Industry Guide

Payments Security for Merchants: Best Practices To Follow

As consumer expectations rise and fraud becomes more sophisticated, merchants must deliver robust payments security, without compromising the customer experience

On This Page

What is payments security?

Payments security refers to the collective systems, processes, protocols and procedures that merchants implement to protect the confidentiality, integrity and authenticity of customer transactions, both in person and online. Merchants must invest in a comprehensive payments security strategy to mitigate fraud to both their business and their customers and to prevent data breaches or any other form of cyberattack that could lead to fraudsters gaining unauthorized access to sensitive payments information.

Why do merchants need to pay attention to payments security?

To illustrate just how real and present a threat online payments fraud is to merchants and their customers, let’s look at some cold hard data:

  • According to a report from IBM, 83 percent of organizations surveyed said they’d experienced more than one data breach between March 2021 and March 2022.
  • The Association for Financial Professionals found that 65 percent of organizations were victims of payment fraud attacks or payment fraud attempts in 2022.
  • IBM’s annual Cost of a Data Breach report revealed that the global average cost of a data breach reached $4.45 million in 2023 — an all-time high and a 15 percent increase over the past three years. 
  • According to that same report, only a third of breaches were discovered by internal teams, and it took average of 277 days for teams to identify and contain the breach. Within those breaches, customers’ personal identifiable information (PII) proved to be both the costliest and most common record compromised.
  • Research from Statista shows that eCommerce losses to online payments fraud were estimated at $41 billion globally in 2022.

These figures make it abundantly clear that both payments fraud and hacking are on the rise, which pose a direct threat to merchants’ bottom lines and reputations. Even a single known data breach can make consumers feel distrustful and motivate them to take their business elsewhere. But protecting their profits and reputation isn’t the only reason why merchants must invest in online payments security — there’s also the matter of compliance to consider.

What are merchants’ compliance obligations?

The Payment Card Industry Data Security Standard (PCI DSS) is a widely recognized information security standard designed to safeguard customers’ cardholder data. Any merchant that stores, processes or transmits cardholder data is required to comply with PCI DSS. And in order to achieve compliance, merchants must meet PCI DSS’s 12 requirements, which include restricting access to cardholder data, encrypting cardholder data during transmission, removing or tokenizing stored PII and cardholder data and regularly testing security systems and processes.

PCI DSS isn’t the only payments security standard merchants must meet. The Revised Payment Services Directive (PSD2) is a European Union directive aimed at regulating payment services and enhancing online payments security.

Although PSD2 primarily applies to payment service providers, under PSD2’s strong customer authentication (SCA) requirements, merchants are mandated to use multifactor authentication to secure payments. Merchants can meet PSD2’s SCA mandate — and other mandates — by implementing 3D Secure, a form of authentication based on a three-domain model.

Should merchants fail to comply with either of these regulations, they could be subject to financial penalties, loss of payment processing abilities and reputational damage — all on top of being more vulnerable to fraud and data breaches.

What are some common ways to secure payments?

There are a wide range of security measures merchants can implement to protect their customers’ financial information during both card-present and card-not-present (CNP) transactions:

Network Security

Network security encompasses a broad range of tools, protocols and policies designed to ensure a network’s integrity, confidentiality and availability. This can include firewalls, antivirus software, network segmentation, intrusion detection systems and access. Essentially, all forms of payments security — including those listed below — fall under the umbrella of network security.

Address Verification Service

One of the most common online payment security measures, the Address Verification Service (AVS) is a tool that credit card processors and issuing banks use to authenticate transactions. AVS verifies payments by cross-referencing the billing address provided by a cardholder against the billing address on record for that cardholder in their issuing bank’s system.

Card Verification Value

A Card Verification Value (CVV) is a security code — typically consisting of three or four numbers — on the back of a credit or debit card. These numbers are used to verify that the cardholder has physical access to the card when making a CNP transaction.


Encryption refers to the process of converting customers’ financial information, including cardholder data, into a coded or unreadable format using cryptographic algorithms. Point-to-point encryption (P2PE), a security standard developed by the Payment Card Industry Security Standards Council, is one of the most commonly used forms of encryption for electronic transactions.

Secure Sockets Layer

Secure Sockets Layer (SSL) is a cryptographic protocol used to provide online payments security. SSL establishes a secure, encrypted connection between a consumer’s web browser and a merchant’s website server, ensuring that any data — including transaction details, personally identifiable information and payment credentials — transmitted over the internet remains confidential and safe from unauthorized parties.


Tokenization is a payments security technique that involves substituting sensitive information, such as credit card numbers or personal identifiers, with a unique, randomly generated token. Once a token is generated, it represents a customer’s payment card within a merchant’s environment. Since tokens are entirely random, they cannot be reverse-engineered to identify the customer’s original primary account number, thereby enhancing payments security.


EMV is a standard created by — and named after — Europay, Mastercard and Visa to secure credit and debit card transactions. Rather than magnetic stripes or mechanical imprints, EMV cards use integrated circuit chips that store encrypted data and generate dynamic transaction codes to enhance payments security. Prior to EMV, thieves could easily write stolen credit card data to magnetic strips and use them at unmanned kiosks and gas station pumps.


Authentication broadly refers to the process of verifying the identity of an individual during a transaction through the use of passwords, biometric data or security tokens. In order to meet PSD2’s SCA requirements, merchants are obligated to use 3D Secure (3DS) authentication — which is based on a three-domain model — on CNP transactions.

Secure Payments Gateway

A secure payments gateway is a technology infrastructure that facilitates online transactions by securely transmitting payments data between a customer’s browser and a merchant’s website or point-of-sale (POS) system. These gateways automatically encrypt cardholder data and validate transactions with financial institutions to ensure the confidentiality and integrity of that data.

What else can merchants do to enhance payments security?

Investing in cybersecurity systems is just one way for merchants to improve payments security. In order to maximize security, merchants need to take a holistic approach. Here are some best practices to help you get started:

Familiarize yourself with compliance obligations

It’s essential that your compliance team has a thorough understanding of your obligations under PCI DSS, PSD2 and other security regulations. Not only will this help your company avoid potentially severe penalties and loss of consumer trust, but these requirements can also serve as a roadmap when piecing together your payments security strategy.

Conduct a risk assessment of your existing payments infrastructure

There may be security vulnerabilities within your payments infrastructure that you’re unaware of. A risk assessment can help you identify these gaps in coverage, as well as surface any other potential issues that may leave your business and your customers exposed to risk.

Establish strong security protocols and procedures

From setting access controls and conducting regular security audits to keeping software systems up to date and developing a comprehensive incident response plan, there’s no shortage of ways to strengthen your company’s payments security.

Train your staff on security risks

According to Verizon’s 2023 Data Breach Investigations Report, 74% of breaches involve a human element, such as social engineering attacks, errors or deliberate misuse. It’s important to make sure your employees fully understand your company’s security policies, how to use any cybersecurity systems you’ve invested in and what’s expected of them. It’s also important that your employees be able to recognize common forms of social engineering, such as phishing and pretexting.

Use strong, unique passwords

A simple, yet effective way to ensure that cardholder data stays out of the wrong hands is to require both your employees and your customers to use strong, unique passwords. Current guidance dictates that passwords should be long and use a combination of uppercase and lowercase letters, numbers and special characters. Additionally, passwords should not include personal details or easy-to-guess words or phrases.

Get an SSL certificate

An SSL certificate is a digital certificate issued by a Certificate Authority (CA) that verifies your website’s identity and establishes a secure connection for data transmission. The process for applying for an SSL certificate is fairly straightforward and involves demonstrating to a CA that you are who you claim to be and that your web server is capable of encrypting information in transit. Once you’ve received an SSL certificate, a small padlock icon will be added to your website’s browser address bar and an “https://” prefix will appear before your URL.

Accept secure forms of payment

Certain payment methods, such as EMV chip cards, online payment gateways and biometric payments, are secure by design. Offering your customers a wide variety of secure payment methods not only increases payments security, but also creates a frictionless shopping experience by enabling your customers to use their preferred payment methods. 

Verify every transaction

Don’t let a single, unsecured payment slip through the gaps; make sure that every transaction is legitimate. Running CNP transactions through fraud management solutions can stop fraudsters without upsetting customers, leaving only questionable transactions to verify through AVS, CVV or some other verification method.

Don’t store customer payment credentials that haven’t been tokenized

Keeping your customers’ unsecured credentials on file increases your company’s risk in the event of a data breach. By using tokenization to replace payment credentials with randomly generated, nonconvertible tokens and storing them within a secure token vault, you can protect you and your customers against potential risk.

Build robust customer profiles

Most merchants collect customer data in order to build out profiles for marketing personalization — but this data can also be used for security purposes. By applying behavioral analytics — a branch of data analysis that focuses on studying and interpreting patterns and behaviors within data — merchants can set baselines for consumer behavior. They can then monitor these baselines, identify anomalous (and potentially fraudulent) activity and take proactive measures to address risk.

How does ACI Worldwide support payments security?

ACI Worldwide has security and fraud solutions to protect payments in-store and online including:

  • ACI’s proven and scalable Point-to-Point Encryption (P2PE) solution encrypts payments card data within the POS PIN-entry device when it is captured, so no data is transmitted in the clear when requesting payment authorization. P2PE also ensures PCI compliance as the merchant POS never sees payments card data. The solution supports Verifone, Ingenico, PAX, Gilbarco, Dover-Wayne and other devices.
  • ACI’s omnitokens replace customers’ primary account numbers with unique, randomly generated numeric sequences. Compared to issuer- or acquirer-generated, single-use tokens, our omni-tokens can be associated with those tokens and used across channels, creating a seamless shopping experience for your customers. ACI facilitates all external processes, including authorization, fraud checks and settlement, on a merchant’s behalf, reducing your risk exposure.

The ACI Fraud Management for merchants solution also includes an extensive array of capabilities that make payments security simple. Here’s a sample:

  • Our digital identity solution leverages behavioral analytics, user data and over 10,000 data signals from multiple sources to authenticate transactions. In addition to enhancing payments security, this digital identification system reduces the rate of false positives, reducing cart abandonment and increasing conversion rates.
  • With incremental machine learning, merchants are able to apply ethical, responsible artificial intelligence to increase transparency around decision-making and enhance payments security. Compared to traditional machine learning models, incremental machine learning leverages both historical and live data to recognize and dynamically respond to changes, allowing for more sophisticated fraud management.

For more information about these tools — or any of the other offerings included in ACI Fraud Management for merchants — contact the ACI Worldwide team today.

Discover the Next Generation of Fraud Prevention for Merchants

Get a comprehensive look at incremental machine learning and how it can help you manage risk in the face of rapid change in this guide.