How to select a Payment Gateway: [Part three] Security capabilities of Payment Gateways


Losses caused by electronic payment fraud are a significant issue for merchants. Plus, security breaches that expose user payment data can damage your brand and bring legal risk. So, it’s essential that you consider and prioritize security when selecting a Payment Gateway.


There are four main security options and standards to be aware of during your selection process, each with different implications for businesses of different sizes and operating footprints:

PCI DSS (Payment Card Industry Data Security Standard)

PCI DSS is a data security standard for the third-party payment industry. It sets out a baseline of technical and operational requirements to protect cardholders’ information by introducing security management systems, network security, physical security, and data encryption. 


PCI DSS compliance is also audited annually, and certified companies are granted proof of security level qualification when the audit is completed, so it’s worth seeking a solution bearing this proof of security level.


PCI DSS security certification of a Payment Gateway can be considered proof of its high level of security in terms of technology, infrastructure, and process. When selecting a Payment Gateway, we suggest placing the certification of PCI level qualification high on your list of criteria.

3D Secure

3D Secure (3DS) is a security verification service introduced to cardholders by international card organizations to ensure a high level of protection for online credit card payments. It requires users to verify their identity by entering information that only the cardholder knows, such as a payment password or verification code on a mobile phone.


3DS is a double-edged sword for merchants. If 3DS is enabled, the verification of the cardholder’s identity is more reliable, and the cost will be borne by the card issuer rather than the merchant if a related complaint happens in the future. However, there’s a cost for the merchant to maintain this additional layer of security protection. An additional authentication process will also have a negative impact on conversion rate, as there’s a higher chance of failure and cart abandonment when there’s more browser redirection.


In the new version of 3DS, 3DS 2.0, the authentication happens in the backend in 95% of cases, which will solve the conversion issue. Thus I recommend that you choose Payment Gateways that use 3DS 2.0, as it’s the most effective means of protection against payment fraud and can provide convincing evidence for risk management and liability shifting if payment fraud occurs.

Fraud detection

Fraud detection is the use of technology to reduce the rate of payment fraud by identifying suspicious transactions before they’re processed. One of the most common scenarios is that the same IP address has attempted to make payments using different card numbers within a short period and most of the payments have failed to validate. Fraud detection technology identifies this pattern and concludes from these clues that the IP is suspected of fraud. It then bans all subsequent requests from that IP, preventing any further fraudulent transactions.
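The rule described above, written out as a sliding-window check. This is an added example, not code from the article or from any Payment Gateway; the class and field names, the thresholds and the sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Attempt:
    ts: float       # seconds
    ip: str
    card_ref: str   # opaque card fingerprint, never the raw card number
    approved: bool

class CardTestingDetector:
    # Thresholds are illustrative assumptions, not values from the article.
    def __init__(self, window_s=300, min_cards=4, min_fail_ratio=0.75):
        self.window_s = window_s
        self.min_cards = min_cards
        self.min_fail_ratio = min_fail_ratio
        self._recent = defaultdict(deque)   # ip -> attempts inside the window
        self.banned = set()

    def observe(self, a):
        """Return 'block' (already banned), 'ban' (banned now) or 'allow'."""
        if a.ip in self.banned:
            return "block"
        q = self._recent[a.ip]
        q.append(a)
        while a.ts - q[0].ts > self.window_s:   # drop attempts older than the window
            q.popleft()
        cards = {x.card_ref for x in q}
        failed = sum(not x.approved for x in q)
        # Many distinct cards AND mostly declines: one customer retrying a
        # single card never reaches min_cards, so typos do not trigger a ban.
        if len(cards) >= self.min_cards and failed / len(q) >= self.min_fail_ratio:
            self.banned.add(a.ip)
            del self._recent[a.ip]
            return "ban"
        return "allow"

# Constructed sample events (documentation IP ranges, made-up card references).
SAMPLE = [Attempt(*t) for t in [
    (0, "198.51.100.20", "card-A", False), (5, "203.0.113.7", "card-1", False),
    (12, "203.0.113.7", "card-2", False), (20, "198.51.100.20", "card-A", False),
    (21, "203.0.113.7", "card-3", True), (30, "203.0.113.7", "card-4", False),
    (41, "198.51.100.20", "card-A", True), (50, "203.0.113.7", "card-5", False),
]]

def replay(events, detector=None):
    """Feed events in order and return the verdict for each one."""
    detector = detector or CardTestingDetector()
    return [detector.observe(e) for e in events]
```

In the sample, the customer who retries one card three times is never flagged, while the IP cycling through four cards with three declines is banned on the fourth attempt and blocked on the fifth.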


Fraud remains the most common problem encountered by customers when using Payment Gateways, and when it happens, payment requests from all users of that merchant will be temporarily blocked until the attack stops, significantly impacting the business. So, I recommend that merchants don’t skimp on investment in fraud detection and make sure the Payment Gateway they choose provides effective anti-fraud capabilities.


Tokenization

The principle behind tokenization is that the Payment Gateway generates a unique token for each bank card number after the first verification of the user's identity, then returns it to the merchant as a credential representing the card information in the subsequent payment process. This helps prevent many of the risks associated with the frequent input of card information, and lets customers pay more conveniently.
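A minimal model of that flow, showing which side holds the card number and what the merchant keeps. This is an added example, not any gateway's real API: `GatewayVault`, `MerchantStore`, the `tok_` prefix and the choice to return the same token when the same card is presented again are assumptions, and the card numbers are well-known test values.

```python
import hashlib
import hmac
import secrets

class GatewayVault:
    """Gateway side: the only place the card number (PAN) is held."""
    def __init__(self):
        self._index_key = secrets.token_bytes(32)
        self._token_by_card = {}   # keyed digest of PAN -> token
        self._pan_by_token = {}    # token -> PAN (encrypted at rest in a real vault)

    def tokenize(self, pan, identity_verified):
        if not identity_verified:
            raise PermissionError("cardholder identity not verified")
        digest = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        token = self._token_by_card.get(digest)
        if token is None:
            # Random, not derived from the PAN, so it cannot be reversed.
            token = "tok_" + secrets.token_urlsafe(24)
            self._token_by_card[digest] = token
            self._pan_by_token[token] = pan
        return token

    def charge(self, token, amount_cents):
        pan = self._pan_by_token.get(token)
        if pan is None:
            return {"status": "declined", "reason": "unknown_token"}
        return {"status": "approved", "amount_cents": amount_cents, "last4": pan[-4:]}

class MerchantStore:
    """Merchant side: keeps the token and last four digits, never the PAN."""
    def __init__(self, gateway):
        self.gateway = gateway
        self.customers = {}

    def save_card(self, customer_id, pan, identity_verified=True):
        token = self.gateway.tokenize(pan, identity_verified)
        self.customers[customer_id] = {"token": token, "last4": pan[-4:]}

    def recurring_charge(self, customer_id, amount_cents):
        # The card number is not re-entered; the token stands in for it.
        return self.gateway.charge(self.customers[customer_id]["token"], amount_cents)
```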


I recommend gateway tokenization if credit card users make up a large proportion of your customer base, as it will enable those customers to make recurring payments without reentering their card details. That helps improve experiences for them, while also reducing their details’ exposure to data thieves.


If a Payment Gateway supports tokenization, it could either store customer card information in its own system, or use an integrated third-party system for storage. Before signing the contract, it’s important to clarify where that information is stored, so you can ensure it meets any local standards you’re required to uphold.


In part 4, we will explore how you’re going to implement and integrate your chosen Payment Gateway. You can find part 4 under ‘related content’ below.

Disclaimer: The statements and opinions expressed in this article are those of the author(s) and do not necessarily reflect the positions of Thoughtworks.
