What you need to know about card payment security

Photo of author
Written By Berry Mathew

Billions of transactions are completed using credit and debit cards every month in the UK.

That’s not even thinking about the number of mobile or digital payments now being made on smartphones or wearable devices using e-wallets.

As card payments continue to pull away from cash as the preferred way to pay for goods and services all over the world, the focus on card payment security becomes clearer.

But while it might seem like a lot, and there’s plenty to think about when it comes to securing card payments and protecting not only your customers but your own business data, there are lots of security measures keeping you safe.

And as a business, there are a few security policies and regulations you need to know about if you want to safely accept card payments.

Here’s what you need to know about card payment security.

PCI DSS requirements

The Payment Card Industry Data Security Standard (or PCI DSS) is a set of rules all businesses must follow to ensure the private payment data of their customers is processed, handled, stored, or transferred with the highest degree of security.

Created in 2006, the PCI Security Standards Council is an independent body that monitors developments in card payment technology and focuses on improving card security processes while promoting the importance of PCI DSS.

If you’re not already PCI DSS compliant, you need to complete the following steps to uphold an acceptable level of card security in your business:

  • Protect cardholder data

If you plan on storing card data locally, for example in an internal server, this adds another element of risk. To minimise the risk of a data breach, implement both virtual and physical barriers to the data, such as locked cabinets and limited server access. You should also never store information like pin numbers and all customer data must be encrypted before it’s transferred between devices across a network.

  • Vulnerability measures

You should always have strong, up-to-date anti-virus software active across all business devices, especially card machines, or anything that handles payment information. It’s also essential you update any business software as soon as it’s available. These updates patch potential security flaws and protect against newer security threats.

  • Maintain a secure network

Along with having a strong and reliable firewall, it’s recommended that businesses replace any vendor-supplied passwords or temporary passwords with strong and unique alternatives. Passwords should also be updated at least every 90 days across all major systems or software, and don’t repeat passwords.

  • Regularly test your networks

It’s not enough to use strong network security. You also need to test your network security frequently to find any weaknesses that can develop over time. There are various tools you can use to test just how robust your network is.

Astra Security, for example, performs full, in-depth scans of your network to discover potential vulnerabilities and fix them. Or, if you’re looking for a free alternative, Wireshark is perfect for monitoring network traffic and identifying issues.

  1. Manage access control

Access to cardholder data should be limited only to those who need access as part of their role in the company. You can add an extra layer of security here by giving staff members with access their own identification codes or logins, so access can be tracked and traced back should anything need to be checked in the future. The fewer people who have access to card data, the lesser the chance of a breach.

  • Promote information security policies across the business

Having an up-to-date security policy shows your business is taking active measures to keep cardholder data safe. These policies and procedures should be promoted across the business so everyone knows what’s expected of them.

One thing to note is that many card machine providers will offer PCI DDS compliance as part of their packages – but will charge you. Shop around and find a provider who offers PCI compliance as standard (and for free).

Click here – How To Convert 92.625 As A Fraction: A Step-By-Step Guide

Multi-factor authentication

Multi and two-factor authentication have been around for a while but are starting to become more widespread for card payments as more customers start to use them.

Essentially multi-factor authentication adds an additional layer of security, asking the customer to prove they’re the one using their card.

For example, a customer may be asked to enter their PIN number when trying to pay contactless.

Or they may be asked to approve a transaction in their mobile banking app when trying to pay for something online.

For digital payments on smartphones, multi-factor authentication usually uses biometric data (like facial or fingerprint recognition).


Encryption is one of the primary payment security methods. It’s the process of scrambling data, making it unreadable to external parties. This means if someone hacks into your system, they would not be able to make sense of any card data if it’s been pre-encrypted.

Card data should be encrypted from the moment a transaction is made, and should remain encrypted both as it moves across a network and when it lands in your storage system of choice.

A reliable card machine vendor will ensure all card payments meet the requirements set out by PCI at the point of payment, encrypting data as it’s taken by the machine. But once that information is stored on your system, it’s the responsibility of the business to have trustworthy encryption in place.

Put card payment security first in your business

Protecting your customers’ data should be your top priority as a business owner.

If you’re worried your business isn’t fulfilling its PCI DSS obligations, or that your card payment security isn’t getting the job done as well as it should be, do everything you can to fix these issues before continuing accepting card payments.

You can look into the requirements of the Payment Card Industry Data Security Standard here.