
Payment gateway security: 7 ways to secure your payments

Plural Online by Pine Labs

A report by Business Standard stated that, on average, 100 million online transactions are conducted every single day. Digitisation has made it easy for any business to conduct commerce digitally, and consumers find it extremely easy and convenient to complete payments online.

A surge in fintech solutions has helped businesses digitise payments. There are generally four parties involved in a transaction — the user, the user’s bank, the merchant, and the merchant’s bank. In order to facilitate an online payment, we have a fifth stakeholder — the payment gateway.

Payment gateways are intermediaries that facilitate online transactions between users and merchants (and their respective banks). The payment gateway is responsible for conducting the transaction, verifying that all parties are authentic, and securing all data involved in the transaction.

Since payment gateways handle sensitive information, like a user’s credit card number, it is extremely important for them to implement security methods that safeguard all parties involved. This has been the philosophy employed at Plural since day one — to implement security standards and protocols that safeguard our users, their information, and their money.

In this article, we’ll cover protocols and security methods that every payment gateway must consider implementing.

Payment Gateway Security Protocols and Methods

1. SSL (or TLS)

SSL (Secure Sockets Layer), and its successor TLS (Transport Layer Security), is a security technology that encrypts the connection between a client (such as a user’s browser) and a server over a public network. This ensures that data in transit cannot be read or tampered with by threats and criminals who could be looking to fish for information.

Implementing SSL is extremely important for payment gateways because they handle sensitive information like a user’s card details. By using SSL, you can ensure that the risk of data being stolen is mitigated.

Traffic moving over a connection secured by SSL uses HTTPS rather than HTTP, which is one way of identifying if SSL is implemented.

2. Data Encryption

Along with implementing SSL technology, you can also implement additional data encryption methods. This involves encrypting the data entered by users into ciphertext with a public key generated by the payment gateway. The encrypted data can be decrypted only by applications that hold the corresponding private key, which the payment gateway never shares.

The ciphertext cannot be read without the private key, so if it falls into the hands of a hacker it is useless to them, ensuring that sensitive data always remains safe.

3. SET Protocol

Secure Electronic Transaction, or SET, is a security protocol developed by Visa and Mastercard in conjunction with tech companies GTE, IBM, Microsoft, Netscape, SAIC, Terisa Systems, RSA, and VeriSign.

The SET protocol generates a digital certificate, and the transaction is verified through a combination of digital certificates and digital signatures between the user, the merchant, and the user’s bank. The use of digital certificates and signatures keeps the user’s card data hidden from merchants, ensuring privacy and confidentiality.

4. Tokenisation

Tokenisation is a security method in which the 16-digit card number entered by the user is replaced with a digitally generated identifier called a token.

The payment gateway is able to authenticate the user’s transactions using this token, but if the token were stolen by hackers, it would be extremely hard for them to convert the token back into the user’s card number.

Tokenisation ensures the safety of the user’s entered data as the generated token is only usable by the payment gateway. This token can be stored and used, so the user does not need to enter their card details, and all transactions are conducted using just the token.

The Reserve Bank of India (RBI) passed a mandate prohibiting businesses, payment gateways, and payment aggregators from storing customer card details on their servers. The RBI has only permitted card networks to store card details while all stakeholders, including businesses, payment gateways, and payment aggregators, must adopt the tokenisation guidelines and have compliant solutions in place by the 30 September deadline. Plural Tokeniser is a compliant solution by Plural. Write to us at pgsupport@pinelabs.com if you’re looking for a token solution.

5. 3D Secure Authentication

3D Secure Authentication is a security protocol that is quickly being preferred as a replacement for the SET Protocol.

3D Secure is an extra security layer for credit and debit card transactions executed online. It gets its name from the three parties (or ‘three domains’) involved in the transaction — the card user, the bank or merchant who will receive the money, and the intermediary party (like the payment gateway) that supports the 3D Secure protocol.

The 3D Secure protocol uses digital certificates sent over SSL for client authentication. In this method, the protocol redirects the transaction to the card issuer’s website for authorisation.

The issuer bank can use any method for authorisation, such as a password or a one-time passcode (OTP). Once the authorisation is verified, the payment gateway completes the transaction.

This keeps all sensitive data hidden from the merchant and receiving bank and ensures the user and the issuer bank are the only ones involved in the authorisation.

6. Address Verification Service

Address Verification Service, or AVS, is a security measure that checks the billing address entered by the card user during a transaction against the billing address the card issuer has on file, as one way of verifying the user’s identity.

AVS is an additional step that is carried out by the payment gateway along with other authorisation protocols. The debit or credit card issuer responds to the request by indicating if the address has matched and if the transaction should be processed or rejected.

AVS does not fully protect users from fraud as billing addresses can be stolen, but it is still an additional security step that helps deter criminals. It should be used in conjunction with other fraud prevention tools.

7. Anti-Fraud Tools

There are a lot of ways to mitigate fraud and security risks today. Apart from the security protocols we have mentioned so far, you can also implement fraud detection systems that use Artificial Intelligence and Machine Learning to detect anomalies in user transaction data to identify potentially fraudulent transactions.

These tools analyse user transaction data to build a picture of each user’s normal behaviour, which lets them spot anomalies. Because they can tell normal behaviour from suspicious behaviour, they allow you to stay proactive and stop a threat before it grows.

These methods work on predictions rather than proof, but they are still very accurate and effective in mitigating threats.

Other Preventative Measures You Can Follow

True safety comes from being proactive. Yes, there are standardised protocols and methods you can follow, and we have listed the important ones in this article, but you can implement additional fraud and threat prevention strategies that will help you stay proactive when threats do occur.

  • One such method is to train your AI monitoring system to not just analyse user transactions but also monitor application logs. This will help identify any vulnerabilities in the application.
  • Monitor all orders and compare the product values to the amount being deducted to ensure there are no fraudulent withdrawals occurring.
  • Notify users with order details and the amount deducted so that they can immediately respond if the transaction was not triggered by them.
  • Ensure that your support team is active and swift in responding to user queries. This will help you nip any threats in the bud.

With these methods in place, you can ensure that your payment gateway is as secure as can be. Write to us at pgsupport@pinelabs.com to get started.

Plural by Pine Labs has received an in-principle authorisation from the Reserve Bank of India (RBI) to operate as a Payment Aggregator.
