Pagoda Blog

Use This Security Checklist When Processing Online Payments

November 2, 2023

Many customers now expect to be able to pay for services online, and since the pandemic, online shopping has become a fierce competitor with brick and mortar shops. In fact, 76 percent of adults in the U.S. identify themselves as online shoppers. 


It’s clear that customers conduct a lot of transactions online, and as an SMB, offering online payment processing on your website can help your business keep pace with the competition. Whether you’re considering adding online payments to your website or are already accepting them, this security checklist will help ensure that your customers and business are protected.   


Meet PCI compliance requirements 

When you process, transmit, and store payment information, it’s important to meet Payment Card Industry Data Security Standards (PCI DSS). PCI compliance helps to protect your customers’ card information and goes a long way in building trust and establishing yourself as a reputable merchant. PCI compliance is not required by law but if you’re accepting online payments, you should still comply. In addition to protecting your customers, it also helps protect your business from the short and long-term effects of a data breach


Encrypt your website with an SSL/TLS Certificate

SSL (Secure Socket Layers) and TLS (Transport Layer Security) both encrypt data and authenticate your website’s server. When you download a SSL/TLS Certificate, you are ensuring that your website always encrypts data sent between a user’s browser and your website’s server. TLS is simply an updated version of SSL and if you have an up-to-date certificate, your website is encrypted using TLS. You can tell if your website is encrypted by checking that your url begins with HTTPS. It should also show a lock icon to the left of the url. 


Maintain security across your network 

When accepting payments online, you should prioritize the security of your website above all else (although we believe you should prioritize cybersecurity regardless). Make sure you always download the latest software updates and security patches, use a firewall, require users to create strong passwords, and work with an IT services provider to implement continual monitoring of your website for vulnerabilities and suspicious activity. It’s also imperative that you regularly provide cybersecurity training to all your employees.


Require two- or multi-factor authentication 

If you’re storing customers’ credit card information on your server, it’s important to require users to set up two or multi-factor authentication when creating an account. This additional layer of security can take several forms, the most common being SMS or text-based. While this is still the most convenient and familiar form of 2FA, it’s also the most vulnerable. Other options include an authenticator app, a physical token, or biometrics. Learn more about the different forms of MFA and their security in this post


Use a fraud detection tool 

Websites that accept online payments should employ additional security measures, such as a fraud detection tool, to prevent criminal activity like identity theft. Fraud detection software can detect and prevent fraudulent transactions, protect against financial losses, and comply with any industry-specific regulations.  


Require customers to enter their card’s CVV

A credit card’s CVV is the three digit code typically found on the back of the holder’s card. The CVV is a  security feature that helps to verify the identity of the cardholder in online or phone transactions. Because this code is not embossed or stored in the card’s magnetic strip, it’s not vulnerable to a data breach that targets a physical store’s database. When you swipe, insert your card, or use contactless payment, the retailer’s credit card machine has no way to store your CVV. (It’s important to note that you should never be asked to provide your CVV when shopping in-person.) Requiring a CVV as part of your online payment process helps to prevent fraud. 


Consider payment tokenization 

Payment tokenization is a form of encryption that uses a unique token in place of sensitive payment information. With tokenization, your website doesn’t have to transmit or store a customer’s payment information. 


Choose a secure online payment gateway

Accepting online payments requires integrating with an online payment gateway to process, transmit, and store customer data. Most of the security requirements outlined above will rely on a third-party application to implement. There are countless online payment gateways to choose from so it’s important to do your homework and ensure you’re choosing one that will effectively protect your customers’ data and your business from a data breach. 


Below are several factors to consider when deciding which payment gateway is best for your business:  


- Meets PCI compliance

- Provides fraud detection and prevention

- Requires 2FA or MFA 

- Employs SSL/TLS encryption 

- Uses payment tokenization

- High percentage of uptime (the amount of time a system is operational and available to users) 


Is your online payment process secure? 

Meeting the expected security standards for online payment processing is essential to build and maintain your reputation as an online merchant and to prevent a data breach. Taking the time to implement the above security measures will allow your business to become a trusted online merchant, or to simply offer the convenience of online payments to your clients, without putting your business and their data at unnecessary risk. 


Photo by The Jopwell Collection on Unsplash


Related reading: 

Online Credit Card Security and What to Do in the Event of a Data Breach 

The Right Way to Notify Your Customers of a Data Breach

What Business Owners Can Learn from IBM’s Annual Cost of Data Breach Report


Want to get more posts like these in your inbox? Sign up for the Pagoda newsletter and we’ll send you the occasional email with content that will sharpen your technical skills, from cybersecurity to digital marketing


Did you know we also have a weekly LinkedIn newsletter? Make sure to subscribe for weekly actionable IT advice and tech tips to set your business up for success.




About Pagoda Technologies IT services

Based in Santa Cruz, California, Pagoda Technologies provides trusted IT support to businesses and IT departments throughout Silicon Valley, the San Francisco Bay Area and across the globe. To learn how Pagoda Technologies can help your business, email us at to schedule a complimentary IT consultation.


Return to Pagoda Blog Main Page

As your trusted IT service partner, Pagoda Technologies is here to help you achieve your near and long-term business goals through reliable and affordable IT support. 

Pagoda Technologies

101 Cooper Street

Santa Cruz, CA 95060


Contact us for a free IT consultation



Get in touch 

Join our newsletter

Want IT to serve you better? 




Follow Us

Facebook LinkedIn LinkedIn