Payment Security Essentials

Follow this advice to minimize the risk of breach or data loss to you or your customers.

So, you have a killer app and are starting to really establish a presence in the market, but your users are asking you to include point-of-sale payments. Great – your users are talking to you! And they want more!

Surely adding this one feature can’t be that difficult – everyone seems to be doing it.

But what about those recent HACKS splashed all over the news? Is that going to be the next headline for your app? Will you be liable if credit information from your customers is stolen? Unfortunately, yes – you could be liable.

The good news is that there are payment security techniques you can use to minimize the risk. Here are a few simple rules to follow:

  1. Don’t “go it alone.”

There are plenty of processing partners out there who offer secure payment acceptance capabilities every day, so don’t try to create your own custom solution. It’s too hard to stay ahead of the hackers.

  2. Be selective.

Don’t judge a payment partner on their sexy reader or raw cost. The single most important thing in payments is security, so look at those features first. Pick a partner with a solution that guarantees they never give your application access to information that falls within the scope of the Payment Card Industry Data Security Standard (PCI DSS). That means THEY have to pass an annual audit, but most of it doesn’t apply to your system because cardholder data never flows through your app.

  3. The safest data is no data.

There is absolutely no reason for you to store card numbers in your system. Ever. Anyone who tells you different is NOT a good choice as a payment partner. In any secure system, you can get back a TOKEN that represents the card number (for setting up recurring charges), and you can get back a transaction REFERENCE NUMBER (for crediting or voiding the sale). In either case, there is no CARD NUMBER which needs to be stored.
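As an added illustration of this rule (example code, not from the article or from NAB), here is a Python storage guard that keeps only the TOKEN and REFERENCE NUMBER a partner returns and refuses to persist any value that still looks like a card number. The field names and the sample gateway response are assumptions constructed for the example, not any real processor's API.

```python
"""Storage guard: persist only the token and reference a payment partner
returns; reject any record that still carries a card number (PAN)."""
import re

# Constructed sample response; field names are assumptions for this example.
SAMPLE_RESPONSE = {
    "token": "tok_7f3a9c2e1b",          # reusable token for recurring charges
    "reference": "ref_20240115_00042",  # transaction reference for void/credit
    "amount_cents": 1999,
    "last4": "4242",
    "card_number": "4242424242424242",  # must never reach our storage
}

ALLOWED_FIELDS = {"token", "reference", "amount_cents", "last4"}
# A run of 13-19 digits, optionally separated by spaces or dashes.
DIGIT_RUN = re.compile(r"\d[\d \-]{11,21}\d")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; True for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value) -> bool:
    """True if a string holds a card-length digit run that passes Luhn."""
    if not isinstance(value, str):
        return False
    for m in DIGIT_RUN.finditer(value):
        digits = re.sub(r"[ \-]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def sanitize_for_storage(response: dict) -> dict:
    """Drop every field not on the allow-list, then refuse the whole record
    if a retained value still looks like a PAN (a sign the integration is
    leaking cardholder data into your app)."""
    record = {k: v for k, v in response.items() if k in ALLOWED_FIELDS}
    for key, value in record.items():
        if looks_like_pan(value):
            raise ValueError(f"refusing to store {key!r}: value looks like a card number")
    return record
```

Running the same guard over records already in your database is a cheap way to detect whether a PAN has ever slipped in through a mislabelled field.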

  4. Transportation matters.

The way card information moves from your card reader to the gateway or processor can be fully secure, or not at all. The best solutions are P2PE – point to point encrypted. That means that the card has been mangled into an encrypted form before it even comes out of the reader, and the only one who can un-mangle it is the gateway which is supposed to handle that payment on the other end. It’s like having a bodyguard from one end of the trip to the other.

  5. All methods are not equal.

Just like choosing a reader which is P2PE (a surprising number of them are not), the way your customers provide their card information can also trip you up. Yes, you can simply let people swipe (with a magnetic stripe reader) or tap (NFC/contactless reader), but your best bet is to make them dip (EMV reader) – where they insert their card to read the chip. That’s because magnetic stripe information can be duplicated, but the chip generates a one-time transaction code for each payment, which makes it really hard for hackers to create a duplicate card.

So go on – add those payment features and meet more user demands. But first, choose a payment partner who can help with your security before you even get started.

Carol Oles is a software and security expert with more than 15 years of experience guiding IT enterprise solutions. Oles is currently the director of channel support at North American Bancard (NAB). NAB’s Velocity provides ISVs, software developers and businesses secure, integrated and customizable payment solutions.