Payment security

How to ensure your website security?

2021 October 26


Website security has never been more important as the e-commerce market continues to grow year after year. Every day, fraudsters and scammers breach websites’ security for their own benefit. Far too many merchants invest nothing in security until it is too late. The damage done by fraudsters and scammers can devastate your ecommerce business.

In this article, we cover how to ensure your website security from different types of fraud and scams.

How to secure your website from payment fraud?

A common fraud type that ecommerce websites face is associated with payments.

Online payment processing is usually handled by payment service providers (PSPs). PSPs take serious security measures to protect their clients from scams and fraud. However, a merchant can still be held liable for not taking sufficient security measures of their own to avoid fraud.

A merchant that neglects to fight fraud and scams on their own side can be seriously fined.



1. hCaptcha or reCaptcha?

One of the important security measures we suggest to our merchants is implementing CAPTCHA. CAPTCHA systems have improved significantly in recent years and no longer create friction in the website experience.

We offer either reCAPTCHA or hCAPTCHA:

  • reCAPTCHA – made by Google; v2 introduced a method that only shows a CAPTCHA challenge if the website user’s activity (recorded from mouse movements and clicks) seems suspicious;
  • hCAPTCHA – an alternative to the more popular reCAPTCHA.

Using CAPTCHA protects your website from bots that attempt to complete a transaction with stolen or fake credentials.
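Adding the widget is only half of the job: the token it produces has to be verified on the server before the order is accepted, otherwise a bot can simply skip the widget. The following is an added example (not Cardinity’s code) showing that server-side step. It assumes the public siteverify endpoints of reCAPTCHA and hCaptcha, which both take the POST fields `secret`, `response` and `remoteip` and answer with JSON containing `success`, `hostname`, `challenge_ts` and `error-codes`; the secret and the sample replies are constructed placeholders.

```python
"""Server-side verification of a CAPTCHA token before a checkout is accepted.

Added example, not Cardinity's code. It assumes the public `siteverify`
endpoints of reCAPTCHA (https://www.google.com/recaptcha/api/siteverify)
and hCaptcha (https://hcaptcha.com/siteverify): both take the POST fields
`secret`, `response` and `remoteip` and reply with JSON containing
`success`, `hostname`, `challenge_ts` and `error-codes`.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

SITEVERIFY_URL = {
    "recaptcha": "https://www.google.com/recaptcha/api/siteverify",
    "hcaptcha": "https://hcaptcha.com/siteverify",
}


def post_siteverify(provider, secret, token, remote_ip):
    """Real network call to the provider; the demo below swaps in a stub."""
    body = urllib.parse.urlencode(
        {"secret": secret, "response": token, "remoteip": remote_ip}
    ).encode()
    with urllib.request.urlopen(SITEVERIFY_URL[provider], data=body, timeout=5) as resp:
        return json.load(resp)


def captcha_ok(verify_json, expected_hostname, now=None, max_age=timedelta(minutes=2)):
    """Decide whether a siteverify reply authorises this checkout.

    `success` alone is not enough: a token solved on a different site still
    verifies, so the hostname must match, and a stale token (for example a
    form left open for an hour) is rejected by checking `challenge_ts`.
    """
    if not verify_json.get("success"):
        return False, "captcha failed: %s" % verify_json.get("error-codes", [])
    if verify_json.get("hostname") != expected_hostname:
        return False, "token was solved for a different hostname"
    ts = verify_json.get("challenge_ts")
    if ts:
        solved_at = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        now = now or datetime.now(timezone.utc)
        if now - solved_at > max_age:
            return False, "captcha token too old"
    return True, "ok"


def check_checkout_captcha(provider, secret, token, remote_ip, expected_hostname,
                           transport=post_siteverify, now=None):
    """Gate used by the checkout handler: no token, or a bad one, means no order."""
    if not token:
        return False, "missing captcha token"
    reply = transport(provider, secret, token, remote_ip)
    return captcha_ok(reply, expected_hostname, now=now)


# Constructed siteverify replies standing in for the live endpoint.
FAKE_REPLIES = {
    "good": {"success": True, "hostname": "shop.example",
             "challenge_ts": "2021-10-26T10:00:00Z"},
    "other-site": {"success": True, "hostname": "evil.example",
                   "challenge_ts": "2021-10-26T10:00:00Z"},
    "stale": {"success": True, "hostname": "shop.example",
              "challenge_ts": "2021-10-26T08:00:00Z"},
    "bad": {"success": False, "error-codes": ["invalid-input-response"]},
}


def run_demo():
    """Run the gate against each constructed reply; returns {token: (ok, reason)}."""
    fixed_now = datetime(2021, 10, 26, 10, 0, 30, tzinfo=timezone.utc)
    stub = lambda provider, secret, token, ip: FAKE_REPLIES[token]
    return {
        token: check_checkout_captcha("hcaptcha", "SECRET-PLACEHOLDER", token,
                                      "203.0.113.5", "shop.example",
                                      transport=stub, now=fixed_now)
        for token in list(FAKE_REPLIES) + [""]
    }


if __name__ == "__main__":
    for token, (ok, reason) in run_demo().items():
        print(f"{token or '<missing>'!r:14} -> {'accept' if ok else 'reject'}: {reason}")
```

The providers already treat tokens as single-use and expire them on their side, so the hostname and age checks are the merchant’s own belt and braces; the important point is that the checkout handler never trusts the browser’s claim that a CAPTCHA was solved.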

2. Allow only registered users to make purchases

First of all, apply a rule that only allows purchases from registered users and disable the guest checkout option. This lets you control which users are able to make a transaction and keeps out fake buyers.

Allow only users who have email confirmed

Secondly, only allow purchases from registered users who have confirmed their email address. This is harder for bots to bypass.

By only allowing registered users to make a purchase, you gain control over your users. If a user attempts to complete a fraudulent transaction, you can block their account and their email address as well, so next time this person cannot use the same email for another fraud attempt.

Confirm a user

In some cases you can confirm that a user is who they claim to be. For example, if you provide marketing services for businesses, you can make sure that your buyer actually has a business (or website). Think about whether it is possible to check who you are selling to. Knowing which buyers are real, legitimate people makes fraudsters easy to spot.

You can achieve this by adding extra fields to the registration form, which helps you tell legitimate customers from fraudsters. In the marketing-service example, you can ask for a business name and check whether it exists.
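The three rules of this section (registered only, email confirmed, blocked accounts stay blocked) fit in one small checkout gate. Below is an added example, not Cardinity’s code: the user record fields (`registered`, `email`, `email_verified`), the HMAC-signed confirmation-link token and the email normalisation rule are all constructed for the demo, and the server secret is a placeholder. The normalisation is a heuristic that goes slightly beyond the text: it stores blocked addresses in a canonical form so that a blocked buyer cannot re-register with a `+tag` or extra dots in the same mailbox.

```python
"""Registered-and-confirmed checkout gate with a fraud blocklist.

Added example, not Cardinity's code. The user record fields, the
HMAC-signed confirmation token format and the email normalisation rule
are constructed for this demo; the server secret is a placeholder.
"""
import base64
import hashlib
import hmac
import time

SERVER_SECRET = b"PLACEHOLDER-rotate-and-load-from-config"


def normalize_email(email):
    """Canonical form used for the blocklist, so a blocked buyer cannot simply
    re-register as john.doe+2@gmail.com after johndoe@gmail.com was blocked.
    Heuristic: lower-case, drop the +tag, and ignore dots for Gmail addresses."""
    local, _, domain = email.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


def make_confirmation_token(email, now=None, ttl=24 * 3600):
    """Token embedded in the confirmation link; expires after `ttl` seconds."""
    now = int(time.time()) if now is None else int(now)
    payload = f"{normalize_email(email)}|{now + ttl}".encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_confirmation_token(token, now=None):
    """Return the confirmed email, or None if the token is forged or expired."""
    now = int(time.time()) if now is None else int(now)
    try:
        b64, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    email, _, expires = payload.decode(errors="replace").rpartition("|")
    if not expires.isdigit() or now > int(expires):
        return None
    return email


def can_checkout(user, blocklist):
    """Apply the three rules: registered, email confirmed, not on the blocklist."""
    if user is None or not user.get("registered"):
        return False, "guest checkout is disabled; please register"
    if not user.get("email_verified"):
        return False, "confirm your email address before buying"
    if normalize_email(user["email"]) in blocklist:
        return False, "account blocked after a fraudulent transaction"
    return True, "ok"


def block_user(user, blocklist):
    """Called when a transaction is found fraudulent: bar the account and its email."""
    user["registered"] = False
    blocklist.add(normalize_email(user["email"]))


if __name__ == "__main__":
    blocklist = set()
    alice = {"registered": True, "email": "Alice.Smith+shop@gmail.com", "email_verified": True}
    print(can_checkout(alice, blocklist))
    block_user(alice, blocklist)
    # Same mailbox, new account, slightly different spelling: still caught.
    alice2 = {"registered": True, "email": "alicesmith@gmail.com", "email_verified": True}
    print(can_checkout(alice2, blocklist))
    token = make_confirmation_token("bob@example.org")
    print(verify_confirmation_token(token))
```

The token is what the confirmation link carries; because it is signed with a server-side secret and carries its own expiry, the server needs no database row per pending confirmation and a guessed or edited link fails verification.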

3. Limit the number of declined transactions for a single user

There may be multiple attempts to complete a fraudulent transaction. Most such transactions will be declined, but by trial and error fraudsters can eventually get past security and complete a purchase.

First of all, if possible, monitor the transactions made on your website. For example, if multiple transactions from the same user or IP address, or within a short period of time, are declined, it may be a sign of fraud. Also watch for users who try multiple cards whose transactions are declined.

Secondly, you can limit failed transactions per checkout. For example, if a buyer fails to complete a purchase after several attempts, you can block that user (or IP address) from making further transactions. Legitimate buyers are likely to complete their purchase successfully, so a rule that stops users from making unlimited declined attempts secures your website against fraudsters.
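The monitoring and the per-user limit described above can be expressed as a sliding-window counter over the PSP’s results. The following is an added example, not Cardinity’s code; the transaction records are constructed (RFC 5737 test addresses, made-up user ids and card fingerprints), and the thresholds (three declines in ten minutes, three distinct cards) are illustrative values to tune for your shop.

```python
"""Spotting bursts of declined transactions per user and per IP address.

Added example, not Cardinity's code. The transaction records below are
constructed; map the fields onto your PSP's callback or export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log: (timestamp, user_id, client_ip, card_fingerprint, status)
SAMPLE_TXNS = [
    ("2021-10-26T10:00:00", "u1", "203.0.113.5", "card_a", "declined"),
    ("2021-10-26T10:00:20", "u1", "203.0.113.5", "card_b", "declined"),
    ("2021-10-26T10:00:45", "u1", "203.0.113.5", "card_c", "declined"),
    ("2021-10-26T10:01:10", "u1", "203.0.113.5", "card_d", "approved"),  # must be refused by the rule
    ("2021-10-26T10:05:00", "u2", "198.51.100.7", "card_e", "declined"),
    ("2021-10-26T10:30:00", "u2", "198.51.100.7", "card_e", "approved"),  # ordinary retry, fine
    ("2021-10-26T11:00:00", "u3", "203.0.113.9", "card_f", "declined"),
    ("2021-10-26T11:00:05", "u4", "203.0.113.9", "card_g", "declined"),
    ("2021-10-26T11:00:09", "u5", "203.0.113.9", "card_h", "declined"),
]


class DeclineMonitor:
    """Sliding-window decline counters keyed by ("user", id) and ("ip", addr)."""

    def __init__(self, max_declines=3, window=timedelta(minutes=10), max_cards=3):
        self.max_declines = max_declines
        self.window = window
        self.max_cards = max_cards
        self.declines = defaultdict(deque)  # key -> timestamps of recent declines
        self.cards = defaultdict(set)       # user -> distinct cards tried
        self.blocked = set()                # keys that may no longer transact

    def is_blocked(self, user, ip):
        return ("user", user) in self.blocked or ("ip", ip) in self.blocked

    def observe(self, ts, user, ip, card, status):
        """Record one PSP result; returns the alerts it raised."""
        t = datetime.fromisoformat(ts)
        alerts = []
        self.cards[user].add(card)
        if len(self.cards[user]) == self.max_cards:
            alerts.append(("many-cards", ("user", user)))
        if status != "declined":
            return alerts
        for key in (("user", user), ("ip", ip)):
            recent = self.declines[key]
            recent.append(t)
            while recent and t - recent[0] > self.window:  # drop declines outside the window
                recent.popleft()
            if len(recent) >= self.max_declines and key not in self.blocked:
                self.blocked.add(key)
                alerts.append(("decline-burst", key))
        return alerts


def process(txns, monitor):
    """Apply the block before each attempt, then learn from its outcome."""
    log = []
    for ts, user, ip, card, status in txns:
        if monitor.is_blocked(user, ip):
            log.append((ts, user, "refused-by-rule", []))
            continue
        log.append((ts, user, status, monitor.observe(ts, user, ip, card, status)))
    return log


def run_demo():
    monitor = DeclineMonitor()
    return monitor, process(SAMPLE_TXNS, monitor)


if __name__ == "__main__":
    monitor, log = run_demo()
    for ts, user, outcome, alerts in log:
        print(ts, user, outcome, *alerts)
    print("blocked:", sorted(monitor.blocked))
```

Note the order of operations in `process`: the block is checked before the attempt is sent to the PSP, so u1’s fourth card, which would have been approved, is refused; u2’s single decline followed by a successful retry half an hour later raises nothing, which is the legitimate-buyer case from the text.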

4. Use 3D Secure

3D Secure is a tool set by the European Council for Strong Customer Authentication (SCA). It ensures the security of your card transactions.

The newest version, 3D Secure 2.0, requests additional authentication from cardholders for high-risk transactions. It introduces more authentication methods: the customary one-time passcode, knowledge-based questions, bank app credentials, and biometrics.

Use 3D Secure because it provides additional security without interrupting the checkout experience for customers: only high-risk transactions are prompted with 3D Secure 2.0.

How to secure your website from scammers?

Some fraudsters and scammers are not after the payment system but after the website’s data. These fraud cases involve fraudsters and scammers gaining access to websites to obtain data.

Fraudsters who gain access to your website’s internal systems can do serious damage. We suggest taking the following measures to ensure your website security.

1. Use HTTP with SSL (HTTPS)

Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It adds security by protecting your website from attacks launched from compromised or insecure networks.

This is not only a security tip, but also good for the performance of your website. When visitors access a website that does not have HTTPS, their browser warns them that the connection is insecure. Potential buyers may avoid your website if you do not use this standard.

2. Promote good password habits

Users usually choose the same password for multiple online accounts. While this is convenient for us, it makes things easier for fraudsters.

By promoting good password hygiene on your website, you protect your customers’ data and their accounts from being hacked. Good practices that you can implement:

  • two-factor authentication – an additional login confirmation step via a one-time password;
  • require length over complexity when creating an account; good passwords should be long rather than include many different kinds of symbols;
  • protect your stored list of users’ passwords.
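All three practices can be implemented with the Python standard library alone. The block below is an added example, not Cardinity’s code: a length-over-complexity password check with a small deny-list (a constructed stand-in for a real breached-password list), salted PBKDF2-HMAC-SHA256 storage so that the “password list” you protect never contains passwords, and an RFC 4226/6238 HOTP/TOTP implementation for the one-time-password second factor. The RFC test secret `12345678901234567890` is used only to show the known test vector.

```python
"""Password policy, password storage and a one-time-password second factor.

Added example, not Cardinity's code. Standard library only: PBKDF2-HMAC-SHA256
for storage and RFC 4226/6238 HOTP/TOTP for the second factor. DENY_LIST is a
constructed stand-in for a real breached-password list.
"""
import hashlib
import hmac
import os
import time

MIN_LENGTH = 12
MAX_LENGTH = 128
DENY_LIST = {"password1234", "123456789012", "qwertyuiop12"}  # constructed; use a real breached list


def check_password_policy(pw):
    """Length over complexity: a minimum length and a deny-list, no symbol rules."""
    if len(pw) < MIN_LENGTH:
        return False, f"use at least {MIN_LENGTH} characters; a passphrase is fine"
    if len(pw) > MAX_LENGTH:
        return False, f"use at most {MAX_LENGTH} characters"
    if pw.lower() in DENY_LIST:
        return False, "that password is too common"
    return True, "ok"


def hash_password(pw, iterations=600_000):
    """Store a salted, deliberately slow hash, never the password itself."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(pw, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, code, at=None, step=30, window=1):
    """Accept the current code and its neighbours to allow for clock drift."""
    at = time.time() if at is None else at
    return any(
        hmac.compare_digest(totp(secret, at + drift * step, step), code)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    print(check_password_policy("P@ss1"))
    print(check_password_policy("correct horse battery staple"))
    stored = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", stored), verify_password("wrong", stored))
    # RFC 6238 test secret; at t=59 s the 6-digit TOTP is 287082 (RFC 4226 counter 1)
    print(totp(b"12345678901234567890", at=59))
```

The user’s TOTP secret must be stored encrypted at rest (it is a shared secret, not a hash), and a used code should be remembered for one step so it cannot be replayed within the acceptance window; both are left out here to keep the block focused.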

3. Make sure your site is PCI DSS compliant

Payment Card Industry Data Security Standard (PCI DSS) compliance is a set of security measures for websites to protect their card payments. There are 12 requirements overall, but they can be summarized as:

  • Have a secure business network and regularly maintain it.
  • Protect cardholder data.
  • Maintain a vulnerability management program.
  • Install strong access control measures.
  • Maintain a policy that addresses information security.

Make sure that your servers, your hosting plan, and your ecommerce and shopping-cart applications also comply. Choose these components for your ecommerce site with PCI DSS in mind.

4. Don’t store sensitive personal data

The best way to avoid data breaches is to avoid storing data in the first place. Re-evaluate which personal data you store and which of it you really need to keep. Regularly review these records and delete data you no longer have a use for. Store the data you keep under multiple security measures and make it hard to access.

Attacks in which fraudsters extract data from your website can result in fines for leaking customers’ personal data. You can also use third-party software to handle this for you, but be sure that it has been rigorously tested and validated for the task.

5. Keep your software up to date and use firewalls

If you host your site on an ecommerce platform, make sure your software is up to date. Updates are rarely a bad thing, as they bring performance as well as security improvements. Furthermore, use firewalls – third-party software that does the work of keeping fraudsters away for you. Nowadays, these can easily be installed via built-in plugins or premade libraries.

Other tips

  1. Back up your site data regularly.
  2. Check the web root folder for suspicious files.
  3. Periodically monitor payment statuses and decline reasons.
  4. Do not ship the items and freeze the order if you question the legitimacy of a transaction.
  5. If a transaction is proved to be fraudulent, immediately refund the charge to the cardholder; otherwise, the legitimate cardholder may demand a chargeback.
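Tip 2, checking the web root for suspicious files, is easiest to do reliably against a baseline taken right after each deployment. The following is an added example, not Cardinity’s code: it hashes every file under the web root, diffs the result against the saved baseline, and flags server-side code sitting in directories that should only hold uploads or generated static content. The extension and directory lists are constructed for the demo and should be adapted to your stack; the directory tree is built in a temporary folder so the script runs offline.

```python
"""Baseline-and-compare check of the web root for unexpected files.

Added example, not Cardinity's code. Hashes every file under the web root,
diffs against a saved baseline, and flags server-side code in places that
should only hold static content. The demo tree is constructed in a
temporary folder so it runs offline.
"""
import hashlib
import json
import os
import tempfile

# Extensions the web server would execute; constructed list, extend for your stack.
SERVER_SIDE_EXT = {".php", ".phtml", ".php5", ".pl", ".cgi", ".sh", ".exe"}
# Directories that should only ever hold uploads or generated static content.
STATIC_ONLY_DIRS = {"uploads", "media", "cache", "tmp"}


def snapshot(root):
    """Map relative path -> SHA-256 for every regular file below root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            result[rel] = h.hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Added, removed and modified paths between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def suspicious_paths(paths):
    """Server-side code inside a static-only or hidden (dot) directory."""
    hits = []
    for rel in paths:
        parts = rel.split("/")
        ext = os.path.splitext(parts[-1])[1].lower()
        in_static_dir = any(p in STATIC_ONLY_DIRS for p in parts[:-1])
        hidden = any(p.startswith(".") for p in parts[:-1])
        if ext in SERVER_SIDE_EXT and (in_static_dir or hidden):
            hits.append(rel)
    return sorted(hits)


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def run_demo():
    """Build a constructed web root, take a baseline, change it, and compare."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", b"<?php echo 'shop'; ?>")
        _write(root, "css/site.css", b"body{}")
        _write(root, "uploads/logo.png", b"\x89PNG fake")
        baseline = snapshot(root)              # in practice: taken after each deploy
        baseline_json = json.dumps(baseline)   # and stored outside the web root

        _write(root, "index.php", b"<?php echo 'shop'; ?> <!-- changed -->")
        _write(root, "uploads/.cache/x.php", b"<?php /* unexpected */ ?>")
        os.remove(os.path.join(root, "css/site.css"))

        current = snapshot(root)
        changes = diff_snapshots(json.loads(baseline_json), current)
        changes["suspicious"] = suspicious_paths(current)
        return changes


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Keep the baseline file outside the web root (and ideally off the server, next to the backups from tip 1), otherwise anyone who can write to the web root can also rewrite the baseline.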


Open a merchant account for free
and start processing payments with Cardinity!