CardConnect Gr8at Payment Security Tips for Merchants


As a merchant, keeping both your back-end and front-end systems secure is essential. To avoid being hacked or scammed, and to stay Payment Card Industry (PCI) compliant, you need a payments platform that provides the security your business requires, so that you can run the business without worrying about any of the three.

What is PCI?

If any of the applications you use ever capture, process or store credit card information of any kind, those platforms must adhere to the data security guidelines of the PCI Security Standards Council. Otherwise, you may be subject to:

  • Payment fraud
  • Punitive fines
  • Costly litigation.

Here are eight security tips that will help you keep your business secure:

Payment Security Tip 1: Password Management 

When you or your staff are logging into your platform, everyone should be required to create an entirely unique password. Sticking with default credentials should be impossible.

Moreover, all newly created passwords should meet a minimum length (e.g., 16 to 20 characters). Ideally, they should use a mix of letters, numbers and special symbols, or be a multi-word passphrase. Any password that doesn’t meet these criteria should be automatically rejected.

In addition, the programs you use should never store passwords in plain text, and storing them encrypted is not the answer either: anything that can be decrypted can be stolen and decrypted. Instead, store only a salted hash produced by a slow, purpose-built password-hashing function (bcrypt, scrypt, Argon2 or PBKDF2), and compare hashes in constant time at login.

Finally, consider requiring (or at least offering) two-factor authentication (2FA). This extra layer of security may annoy some users, but 2FA is one of the most effective methods for preventing unauthorized access to accounts.

Payment Security Tip 2: Principle of Least Privilege

Lower-level personnel should never have access to higher-level information or functions. In other words, access should be granted on a “need-to-know” basis: each user, service and integration gets only the permissions its role requires, and elevated rights (refunds, settlement, exporting reports, changing gateway settings) are reserved for the few who need them and reviewed regularly.

Payment Security Tip 3: Build for the Cloud

The larger IT industry is moving away from on-site applications in favor of cloud-based platforms. As a merchant, there are compelling reasons why you should also embrace this trend: patching, hardening and monitoring of the platform itself become the provider’s job, and card data no longer has to live on hardware in your store. Keep in mind that this shifts responsibility rather than removing it; you still own your accounts, credentials, access controls and the devices that connect to the platform.

Payment Security Tip 4: PCI Compliance

You can’t control how payment processors are built, but you can control which payment processor you use. Be sure to select a trustworthy payments platform that seamlessly integrates PCI-compliance tooling as a default option. Using a validated processor reduces the scope of your own PCI obligations, but it does not eliminate them: any part of your environment that still touches card data remains your responsibility.

Payment Security Tip 5: Data Encryption

True payment security means having a payments processor whose security features encrypt all payment data as it is entered, while it is stored and when it leaves your system (at rest and in transit). All information, not just card numbers, should be protected. 

  • Tokenization replaces the card number (PAN) with a surrogate token that is only meaningful to the processor’s token vault. A stolen token cannot be turned back into a card number; depending on the scheme, a token may be single-use or reusable for later charges on the same card, which lets you support refunds and recurring billing without ever storing the PAN. 
  • Point-to-point encryption (P2PE) encrypts card data inside the card reader, before it reaches your POS software or network, so it can cross untrusted networks without ever being in cleartext on your systems. 
  • Hosted payment pages remove the need to capture, store or process customer card data within the systems you build; the customer enters card details directly into a page served by the processor. 

Although none of these will automatically make your platforms “PCI-compliant,” they shrink the part of your environment that is in scope and limit your fraud exposure.
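To make the tokenization bullet concrete, here is an added example (written for this page, not CardConnect’s vault or API) of what a processor-side token vault and a merchant-side record look like. The `TokenVault` class, the `tok_` prefix and the test card numbers are assumptions for the demo; the point is that the merchant stores only an opaque random token plus the last four digits, and a Luhn check rejects malformed numbers before they are ever vaulted. P2PE is not shown because it needs a hardware-rooted key in the reader.

```python
import secrets


def luhn_valid(pan):
    """Luhn check: filters typos and random digit strings before tokenization."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stands in for the processor's vault (assumed name). The merchant never
    instantiates this; it only ever sees the opaque token and display-safe fields."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan):
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        # Random, not derived from the PAN: a token must give no foothold for
        # brute-forcing the small space of valid card numbers.
        token = "tok_" + secrets.token_urlsafe(18)
        self._pan_by_token[token] = pan
        return {"token": token, "last4": pan[-4:]}

    def detokenize(self, token):
        """Only the processor calls this, at charge time."""
        return self._pan_by_token[token]


def merchant_record(customer_id, tokenized):
    """What the merchant's own database stores: no PAN, no CVV."""
    return {
        "customer": customer_id,
        "card_token": tokenized["token"],
        "card_last4": tokenized["last4"],
    }


def pan_leaked(record, pan):
    """Check a stored record (or a log line) for the full card number."""
    return pan in str(record)


if __name__ == "__main__":
    vault = TokenVault()                         # lives at the processor
    pan = "4111111111111111"                     # constructed test number
    tokenized = vault.tokenize(pan)
    record = merchant_record("cust_42", tokenized)
    print(record)
    print("PAN in merchant record:", pan_leaked(record, pan))   # False
    print("processor can recover:", vault.detokenize(tokenized["token"]) == pan)
```

The `pan_leaked` helper is worth running over your own database exports and application logs: a full PAN anywhere outside the vault puts that system back in PCI scope.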

Payment Security Tip 6: Fraud Filters

Be sure to work with payment processors that offer fraud management filters. That way you can set your own rules for flagging suspicious activity.

Payment Security as a Competitive Advantage

Adding extra safeguards to your platforms requires additional work. This is why many merchants regard payment security as an inconvenience. For the team at CardConnect, we view it as a competitive advantage.

Cyberattacks, payment fraud and data breaches have become the new normal. Independent software vendors (ISVs) that specialize in secure payment integration will win the lion’s share of new business, today and tomorrow. Although payment security isn’t always easy to manage, we have a department dedicated to helping merchants design PCI-compliant applications and tools.

Payment Security Tip 7: Carding Prevention

What is carding? Carding, also known as card testing, credit card stuffing or card verification fraud, happens when cybercriminals use one eCommerce platform to run large volumes of small purchases against stolen credit card numbers, in order to learn which numbers are still live before selling them or using them for larger fraud.

There are a variety of countermeasures that can prevent a carding event. Put simply, businesses need to protect both customer accounts and the eCommerce site’s payment flow.

  • CVV Validation. To defend customer accounts, you should require Card Verification Value (CVV) validation. This is the three- or four-digit code printed on the card (on the back of most cards, on the front of American Express). Merchants are prohibited from storing it after authorization, so stolen card dumps usually lack it and attackers are forced to guess.
  • AVS. You’ll also want to require an Address Verification Service (AVS) check. It tells you whether the billing address given online matches the one the card issuer has on file for the cardholder. 
  • Transaction Minimums. You should also set a minimum transaction amount above US$10, if possible (most carding events charge between $1 and $6). It also helps to require a valid login before users can reach your payment page. 
  • Throttle Transactions. Transaction throttling (rate limiting) can also prevent fraud. It caps how many authorization attempts you accept per account, per IP address and per card within a time window, so that a script trying thousands of numbers is slowed to a rate that is not useful for carding. This is about limiting attempts, not slowing down network transfer speeds.
  • Add reCAPTCHA. Integrating reCAPTCHA technology onto eCommerce sites can also defend payments. It makes it harder for bots and scripted automation to submit the payment form, though it is not a substitute for rate limiting, since CAPTCHA-solving services and headless browsers can get past it.

As you can see, a little preparation by eCommerce businesses can go a long way when it comes to preventing fraudulent attacks like carding. If you have questions on this topic, we are always happy to continue the conversation.
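The transaction-minimum and throttling countermeasures above can be expressed as velocity rules over a stream of authorization attempts. The code below is an added example written for this page, not a CardConnect fraud filter; the thresholds, the `CardingThrottle` class and the sample traffic (one legitimate checkout followed by a ten-card testing burst from one IP) are all constructed. It counts distinct cards per IP and attempts per account inside a sliding 10-minute window, flags sub-minimum amounts, and shows the window expiring so the same IP is not blocked forever.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Thresholds are illustrative; tune them against your own traffic.
WINDOW_SECONDS = 600            # sliding window: 10 minutes
MAX_DISTINCT_CARDS_PER_IP = 5   # one shopper rarely tries more than a few cards
MAX_ATTEMPTS_PER_ACCOUNT = 8
MIN_AMOUNT = 10.00              # the tip's transaction minimum


@dataclass
class Attempt:
    ts: int          # epoch seconds
    ip: str
    account: str
    card_fp: str     # card token or fingerprint; never the PAN itself
    amount: float


class CardingThrottle:
    """Sliding-window velocity checks over authorization attempts (assumed name)."""

    def __init__(self):
        self._by_ip = defaultdict(deque)       # ip -> deque of (ts, card_fp)
        self._by_account = defaultdict(deque)  # account -> deque of (ts, card_fp)

    @staticmethod
    def _evict(history, now):
        while history and history[0][0] < now - WINDOW_SECONDS:
            history.popleft()

    def evaluate(self, a):
        """Return the rules the attempt trips; an empty list means let it through."""
        reasons = []
        ip_hist = self._by_ip[a.ip]
        acct_hist = self._by_account[a.account]
        self._evict(ip_hist, a.ts)
        self._evict(acct_hist, a.ts)

        if a.amount < MIN_AMOUNT:
            reasons.append("below_minimum")
        distinct_cards = {fp for _, fp in ip_hist} | {a.card_fp}
        if len(distinct_cards) > MAX_DISTINCT_CARDS_PER_IP:
            reasons.append("card_velocity_ip")
        if len(acct_hist) + 1 > MAX_ATTEMPTS_PER_ACCOUNT:
            reasons.append("attempt_velocity_account")

        # Record the attempt whether or not it was flagged, so a flagged
        # client does not get a fresh budget.
        ip_hist.append((a.ts, a.card_fp))
        acct_hist.append((a.ts, a.card_fp))
        return reasons


# Constructed sample traffic: one legitimate checkout, then a card-testing
# burst of ten different cards at $2 from one IP, then that IP back 15 minutes later.
SAMPLE_ATTEMPTS = (
    [Attempt(0, "203.0.113.10", "alice", "tok_a1", 45.00)]
    + [Attempt(10 * i, "198.51.100.7", "guest", f"tok_c{i}", 2.00) for i in range(1, 11)]
    + [Attempt(1000, "198.51.100.7", "guest", "tok_c99", 50.00)]
)


def run_demo():
    """Evaluate the sample traffic in order and return the reasons per attempt."""
    throttle = CardingThrottle()
    return [throttle.evaluate(a) for a in SAMPLE_ATTEMPTS]


if __name__ == "__main__":
    for attempt, reasons in zip(SAMPLE_ATTEMPTS, run_demo()):
        print(attempt.ts, attempt.ip, attempt.card_fp, attempt.amount, reasons or "ok")
```

Keying the IP rule on distinct cards rather than raw request count is what separates card testing from a busy legitimate customer who retries the same card; in production the same structure is usually keyed on a device fingerprint or session as well, since carding scripts rotate IP addresses through proxies.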

Payment Security Tip 8: POS Security

What is a POS?

Point of sale (POS) is the space at the store where customers go to make a purchase. They pay for their items at a POS system, which is comprised of the software and hardware used to track the financial transaction. A POS can be a traditional plug-and-play credit card terminal, a browser-based virtual terminal, or it can come with a mobile credit card reader and app.

What is POS security?

POS security means creating a secure environment for customers to purchase and complete transactions. This includes preventing unauthorized users from accessing the payments system, thus protecting the business’s and customers’ sensitive data such as credit card information. Attacks of this kind, also known as POS attacks, target the POS applications and devices that handle the data for every purchase and transaction made through the POS system.

Run POS program updates regularly

While updating retail programs seems like such an easy thing to do, it is often overlooked. A diligent approach to managing patches ensures you are protected against newly discovered vulnerabilities.

Make sure you are actively using all programs installed in your system. If there are old programs no longer in use, be sure to uninstall them. To prevent updates from interrupting a point-of-sale transaction, set a reminder to check for regular updates before or after work hours. Setting time aside after business hours ensures you are not disrupting customer purchases while updating systems.