Is Your Payment Processor Secure? 5 Questions to Ask Today

October 14, 2021

One of our recent blog posts discussed what merchants can do to protect payment card data and help prevent fraud in the face of rising ecommerce sales that make stealing card information increasingly easy and tempting to bad actors. All told, online sellers will lose $130 billion to payment fraud between 2018 and 2023, Juniper Research estimates.

But payment processors play an even more critical role in data protection. Any processor a merchant is considering should have robust security, encryption, and redundancy measures in place to keep data safe and ensure network operations. Here are five questions you should ask your payment processor to support you and your customers to maximize protection against data theft and fraud.

Are you PCI compliant? PCI compliance means following the Payment Card Industry Security Standards Council rules to protect customer payment card data. Maintaining payment security is required for all entities that store, process, or transmit cardholder data, including payment processors. Any business or merchant that accepts credit card payments also must maintain PCI compliance and ensure the compliance of any vendors that supply it with software or services, including those same payment processors. Guidance for maintaining payment security is provided in the PCI security standards.

  • MerchantE is a Level 1 PCI Validated Service Provider, reserved for organizations that process more than 300k transactions per year. It is the highest and most stringent of the PCI Data Security Standard levels.

Does your organization participate in SOC (System and Organization Controls) assessments? SOC assessments evaluate service providers to see whether they are operating in an ethical and compliant manner. In a SOC assessment, independent third-party auditors examine various aspects of a company, such as security, availability, and processing integrity.

  • MerchantE undergoes an annual SSAE-18 SOC1 and SOC2 assessment, which sets the standard for how IT service providers should manage their systems to ensure security of customer data. It examines the controls a service organization’s system uses to process customer data and maintain confidentiality of information processed by those systems.

How do you make sure data is transmitted safely? To securely transmit data, payment processors need to adhere to multiple standards and protocols:

  • HTTP Strict Transport Security (HSTS). This widely supported standard protects visitors by instructing their browsers to connect to a website only over HTTPS, never over plain HTTP. Enabling HSTS is one of the requirements for a service provider to earn an A+ grade from SSL Labs, the highest possible rating. SSL Labs is a collection of documents, tools, and thinking related to SSL (Secure Sockets Layer, a security protocol that creates an encrypted link between a web server and a web browser).
  • Transport Layer Security (TLS), the successor to SSL. As with SSL, TLS is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and Voice over IP, and is the security layer in HTTPS.
  • Perfect Forward Secrecy (PFS) with cipher suites. PFS means that the encryption system negotiates a fresh, short-lived key for each session instead of deriving session keys from a single long-term key, so keys change automatically and frequently. If a key is compromised later, past communications still cannot be decrypted. A cipher suite is a set of algorithms that help secure a network connection. The algorithms perform various functions: they encrypt data, ensure its integrity, and authenticate a server or client. They also determine the compatibility and performance of HTTPS connections.
  • Tokenization is the process of turning a meaningful piece of data, such as an account number, into a random string of characters called a token that has no meaningful value if compromised. It protects payment data during transaction processing and when stored for future use.
  • MerchantE uses HSTS to enforce encrypted internet traffic and maintains an A+ rating from SSL Labs. All internet connections enforce TLS 1.2 at a minimum with a preference for Perfect Forward Secrecy (PFS) cipher suites. This advanced security is supported by proprietary tokenization services.
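The transport controls listed above (HSTS, a TLS 1.2 floor, and forward-secret cipher suites) are things a merchant can verify rather than take on faith. The script below is an added example written for this post, not MerchantE code and not a description of its systems: it checks a response's Strict-Transport-Security header against the one-year policy that SSL Labs and browser preload lists expect, builds a client TLS context that refuses anything below TLS 1.2 and offers only ephemeral key exchange, and audits a cipher list for suites that lack forward secrecy. The sample headers and cipher entries are constructed inline so it runs offline; the `CIPHER_STRING` and the set of key-exchange labels are assumptions about OpenSSL naming, not values from the post.

```python
"""Added example (not MerchantE code): validate HSTS, minimum TLS version,
and forward-secret cipher suites against constructed sample data."""
import ssl

ONE_YEAR = 31536000  # seconds; the HSTS max-age threshold SSL Labs and preload lists expect

# Assumed OpenSSL cipher string: only ECDHE/DHE key exchange, no anonymous or broken suites.
CIPHER_STRING = "ECDHE:DHE:!aNULL:!eNULL:!MD5:!RC4"

# Key-exchange labels Python's ssl.get_ciphers() reports for ephemeral exchanges (assumption).
FORWARD_SECRET_KEA = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk", "kx-any"}


def parse_hsts(header_value):
    """Split a Strict-Transport-Security value into lower-cased directive names and values."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def check_hsts(headers):
    """Return findings for the HSTS policy in a response; an empty list means it passes."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header: browsers may still use plain HTTP"]
    directives = parse_hsts(value)
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["max-age directive missing or not an integer"]
    findings = []
    if max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set: subdomains can still be downgraded")
    return findings


def is_forward_secret(cipher):
    """True when a cipher entry uses an ephemeral key exchange.
    Every TLS 1.3 suite does; a TLS 1.2 suite must be ECDHE or DHE."""
    if cipher.get("protocol") == "TLSv1.3":
        return True
    if cipher.get("kea") in FORWARD_SECRET_KEA:
        return True
    return cipher["name"].startswith(("ECDHE-", "DHE-", "EDH-"))


def audit_ciphers(cipher_entries):
    """Return the names of cipher entries that do NOT provide forward secrecy."""
    return [c["name"] for c in cipher_entries if not is_forward_secret(c)]


def build_client_context():
    """Client SSLContext that refuses TLS < 1.2 and offers only forward-secret TLS 1.2 suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHER_STRING)
    return ctx


def min_version_name(ctx):
    """Name of the lowest protocol version the context will negotiate, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    # Constructed sample responses: one that passes and one that does not.
    good = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
    weak = {"Strict-Transport-Security": "max-age=300"}
    print("good policy findings:", check_hsts(good))
    print("weak policy findings:", check_hsts(weak))

    # Constructed cipher entries in the shape ssl.SSLContext.get_ciphers() returns.
    sample = [
        {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "kea": "kx-any"},
        {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-ecdhe"},
        {"name": "AES128-SHA", "protocol": "TLSv1.2", "kea": "kx-rsa"},  # static RSA: no PFS
    ]
    print("suites without forward secrecy:", audit_ciphers(sample))

    ctx = build_client_context()
    print("minimum version:", min_version_name(ctx))
    print("non-PFS suites left in context:", audit_ciphers(ctx.get_ciphers()))
```

The HSTS check reads a header you already have (from a `curl -I` of the processor's endpoint, for example), so it needs no network access; the context builder is what you would hand to your own HTTP client when calling the processor, so that a downgrade to TLS 1.0/1.1 or to a static-RSA suite fails at handshake time instead of silently succeeding.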
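The tokenization bullet above describes a property, not a mechanism: the token must carry no information about the account number it stands for. The following added example, written for this post and unrelated to MerchantE's proprietary tokenization service, shows the minimal design that delivers that property: a vault that issues a random token for a Luhn-valid card number, keeps the only mapping back to it, and lets the merchant store and display a masked form. The `tok_` prefix, the token length and the PAN length limits are assumptions chosen for illustration; the card number in the demo is the well-known test value 4111 1111 1111 1111, not real cardholder data.

```python
"""Added example (not MerchantE code): a minimal token vault showing why a
token has no meaningful value if it is compromised."""
import re
import secrets


def luhn_ok(digits):
    """Luhn check digit validation, run on the PAN before a token is issued."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def display_form(pan):
    """Masked form a merchant may keep and show: all but the last four digits hidden."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Maps card numbers (PANs) to random tokens.

    The vault is the only component that can reverse a token, so it is the
    only component that belongs in PCI scope; the merchant stores tokens."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        """Return a token for a valid PAN; the same PAN always gets the same token."""
        digits = re.sub(r"\D", "", pan)
        if not 12 <= len(digits) <= 19 or not luhn_ok(digits):  # length bounds are an assumption
            raise ValueError("not a valid card number")
        if digits in self._token_by_pan:
            return self._token_by_pan[digits]
        # 128 bits from the OS CSPRNG: no relationship to the PAN, so it cannot be
        # reversed or guessed without access to the vault itself.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token):
        """Recover the PAN for a token issued by this vault; unknown tokens raise KeyError."""
        return self._pan_by_token[token]

    def __len__(self):
        return len(self._pan_by_token)


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111 1111 1111 1111"     # industry test number, not real cardholder data
    token = vault.tokenize(test_pan)
    print("merchant stores:", token, "and shows", display_form(test_pan))
    print("vault recovers:", vault.detokenize(token))
    print("repeat tokenization is stable:", vault.tokenize(test_pan) == token)
```

In a real deployment the vault's mappings live in an encrypted store inside the processor's environment and the merchant never sees the PAN after the first submission; the point of the example is that a stolen token table yields nothing without that store.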

What kind of network redundancy do you have in place? Redundancies work by connecting multiple channels of power, communication, and storage within network infrastructure. Redundancies are a form of insurance against failures. Multiple paths of connection and multiple places to store data minimize the potential loss of both. They also can mitigate attempts to render a network inoperable, because data centers can reroute services in case of an attack.

Ideally, a payment processor will maintain redundant connectivity to multiple Tier 1 Internet Service Providers (ISPs). Tier 1 providers are the big guns – AT&T and Verizon, for example – that offer broader reach and reliability than smaller networks.

  • MerchantE offers redundancy through multiple Tier 1 ISPs and all its processing systems and data are contained within redundant, geographically dispersed data centers in the United States.

What kind of support do you provide to customers to help them with their security programs? In addition to being PCI-compliant themselves, a payment processor should be able to assist you with your compliance.

  • MerchantE customers receive the tools needed to implement and supplement their own security programs, including access to PCI security checklists, templates to build robust security policies, on-demand payment card training modules for employees, and a $100k breach protection program that reimburses some expenses in the event of a data compromise.

Get the Right Answers

While payment card fraud affects all businesses, large organizations are able to absorb losses more easily than small- to medium-size ones. But whether your business is large or small, ensuring that your payment processor does everything it can to guard against data theft is essential. Before entering into any payment processing relationship, ask the provider the right questions about data security – and make sure you get the right answers to them.

Ensuring the privacy and security of data entrusted to us is at the core of MerchantE's mission.
