Four security questions to ask your payment provider
Editor's note: This article was updated on October 4, 2021 from its original publish date of October 18, 2019.
Considering a new payment service provider? Security should be top of mind. It's important to ask these four critical security questions of your payment provider to help you make the best decision for your business. The way a provider answers your questions will shed light on their approach to payment security and how they will protect sensitive cardholder data to mitigate your risk.
1. How do you secure data?
How a payment provider secures sensitive card and personal data helps you understand if it's handling and storing your customers' payment details safely and securely.
At a minimum, your payment provider needs to be PCI compliant. The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for the proper handling and storing of cardholder data from credit card transactions. PCI-certified auditors, known as Qualified Security Assessors (QSAs), assess businesses to ensure compliance. There are different types of PCI certification, so ask about any audits and certification levels your payment provider holds. Most payment providers are Level 1 in the context of PCI DSS, which is the minimum you should expect when it comes to data security compliance.
2. How do you go above and beyond compliance?
Yes, it's important for a payment provider to meet compliance standards, but this payment security question helps you go one step further. Asking for details on how a payment provider approaches compliance from the foundational level and on a continuous basis will help you make sure their vision aligns with yours.
EMV, GDPR, and PCI are table stakes. So how does your payment service provider go beyond these industry standards and regulations to protect data proactively? How do they address potential vulnerabilities as they arise?
The best approaches will demonstrate that a payment provider understands where risks are, employs proper security to those risks, and manages compliance as a natural result of that security investment.
3. How do you authenticate data?
This security question for your payment provider will probe how they handle security once data leaves your platform, cloud, or system. Your partner must authenticate data on their end, verifying that card data and personally identifiable information are correct. Learning how they do that will help you feel confident your customer data stays secure throughout the entire process.
And while you may not get a full peek behind the curtain for security reasons, understanding your payment provider's approach to authentication security is helpful. Look for industry-standard protocols for securing APIs, such as REST APIs that leverage Open Authorization (OAuth).
4. How does your technology facilitate a seamless customer experience while applying maximum security?
It's critical for your business to be able to provide minimal friction and maximum security. This is especially true now that consumers use multiple devices to interact and transact. You can provide a frictionless and secure payment experience for your customers, but it's not easy to retrofit security measures. So, think about security as part of the onboarding process of new technologies and solutions.
Your choice of payment provider will not only impact your customers' data security, it will impact your business' ability to compete. These security questions for payment providers will help you feel comfortable with your decision.