Table of content
The coronavirus pandemic boosted the shift towards online transactions a lot. People stopped paying by cash, they buy and pay online instead. Only in 2021, more than 2 billion people worldwide used mobile payment apps. 67% of U.S. customers use their bank's mobile app, and 41% of bank customers are now classified as digital-only, which is a record number.
Such a rapid shift to digital payments created an opportunity for startup founders to enter the market with innovative and useful solutions on the one hand. Still, on the other hand, it created payment security risks. Whether you're developing a mobile banking app or creating a subscription-based fitness app, you store users' credentials. Once you do it, you should make everything possible to develop a secure payment system that is hard for attackers to penetrate.
We at Uptech have helped to develop compliant apps following payment systems security standards. Today I will tell you about the most common security practices, how and from what they can save you, and why payment security is the key to product success.
3 Main Security Issues To Be Aware Of
If your product is going to work with users' financial information (and it's very likely to do so), it's essential to know what security attacks exist to anticipate customer concerns and properly assess your responsibility. I have gathered 3 payment security issues that happen most often.
Cyberattack is the most widespread security concern. Only in the first half of 2021, the number of cyberattacks against financial institutions increased by 118%. To put it shortly, a cyber attack means that hackers can obtain your users' credentials, account balances, and credit limits, which leads to data leakage. Hackers are very creative in stealing data and can do it in many ways:
- Password or code hacking;
- Website takeover;
- Refund frauds.
Data leakage can significantly damage a company's reputation and credibility. In addition, it will take a lot of money to recover after such a case.
Trojan malware is one more profitable tactic that hackers use against apps. It happens when users download an app or file that contains malicious software. Often such software is disguised within other mobile applications like games that, once installed, the hacker behind the software has access to all the information stored in the device and can control it in some cases.
You may think that many companies use firewalls or antivirus software to protect themselves, but it turned out that many fintech companies are vulnerable to malware attacks. Their payment systems' security isn't strong enough to stop hackers from accessing bank accounts, changing PIN codes, or transferring money. And again, it can cost users millions and trillions of dollars lost, and for businesses, it puts an end to reputation and trust.
The last security concern you should be aware of is third-party providers. To be more correct, the non-compliant third-parties. It's a common practice among companies to integrate third-party providers to handle digital payments to increase efficiency and reduce costs. You can use so many different third-party vendors, including:
- payment processors;
- point-of-sale system vendors;
- payment gateway providers.
The concern is that insufficient third-parties could store and process users' data unsafely and expose it to risk. Moreover, some third-party vendors can outsource their functions to external parties, creating fourth- and fifth-party risks.
How Do Online Payments Work in Different Apps?
So, it now becomes clear that solid payment security saves your business from:
- reputational risks;
- users turnover;
- court costs.
But the question of how exactly payment security standards can save you remains. To figure it out, we should dig deeper into the online payment process: how money moves from a customer to your business and how banks facilitate these payments. Let's look at 3 cases: a subscription-based app, an eCommerce marketplace, and an online banking app.
When you build a subscription-based app, you must deal with recurring revenue. It means that you need to store customers' payment information and accurately charge them at set time intervals. The level of effort here depends on the way your payment system is set:
- The first option is to build your own payments system;
- Second one is to use the existing software (third-party).
As you decide to build your own system from scratch, consider the engineering resources required to develop and maintain your billing software. These things take time and money, which I'll describe later. So I better recommend you think of the second option. This is what we did on Plai.
We implemented a compliant payment gateway – Stripe. When a user enters the card number to subscribe to Plai, Stripe converts the card number into a token, so we don't see and don't store the card number itself, we work with the token instead. In case of attack, we are sure that no user credentials will fall into the wrong hands.
Check out what financial software development services we offer 🚀
eCommerce marketplaces have one of the most complex payment requirements because they accept money on behalf of sellers or service providers and issue payouts to them. Such a process has some difficulties, like:
- verifying sellers' identity;
- managing money transmission;
- taking a service fee from each payment;
In addition, to implement payment functionality, you need to maintain a payment facilitator status with card networks, such as Visa, Mastercard, or American Express. But that's not the end, and these card networks apply strict regulations. This process can take months and require millions of dollars in upfront and ongoing costs.
Online Banking App
So we approached the most complex app type in terms of payment security system – online banking. There are 4 players involved in online card payments.
Cardholder: The person who owns a credit card;
- Merchant: The business owner;
- Acquirer: A bank that processes credit card payments through the card networks (such as Visa, Mastercard, and American Express) to the issuing bank;
- Issuing bank: The bank that elongates credit and issues cards to consumers on behalf of the card networks.
If you come to Uptech and ask me what the smoothest way to make the online transaction possible is, I'd recommend you follow the next steps:
- Set up a business bank account;
- Partner with BaaS (bank as a service) or a payment processor, so they help you route payments from your app to the card networks;
- Implement a payment gateway;
I often advise our clients to use gateways as it's a fast, cost-effective, secure, and efficient way to add an online payment system to your app. Gateways securely encrypt the data they send to the acquirer and then to the card networks. It helps you meet security guidelines called PCI standards, which I'll explain later. Then the card networks communicate with the issuing bank, which either confirms or denies the payment. The issuing bank sends the message back to the gateway or acquirer, and this is where you can display the message "payment accepted" or "payment declined" to your user.
Of course, you can build your own payment integration instead of using a payment gateway provider, but again, it'll cost you much more money and time.
5 Payment Security Standards To Remain Compliant and Prevent Skimming
Payment security may first seem to be an alphabet soup. So let's clear things up and make sense of all these letters.
In 2006 the global payment networks Visa, MasterCard, American Express, Discover, and JCB founded the Payment Card Industry Security Standards Council (PCI SSC) issues recommendations or Data Security Standards (PCI DSS) that aim to reduce fraud and data breaches across the entire payment ecosystem.
Every organization that accepts or processes payment cards must follow the PCI requirements. And telling the truth, there are lots of things to follow, but here are three of the main ones:
- Collect and transmit sensitive card details securely;
- Store data securely, which means encryption, ongoing monitoring, and security testing of card data access;
- Ensure annually that the required security controls are in place, which includes questionnaires, external vulnerability scanning services, and 3rd party audits.
There are four different PCI compliance levels based on the volume of credit card transactions your business processes during one year. When we need to select the level that suits the project best, we use the flowchart on page 18 of this PCI doc.
Note the PCI DSS requirements change over time, so you should monitor them regularly or become a PCI Participating Organization (PO).
One of the ways to build up payment security is tokenization. How does it work? For example, when users enter their card information in your app, it's immediately replaced with randomly generated numbers and symbols. This random combination is called a token. This token is what the merchant sees throughout the entire transaction process. So it allows businesses to manage payments without handling the users' sensitive data.
Tokens use a public and private key to work. When we implement tokenization, our job as developers is to store the tokens' keys securely.
3D security is a relatively new payment security technology. With 3D security, it's not enough for swindlers to access the card numbers to make an online transaction. After entering their payment card data, the users must further confirm a purchase using a digital banking app or enter a One-Time Password (OTP) sent via text or email.
I bet everyone of you has seen the Secure Socket Layer (SSL), but you probably didn't know that it was one more thing that secures your data.
SSL is an internet protocol that encrypts all communications on a website and secures web pages that process customer payment information. You can easily check if a site uses SSL by searching the lock icon in the address bar or verifying that the site address begins with "HTTPS." It's a common practice among many browsers to alert visitors when a site isn't using SSL.
The good news for you as a business owner is that acquiring an SSL certificate is faster and more affordable than PCI. Just don't forget to renew your certificates before they expire. The bad news is that it's as easy and affordable as hackers to acquire SSL certificates for fraudulent sites.
Know Your Customer (KYC)
Know Your Customer (KYC) verification is the process of verifying the identity of bank customers before or during the time they start using your app. KYC involves the following measures:
- confirm customer identity;
- understand the nature of customers' activities;
- ensure that the source of customers' funds is legitimate;
- estimate fraud risks associated with customers.
Here are some of the top services that help with KYC:
- Microblink: a company that develops AI-powered solutions that automate personal data entry by using camera input.
- Fourthline: one of Europe’s fastest-growing fintech companies for digital KYC.
- Jumino: a company that uses AI, biomentics, and certified liveness detection to protect you from fraud and financial crime.
Think of the KYC procedure as a security check at the airport. It allows you to ensure that your potential users are who they claim to be and that they are reliable enough to allow them to use your product.
Top Payment Gateway Apps List
From a business, implementing a payment gateway is a fast and cost-effective way to enable secure online payment from one bank account to another.
We at Uptech often advise clients to use payment gateways, so I have gathered a list of top payment gateway apps that offer quality and compliant services.
- Stripe: global online payment processor for internet businesses of all sizes.
- Wordplay: one of the longest-standing online payment platforms for both online and in-store payments.
- Adyen: a payment platform focused on e-commerce companies.
- WePay: an online payment service company that provides secure APIs designed for ISVs and SaaS providers.
- PayPal is an online payment system that helps individuals and businesses send and receive money securely.
- Payoneer: a payment platform that allows merchants to send and receive payments without requiring a merchant account.
If you decide to develop an app that will work with users' credentials, your main challenge is payment security. There are three main security issues you should be aware of:
- Trojan malware;
- Unreliable third-parties.
You need to follow payment security standards to guarantee a safe and compliant payment system. Depending on your product, the payment process differs so as a security solution, so it's important to access people who know what payment security solution to implement. At Uptech, we provide fintech web and mobile app development services to our clients and know all the ins and outs of payment security standards. So if you need the hand of help in developing your project, contact us.