Secure Online Payments: Present and Future

18/09/2019

Internet payment is the most widely used method by younger generations and increasingly by the general population. The future of purchases and transactions of all kinds is shaping up to be online, already becoming a growing reality. Therefore, it is imperative to develop an environment that is as secure as possible for the consumer.

PRESENT: Card Payment, Secure Payment Gateways.

Currently, a payment gateway has to provide several security measures; let's analyze the requirements it must meet:

- PCI DSS Regulation (Payment Card Industry Data Security Standard)

It establishes a worldwide security standard that includes a set of technical and operational requirements to protect the sensitive information of cardholders. It is mandatory for all companies that accept, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD).

It includes 12 requirements:

1. Install and maintain a firewall configuration to protect cardholder data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data across open, public networks.

5. Use and regularly update anti-virus software or programs.

6. Develop and maintain secure systems and applications.

7. Restrict access to cardholder data by business need-to-know.

8. Assign a unique ID to each person with computer access.

9. Restrict physical access to cardholder data.

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes.

12. Maintain a policy that addresses information security for all personnel.

- Tokenizing sensitive information.

Tokenization involves replacing the PAN (Primary Account Number) of credit and debit cards with a randomly generated sequence of digits (the token) that carries no meaning on its own and cannot be reversed to recover the PAN. Card digits remain secure because the merchant and its systems handle tokens instead of real payment information.

The operation can be summarized in three phases:

* Provisioning: the customer is issued a token linked to their PAN, and from then on the merchant holds only the token.

* Validation: the token is sent to the card network to process the transaction; the network detokenizes it, obtains the PAN, forwards it to the cardholder's bank, and receives the validation from that financial institution.

* Authorization: once the transaction validation is received, the network re-tokenizes the PAN and sends the authorization to the seller.
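The three phases above, worked through as an added example that is not code from the original post, from Redsys, or from any card network. It models a token vault (the only place where a token can be mapped back to a PAN), a merchant that stores nothing but the token, and a toy issuer; the HMAC key, the in-memory dictionaries, the issuer balances and the test PAN are constructed assumptions. Two checks a practitioner would want are included: PANs are Luhn-validated before provisioning, and a candidate token that happens to pass Luhn is discarded so a token can never be mistaken for a live card number downstream.

```python
import hashlib
import hmac
import secrets

# Added example, not code from Redsys, Inversa or any card network: a minimal
# token vault modelling the three tokenization phases (provisioning,
# validation, authorization). The HMAC key, the in-memory dictionaries and
# the toy issuer are constructed assumptions for the demo.


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check that card networks use to catch mistyped PANs."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form that keeps only the last four digits (how stored CHD is shown in practice)."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Holds the only token-to-PAN mapping; assumed to sit inside PCI DSS scope."""

    def __init__(self, key: bytes):
        self._key = key                   # assumption: secret key known to the vault only
        self._token_to_pan = {}           # would be encrypted at rest in a real vault
        self._fingerprint_to_token = {}   # HMAC(PAN) -> token, for idempotent provisioning

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash: a plain SHA-256 of a 16-digit PAN could be brute-forced
        # over the whole number space; an HMAC with a secret key cannot.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def provision(self, pan: str) -> str:
        """Phase 1: issue a token for a PAN; the same PAN always gets the same token."""
        if not luhn_valid(pan):
            raise ValueError("PAN failed Luhn check")
        fp = self._fingerprint(pan)
        if fp in self._fingerprint_to_token:
            return self._fingerprint_to_token[fp]
        while True:
            # 12 random digits plus the real last four so receipts can show them.
            # A candidate that passes Luhn is discarded: a token must never be
            # mistakable for a live card number by downstream systems.
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
            if token != pan and not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._fingerprint_to_token[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Called by the network only; the merchant never holds the PAN."""
        return self._token_to_pan[token]  # KeyError for an unknown token


def issuer_validate(pan: str, amount: int, balances: dict) -> bool:
    """Phase 2 stand-in for the cardholder's bank: approve while funds cover the amount."""
    if balances.get(pan, 0) < amount:
        return False
    balances[pan] -= amount
    return True


def network_authorize(vault: TokenVault, token: str, amount: int, balances: dict) -> dict:
    """Phases 2 and 3 as seen from the network: detokenize, ask the issuer, and
    answer the merchant with the token and a masked PAN, never the PAN itself."""
    try:
        pan = vault.detokenize(token)
    except KeyError:
        return {"token": token, "approved": False, "reason": "unknown token"}
    approved = issuer_validate(pan, amount, balances)
    return {"token": token, "approved": approved, "card": mask_pan(pan)}


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    issuer_balances = {"4111111111111111": 100}      # constructed test PAN and balance
    tok = vault.provision("4111111111111111")        # the merchant stores only tok
    print(tok, network_authorize(vault, tok, 60, issuer_balances))
```

The design point is the boundary: `detokenize` exists only on the vault, `network_authorize` returns a masked PAN and the token, and a merchant database compromise therefore yields tokens that are worthless outside the vault.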

- 3D Secure Protocol.

It is designed to prevent card fraud in card-not-present transactions, that is, transactions where the physical card is not presented.

It is an anti-fraud technology built on encrypted communication. At the time of payment, it ensures that the user identifies and authenticates themselves as the cardholder by entering additional data. The verification is done through a direct connection from the customer to their bank. The bank authenticates the buyer's identity (legitimacy) by requesting additional, complementary information such as a PIN or password, an SMS code, a token-generated code, a mobile app code, a coordinate-card code, a date of birth, or other personal data.

Now that we have covered the different security measures that a payment gateway must provide, let's look at one specific gateway, Redsys, which is the nerve center of most payment transactions that occur in Spain, including those of Inversa through Paymático (a segregated custody account for money).

To give us an idea, some of its partners are:

Abanca, Banco Bilbao Vizcaya, Banca March, Banco Sabadell, Banco Mediolanum, Banco Santander, Bankia, Bankinter, Barclays, Caixa Rural Galega, among others.

Redsys offers solutions based on redirecting the buyer to a payment page hosted on its secure servers. Through its online payment gateway, it offers a Risk Control Tool that allows merchants to create rules with combinable parameters. Its active fraud prevention service uses a neural network that learns and refines its model from the experience accumulated day by day. Additionally, Redsys applies a second level of security when necessary (3D Secure authentication) and offers a tokenization service.
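To show what "rules with combinable parameters" means in practice, here is an added example that is not the Redsys Risk Control Tool or any code from the original post: a small rule engine where each rule contributes points, the points add up to a risk score, and the score decides between approving, stepping up to a 3D Secure challenge, or denying. The rules, point values, thresholds and the sample transactions are all constructed assumptions; a real tool exposes many more parameters and tunes them per merchant.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example (constructed; not the Redsys Risk Control Tool): a rule engine
# with combinable parameters evaluated over constructed transactions.


@dataclass
class Txn:
    txn_id: str
    token: str           # the merchant holds a token, never the PAN
    amount_eur: float
    card_country: str    # country of the issuing bank
    ip_country: str      # country geolocated from the buyer's IP
    ts: int              # Unix seconds


# Each rule is (name, predicate(txn, prior_txns_for_same_token), points).
# Rules combine additively: the risk score is the sum of points of all rules that fire.
def amount_over(limit_eur):
    return lambda t, prior: t.amount_eur > limit_eur


def country_mismatch():
    return lambda t, prior: t.card_country != t.ip_country


def velocity(max_prior, window_s):
    # Fires when the same token already has max_prior or more transactions inside the window.
    return lambda t, prior: sum(1 for p in prior if t.ts - p.ts <= window_s) >= max_prior


RULES = [                                   # assumption: values tuned per merchant
    ("amount_over_500", amount_over(500), 40),
    ("country_mismatch", country_mismatch(), 30),
    ("velocity_3_in_10min", velocity(3, 600), 50),
]

THRESHOLDS = {"challenge": 40, "deny": 70}  # assumption: tuneable per merchant


def score(txn, prior, rules=RULES):
    """Return (points, names of rules that fired) for one transaction."""
    matched = [name for name, pred, _ in rules if pred(txn, prior)]
    points = sum(pts for name, _, pts in rules if name in matched)
    return points, matched


def decide(points, thresholds=THRESHOLDS):
    if points >= thresholds["deny"]:
        return "deny"
    if points >= thresholds["challenge"]:
        return "challenge"                  # step up to 3D Secure authentication
    return "approve"


def run(txns, rules=RULES):
    """Evaluate transactions in time order, keeping per-token history for velocity rules."""
    history = defaultdict(list)
    decisions = {}
    for t in sorted(txns, key=lambda x: x.ts):
        pts, matched = score(t, history[t.token], rules)
        decisions[t.txn_id] = (decide(pts), pts, matched)
        history[t.token].append(t)
    return decisions


SAMPLE = [  # constructed sample traffic
    Txn("t1", "tok-A", 45.0, "ES", "ES", 1000),
    Txn("t2", "tok-A", 620.0, "ES", "ES", 1100),
    Txn("t3", "tok-B", 80.0, "ES", "BR", 1200),
    Txn("t4", "tok-B", 90.0, "ES", "BR", 1260),
    Txn("t5", "tok-B", 95.0, "ES", "BR", 1320),
    Txn("t6", "tok-B", 700.0, "ES", "BR", 1380),
]

if __name__ == "__main__":
    for txn_id, (decision, pts, matched) in run(SAMPLE).items():
        print(txn_id, decision, pts, matched)
```

In the sample, `t2` trips only the amount rule and is sent to a challenge, `t3` to `t5` each carry a single geography mismatch and pass, and `t6` combines amount, mismatch and velocity into a denial; the value of combinable rules is exactly that no single parameter has to be strict enough to block legitimate buyers.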

Redsys is a processing provider, but it is the financial institutions, as card issuers, that authorize or deny operations, perform charges and reversals on their accounts, and handle all aspects related to their management. The entity with which the contract was signed, through its payment media center, will be responsible for reviewing, investigating, and resolving problems raised with the use of the card.

FUTURE: Mobile Replaces Cards.


On September 14th, the new Payment Services Directive known as PSD2 came into force, approved by the European Banking Authority to improve security in online payments, requiring providers to demand at least two elements to verify the buyer's identity (two-factor authentication).

Likewise, the new technical standards will require banks to create communication platforms to ensure third-party access, particularly from financial technology companies (fintech), to their clients' banking data easily and securely.

Online businesses that do not have a reinforced authentication system in their payments will have to adapt the payment gateway to the new directive.
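The "two elements" requirement above, together with the 3D Secure challenge described earlier (the bank authenticating the buyer with a password, an SMS or app code, and so on), worked through as an added example that is not code from the original post, from Redsys, from EMVCo or from any issuer. It models the issuer side of a challenge: a knowledge factor (password checked against an scrypt hash) and a possession factor (a time-based one-time code from the cardholder's device, TOTP per RFC 6238 with HMAC-SHA1). Authentication succeeds only when both categories pass; the user record, the lockout limit and the 30-second time step are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Added example, not code from Redsys, EMVCo or any issuer: an issuer-side
# challenge that only succeeds when two elements from different categories
# are presented. Knowledge factor: password verified against an scrypt hash.
# Possession factor: time-based one-time code from the cardholder's device
# (TOTP, RFC 6238, HMAC-SHA1). The user record, the lockout limit and the
# 30-second step are constructed assumptions.


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Issuer:
    """Toy cardholder bank answering the authentication step of a 3D Secure challenge."""

    MAX_FAILURES = 5   # consecutive failed challenges before the card is locked out

    def __init__(self):
        self._users = {}
        self._failures = {}

    def enroll(self, user: str, password: str, device_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = {
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "device_secret": device_secret,   # shared with the cardholder's authenticator app
        }

    def _check_password(self, rec: dict, password) -> bool:
        if password is None:
            return False
        return hmac.compare_digest(rec["pw_hash"], hash_password(password, rec["salt"]))

    def _check_totp(self, rec: dict, code, now: int) -> bool:
        if code is None:
            return False
        # Accept the current step and one step either side to absorb clock drift;
        # compare_digest keeps the comparison constant-time.
        return any(hmac.compare_digest(totp(rec["device_secret"], now + d), code)
                   for d in (-30, 0, 30))

    def authenticate(self, user: str, password=None, code=None, now=None) -> dict:
        """Strong customer authentication: two passed factors of different categories."""
        now = int(time.time()) if now is None else now
        rec = self._users.get(user)
        if rec is None or self._failures.get(user, 0) >= self.MAX_FAILURES:
            return {"authenticated": False, "factors": [], "reason": "unknown user or locked"}
        passed = set()
        if self._check_password(rec, password):
            passed.add("knowledge")
        if self._check_totp(rec, code, now):
            passed.add("possession")
        ok = len(passed) >= 2            # each category counts once, so two means two categories
        self._failures[user] = 0 if ok else self._failures.get(user, 0) + 1
        return {"authenticated": ok, "factors": sorted(passed)}


if __name__ == "__main__":
    bank = Issuer()
    device_secret = secrets.token_bytes(20)                 # constructed device secret
    bank.enroll("cardholder", "correct horse battery", device_secret)
    print(bank.authenticate("cardholder", "correct horse battery",
                            totp(device_secret, int(time.time()))))
```

Two details matter for a gateway adapting to the directive: a single passed factor is rejected outright rather than treated as "partial" success, and the failure counter is tracked per cardholder so that code guessing is bounded regardless of how many merchants initiate challenges.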

However, in our country, the Bank of Spain has granted a moratorium, and the regulation will come into force later.

Currently, two payment methods coexist: the traditional one using cards and payments made with mobile phones, but a future is emerging where cards may no longer be necessary. This is because, thanks to direct access to users' accounts that banks must provide to third parties, the customer can expressly authorize any merchant (from large ones to the smallest) to charge their purchase immediately and without using the card, as if it were a simple transfer. The mobile phone will be essential in this process.

David Martínez Rego
Technology Advisor at Inversa Invoice Market

If you want to contribute to the Inversa blog as an expert, become a knowledge partner.