Voice of the Industry

5 golden rules of ePayments

Friday 5 June 2020 09:35 CET | Editor: Mirela Ciobanu | Voice of the industry

As e-payments become more intermingled with physical card transactions from tech giants, Anne Bailey from KuppingerCole reviews some golden rules of e-payments for merchants.

Word got out recently that Google may launch their own physical debit card to accompany the already existing Google Pay. Its current Google Pay use cases for online and P2P payments with a bank-issued payment card would be expanded to allow physical payment with many more merchants. Although the details are not yet clear, the Google debit card would likely be supported by Citibank and Stanford Credit Union to provide the accounts, and Visa to provide the chip network. This also comes in competitive contrast to the Apple Card, a credit card that also expands the native wallet app in iOS devices.

The US and Europe lag behind East Asia in e-payment adoption, but the impending launch of these fintech payment services from major tech companies is reminiscent of Alipay emerging out of tech giant Alibaba, which is now by far the dominant payment method across China. While it’s unlikely that Europe and the US will see such a rapid adoption rate of mobile-based payments, these launches favour the preference of US consumers for cards and may ease the transition to cashless payments for European customers. Nevertheless, as e-payments become more intermingled with physical card transactions from tech giants, it is useful to review some golden rules of e-payments for merchants, to have a steady foundation from which to move forward.

Transaction security

PIN Transaction Security (PTS) devices still provide the strongest form of security for transactions: according to the Payment Card Industry (PCI) Security Standards Council, PTS devices still carry the lowest threat, especially when they are combined with point-to-point encryption (P2PE).

This is relevant for the upcoming Google Card, as it would enable Google Pay transactions to be authenticated and executed with a physical device.

Preventative cyber-health

Regardless of whether an ecommerce merchant outsources their payment services to a compliant third-party payment service provider, there is always a risk of data being compromised on the merchant’s own page because of poor security practices, for example a malicious party interfering with how a customer is redirected to the third-party service provider’s page by inserting a false payment page. Practice good preventative cyber-health, such as using strong passwords, following data minimisation guidelines, and coordinating with your third-party service providers.

As a merchant, outsourcing your payment services entirely to a tech giant payment services provider doesn’t protect you entirely from risk, although it is more secure than providing the payment service yourself.

Tokenisation and encryption

Tokenise or encrypt any card data that must be stored. Both methods make card data useless if stolen, which should go a long way towards deterring a cyber incident. Tokenisation substitutes card data with meaningless data and can be used by a merchant to trigger other actions that a consumer may need, such as processing a refund, without needing to store the actual payment information. The token is used by the payment processor, which looks up the card details on the merchant’s behalf.
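The tokenisation flow just described, as an added illustration that is not part of the original article: a processor-side vault hands the merchant a random token, the merchant stores only the token and the last four digits, and a refund is triggered by token without the card number ever entering the merchant’s records. The class and function names and the test card number are constructed for this example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Card:
    pan: str     # primary account number, the sensitive value
    expiry: str  # MM/YY


class ProcessorVault:
    """Stands in for the payment processor: the only party holding card data."""

    def __init__(self) -> None:
        self._cards: dict[str, Card] = {}

    def tokenise(self, card: Card) -> str:
        # The token is random, not derived from the PAN, so it reveals
        # nothing about the card if the merchant's database is stolen.
        token = "tok_" + secrets.token_hex(16)
        self._cards[token] = card
        return token

    def refund(self, token: str, amount: int) -> dict:
        # The lookup from token to card stays inside the processor.
        card = self._cards[token]
        return {"status": "refunded", "last4": card.pan[-4:], "amount": amount}


class Merchant:
    """Keeps tokens plus non-sensitive display data, never the PAN itself."""

    def __init__(self, vault: ProcessorVault) -> None:
        self.vault = vault
        self.orders: dict[str, dict] = {}

    def checkout(self, order_id: str, card: Card, amount: int) -> str:
        token = self.vault.tokenise(card)  # card data leaves the merchant here
        self.orders[order_id] = {"token": token, "last4": card.pan[-4:], "amount": amount}
        return token

    def refund(self, order_id: str, amount: int) -> dict:
        # Only the stored token is needed to trigger the refund.
        return self.vault.refund(self.orders[order_id]["token"], amount)


def merchant_stores_pan(merchant: Merchant, pan: str) -> bool:
    """Audit check: does any merchant-side record contain the full PAN?"""
    return any(pan in str(rec) for rec in merchant.orders.values())
```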

While we still don’t have the full details of the Google Card, it would be prudent to check the encryption and/or tokenisation that would accompany its transactions – physical and virtual.

Adapt to changing roles of banks and payment services

Enable the 3-Domain Secure (3D Secure) protocol to authenticate the payer’s card: banks will be more willing to process ‘card not present’ transactions with extra security measures such as 3D Secure in place.

This depends on the partnerships between issuing banks and the institutional payment services giants of Mastercard and Visa. As the roles of fintech, issuing bank, and payment services provider continue to morph and overlap, updated protocols like 3D Secure may emerge.

Honour data protection regulation

More data means more risk: follow the recommendations of security standards, such as the Payment Card Industry Data Security Standard, first established in 2008. It is mandatory for organisations that accept payment cards and process payment card data, with the goal of mitigating the impact of cyber threats.

When more cards are issued by tech companies that have a history of reinventing the customer experience based on data insights, it is not hard to imagine the data-collecting potential that comes with the launch of a Google Card. Be proactive about protecting any payment or personal data collected during transactions, and as the merchant take an active role in protecting cardholder data, both in the interest of your consumers and of your corporate security against a breach.

These are the 5 golden rules of ePayments, and for more information be sure to read KuppingerCole’s Advisory Note on Emerging Technologies in the Financial Industry.

About Anne Bailey

As an analyst, Anne Bailey covers emerging technologies such as blockchain and artificial intelligence and helps synthesise the implications for companies, industries, and markets. Her research covers innovation in relation to non-profits, diversity, and competitiveness. She has worked with several non-profit organisations in Sub-Saharan Africa.

About KuppingerCole

KuppingerCole, founded back in 2004, is a global, independent analyst organisation headquartered in Europe. We specialise in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM, Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation.
