS stands for "Address Verification". This is a unique anti-fraud mechanism, that verifies the shipping address the user enters matches the actual cardholder's address on record at the issuing bank.
CVV2 - CVV2 stands for "Card Verification Value". This is a 3 digit number found on the back of the customers credit card. This number provides an additional layer of validation as the customer must have the credit card physically present, in order to determine the CVV2 number.
3DSecure - 3DSecure is one of the newest methods of combating fraud and is an important tool in any online merchant's arsenal. More information on 3DSecure can be found here.
Most importantly, we have carefully developed our processing solution in a way that ensures the merchant will never come into contact with any credit card numbers whatsoever.
Merchants using the HTML method of integration cannot come into contact with sensitive information because credit card numbers are entered while the user is directly on a page hosted by the payment gateway. Because the credit card numbers are never seen by the merchant, and are not stored or recorded in any way, this removes the possibility of credit card numbers being lost or stolen. This greatly reduces the risk of liability for the merchant and increases security for the customer.
Note that advanced customers can choose to accomplish an XML integration which will enable them to retain full control over the user session throughout the payment process.
Is Verified by Visa / MasterCard SecureCode supported?
The payment system fully supports 3DSecure - Verified by Visa and MasterCard SecureCode.
Verified by Visa is an additional layer of password protection on top of the standard anti-fraud protections built into the gateway. Verified by Visa is an interesting and favorable security feature for online merchants because if a transaction has been validated using Verified by Visa cardholders cannot claim that the transaction was unauthorized. This shifts some of the risk from the merchant onto the cardholder, making it a very desirable security feature for online merchants.
The Verified by Visa and MasterCard SecureCode service is included at no additional charge.
What Is SSL (Secure Socket Layer)?
SSL stands for Secure Socket Layer. SSL is a method of encryption that is used to protect sensitive data as it is passed across the internet. Modern SSL encryption is so strong that it has been calculated that a 128 bit symmetric key would, on average, take more time to crack by brute force than the solar system has left before the sun goes nova and swallows the earth.
Do I need SSL on my webserver?
SSL is required depending on the type of integration you choose to implement. With the HTML integration credit card numbers are entered while the user is on a page hosted directly by the secure payment gateway, thus SSL is not required. However, merchants utilizing the more advanced XML integration will require a SSL certificate and will need to demonstrate PCI compliance.
The type of integration you choose to use is up to you. If you are not certain which type of integration will prove a better choice for your business do not hesitate to contact a customer service representative for assistance.