How to Create a Secure Payment Gateway

Written by Lynn Jatania on October 7, 2021 Blog, Sell Online.

It’s better to be safe than sorry. And that statement’s even more true for online stores. Securing your payment process is critical to holding customer trust and maintaining your flow of business and income.

Is your payment system under lock and key? Learn more about attacks and make sure you’re protected with our WooCommerce security checklist.

What do payment gateway attacks look like?

When a cybercriminal targets your payment gateway, their goal is to discover or steal credit card information that they can then sell online. 

Payment gateway attacks may take the form of:

  • Enumeration attacks, which test the validity of credit card combinations to find ones that work. On your site, this might look like numerous failed attempts to check out with a small order. 
  • Stolen admin credentials. Criminals use phishing techniques or other methods to access your admin account and payment gateway with the goal of stealing customer credit card information.
  • Cloned POS devices. Bad actors copy your point-of-sale devices (which use your payment gateway credentials) to generate fake orders.

Why care about payment gateway security?

Once your store is up and running, you might be tempted to think you’re safe enough — especially if you haven’t been the focus of hackers yet. But when criminals target your payment gateway, you may find yourself facing consequences like:

  • Time required to sort out and deal with breaches, preventing you from spending time on income-generating parts of your business.
  • Problems with website performance, due to traffic from brute force attacks.
  • Eroded trust with your payment gateway provider, possibly resulting in higher fees or service cancellation.

If you need help securing your store, we’re here to support you. And with Woo, high-volume stores qualify for unique benefits like dedicated support and discounted extensions. Learn more about how our team can help your business grow.

How to lock down your site

Hopefully, you’ll never have to worry about actual attacks. But err on the safe side and give some thought, time, and investment to each of these issues to make sure your site is locked down.

Use CAPTCHA for user accounts and the checkout process

Make sure bots can’t get into your system by adding a CAPTCHA to your registration and checkout pages. Although it’s an extra step for customers, it’s worth it for the simple and effective way it keeps bots from attacking your site.

There are a variety of methods you can use to streamline the process for your legitimate customers, while still adding security. Consider the advanced features of the ReCaptcha for WooCommerce extension to find the right balance between ease and safety.

Invest in quality hosting

Your host is your partner in performance and security. A quality provider will include critical security features like:

  • An SSL certificate, which encrypts customer information like credit card data and addresses.
  • PCI-compliant servers that follow all credit card company guidelines.
  • Regular site scans, backups, and brute-force attack monitoring.

But don’t just rely on your host. Consider adding a firewall to your site, which acts as a barrier between your store and hackers, preventing them from getting in. 

And, tools like Jetpack Security provide malware scans, downtime alerts, and off-site backups.

Use an anti-fraud plugin

Protect your payment gateway directly with anti-fraud software that monitors your orders and watches for any suspicious activity.

Extensions like WooCommerce Anti-Fraud will look for transactions that fall into typical attack patterns and put suspicious orders and questionable users on lockdown. 

risk assessments for a website using WooCommerce Anti-Fraud

You can block activities like:

  • Many small orders placed in quick succession
  • A sudden influx of orders from a geographical location outside of your typical order zone
  • Orders placed from a blocklist of email addresses and IP addresses
  • Suspicious differences between billing and shipping addresses
  • Payments made by new, unverified PayPal accounts
  • Use of proxy servers and other masking activities

You can set the level of sensitivity for orders to be flagged to find the right level of risk for your shop. 

Make sure passwords are safe

We all know the basics when it comes to password security: use a variety of characters, don’t use a personal name or date, and don’t reuse passwords across websites. But you can add additional security by:

  • Making your admin passwords extra complicated with special characters, etc.
  • Adding password lock-out software, that will limit the number of failed login attempts
  • Ensuring users have only the minimum permissions needed to perform their job or tasks
  • Being aware of phishing scams and never sharing your password information with suspicious businesses or individuals

Passwords can also be used to secure certain portions of your site. Use the Password Protected Categories extension to limit access to commonly exploited areas. Shoppers will need to have an account to verify their identity, or will have to access the password directly from you through secure channels. 

settings in the Password Protected Categories extension

Limit payment card information storage

One great feature of WooCommerce is that you don’t need to store credit card information at all — your payment gateway will handle the most vulnerable and important security information. 

Key tip: Make sure your selected payment gateway uses tokenization to pass credit card information back and forth. For maximum security, consider WooCommerce Payments.

But if you want to allow your customers to set up subscriptions or register for pre-orders, then your system might store some information about payment options, either on your site or through your payment gateway. Limit the number of times customers can update their credit card information. Several updates per day are a red flag of brute force attacks.

Safely decommission POS devices

When POS devices have outlived their usefulness, make sure to decommission them safely. That means wiping all memory and settings to ensure that any access codes or stored passwords are removed and cannot be cloned or copied. It also means returning these devices to the source company so they can be safely disposed of; don’t let them gather dust in the back of your shop. 

With all parts of the payment system fully protected, you’ll know that you’ve done all you can to keep your most important business asset safe and sound. Keep attackers at bay and make sure you’re spending your energy on income generation and growth, instead of dealing with security breaches.

Finally, note that this is just one important aspect keeping a safe site. Review our WooCommerce security guide for a more comprehensive checklist.

Grow your business with Woo