4 security considerations for online store payments

In this post, we look at four security considerations that must guide the development of an online store if a suitable level of quality is to be achieved.
Published on
May 5, 2021
Finance & Fintech

Buying online was an everyday occurrence long before the COVID-19 pandemic broke out, but the forced closure of non-essential retail stores tipped the balance even further in favour of ecommerce. There are now many people throughout the world who rely on online retail for supplies, not just discretionary purchases of clothing or consumer electronics, and that is putting cybersecurity under a harsher light.

After all, issues with online payments can seem relatively trivial when you’re dealing with small orders of items that aren’t strictly necessary — but when you’re talking about vulnerable people (often with limited budgets) receiving food and other necessities, there’s a pressing need to ensure that such issues don’t arise in the first place.

Given today's design standards and user expectations, a weak payment system will quickly damage a brand and make visitors reluctant to risk their hard-earned money. In this post, we're going to look at four security considerations that must guide the development of a modern online store if a suitable level of quality is to be achieved.


Ensuring that linked systems are protected

Safeguarding the payment process in isolation is not enough to prevent fraud, because online stores are modular. Data flows between components for convenience, so any component that holds credentials or API permissions for the payment or customer-data systems is an attack path into them: an attacker who compromises a reporting tool or a marketing integration with broad permissions inherits those permissions. One weak link in the chain is all it takes to render the whole of it insecure.

The simplest way to avoid such weak points is a hosted, fully featured store platform that keeps all of its components in the cloud and patches them automatically. A wide-reaching platform with a native payment gateway (Shopify, for instance) is an easy choice, because the vendor, not you, is responsible for keeping the core components patched and compatible with one another, and because card data handled by the native gateway never touches infrastructure you run yourself.

But then there is the matter of plugins (or extensions, or add-ons, depending on the platform). Plugins are extremely common in ecommerce, with sellers eager to make their stores easier to use or simply more attractive, yet each plugin is a fresh point of weakness: one poorly maintained or over-privileged plugin can hand an attacker the entire system. The best course is to limit plugin use to those you can properly vet: check who maintains it and how quickly it is updated, review the permissions or API scopes it requests and reject anything broader than its job needs, keep it patched, and remove plugins you no longer use.

Balancing authentication with convenience

We live in the era of biometrics, with smartphone ownership being incredibly common and fingerprint readers (plus facial recognition systems) appearing on many such devices. Notably, this sets a precedent that must be kept in mind. Users now know the ease of getting near-instant (yet secure) access to their devices — and they expect similar ease online.

This doesn’t mean that online stores should (or could) store biometrics data. That’s something that most people wouldn’t accept. Instead, it means they need to be very careful with how they handle their authentication systems. They need to be secure, preventing unauthorized users from somehow gaining access, but without slowing things down too much.

Leaning on the device and the browser is the way to go, but be precise about what is stored where. The store itself should never hold card numbers: the payment gateway tokenises the card, and the store keeps only the token, the last four digits and the expiry date, which is enough to show "Visa ending 4242" and nothing an attacker could replay elsewhere. Card details that live on the customer's device sit in the browser's or operating system's autofill store and are released only after the device's own authentication. When a stored card is charged, ask for a fresh CVC (Card Verification Code), which must be passed straight through to the gateway and never stored, or gate the payment behind a device-backed login such as WebAuthn, where the fingerprint or face never leaves the device. You must also think about which gateways you will support. The more gateways you offer, the better the user experience, but each one is another integration whose API keys, webhooks and failure modes you have to secure.
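The stored-card flow just described, as an added example that is not part of the original post: the shop persists only a gateway token plus display data, a checkout against a stored card demands a freshly typed CVC, and the CVC is forwarded to the gateway without ever being written down. `FakeGateway` is a constructed in-memory stand-in for a real provider's vault, the card number is a constructed test value, and all function names here are this example's own, not any vendor's API.

```python
"""Stored-card checkout with gateway tokenisation.

Added example (not code from the original post). FakeGateway is a constructed
stand-in for a payment provider's vault; save_card/charge_stored_card and the
other names are this example's own, not any vendor's API.
"""
import json
import re
import secrets
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Tuple


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects mistyped card numbers before they reach the gateway."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class FakeGateway:
    """Constructed stand-in for the gateway. The PAN lives only in its vault; in
    production the browser posts the PAN straight to the provider's hosted form,
    so the shop's servers never see it either."""

    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}                 # token -> PAN
        self.charges: List[Tuple[str, str, int]] = []    # (charge_id, token, amount), no CVC

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_hex(12)
        self._vault[token] = pan
        return token

    def charge(self, token: str, amount_cents: int, cvc: str) -> str:
        if token not in self._vault:
            raise KeyError("unknown token")
        if not re.fullmatch(r"\d{3,4}", cvc):
            raise ValueError("CVC must be 3 or 4 digits")
        charge_id = "ch_" + secrets.token_hex(8)
        self.charges.append((charge_id, token, amount_cents))  # CVC is used, not kept
        return charge_id


@dataclass
class StoredCard:
    """What the shop persists: enough to show 'Visa ending 4242', nothing replayable."""
    gateway_token: str
    last4: str
    exp_month: int
    exp_year: int


PAN_LIKE = re.compile(r"\b\d{12,19}\b")   # anything that looks like a full card number


def save_card(gateway: FakeGateway, pan: str, exp_month: int, exp_year: int) -> StoredCard:
    """Tokenise at the gateway and keep only the token and display data."""
    token = gateway.tokenize(pan)
    return StoredCard(token, pan[-4:], exp_month, exp_year)


def persisted_record(card: StoredCard) -> str:
    """Serialised row for the shop's database, with a last-line check that no
    full PAN is about to be written (defence in depth, not the primary control)."""
    record = json.dumps(asdict(card))
    if PAN_LIKE.search(record):
        raise RuntimeError("refusing to persist something that looks like a card number")
    return record


def charge_stored_card(gateway: FakeGateway, card: StoredCard,
                       amount_cents: int, cvc: Optional[str]) -> str:
    """Charge a stored card. A fresh CVC is the re-authentication step on this
    path (a device-backed login such as WebAuthn could replace it); the CVC is
    forwarded and never stored, as PCI DSS requires."""
    if amount_cents <= 0:
        raise ValueError("amount must be positive")
    if not cvc:
        raise PermissionError("re-authentication required: enter the card's CVC")
    return gateway.charge(card.gateway_token, amount_cents, cvc)


if __name__ == "__main__":
    gw = FakeGateway()
    card = save_card(gw, "4242424242424242", 12, 2027)   # constructed test PAN
    print(persisted_record(card))                         # token + last4 + expiry only
    print(charge_stored_card(gw, card, 1999, "123"))
```

The `PAN_LIKE` check in `persisted_record` is a safety net, not the control that matters: the real control is that `save_card` only ever receives a token and the last four digits from the gateway, so there is no code path in the shop that could write a card number in the first place.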

Complying with all relevant data regulations

The implementation of the GDPR (General Data Protection Regulation) back in 2018 heralded a significant change in how most people view the storage and processing of personal data. Though it technically applies only to organisations established in the EU or offering goods and services to (or monitoring) people in the EU, it has had influence throughout the world by setting a powerful precedent, and it arrived in the same year as PSD2, the directive behind Open Banking, so the two are often discussed together.

Accordingly, one of the core concerns when managing online payments must be ensuring that the underlying systems comply with all relevant regulations and standards and meet user expectations. For card payments that includes PCI DSS, whose scope (and audit burden) shrinks considerably when card numbers never pass through systems you operate. The perception of impropriety is a serious threat in its own right: even where it is entirely legal to store and process data in a certain way, there is no guarantee that customers will find it acceptable.

And given the immense influence that negative customer comments routed through social media can have (often leaving brand images utterly devastated), it’s mission-critical that you not only store and use data responsibly but also make your actions abundantly clear. Providing and promoting a comprehensive breakdown of your data policy will be a key step.

Keeping shoppers apprised of best practices

Lastly, there’s a security concern that gets overlooked far too often, and that’s the behaviour of the customers. Online sellers can focus entirely on keeping their systems secured and fail to consider how easily something like social engineering (Tripwire has more on this) can compromise user accounts and lead to fraudulent transactions.

Any contention that a store owner shouldn’t much care about such transactions is a non-starter for two reasons. Firstly, those transactions will ultimately be contested, leading to chargebacks and lost money. Secondly, the customers who see their accounts compromised will be less likely to return. That you weren’t at fault won’t really matter: they won’t be able to visit your store without thinking of their bad experiences.

In addition to providing some key suggestions in the support section of your site, have relevant advice ready for those who contact you for help, and promote good security habits through your blog and marketing emails. Encourage customers to use a password that is unique to your store (a password manager makes this painless), to turn on two-factor authentication if you offer it, and to keep their login details private. Forced periodic password changes are no longer recommended (NIST SP 800-63B advises against them, since they push people towards predictable variations of the old password); ask for a new password when a compromise is suspected instead. Account-recovery options should be ones an attacker cannot look up or guess, such as a verified email address or phone number rather than a security question.


To compete at a time when online retail effectively serves as a utility, every ecommerce store owner must take payment security extremely seriously. Keeping the four concerns above in mind while configuring a store makes it markedly easier to produce a setup that is suitably robust, which in turn means better performance and happier customers.
