If you're looking for a new payment service provider or considering switching to a different one, it's important to ask critical questions about security to help you make the best decision for your business. The way a provider answers your questions will shed light on their approach to security and how they will protect sensitive cardholder data to mitigate your risk.
Question 1: How Do You Secure the Data?
Asking a payment provider how it secures the sensitive card and personal data it obtains helps you understand if it's handling and storing your customers' payment details safely and securely.
At a minimum, your payment provider needs to be PCI compliant. The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard by the Payment Card Industry Security Standards Council (PCI SSC) for the proper handling and storing of cardholder data from credit card transactions. PCI-certified auditors, known as Qualified Security Assessors or QSAs, assess businesses to ensure compliance. There are different types of PCI certification (most payment providers are Level 1 in the context of PCI DSS) so ask about any audits and certification levels your payment provider holds. The card brands have listings of PCI compliant service providers that you can search.
Question 2: How Do You Authenticate Data?
This question probes your payments partner about how they handle security once data leaves your platform, cloud or system. Your partner must authenticate data — verify card data and/or PII is correct. Learning how they do that will help you feel confident your customers' data stays secure throughout the entire process.
While you may not get to fully peek behind the curtain of a payment provider for security reasons, understanding their approach is helpful. Look for industry-standard protocols for securing APIs such as REST APIs that leverage OAuth (Open Authentication).
Question 3: How Do You Go Above and Beyond Compliance?
This question takes the first question one step further. Asking for details about how a payment provider approaches compliance from the foundational level and on a continuous basis will help you make sure their vision aligns with yours.
EMV, GDPR and PCI are table stakes, so you'll want to know what your payment service provider does to go above and beyond these industry standards and regulations to protect data proactively, as well as how it addresses potential vulnerabilities that arise. The best approaches will demonstrate that the payment provider understands where risks are, employs proper security to those risks and has compliance as a natural result of that security investment.
Question 4: How Does Your Technology Facilitate a Seamless Customer Experience While Applying Maximum Security?
Providing minimal friction and maximum security is critical for today's businesses. This is especially the case now that consumers use multiple devices to interact and transact. You can provide a frictionless and secure experience for your customers, but it's not easy to retrofit security measures so think about security as part of the onboarding process of new technologies and solutions. Get more actionable advice on this topic in our blog, Payment Security: Can it be Frictionless and Secure?
These security questions for your payment provider will help you feel comfortable with your decision. It's an important one that impacts your customers' data and your business' ability to compete.
Looking to explore payment security further? Get in touch with a Global Payments sales rep to tackle your payment security challenges.