Hackers are getting more sophisticated, and one area they love to attack is the online checkout experience on eCommerce websites, making secure payment forms more important than ever.
For example, Malwarebytes researchers recently found an expertly placed web skimmer on the Tupperware checkout page.
According to the State of Malware Report from 2020, “Malwarebytes researchers, who were among the first to find this web skimmer, noted that there was ‘a fair amount of work put into the Tupperware compromise to integrate the credit card skimmer seamlessly and stay undetected for as long as possible.’”
What makes this attack so devious is how the hackers went out of their way to hide the payload—they used an impersonation trick to make the skimmer look like Cloudflare feature that improves web page load times.
We recently spoke with several software developers and asked them what they thought about protecting customer information and preventing data breaches during checkout. We heard a wide variety of responses, such as:
- Using an AVS (Address Verification Service)
- Stacking payment gateways
- Using encrypted payments
Aside from using SSL certificates and ensuring your website is PCI-DSS compliant, here are seven other ways software developers can create a more secure checkout.
Note: FastSpring is the No. 1 full-stack commerce platform for SaaS and software sellers worldwide! Book a demo or create an account today to see how we can help you grow your software business.
Securing the Checkout Process: 6 Ways to Protect Customer Payment Info
1. Use eCommerce Fraud Protection
Artem Minaev, a Co-Founder of FirstSiteGuide, recommends using eCommerce fraud protection software on your website.
“The software scans through information continuously to ensure that everything matches up between a buyer and their payment. In some cases, they can search whether the buyer’s card matches their IP address.”
You can also opt for a service with a fraud protection managed services solution to monitor fraud on your behalf.
2. Use Payment Tokenization
Julian Witkowski from Sunscrapers suggests using payment tokenization. “By turning sensitive payment information to a string of randomly generated digits, credit card tokenization de-identifies it. As a result, the data can be delivered over the internet or through payment networks to complete the transaction without being revealed.”
Tokens also allow you to store credit card information in your system. Because they contain no credit card data, the PCI-DSS requirements are instead delegated to the payment gateway provider, eliminating your risk.
3. Research Prospective Credit Card Processors
There are many things you’ll need to take into consideration when researching credit card processors. In addition to transaction and other fees, look at their fraud resolution services to see what support you will have if the unthinkable should occur.
Reading online user reviews can also provide intelligent insights into the quality and reputation of the payment gateway provider. “Before using any payment system, spend a few days reading online reviews, ratings, comments, and jump on the board. Don’t search for the cheapest solutions – search for better security,” explains Ted Capwell, Founder & CEO of SafeTradeBinaryOptions.
4. Outsource Payment Forms
Daniela Sawyer, founder of FindPeopleFast, suggests a low-cost alternative to developing payment forms on your own. “I prefer to use third-party solutions for preparing forms and securely integrating them onto my platform,” said Daniela.
She also recommends third-party secure payment forms for mobile payments as well. “Most services support almost all of the payment methods. Customers who use mobile devices will immediately see a mobile version of the payment form.”
There are other advantages to using this method of securely handling customer payment information. The forms easily integrate with the website, and there are no significant development start-up costs. By partnering with a reputable software supplier, you can rely on them to guarantee that security standards are met.
5. Scan and Update Your Website Regularly
Hackers often target what they consider to be low-hanging fruit—such as deprecated eCommerce software platforms like Magento 1.x, which is no longer patched or supported by its developers.
Haroon Sethi, CEO & Founder at Proqura, suggests to “always make sure that your website is up-to-date. Install the newest versions available and make it impossible for hackers to gain access to any information through any bug in the older versions.”
3rd party plugins are also another vector that hackers target. Try to limit the plugins on your website to as few as possible. You can even go as far as setting up Google alerts to monitor mentions of plugin compromises in the news.
Kyle MacDonald, Director of Operations at Force by Mojio, takes scanning one step further. “We have a FIM (file integrity monitoring) system that detects and alerts us to any unauthorized or unexpected changes made to files.” Continually monitoring for server file changes can provide an early warning that an intrusion has occurred.
6. Use the Direct Post Method
The Direct Post Method works well for merchants who need more control over the look and feel of the payment form. However, you’ll need a good understanding of the PCI DSS security requirements to implement it.
Vadim Belski, Head of Web Development at ScienceSoft, is a proponent of the Direct Post Method. “For this method, we build enhanced security for an online payment form to prevent malicious attempts to change it and steal a cardholder’s information at the step of completing the form,” Vadim says.
Merchant of Record (MoR): Secure Payment Forms for Software and SaaS Companies
As attacks on online checkout forms grow in complexity, many software and SaaS companies are turning to a merchant of record (MoR) to manage the shopping cart and checkout experience, improving compliance, security, authorization rates, and retention rates. A MoR also handles sales tax and VAT, freeing you to focus on building your software product.
Your customers still visit your website to purchase your software, but the MoR handles the entire transaction. The MoR also manages all aspects of billing, from PCI-DSS compliance to sales tax collection and reporting.
Note: Learn more about how FastSpring can add value to your growth-stage software or SaaS business and provide you with a better checkout experience that drives more conversions.