Securing Online Payments – Expert Takeaways & Direct Recommendations

The BSI’s Secure Payments in E-Commerce guide confirms what we already know: payment security isn’t just about compliance, it’s about trust, conversion, and brand resilience.

Here’s how shops, eCommerce platform developers, and vendors should act to stay secure and compliant.


1️⃣ PSD2 & Strong Customer Authentication (SCA)

What it is: PSD2 mandates two or more independent authentication factors drawn from the categories knowledge, possession, and inherence. Exemptions exist (e.g. low-value transactions, whitelisted recipients).

Recommendations:

  • For merchants: Ensure your payment provider supports dynamic SCA methods (biometrics, app-based push-TAN) — static passwords alone are no longer enough.
  • For developers/vendors: Build flexible checkout flows that can handle both SCA-required and exempted transactions without breaking the customer journey.
  • For both: Monitor transactions that fall under exemptions — fraudsters often target these.

2️⃣ Tokenization – The Silent Security Workhorse

What it is: Replaces the actual card number (PAN) with a merchant-specific token. If stolen, it’s useless elsewhere.

Recommendations:

  • For merchants: Choose payment processors that tokenise all stored card data, especially for subscriptions or “save card” features.
  • For developers: Never store PAN or CVC in your systems — integrate PCI DSS-compliant token APIs.
  • For both: Regularly audit whether tokenisation is applied end-to-end (from checkout to recurring billing).

3️⃣ 3D-Secure 2.x – Balancing Fraud Prevention & Conversion

What it is: An authentication layer (Mastercard Identity Check, Visa Secure, etc.) that meets PSD2’s SCA requirements.

Recommendations:

  • For merchants: Activate 3D-Secure 2.x on all card transactions — but enable frictionless flow for trusted, low-risk customers.
  • For developers: Optimise 3D-Secure integration for mobile-first and responsive checkouts; poorly implemented 3DS causes cart abandonment.
  • For both: Test the customer journey under various scenarios — authentication failures should gracefully fall back to retry options.

4️⃣ Mobile Wallets – Not All Equal in Security

What it is: Apple Pay and Google Pay both use tokenisation, but differ in device-level protection (Apple Pay uses a hardware Secure Element, Google Pay often relies on software).

Recommendations:

  • For merchants: Clearly display supported wallets and educate customers on security benefits — Apple Pay for iOS users, Google Pay for Android.
  • For developers: Implement wallet payments natively in checkout to avoid redirect-based friction.
  • For both: Maintain fallback payment options that still meet SCA — don’t force customers to downgrade security.

5️⃣ Method-Specific Risks – Know Your Weak Points

  • Credit cards without 3D-Secure: High fraud risk, merchant sees card data.
  • Sofortüberweisung/Klarna: Credentials shared with third-party provider.
  • PayPal: Security heavily depends on user enabling two-factor authentication.

Recommendations:

  • For merchants: Limit or remove non-SCA card payments; require PayPal 2FA for high-value orders.
  • For developers: Build admin tools so merchants can enforce these payment rules without code changes.
  • For both: Map each payment option into a risk matrix and align fraud monitoring accordingly.

6️⃣ End-User Device Security – The Overlooked Risk

What it is: Even the most secure payment flow fails if the customer’s device is compromised.

Recommendations:

  • For merchants: Display in-checkout reminders to update devices and avoid rooted/jailbroken phones.
  • For developers: Detect high-risk device environments and trigger additional SCA steps.
  • For both: Disable “stay logged in” options by default for wallets and payment accounts.
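As an added illustration (not from the BSI guide or this post), here is a Python decision routine that combines the points from sections 1, 5 and 6: a per-method risk matrix, the PSD2 low-value and trusted-beneficiary exemptions, a device-risk override that forces a challenge, and a monitor flag on every exempted transaction so fraud monitoring can watch them. The thresholds are assumed from the PSD2 RTS (Art. 16), the risk levels are assumptions, and the merchant and method names are constructed.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Low-value thresholds assumed from the PSD2 RTS (Art. 16); PSPs may apply stricter ones.
LOW_VALUE_LIMIT, CUMULATIVE_LIMIT, MAX_CONSECUTIVE_EXEMPT = Decimal("30"), Decimal("100"), 5
# Constructed risk matrix for the payment methods the post lists (section 5).
METHOD_RISK = {
    "card_3ds2": "low",           # 3D-Secure 2.x, SCA-capable
    "card_no_3ds": "high",        # merchant sees card data, no SCA
    "wallet_apple_pay": "low",    # tokenised, hardware Secure Element
    "wallet_google_pay": "medium",
    "paypal": "medium",           # depends on user-side 2FA
}

@dataclass
class Payer:
    cumulative_exempt: Decimal = Decimal("0")   # amount exempted since last SCA
    consecutive_exempt: int = 0                 # exemptions since last SCA
    trusted_beneficiaries: set = field(default_factory=set)  # whitelisted merchants
    device_high_risk: bool = False              # e.g. rooted/jailbroken signal

def decide(amount, method, merchant_id, payer):
    """Return {'action', 'reason', 'monitor'}. Exempted transactions carry
    monitor=True so fraud monitoring can watch them, as section 1 recommends."""
    amount = Decimal(amount)
    if METHOD_RISK.get(method, "high") == "high":
        return {"action": "reject", "reason": "non-SCA method disabled", "monitor": False}
    if payer.device_high_risk:
        return {"action": "challenge", "reason": "high-risk device", "monitor": False}
    if merchant_id in payer.trusted_beneficiaries:
        return {"action": "exempt", "reason": "trusted beneficiary", "monitor": True}
    if (amount <= LOW_VALUE_LIMIT
            and payer.cumulative_exempt + amount <= CUMULATIVE_LIMIT
            and payer.consecutive_exempt < MAX_CONSECUTIVE_EXEMPT):
        return {"action": "exempt", "reason": "low value", "monitor": True}
    return {"action": "challenge", "reason": "SCA required", "monitor": False}

def simulate(payer, txs):
    """Process (amount, method, merchant_id) tuples in order, keeping the Art. 16 counters."""
    actions = []
    for amount, method, merchant_id in txs:
        d = decide(amount, method, merchant_id, payer)
        if d["action"] == "exempt":
            payer.cumulative_exempt += Decimal(amount)
            payer.consecutive_exempt += 1
        elif d["action"] == "challenge":  # assumes the challenge completed successfully
            payer.cumulative_exempt, payer.consecutive_exempt = Decimal("0"), 0
        actions.append(d["action"])
    return actions
```

Running six 20.00 card transactions through `simulate` yields five exemptions and then a challenge, because the fifth exhausts the consecutive-count limit.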

Bottom Line


Security in eCommerce isn’t a single switch — it’s an architecture of choices. Merchants, developers, and payment vendors need to combine regulatory compliance, technical safeguards, and UX optimisation to achieve both protection and conversion.
