security posted in security  on 24 December 2009
by Andrew Lang 
View by Categories | View By Latest

Should you really take payments directly on your website?

One dilemma a lot of people have with selling online is whether to take credit/debit card payments directly on their site, or to delegate this job and send shoppers to a 3rd party payment processor (e.g. WorldPay, PayPal) to deal with the payment on their site.

The advantages with taking payment directly on your site :-
  • It's a smoother process, people never effectively leave your site
  • There's a perception that you are more professional since you're taking payments on your site
However, there are disadvantages too:-
  • You must be PCI DSS compliant
  • If you're actually storing credit card information on your servers, you're automatically a big target for hackers
  • Will the merchant keep my credit card details? It's not always clear if this is the case unless the payment process is using a well known system like PayPal Payments Pro - in which case, PayPal store those details
  • There's a growing number of shoppers who prefer to give their credit card details on a large, well known payment processor (e.g. Google Checkout, WorldPay, PayPal) than what would appear to be a "roll your own" payment processor direct on your site
As a website developer, I am one of those people who prefer to pay on a payment gateway website like PayPal directly. After all, if I only have a choice to buy directly on the site I'm shopping on, how do I know that the site I'm buying from is actually PCI DSS compliant? How do I know how they store my credit card details? What if the site gets hacked? Is the site actually legitimate i.e. can I trust them with my credit card information?

Packages like PayPal Payments Pro address such concerns by making sure credit card information is stored on PayPal's servers, not the merchant's servers, but the merchant must still be PCI DSS compliant and ensure the credit card details are transmitted securely to PayPal. Problems still remain however: perhaps the site I'm buying from is spoofing a PayPal Payments pro checkout, and is keylogging my keystrokes, or transmitting them to a 3rd party server after I click the submit button? Most people just look for the padlock on a site (which shows the site has been issued a Secure Socket Layer - SSL - certificate), and if it's there "it must be safe". The trouble is, SSL certificates are both cheap and easy to obtain.

It's better to share your credit card details with as few web servers as possible. My credit card details are only as safe as the website with the weakest security measures that I shared those details with. This is why I insist on paying on payment gateway sites (and after checking the URL in the browser as these can be spoofed too!).

For merchants, it may soon become a preferred payment method for the majority of shoppers to be sent to a familiar payment gateway than it is to pay direcly on the merchant's website and have to trust the merchant's carried out all the correct procedures (or aren't spoofing a payment page).

Share this article:

view my profile on Google+